
First of the ncix leaked info scam letters going out?

leaderdog
26 minutes ago, mdchachi said:

I also received this exact same message today, hence the reason I am here.  Since I use a unique email address for every web site I access, I know with certainty that in my case the hack is originating from livejournal.com one way or another.  Is there anything I can do?  I mean, if this is a live, open security hole that isn't plugged I'd like to raise the issue somehow.

On the other hand I do see online references to livejournal hacks from over 10 years ago.  So maybe it's coming from then.

 

Breached databases are floating around on the dark web.  I have not used USAJobs for over 10 years and I haven't used the same password on other sites.  It's more likely they have more, but I'm not too concerned as my passwords are all different.  Most financial, social, email and other sites now require 2FA or email notification from unknown sources.

To be on the safe side, it might be a good idea to go ahead and change the passwords.

Link to comment

6 minutes ago, Texconsin said:

Got one of these, too.  The password was NOT that used on my email account and a check of the headers showed it was NOT coming from my email account.  It's time we bomb Macedonia!  The worst thing that ever happened was the fall of the Iron Curtain!

IP General Information

IP Address: 77.29.65.161
Hostname: 77.29.65.161
ISP: Makedonski Telekom AD-Skopje

IP Geolocation Information

Continent: Europe (EU)
Country: Macedonia (MK)
City: Skopje
Time Zone: Europe/Skopje
Latitude: 42 (42°0'0" N)
Longitude: 21.4333 (21°25'59.88" N)

Come to think of it, it could be the guy next door using Nordvpn!

Link to comment

Just now, Texconsin said:

Come to think of it, it could be the guy next door using Nordvpn!

Hacker sent me an email from Paris, France but I doubt it and it's not my email server.

Link to comment

Oh boy, I can't wait to get that email, it would at least confirm that my email really was in there. (Still kind of hoping it wasn't)

But did they really access your email to send you that or is it just a case of spoofing?


Link to comment

5 hours ago, leaderdog said:

We've gotten full damps of these data.

Gotta get those damps.

 

... gotta get those damps.

Link to comment

We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one...

First off, I'm sorry you guys had to see that...

Also I don't have a webcam, so I'd love to see what "video" you have of me xD


Link to comment

6 minutes ago, TetraSky said:

Oh boy, I can't wait to get that email, it would at least confirm that my email really was in there. (Still kind of hoping it wasn't)

But did they really access your email to send you that or is it just a case of spoofing?

They didn't access my email to send me that sleazy message.

Link to comment

Interesting I just got this email today and the password didn’t match the email they sent it to. I use a catch all for one of my email domains and it looks like one of the databases was from rent-a-coder. Rent a coder is like guru.com (they have code development gigs listed). 

 

I had to change all of my passwords as the password in the email was one I used in quite a few places. I won’t be making that mistake again. Now each login has another password and everything had two factor authentication.

 

I'll be keeping an eye on this thread.

Link to comment

3 minutes ago, N0TIC said:

I had to change all of my passwords as the password in the email was one I used in quite a few places. I won’t be making that mistake again. Now each login has another password and everything had two factor authentication.

After the third leak from a website and having to change the password everywhere I used it, I went with a unique password for everything using Keepass and protected my email with two factor. So yeah, it can be a hassle to set up, but it will be worth the time you won't be wasting every time a new leak like this one happens.


Link to comment

Just googled my way in here.

Had three of these in a row to separate email addresses, one of them got a password wrong, the other two were correct.

It's a password I used to use all the time, but not so much in the last couple of years -- no idea what was hacked, but never used ncix afaik

 

IP routes to San Francisco.

I'm in the UK

Link to comment

10 minutes ago, Moonclamp said:

Just googled my way in here.

Had three of these in a row to separate email addresses, one of them got a password wrong, the other two were correct.

It's a password I used to use all the time, but not so much in the last couple of years -- no idea what was hacked, but never used ncix afaik

 

IP routes to San Francisco.

I'm in the UK

I also have never used ncix 

Link to comment

Bit of an update on the Full Header info:  Received: from b3d0bf17.virtua.com.br (unknown [179.208.191.23])

 

Seems to be from a temporary homebrew-type server.

 

 

Link to comment

Among many reasons, the biggest flag here is they don't provide any way to confirm who sent the payment... I am assuming the wallet is not unique per transaction... so how can they confirm who sent the payment to "delete the data".

Link to comment

1 minute ago, qedyyc said:

Among many reasons, the biggest flag here is they don't provide any way to confirm who sent the payment... I am assuming the wallet is not unique per transaction... so how can they confirm who sent the payment to "delete the data".

As if these kinds of scumbags would ever "delete the data" after being paid.
Paying them is the same as throwing your money in a fire, it will do nothing. They will always have a backup of whatever blackmail material they have of you. (Not these morons specifically, but actual blackmailers who really have dirt on you)


Link to comment

Has anyone ever registered for www.last.fm  ?  That's the only place I've used my targeted email and used the password that they've sent. I'm almost certain now that whatever data they had for my email message, they gained the info from last.fm

 

I guess they were hoping I used the same password for everything, including my email account, which I don't.

Link to comment

Mine resolved to Brazil as well : r72-pw-gravatai.ibys.com.br ([189.14.7.67]:20040)

 

And yes, I have a lastfm account and that ties up perfectly, well spotted !

 

Also remember that steam and yahoo were also breached last year...  no mention of last.fm being hacked to my knowledge, but does seem to point there...

Link to comment

6 minutes ago, DaMonkey said:

Mine resolved to Brazil as well : r72-pw-gravatai.ibys.com.br ([189.14.7.67]:20040)

 

And yes, I have a lastfm account and that ties up perfectly, well spotted !

 

Also remember that steam and yahoo were also breached last year...  no mention of last.fm being hacked to my knowledge, but does seem to point there...

 

Starting to make a bit more sense now. I wonder if last.fm are aware of this yet.

Link to comment

Just checked and discovered I have at least two accounts on last.fm - both correlating the password / email data.

Not used that website for years so sent a delete request.


This may be the culprit, but remember that correlation does not equal causation.

Link to comment

7 hours ago, leaderdog said:

I guess with the WAN show bringing attention to the fact that NCIX's info has been sold to unscrupulous individuals, the "hackers" are now trying to extort money.

I received this email this morning:

--SNIP--

Scare letter essentially.  So delete if you get it.  Clearly the fools that bought the info from ncix.

And of course, change your passwords if you use the same for other sites as Luke said on the WAN show.

It appears these are some deceitful folks trying to capitalize on the hack, and most likely don't (yet) have any real data from NCIX. Why? Because if you do a Google search for the BitCoin address you'll find many emails claiming the same things for other websites that follow the same formatting. I'd be interested to know how they're getting email addresses though (aside from brute force spamming them), as if they're hitting everyone this would indeed indicate that they somehow got hold of all registered email addresses from a leaked database or another source.

https://www.google.ca/search?q=1DzM9y4fRgWqpZZCsvf5Rx4HupbE5Q5r4y


Link to comment

Found this thread/forum via google searching the bitcoin address:

1DzM9y4fRgWqpZZCsvf5Rx4HupbE5Q5r4y

 

 

I got the same email today -

Delivery-date: Tue, 25 Sep 2018 08:28:53 -0700
Received: from [154.68.47.50] (port=25662 helo=lsci2m-154.68.47.50.aviso.ci)

 

Quote

Transfer $700 to our Bitcoin wallet: 1DzM9y4fRgWqpZZCsvf5Rx4HupbE5Q5r4y
I guarantee that after that, we'll erase all your "data" :D

He's also using

1DuDhqSWdmRxJjaRRSpa9wRH7yf9ncgw56

 

I don't think I've ever ordered from ncix either.  Still trying to figure out whose database got hacked.

It's obvious that something was LEAKED recently although it's possible these are older/emails/passwords.

 

 

Link to comment
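The header check several posters describe (reading the topmost Received line to see which host actually handed the message over, instead of trusting the From address), as an added Python example that is not part of any post. The sample message, its addresses and the `provider_nets` ranges are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; Received formats modelled on the lines quoted in the thread.
SAMPLE = """\
Received: from [203.0.113.50] (port=25662 helo=dyn-203-0-113-50.isp.example)
\tby mx.mailhost.example with esmtp; Tue, 25 Sep 2018 08:28:53 -0700
Received: from relay.example (unknown [198.51.100.7])
\tby dyn-203-0-113-50.isp.example; Tue, 25 Sep 2018 08:28:40 -0700
From: <alice@mailhost.example>
To: <alice@mailhost.example>
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s)]+)")
FROM_RE = re.compile(r"from\s+([^\s\[(]+)")

def delivering_hop(raw):
    # Only the topmost Received header is written by the recipient's own
    # mail server; every header below it can be forged by the sender.
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    ip = IP_RE.search(top)
    name = HELO_RE.search(top) or FROM_RE.match(top)
    return {"ip": ip.group(1) if ip else None,
            "name": name.group(1) if name else None}

def self_addressed_spoof(raw, provider_nets):
    # provider_nets: hypothetical CIDR ranges the mailbox provider sends from.
    # The HELO name is client-supplied, so only the recorded peer IP is used.
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    hop = delivering_hop(raw)
    if not sender or sender != rcpt or not hop or not hop["ip"]:
        return False
    ip = ipaddress.ip_address(hop["ip"])
    return not any(ip in ipaddress.ip_network(n) for n in provider_nets)
```

A `True` result means the message claims to come from the recipient's own address but was handed over by a host outside the provider's ranges, which is forged-sender mail and not evidence that the mailbox was accessed.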

I've never had a last.fm account -- don't be so sure it's them.

Link to comment

3 minutes ago, vuln said:

I've never had a last.fm account -- don't be so sure it's them.

 

I'd normally agree, but I've never used the same password anywhere else. Only last.fm

Link to comment

As you said, doesn't prove it's last.FM, probably not just one breached site, as said before yahoo mail, steam and NCIX all hacked, just that lot would keep them busy for a while...  but I don't have NCIX account, so one of the others gets my vote from the UK side of the pond...  and the password given would have tied up... for last.fm for me

 

 

Link to comment