Someone who cares about bitcoin more than I do checked the transaction history for the bitcoin wallet provided by the “hacker gang” and it doesn’t look like they have collected any bitcoin with this scam.
I’ve gotten dozens of these in the last few weeks. Since I use accounts and passwords as watermarks, I could tell which websites’ user databases appear to have gone walkabout. But, in order to do that, I’d have to care a lot more than I do.
A typical user, who has one password for ten sites, might fall for this. What they’re doing is using the contact email address and password from a leaked site database, assuming that I’d have the same password on my contact email address (firstname.lastname@example.org) as on the site account. In this case I can tell it’s a throwaway site because I used another account name off the top of my head as a password. A “throwaway site” in my mind is one of those annoying sites with a “you must have an account in order to access this document” signup wall or something like that. I don’t care if the account gets hacked (that’s the site’s problem for forcing people to sign up to their stupid site!) because the credential has absolutely no value elsewhere.
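The watermarking trick above, as an added example (not the author’s code): one function mints a per-site alias and random password, the other scans an extortion email for any stored watermark and names the site whose database leaked. The vault contents, site names and the email text are all constructed.

```python
import re
import secrets
import string

# Constructed vault of per-site watermark credentials (stand-in for a
# password manager export). Sites, aliases and passwords are made up.
VAULT = {
    "docs-wall.example": {"email": "jdoe+docswall@example.org", "password": "tabby"},
    "forum.example": {"email": "jdoe+forum@example.org", "password": "mK4v9Qz2pL8sX1wT"},
}

ALPHABET = string.ascii_letters + string.digits


def new_watermark(site, contact="jdoe@example.org", length=16):
    """Mint a unique plus-addressed alias and a random password for one site.

    Reusing neither value anywhere else is what makes a later leak attributable.
    """
    local, domain = contact.split("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", site.lower())
    alias = f"{local}+{tag}@{domain}"
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return {"email": alias, "password": password}


def leaked_sites(message, vault=VAULT):
    """Return the sites whose watermark credential is quoted in a scam email."""
    hits = []
    for site, cred in vault.items():
        # Match the password as a whole token so short words don't hit by accident.
        pw_hit = re.search(r"(?<!\w)" + re.escape(cred["password"]) + r"(?!\w)", message)
        alias_hit = cred["email"].lower() in message.lower()
        if pw_hit or alias_hit:
            hits.append(site)
    return hits


# Constructed sample of a "we know your password" extortion email.
SAMPLE_EMAIL = (
    "Hi, I know your password is tabby. I installed malware on your computer "
    "and recorded you. Send 0.5 BTC within 24 hours or I release the video."
)
```

Running `leaked_sites(SAMPLE_EMAIL)` points at the site whose credential the scammer is quoting, which tells you which breach to worry about (and usually that it is a throwaway one).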
Just a recap on the rules of passwords for websites:
- If it’s a garbage site, go ahead and use your cat’s name as a password
- If it’s a worthwhile site but has no financial ramifications for you, use a randomly chosen 16-character password (save the password in your password vault)
- If it’s a financial site use a randomly chosen 16-character password and keep the password written down on paper in an envelope in your desk at home, and do NOT log into the site from mobile devices
- If it’s where your life savings are kept, do not access it online, period. And request that online transactions be blocked, or put an ACH limit of $1 in place, just in case someone manages to spoof the sign-up process for you
The last point is problematic. There are some banks/brokerages that will automatically populate your account with an online access account with a horribly weak default password. You need to make sure your life savings are not kept in such an account – I used to use a small-town bank specifically because they did not offer online banking when I signed up. A couple of years later they started offering online banking and, sure enough, the set-up password was my social security number. I signed up using a randomly chosen large password that I didn’t even bother to remember, then stormed into the lobby to put every block and control on transfers that was possible.
The state of online transaction security is unbelievably bad.