11 responses

  1. kodabar
    08/28/2019

    I doubt it helps that you’re so adamant. You emphatically state that TV Tropes had a breach and that the password database had been decoded. But this is all based on one thing – you say the emails contained a password that you only used on there.

    We’ve only got your word for that. When some random guy from the internet (I’ve no idea of your computing prowess or experience) says this kind of thing without offering any proof of their own, it doesn’t engender the greatest trust in either your expertise or the accuracy of what you claim.

    If I was the admins at TV Tropes, I wouldn’t respond to you either. What do you want them to do? Do you want them to force everyone to change their password? Do you want them to check all their security? And for what? Because one guy says he got a spam email that contained his password. Are multiple people reporting this? Nope. Is there any indication that there was a recent intrusion? Nope. Just one guy being insistent.

    All that stuff about being forced to make this public, 30 day industry standard periods and claims of password databases being hacked are a bit hyperbolic.

    If I was you, I’d have sent an email to the admins explaining about the spam email and that you were fairly sure it had been a unique password and left it at that. After all, that’s as much as you know.

    • Mike Talon
      08/29/2019

      In actuality, disclosure after a 30 day period is the industry standard any time proof of a leak exists. As for how the proof was acquired, this is what security professionals do. When there is clear evidence of a breach, we notify the site administrator and offer to work with them to address the issue. In this case, the unique password was found outside of the site where it was held, which is evidence of a breach of either the website or the password vaulting system in-use. Since no other unique passwords stored in that vault have surfaced, the evidence points to the website having been compromised. Had I been asked to delay disclosure by a team of site administrators (or even one admin) who were working to address the problem, I would have – at least for a reasonable amount of time beyond the standard 30 days to give them room to correct things (while 30 days is the default, most security pros will honor a site owner’s request to extend it to 90 if asked). Had I been able to gain more information through working with the site staff, I would have. Lacking either of those things, I had to disclose with the information – and evidence – I had after the standard time period for notification expired.

      Now, as to why it is important that notifications be made and action be taken: You and I and many others do not re-use passwords on multiple websites. That cannot be said for the vast majority of end-users, who do indeed re-use passwords on multiple (if not all) sites they log into. Because the username on websites is typically your email address – which is public information – a re-used password that has become compromised in a site breach can give an attacker access to multiple sites that may contain much more sensitive information than TVTropes. The general procedure for a compromised site is to force a password reset and advise users to change their passwords on any other site where they used the same password. Even if they chose not to force-reset, notification of users that their credentials may have been compromised is common.

      Had the administrators of TVTropes responded at all, I would have indeed shared any and all information, emails, and other data I had to help them track down what happened. I even explicitly told them I was not seeking a bug bounty or any other form of remuneration; this was purely an offer of assistance from a user and supporter of the site. When no response was forthcoming, I took the next standard step in the disclosure process and published the information I had.

      Finally, to your main complaint, there are two things to point out. First, I don’t hide the fact that I work in Cybersecurity. I’ve worked in Identity and Access Management and Managed Security Services. I don’t expect anyone to take my word on that; there are links to my LinkedIn profile and that information can be independently confirmed. Secondly, “one guy being insistent” is quite literally how 90% of security disclosures happen. One guy found out about the Capital One breach: an FBI Agent who was investigating the attacker. One guy (or possibly gal) blew the whistle on LabCorp and Quest Diagnostics: a threat researcher followed a pattern of data. While many of those folks work for threat-hunting organizations, it is nearly always one person, following the evidence, who is able to determine that a leak occurred. You are correct that I do not know for certain how the data was leaked, but the evidence does indicate a leak took place. You are also correct that I have no determination of the timing of the leak; however, that doesn’t change the fact that data *was* leaked. I would have been quite happy to work with TVTropes to help find the answers to those questions, but that wasn’t an option they were willing to take.

      I don’t expect TVTropes to have perfect security. First, it’s approaching impossible to do that these days, and secondly, it’s a small site run by a small team that doesn’t have security expertise. I do expect that when given evidence of a breach they take responsible action – investigating, alerting users, and forcing password resets. This costs them nothing, is negligible in terms of site visitor time and interaction, and defends their users. I was so adamant because they took no action. They didn’t even reply to me to tell me they were looking into it. As a site admin myself, I would definitely reach out to anyone who told me they had evidence of a site breach on my domains. I would at the very least take a serious look at the evidence and reply with my thoughts on the matter. If the evidence did point to the possibility of a breach, I’d force-reset the few users who do have passwords on my sites once I locked things back down. This actually happened once in the past: my site was invaded by “malvertising” and I had to clean up the mess after a user notified me. So I speak both from Cybersecurity and Site Admin experience when I say that this was handled poorly by TVTropes, and they are indeed willingly putting users at risk by inaction.

      • kodabar
        08/29/2019

        My point was rather that the evidence is pretty weak and quite far from being proof of a breach. Indeed, often such breaches are uncovered by an individual, but with considerably more evidence – as you mention, “a pattern of data”. That was all.

      • Mike Talon
        08/29/2019

        Quite probably, and honestly I wish I had more data. The site owners ignored the evidence I do have, and therefore I wanted to at least get the word out that a breach was quite probable.

    • CL
      12/10/2019

      I can back up this claim. Same thing happened to me. Same emails using a password I only used at TV Tropes. It’s not weak evidence.

  2. T
    10/12/2019

    You’re not crazy. I sent them a note about this back in March 2019 after noticing my unique TVTropes password appearing in identity protection services. There’s a throwaway comment on Hacker News from someone else noticing this too:
    https://news.ycombinator.com/item?id=18940919

    The owner of TVTropes lives in California, where there are breach disclosure laws:
    http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.29.

    Might need to escalate this to the DA or Sec State there.

  3. Oli
    11/24/2019

    Not crazy – have had spam with evidence of password content sent along to an email address entirely unique to TV Tropes.

  4. Narazazen
    12/22/2019

    Today I was informed by Chrome that my TVTropes password was detected by their breach service. You were correct.

  5. Phil S
    08/18/2020

    This was also my experience. I use a password manager, so all my passwords are different, and they are all 20-character random strings.
    I got the extortion email, and it was a simple matter to look through my password manager and find the password referenced in the email. It was TVTropes.
    It is hard to believe that in 2020, sites are still storing passwords in the clear. But there is really no other explanation.

  6. Jenny
    10/05/2020

    I have found the same thing. I use a unique email address which starts with tvtropes so clearly I wouldn’t use this anywhere else. Haveibeenpwned says that this email address is in not one but three different data breaches – Collection #1, Exploit In, and Anti Public Combo List. Clearly tvtropes have nonexistent data security, but good luck getting them to actually engage on this topic!

  7. S
    10/09/2020

    I am only just now finding this…unless it got buried in my inbox, I *never* received an email from TvTropes about this. I used a unique password for there, and also the scammers kept typing it wrong! Literally every time I’ve gotten the email (I got it once in 2019 and once a couple months ago), they always get the same letter wrong. And I always questioned why the scammers would try and scare me with a password to a site I hadn’t logged in on in actual years. Anyway, I had to go searching to find out what happened. I am also disappointed in the lack of communication from TvTropes. I did still change that password, but also I had no idea you could attempt to contact TvTropes to let them know about this.
