BT_Blue

Arbiter breach


2 minutes ago, kylehutson said:

Speaking as a computer nerd...

This means they're not doing things right. If they're properly encrypting, it should take trillions of CPU-hours to decrypt that. Yes, trillions.

Oh, and since I've got my computer nerd hat on - listen to @beerguy55's advice above, too. If you need help setting up a separate password for each site, I suggest LastPass (though there are several competitors which are probably as good, that's just the one I happen to use).

Lastpass for me too - I don't even know what my password is for most websites

  • Like 1

4 minutes ago, beerguy55 said:

Lastpass for me too - I don't even know what my password is for most websites

Me either - including Arbiter. I got the notification, changed my password, and I don't know what either the previous or current passwords were/are.


Continuing to follow this...

I was wondering if any of our members with IT/Security specific knowledge could chime in with additional tips. I'm definitely going to look into lastpass.  

  • Like 3

1 hour ago, kylehutson said:

Me either - including Arbiter. I got the notification, changed my password, and I don't know what either the previous or current passwords were/are.

Now with this LastPass, can you use it across all of your devices? In other words, if I change a password on my work computer, will it know it on my home iPad or cell phone?


I use RoboForm across my devices, both Apple and non-Apple. I have been for years.

On 8/28/2020 at 1:48 PM, beerguy55 said:

Couple of tips from your local cyber guy - this is what I do for a living.

First - do NOT reuse your password across websites...those who hacked Arbiter now have a set of passwords that they will attempt at any website you can imagine to see what works...and more than half of them likely will work somewhere else - Amazon, Linkedin, banks, etc, etc. 

Also - use this resource - https://haveibeenpwned.com/ - it will give you an idea of what breaches have found your email address...and what else with it.

 

Just curious, I tried HIBP and found some breaches of my email accounts in the past, but it didn't list the Arbiter breach. Is that just due to a delay in reporting? 

4 hours ago, The Short Umpire said:

 

Just curious, I tried HIBP and found some breaches of my email accounts in the past, but it didn't list the Arbiter breach. Is that just due to a delay in reporting? 

Likely because the breach only impacts 8000 or so people - I'm assuming they draw the line somewhere.   You can always submit it to them.

9 hours ago, The Short Umpire said:

 

Just curious, I tried HIBP and found some breaches of my email accounts in the past, but it didn't list the Arbiter breach. Is that just due to a delay in reporting? 

I have also heard (but I didn't try to verify) that the Arbiter breach didn't affect everyone.

17 hours ago, aaluck said:

Now with this LastPass, can you use it across all of your devices? In other words, if I change a password on my work computer, will it know it on my home iPad or cell phone?

Yessir.

On 8/31/2020 at 2:02 PM, Umpire in Chief said:

Continuing to follow this...

I was wondering if any of our members with IT/Security specific knowledge could chime in with additional tips. I'm definitely going to look into lastpass.  

Use multifactor authentication (MFA) wherever you can (at least where it matters - banks, social media, computer, phone, anywhere with PII or financial info) - use an authenticator app if you have a smart phone, or text message code, fingerprint, face, etc.  Something you have + something you know.  A bank card is an example...you have the card, you know the PIN.   Typically anything that requires your cell phone is a good additional layer of security.

Try to avoid "secret questions"...that's just something else you know and if someone is motivated enough they can figure out the name of your first dog, or your mother's maiden name.

Check security settings of any site you use - turn on notifications where possible (eg. notify you of logins on a new device, notify you if someone changes your password, etc)

Here's a stat for you - 2/3 of people never change their home default wi-fi password.

 

As far as passwords - size matters - go for length, not crazy characters.  Put in a passphrase that is easy for you to remember, hard for someone to guess...even if it's all lower case if it's 15 characters or more it will be time consuming to hack.  (eg. drinkingbeerisawonderfulthing)..you can throw in some caps if you want to make it even harder  (or let your password manager do it for you - but you still need a really strong password for your password manager - and your computer...and your work account, etc, etc)

Also - don't use common phrases - eg. ilovekale vs ilovebeer - guess which one is 50 times harder to crack.

PINs - go 8 characters at least...that's just math - 4 characters 10000 combinations, 6 - one million, eight - 100 million

Finally - remember - hacking people is now easier than hacking technology - social engineering, mostly email phishing, is the prime way they're going to try to get your password, your money, your identity.   It's also cheaper.  The guy who sent you that phish email last week likely works in a cubicle, has a manager, has an annual review, performance objectives, a training plan, and may even share company bonuses.

Don't click links in emails unless you are 150% sure you know the source...I just go to the website and log in...if that Amazon email was real, the info will be there in my account.

I can go on and on and on.   Awareness is our best, and sometimes only, tool - there are companies in the world with THOUSANDS of employees whose only job is cybercrime.

Anyway - ask away - PM or here....this is my career, 25 years - I'm head of cybersecurity of a multi-billion dollar company.

  • Like 5
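
The length-versus-complexity, common-phrase and PIN arithmetic from the post above, worked through as an added example (not part of the original post). The guess rate, the four-entry wordlist and the 8-character sample password are constructed assumptions.

```python
import string

# Assumption: offline guess rate against a fast, unsalted hash (illustrative).
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed sample of phrases a cracking wordlist would try first.
COMMON_PHRASES = ["password", "123456", "ilovebeer", "letmein"]


def alphabet_size(secret: str) -> int:
    """Size of the character pool implied by the classes present in secret."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in secret))


def keyspace(pool: int, length: int) -> int:
    """Number of candidates for a uniformly random secret."""
    return pool ** length


def worst_case_guesses(secret: str) -> int:
    """Wordlist position if the secret is a common phrase, else full keyspace.

    The keyspace figure is an upper bound: a passphrase built from dictionary
    words is less random than the same number of random letters.
    """
    lowered = secret.lower()
    if lowered in COMMON_PHRASES:
        return COMMON_PHRASES.index(lowered) + 1
    return keyspace(alphabet_size(secret), len(secret))


def years_to_exhaust(guesses: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the assumed guess rate."""
    return guesses / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for digits in (4, 6, 8):  # PIN lengths from the post
        print(f"{digits}-digit PIN: {keyspace(10, digits):,} combinations")
    # "Xk7#mQ2!" is a constructed 8-character sample; the others are from the post.
    for secret in ("Xk7#mQ2!", "drinkingbeerisawonderfulthing",
                   "ilovekale", "ilovebeer"):
        guesses = worst_case_guesses(secret)
        print(f"{secret!r}: {guesses:.3e} guesses, "
              f"{years_to_exhaust(guesses):.3e} years at the assumed rate")
```

A slow, salted password hash on the server side lowers the achievable guess rate by orders of magnitude, which scales every figure up accordingly.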

2 hours ago, noumpere said:

I have also heard (but I didn't try to verify) that the Arbiter breach didn't affect everyone.

As I understand it, it was 8000 people in Iowa.

On 8/31/2020 at 4:02 PM, Umpire in Chief said:

Continuing to follow this...

I was wondering if any of our members with IT/Security specific knowledge could chime in with additional tips. I'm definitely going to look into lastpass.  

So I subscribed to LastPass last night. I did a lot of research between it and a few other password management tools and think this is a very good product, and for the price it's a no-brainer.

Check it out https://www.lastpass.com/

  • Like 1


Oh wow I just logged into my account. and was not surprised... I looked into ArbiterPay and had a zero dollar balance...

I wasn't hacked or anything, they just charge a hefty $10.00/month inactivity fee, which I wasn't aware of. I used to keep this as my secret hideaway money.

I guess those last couple of games in my career ended up being free.... :(

 

  • Sad 3

17 minutes ago, Umpire in Chief said:

I wasn't hacked or anything, they just charge a hefty $10.00/month inactivity fee, which I wasn't aware of. I used to keep this as my secret hideaway money.

I guess those last couple of games in my career ended up being free.... :(

That sucks.

I have a separate bank account for my stuff where SWMBO has look-but-don't-touch privileges. I set that up after she spent money that I needed to go to a conference for my day job (it would get reimbursed, but it made for an unpleasant conference). She doesn't mind too much because that's also my fun money (usually meaning taking her out to eat).

On 9/1/2020 at 5:19 PM, Kevin_K said:

Is it OK to click on the link you provided? Can we trust you?  :wink:

Jersey guy is such a smartass:P 

1 minute ago, LMSANS said:

Jersey guy is such a smartass:P 

Some things offer too much temptation to resist. I'd apologize, but it wouldn't be an honest offer.

  • Haha 2


I hope to God this finally torpedoes the absolute dumpster fire of a website and software that is Arbiter. It is outclassed and outmatched in literally every way by other softwares (Assignr, RefTown, etc.) that there is ZERO reason to continue giving these dinosaurs money. LET IT DIE! :fuel:

11 hours ago, BlueRanger said:

I hope to God this finally torpedoes the absolute dumpster fire of a website and software that is Arbiter. It is outclassed and outmatched in literally every way by other softwares (Assignr, RefTown, etc.) that there is ZERO reason to continue giving these dinosaurs money. LET IT DIE! :fuel:

I'm OK with that, but I hope *somebody* wins. I'm not going to block schedules on 10 different calendars.

  • Like 2

On 9/3/2020 at 12:36 PM, kylehutson said:

I'm OK with that, but I hope *somebody* wins. I'm not going to block schedules on 10 different calendars.

This was the greatest thing about Arbiter IMO. It didn't take long before all groups I worked with used Arbiter and life was easy.

  • Like 1


The part that frustrated me about this was when this occurred in the middle of July, they lied about it.

I didn't get notified about this until my check cards were getting declined and I had to call the bank to figure out wtf was going on and they told me that some idiot was driving up and down the Cali coast trying to cash fraudulent checks in my name. He had ALL of my verification information. 

I could have nipped this before it all went down had they been honest about it right away.

 

  • Thanks 1

