apple’s password manager gave this alert about jw.org (?)

[Brandon]

my friend received this alert on their iphone (screenshot attached)

 

has anyone else received such an alert on their apple device?  i think it’s a relatively new feature for Safari. 

[Friends just call me Ross]

 Smells like a phishing scam to me. 

[AH173]

I would encourage you to talk to your congregation's jw.org account administrators-asap. In my case they are the cobe and the secretary.

[Old]

Not a password manager, but I got one similar today on my PC. Screaming red like shouting in my face. No borders on the page, went to task manager, Closed out Chrome and it went away. It said if I called an 888 number they would take care of me and well they would.

Edited October 28, 2020 by Old

[Friends just call me Ross]

Yup.  A phishing scam.

 

Seriously, why would anyone hack into

someone's JW.ORG account?

 

[ReadYourBible]

19 minutes ago, Friends just call me Ross said:

Yup.  A phishing scam.

 

Seriously, why would anyone hack into

someone's JW.ORG account?

 

because some have set up donations, and that means they could get the money that was rightly owed to jw.org

[Pjdriver]

31 minutes ago, Old said:

Screaming red like shouting in my face.

The louder and more bold they are, the more likely it is to be a scam. 

[Friends just call me Ross]

9 minutes ago, cerebral ecstasy said:

because some have set up donations, and that means they could get the money that was rightly owed to jw.org

Isn't that all encrypted? 

[Hinata]

37 minutes ago, Friends just call me Ross said:

Seriously, why would anyone hack into

someone's JW.ORG account?

 

I think that alert doesn’t seem to be like it’s saying that someone has hacked into your jw.org account.

 

It’s simply saying that the password you’ve used on your jw.org was found on the list of a leaked, breached “data files,” which, could have been from another secular web sites, or even completely different another users. (who’re may be unrelated to you, or may be related to you.)

 

A genuine password manager provided officially by Apple most likely won’t issue a phishing attack which could potentially cause the company into a trouble.

 

 

[Mykyl]

This is likely what you saw. Do not keep using the same password. Get it changed. Its just a warning that the password you use on jw.org is also used elsewhere and that it was compromised in a data breach elsewhere. Your device is not compromised. I believe on the device if you go into settings then passwords you can check if your password has shown up in a data leak somewhere. Something like that.

 

Quote

With the release of iOS 14, Apple has introduced a new feature that warns users when their stored passwords have been compromised in data breaches. iOS includes the Keychain password manager that allows users to save credentials and automatically fill them into login forms on sites and apps.17 Sep 2020

 

Edited October 28, 2020 by Mykyl

[Qapla]

In any case - you don't need any software or app to "fix" this issue. Regardless if you think this is a "real" warning or a "scam" you can simply log into your jw.org account and change your password.

[Brandon]

3 hours ago, Friends just call me Ross said:

smells like a phishing scam to me. 

that’s not how phishing... and this isn’t a...  just... no. 

 

1Password has an explainer: https://haveibeenpwned.com/

[Brandon]

1 hour ago, Mykyl said:

Its just a warning that the password you use on jw.org is also used elsewhere and that it was compromised in a data breach elsewhere.

that’s what i thought too and so i asked her if the password is unique or reused for any of her other accounts and she said it was unique;  she usually uses the icloud/safari password generator and keychain when she makes accounts. 

[Mykyl]

26 minutes ago, Brandon said:

that’s what i thought too and so i asked her if the password is unique or reused for any of her other accounts and she said it was unique;  she usually uses the icloud/safari password generator and keychain when she makes accounts. 

Maybe a bug with a new feature then. I don't know. I just know that there is a new feature. Similar to the google password checkup.

[Sheep]

2 hours ago, Brandon said:

that’s not how phishing... and this isn’t a...  just... no. 

 

1Password has an explainer: https://haveibeenpwned.com/

It sounds suspect to me. I tried my email address in that site, and it said Oh no — pwned!

 

So I used a password generator to create a brand new, very complex, highly uncrackable password of 50 characters, and changed my email password. That should do it, right? No, it gave me the same Oh no — pwned! as before.

 

How likely is it that a brand new password that could not be cracked by a computer in 1 vigintillion years be cracked within a couple of minutes!? (Yes, that really is a word: vigintillion.)

[Nelly Kim]

Its quite Suspicious... 

[Brandon]

12 hours ago, Sheep said:

How likely is it that a brand new password that could not be cracked by a computer

i don’t think you understand how it works... Think: why would changing your password affect whether your email address was previously found in a data leak?

 

the site doesn’t look at your password... obviously 

[Sheep]

3 hours ago, Brandon said:

i don’t think you understand how it works... Think: why would changing your password affect whether your email address was previously found in a data leak?

 

the site doesn’t look at your password... obviously 

You're right. I don't get it.

 

So what can I do since that site says my email address is pwned? Scrap my email address and get another one? According to this, it says to change my password. However that didn't work.

[Hinata]

20 minutes ago, Sheep said:

Scrap my email address and get another one?

 

I think there’s nothing you can do if your email address is contained in a data leak. It’s already an information that someone has managed to grab out previously, and spread out over the internet. The “haveibeenpwned” web site only indexes from that list, and see if your email is in one of them. So changing your password would not be able to remove your address from there.

 

When you input your email address, the “haveibeenpwned” web site should tell you from which web sites your email address has been compromised. (i.e. the source of the data leaks.) Have you checked those?

 

Passwords are only in its encrypted forms, so I think it’s extremely unlikely your raw passwords have been leaked.

 

[Sheep]

10 minutes ago, Hinata said:

 

I think there’s nothing you can do if your email address is contained in a data leak. It’s already an information that someone has managed to grab out previously, and spread out over the internet. The “haveibeenpwned” web site only indexes from that list, and see if your email is in one of them. So changing your password would not be able to remove your address from there.

 

When you input your email address, the “haveibeenpwned” web site should tell you from which web sites your email address has been compromised. (i.e. the source of the data leaks.) Have you checked those?

 

Passwords are only in its encrypted forms, so I think it’s extremely unlikely your raw passwords have been leaked.

Okay. I looked more deeply into that. And I found this...

 

 

Bell Canada is indeed my ISP, and they provided my email account. I used to use a different account with Bell Canada, and that one is also reported as pwned. But does any of that tell me anything?

 

The breach was reported in the Globe & Mail...

 

Edited October 29, 2020 by Sheep
added link

[Hinata]

17 minutes ago, Sheep said:

But does any of that tell me anything?

 

Well, from just looking at that summary, a good guess could be made that the source of your breach has been through that company.

 

The summary and the article isn’t exhaustive, but it seems “geographic locations, IP addresses, . . . survey results, usernames” leaks are from “dating back to 2011 and 2012.” So unless you had participated in that particular survey, such information would not have been leaked. It also doesn’t list passwords, so that is ticked off.

There isn’t much one can do for email addresses, since usually address are permanent. But on the other hand, hackers probably can’t easily compromise your accounts — one which are associated with your email addresses — without passwords.

 

So having a secured password, and keeping a good and clean email inbox — clear spam mails, and regularly check security and other settings with your email and your accounts — would be the best option.

 

[Sheep]

Hhmm. I find this perturbing. Hacks and security breaches are happening at an alarming rate during these last days. So how come this website is advertising their password manager, which stores everybody's passwords online?

 

Is that a valid concern?

 

Edited October 29, 2020 by Sheep

[Hinata]

8 minutes ago, Sheep said:

Is that a valid concern?

 

Well if you’re talking about the password manager, then I’m probably not the best person.  Even I myself don’t use it and don’t intend to. I believe one’s password security can be done manually. (But I do get some help from Google Chrome’s “saved passwords” feature.)

 

A valid concern — maybe. I personally don’t like how everyone is advertising to use their password managers. But that is just what I feel.

 

That wouldn’t mean the password manager itself (as a software) would be bad though.

 

Edited October 29, 2020 by Hinata

[Tortuga]

I use a password manager but I don't put a password in the manager, I just put a hint about the password, so even if someone hacked my password manager, the password hints wouldn't make any sense to them.

[Brandon]

1 hour ago, Sheep said:

that site says my email address is pwned

What exactly did it say after you put in your email address?  personally i use https://monitor.firefox.com/ myself.

feel free to DM me @Sheep