Asked to reset password very ambiguously
32 cr points
47 / M
Posted 2/27/17 , edited 2/27/17
This may belong in "Suggestions", but today I was sent an e-mail telling me my password had been "scrambled" and I will need to use the reset form.

This is the language used:


It looks like someone has shared your password somewhere. You should change all your passwords on all sites that you use. Be sure not to use the same password on more than one site, as that's how someone can get into other people's accounts.


I'd very much like to know what exactly this means. Not what it *may* mean, but what took place that caused your system to randomize my password. "It looks like..." What is "it"?
50597 cr points
61 / M / Earth
Posted 2/27/17 , edited 2/27/17
Put your email address into this site to see how many breached sites there are where your id and password have been stolen (not Crunchyroll)

https://haveibeenpwned.com/

They also have eyes on sites where the exposed data has been dumped. Nice to see they are taking positive action with it instead of just reacting after someone reports that their account has been hacked here.
32 cr points
47 / M
Posted 2/27/17
Thanks, but I don't give e-mails out except to whom they are for. The one I use here is unique to this site, as for most sites, so using them for anything else is a bad idea. Don't think I'd feed that machine, anyway.

My nick, on the other hand gets around... So my protest is fairly moot.
59752 cr points
31 / M / Dallas, TX
Posted 2/27/17

strawhousepig wrote:

Thanks, but I don't give e-mails out except to whom they are for. The one I use here is unique to this site, as for most sites, so using them for anything else is a bad idea. Don't think I'd feed that machine, anyway.

My nick, on the other hand gets around... So my protest is fairly moot.


Read the HIBP FAQ, specifically the question "Is anything logged when people search for an account?": https://haveibeenpwned.com/FAQs

If your account was involved in a breach, it is already listed in the database, and is publicly searchable unless you use the Opt out feature.
32 cr points
47 / M
Posted 3/1/17 , edited 3/1/17
Thanks, but I will maintain best practices regarding submitting info to 3rd parties.

And as I said, the only entity with the e-mail address I use here is Crunchyroll. If they [CR] found it by searching someone else's database that would indicate a larger problem, and not necessarily just for me. I would like to know, whatever the case.

But again, the language in CR's e-mail notice is vague to the point of useless.
Der Zoodirektor
26159 cr points
35 / M / Germany
Posted 3/1/17

strawhousepig wrote:

Thanks, but I will maintain best practices regarding submitting info to 3rd parties.

And as I said, the only entity with the e-mail address I use here is Crunchyroll. If they [CR] found it by searching someone else's database that would indicate a larger problem, and not necessarily just for me. I would like to know, whatever the case.

But again, the language in CR's e-mail notice is vague to the point of useless.


As your email address is not listed on haveibeenpwned.com, your account was likely associated to an IP from which fraud was committed on other accounts. We very proactively reset passwords for all accounts involved with IPs associated with fraud and inform their users.
Are you sometimes using proxies or VPN services to access Crunchyroll?
32 cr points
47 / M
Posted 3/1/17

shinryou wrote:
As your email address is not listed on haveibeenpwned.com, your account was likely associated to an IP from which fraud was committed on other accounts. We very proactively reset passwords for all accounts involved with IPs associated with fraud and inform their users.
Are you sometimes using proxies or VPN services to access Crunchyroll?


Did you look up my e-mail address through haveibeenpwned? The only reason to do so would be if crunchyroll's user db had been dumped, but I hope that would prompt more alarm than an ambiguous e-mail. Of course there would be no need for you to look me up in that case as the answer would be obvious. I'm just curious if you did despite what I have said here.

At the time I received the message I was using the manga app on a DSL connection I use daily. The only odd behavior that might occur then is shifting from mobile (Verizon) to the DSL line or vice versa. No VPN and no proxies to the best of my knowledge. But, "it may be" is not very useful, which is why I wanted to avoid that as an answer.

If at this point there is no way for you or anyone else to plainly state what prompted my password reset, consider this the suggestion to supply that information to begin with in the future and drop the vagary. It can only help users to determine what steps to take from there.
Der Zoodirektor
26159 cr points
35 / M / Germany
Posted 3/2/17 , edited 3/2/17
Yes, of course I ran it through the tool - just like any other email in a case like this. There is no harm in doing it under any circumstances.

I can't tell who reset your password, or why it was reset. We don't keep a central log of the resets. But you can be sure that we do not do it without a reason. We either found/were sent a list that included your password, or your account was associated to other compromised accounts by IP. Credential theft directly via your PC or another of your devices is also always a possibility.

Usually such password resets happen in batches of hundreds of thousands at a time, so likely the agent who did it does not remember your address specifically.
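
The two reset triggers named in the staff replies above (an account found on a leaked list, or an account sharing an IP with accounts where fraud was seen), worked through as an added example that is not Crunchyroll's code. The log format, account names, reason codes and the `max_accounts_per_ip` cutoff are constructed assumptions; the point is that each reset carries a recorded reason that the notice can state.

```python
from collections import defaultdict

# Constructed sample data: (account, source_ip) login events. IPs are from
# documentation ranges (RFC 5737); none of this comes from the thread.
LOGINS = [
    ("alice", "203.0.113.7"),
    ("bob", "203.0.113.7"),
    ("mallory_victim", "203.0.113.7"),
    ("carol", "198.51.100.20"),
    ("dave", "198.51.100.20"),
    ("erin", "192.0.2.55"),
]
FRAUD_ACCOUNTS = {"mallory_victim"}  # accounts where fraud was confirmed
LEAKED_LIST = {"erin"}               # accounts found on a leaked credential list


def plan_resets(logins, fraud_accounts, leaked_list, max_accounts_per_ip=1000):
    """Return {account: reason} for every account that should be reset."""
    accounts_by_ip = defaultdict(set)
    for account, ip in logins:
        accounts_by_ip[ip].add(account)

    reasons = {account: "LEAKED_CREDENTIAL_LIST" for account in leaked_list}
    for account in fraud_accounts:
        reasons[account] = "FRAUD_OBSERVED"
    for ip, accounts in accounts_by_ip.items():
        # Shared IPs (carrier NAT, VPN exits) link unrelated users, so very
        # large pools are skipped instead of resetting everyone behind them.
        if not (accounts & fraud_accounts) or len(accounts) > max_accounts_per_ip:
            continue
        for account in accounts - fraud_accounts:
            # Keep an earlier, more specific reason if one is already recorded.
            reasons.setdefault(account, f"SHARED_IP_WITH_FRAUD:{ip}")
    return reasons


def notice_for(account, reasons):
    """Build the user-facing notice text, stating the recorded reason."""
    return f"Password reset for {account}. Reason: {reasons[account]}"
```
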