ThaiVisa private user data somehow exposed.


rwdrwdrwd


Something very strange occurred after I posted a (now removed) question on a topic last week. @Rimmer removed the post because they considered it to be speculation.
 

To be clear, I'm not disputing the removal, nor questioning moderation - the forum TOS clearly state that the forum is allowed to remove what they like for whatever reason they like, and every member agreed to those upon registration.

I'm concerned about something else odd that happened in regard to my account within minutes of the removal.
 

I received the first ever email from anybody other than this very forum's mailing list distribution address to the email address I specifically set up for exclusive use on this forum. I don't like spam, and supplying unique high entropy email addresses when I use third party services makes it easy to track when my email address has been distributed, and by whom.

 

Thankfully, the second ever email address that sent a message to my forum specific email account set up a number of years ago was not a spammer, it was the email provider for the account itself! I'm very happy to see that the forum sticks strongly to its privacy policy of not selling users' email addresses to third parties.

 

A suspicious login attempt had occurred. Clearly somebody has *somehow* obtained the email address that I solely provided to this forum, and attempted to hack into the account. This has never happened before with any of the sole use high entropy emails and passwords (incidentally handled by a 2FA protected globally renowned password management software) that I have so it's very concerning.

I did post this previously on the topic in question, however this was also removed due to being off topic. I have heard nothing further.

Obviously nobody at ThaiVisa would have done this so my concern is that there could be some technical vulnerability in place - unless there is a simpler explanation?


No that doesn't really explain it John, somebody tried to access my email account so there's not anything to "think" about in that regard. It happened, and the only system that has reference to the address is ThaiVisa.


It’s not one of those phishing attempts by any chance, did it give you a link to reset your password?
I get loads of emails from “Facebook” to an email account that isn’t linked to my Facebook account, they simply provide a link to try and steal your password.


Sent from my iPhone using Thaivisa Connect


6 minutes ago, lemonjelly said:

It’s not one of those phishing attempts by any chance, did it give you a link to reset your password?
I get loads of emails from “Facebook” to an email account that isn’t linked to my Facebook account, they simply provide a link to try and steal your password.


Sent from my iPhone using Thaivisa Connect


Nope, it's a legitimate email from the provider - I'm a software engineer so very familiar with phishing. This wasn't a phishing attempt, somebody attempted to access my email account using the email address and a (wrong) password. They tried this one single time, never before and never since.

Someone tried to access your email that you only use as a throwaway address but failed?

Personally if it was my throwaway email I wouldn't be thinking about it very much.

8 minutes ago, johng said:

Someone tried to access your email that you only use as a throwaway address but failed?

Personally if it was my throwaway email I wouldn't be thinking about it very much.


The issue is more that somehow they "obtained" that email address, a high entropy one that would take a brute force attack (with a capability of 100,000,000,000 guesses per second) just over 23 years to obtain. I checked, here https://www.grc.com/haystack.htm

So, given it has only ever been provided to ThaiVisa systems, how did the "hacker" (since "hack" is what they attempted to do) obtain it, is what concerns me.

There is a very simple explanation here indeed, but that would be illegal in most countries around the world under data protection legislation so I am sure it's not that.


Yep, to me it seems you're thinking too much and not seeing the plausible options of random login error, email provider system error or pure coincidence.

A one-time try with the wrong password is not much of an attack, if an attack at all!

Now if that login had used the right password but been blocked due to unknown device/location, yes, concern is needed.

In your scenario I would note the incident and move on with life, not wasting time that's not refundable.


17 hours ago, johng said:

Someone tried to access your email that you only use as a throwaway address but failed?

Personally if it was my throwaway email I wouldn't be thinking about it very much.

 

 

Didn't you basically already say that in post #2 with "Yes farung fink too mutt !!!"

The poster is asking a legitimate question which I don't think should be blown off.

 

 


9 hours ago, BuckBee said:

Yep, to me it seems you're thinking too much and not seeing the plausible options of random login error, email provider system error or pure coincidence.

A one-time try with the wrong password is not much of an attack, if an attack at all!

Now if that login had used the right password but been blocked due to unknown device/location, yes, concern is needed.

In your scenario I would note the incident and move on with life, not wasting time that's not refundable.


None of these are plausible options.

As I stated I have many such accounts (twenty or thirty), the email provider is Google, they don't accidentally send out messages like this. I've been taking this procedure for half a decade now, and this is the first time it has ever occurred.

I'm a software engineer with twenty years experience, I'm very familiar with security and what is *possible* - this is why I take the approach I do with the information I expose to third parties.

The email address itself was as difficult to guess as a password like {8756*&56ijhIJYjkhjknNBHKhik%%2 would be. Nobody is going to have accidentally entered it.

The only plausible explanation, like 99.9999999999999999999999999999999999999999% probability, is that somebody somehow obtained the email from a system to which it has been provided, and that is solely this forum.


On 8/27/2018 at 3:10 PM, rwdrwdrwd said:

somebody somehow obtained the email from a system to which it has been provided, and that is solely this forum.

This is a very interesting piece of news and a very important security issue for the forum, despite the fact that you have mitigated the risk to yourself as far as it's possible to do. I'm hoping that the forum IT security manager will contact you.

 

Please keep us updated with any developments. thanks.


 

3 hours ago, Slip said:

You are probably already aware of https://haveibeenpwned.com/  Could it help?


I've definitely not been pwned - this single use email address has solely been provided to ThaiVisa, it was solely set up for usage with ThaiVisa and has never been shared with anybody other than ThaiVisa. The email address itself is intentionally *extremely* high entropy.

The only place the email address could have been obtained is by either:

A. Somebody guessing an email address that would take the world's fastest supercomputer (which can try 1,000,000,000,000 permutations per second) solely dedicated to the task 2.3 years to guess by brute force - that's just for the bit before the `@`


or 

B. Somebody obtained it from a system to which it has been provided (which is solely ThaiVisa).

Probability says (by greater than 1,200,000,000,000,000,000 - 1) that (B) is the realistic explanation.
 

I'm sure (since I am familiar with Invision, the software that powers the forum) that the admin team at ThaiVisa have access to this email address when they look at my account, but attempting to use it to log into the email provider account would be an *extreme* intrusion of privacy, and in most jurisdictions a clear breach of data protection laws, so surely this is not the reason - hence my concern regarding database security.

It's now changed btw, to another single use address.


22 hours ago, Slip said:

You are probably already aware of https://haveibeenpwned.com/  Could it help?

I just looked at that website - the first thing it asks for (obviously) is your email address.

 

Thought occurred that you're then giving your address to an unknown entity to see if other unknown entities are "pawning" you.

Ummmmm........ anyone else see the flaw in this?


On 8/26/2018 at 5:47 PM, rwdrwdrwd said:

No that doesn't really explain it John, somebody tried to access my email account so there's not anything to "think" about in that regard. It happened, and the only system that has reference to the address is ThaiVisa.

 

Which of course includes Google and yourself. That's three on the obvious list with some kind of reference to the E-mail address. Now we have a logical security check sequence. You + Thaivisa + Google.

 

Your bullet proof security claims only have your word to support them and on a public forum, I guess you know how that goes.

 

I would expect an experienced professional who suspects security problems with a system that handles his data to communicate concerns discreetly and not shout them from the treetops. Thaivisa does have private communication channels.


Actually Lastpass with 2FA, Google with 2FA and ThaiVisa, but thanks for your input maxpower.

 

9 hours ago, Tech Doctor said:

Hi @rwdrwdrwd can you send me a PM and we can walk through the issue here and we can trace where the login was and by what device etc, see if we can see how, what when and where?

 

TD


Thank you for asking TD, however all the information I can provide to you is in the original message. The account has now been closed completely and I've changed to a new one.

I'm pretty confident I *know* what the answer to this question is really. Hopefully it does not happen to anyone else in the future.


20 minutes ago, rwdrwdrwd said:


Thank you for asking TD, however all the information I can provide to you is in the original message. The account has now been closed completely and I've changed to a new one.

I'm pretty confident I know what the answer to this question is really.

 

As an internet developer, I concur.

There is only one realistic explanation (if what you describe really happened that way).

 

I did an experiment over 10 years ago on exactly that subject. I found out that approx. 15 to 20% users have the same password for their forum account as for their email account.

But this requires a modification of the code so it harvests a clear text password instead of the usual MD5 or similar hash.

 

For additional security, you could host your email on your own server and use log parsers to identify failed login attempts and gather more information about the client trying to log in.

 

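The suggestion above is to parse your own mail server's logs for failed login attempts and learn what you can about the client. Below is an added example of that detection logic; it is not code from this thread or from any mail server project. The log lines are constructed for the example (loosely modelled on an IMAP login daemon's "auth failed" / "Login" messages, with reserved documentation IPs), and the failure threshold is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample auth log (not real data). The format is only loosely modelled on
# an IMAP login daemon: "rip" is the remote client IP, "lip" the local server IP.
SAMPLE_LOG = """\
Aug 27 02:14:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<x7q2v9k@example.invalid>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS
Aug 27 02:14:19 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<x7q2v9k@example.invalid>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS
Aug 27 02:14:31 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.invalid>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS
Aug 27 03:01:02 mail dovecot: imap-login: Login: user=<alice@example.invalid>, method=PLAIN, rip=192.0.2.8, lip=198.51.100.10, TLS
Aug 27 03:05:44 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<alice@example.invalid>, method=PLAIN, rip=192.0.2.8, lip=198.51.100.10, TLS
Aug 27 03:06:10 mail dovecot: imap-login: Login: user=<alice@example.invalid>, method=PLAIN, rip=192.0.2.8, lip=198.51.100.10, TLS
"""

# Two patterns: one for a rejected authentication, one for a successful login.
FAIL_RE = re.compile(r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)")
OK_RE = re.compile(r"Login: user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)")


@dataclass
class AuthEvent:
    user: str      # mailbox the client tried to authenticate as
    rip: str       # remote (client) IP address
    success: bool  # True for a completed login, False for a rejected attempt


def parse_auth_log(text):
    """Turn raw log text into a list of AuthEvent, in log order; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append(AuthEvent(m["user"], m["rip"], False))
            continue
        m = OK_RE.search(line)
        if m:
            events.append(AuthEvent(m["user"], m["rip"], True))
    return events


def failures_by_source(events):
    """Count rejected attempts per client IP."""
    counts = defaultdict(int)
    for e in events:
        if not e.success:
            counts[e.rip] += 1
    return dict(counts)


def users_targeted_by(events, rip):
    """Sorted list of mailboxes that a given client IP failed to authenticate as."""
    return sorted({e.user for e in events if e.rip == rip and not e.success})


def suspicious_sources(events, threshold=3):
    """Flag client IPs worth a closer look, with a reason for each.

    Two signals: (1) at least `threshold` failures (assumed threshold, tune to your
    traffic); (2) a successful login for a mailbox that the same IP had previously
    failed against, which is the stronger signal (a guess that eventually worked).
    """
    reasons = defaultdict(list)
    for rip, n in failures_by_source(events).items():
        if n >= threshold:
            reasons[rip].append(f"{n} failed logins")
    failed_from = set()
    for e in events:  # events are in log order, so "earlier" means earlier in the file
        if not e.success:
            failed_from.add((e.rip, e.user))
        elif (e.rip, e.user) in failed_from:
            reasons[e.rip].append(f"successful login for {e.user} after earlier failure")
    return dict(reasons)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for rip, why in suspicious_sources(evs).items():
        print(f"{rip}: {'; '.join(why)} | mailboxes tried: {users_targeted_by(evs, rip)}")
```

Against the constructed sample this reports 203.0.113.45 for three failures across two mailboxes, and 192.0.2.8 for a successful login that followed a failure from the same address. On a real server you would feed it the mail daemon's auth log and pair the flagged IPs with whatever else you log about the client (TLS, auth method, timing) before deciding whether it was a stray typo or a deliberate attempt.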

Just to be clear here, the password was not the same as the account with the forum and nobody actually accessed the account - they just tried to. The motivation for this, I am unsure of.


Actually, there is another explanation, a bit far fetched though.

The router might have been compromised by hackers, for example by "VPNFilter" malware. They use automated scripts which could then perform a man in the middle attack to harvest email and password and then try it out.

 

 

 


Checked router - it's secure thankfully. Scary stuff though!

I think I'd have a lot more to worry about than a weird one off login attempt to a forum if this had happened - nightmare scenario.


 


1 hour ago, rwdrwdrwd said:

Checked router - it's secure thankfully. Scary stuff though!

I think I'd have a lot more to worry about than a weird one off login attempt to a forum if this had happened - nightmare scenario.


 

I'm curious: how did you check that your router is secure?


17 hours ago, rwdrwdrwd said:

Checked router - it's secure thankfully. Scary stuff though!

I think I'd have a lot more to worry about than a weird one off login attempt to a forum if this had happened - nightmare scenario.


 

Oh I see, the login attempt was at a forum not an E-mail account as you stated back in post 6.


4 hours ago, maxpower said:

Oh I see, the login attempt was at a forum not an E-mail account as you stated back in post 6.


No, late night and wrote the wrong word offhand - it was a login attempt to the email account for the email address solely provided to this forum.

Anyway, bored as hell with this topic now, I'm comfortable now on reflection that this isn't a system issue, especially as nobody else has mentioned a similar occurrence. On the basis of probability I personally suspect a "human error".


20 hours ago, manarak said:

I'm curious: how did you check that your router is secure?


Decent router, all user (checked the config xml) passwords changed, wifi hidden and secured, all useful ports locked down, none of the online test tools showing anything of concern - I'm confident it's fine. In terms of my devices, I never, ever connect to public wifi.

I suspect if there were an issue with my router there would be far worse activity occurring than a random one-off login attempt to an email account.


31 minutes ago, rwdrwdrwd said:


Decent router, all user (checked the config xml) passwords changed, wifi hidden and secured, all useful ports locked down, none of the online test tools showing anything of concern - I'm confident it's fine. In terms of my devices, I never, ever connect to public wifi.

I suspect if there were an issue with my router there would be far worse activity occurring than a random one-off login attempt to an email account.

AFAIK, the only way to detect an infection by VPNFilter is to run a packet sniffer and detect unusual activity. VPNFilter will not modify any of your configurations.

 

