It is worth checking logins, definitely. That's how I discovered a breach and
prompted the user to change her password ASAP. What is strange is the way the
intruders behaved.
First came 50.171.64.170, on the 7th around noon UTC. It had made 590 login
attempts to this server since March 2024, using both existing and non-existent
accounts. This time it succeeded, which seems plausible given that the password
was trivial.
Second came 98.181.46.43, on the 8th around 11 a.m. UTC. No previous
violations at my server.
Then came 129.80.228.231, ten minutes after the second. Only 91 violations at
my server since April 2025.
All three IPs are 100% abusive according to AbuseIPDB, which is how I spotted
them.
The user changed her password a couple of hours after the third breach.
It looks like the second and the third hackers acquired the password from the
first. The strange thing is that no one sent tons of spam exploiting the
breach. All they did was send a single message each, the first to
[email protected], the second and third to [email protected].
Is this non-exploitative password trading?
Best
Ale
--
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
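The login review described in the message above, as an added example that is not part of the original post or of any mailop member's tooling: it walks a server's authentication log in time order, keeps a per-IP count of failed attempts, and flags a successful login either when the source IP has a long failure history on this server (the first intruder's pattern) or when it comes from a different IP shortly after an already flagged success for the same account (the second and third intruders' pattern). The log format, the account names, the thresholds and the 48-hour window are all constructed assumptions; the sample IPs are the ones quoted in the message, but the timestamps and users are invented. The flagged IPs are the ones you would then cross-check against AbuseIPDB.

```python
"""Correlate successful logins with each source IP's failure history.

Added example, not code from the original message. The log format below is a
constructed, simplified one (timestamp, result, user=..., ip=...), not the
syntax of Dovecot, Postfix or any other real MTA.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one IP hammers the server and finally succeeds on a
# weak password; two other IPs with no or little history log in soon after.
SAMPLE_LOG = """\
2025-10-06T09:12:00Z FAIL user=bob ip=50.171.64.170
2025-10-06T09:12:04Z FAIL user=nobody ip=50.171.64.170
2025-10-06T09:12:09Z FAIL user=anna ip=50.171.64.170
2025-10-06T15:40:31Z OK   user=carol ip=203.0.113.7
2025-10-07T11:58:02Z FAIL user=anna ip=50.171.64.170
2025-10-07T12:01:17Z OK   user=anna ip=50.171.64.170
2025-10-07T12:05:44Z OK   user=carol ip=203.0.113.7
2025-10-08T10:57:03Z OK   user=anna ip=98.181.46.43
2025-10-08T11:07:30Z FAIL user=anna ip=129.80.228.231
2025-10-08T11:07:41Z OK   user=anna ip=129.80.228.231
"""

FAILURE_THRESHOLD = 3                  # assumed: prior failures that make a success look brute-forced
SHARING_WINDOW = timedelta(hours=48)   # assumed: "soon after" for a second IP on the same account


def parse(log_text):
    """Turn the constructed log lines into sorted event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user.split("=", 1)[1],
            "ip": ip.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def classify_logins(events):
    """Return (timestamp, user, ip, prior_failures_from_ip, verdict) for each
    successful login that deserves a look. Failures are counted per IP across
    all accounts, since the brute-forcer also tried non-existent users."""
    failures = defaultdict(int)   # ip -> failed attempts seen so far
    flagged = {}                  # user -> (ts, ip) of the last flagged success
    findings = []
    for e in events:
        ip, user = e["ip"], e["user"]
        if not e["ok"]:
            failures[ip] += 1
            continue
        verdict = "ok"
        if failures[ip] >= FAILURE_THRESHOLD:
            # Success after a long run of failures: the password was guessed.
            verdict = "brute_force_success"
        else:
            prev = flagged.get(user)
            if prev and prev[1] != ip and e["ts"] - prev[0] <= SHARING_WINDOW:
                # A different IP, little or no history, right after a flagged
                # success on the same account: the password was passed on.
                verdict = "new_ip_after_compromise"
        if verdict != "ok":
            flagged[user] = (e["ts"], ip)
            findings.append((e["ts"].isoformat(), user, ip, failures[ip], verdict))
    return findings


def ips_to_lookup(findings):
    """Distinct flagged IPs, in first-seen order, for an AbuseIPDB check."""
    return list(dict.fromkeys(f[2] for f in findings))


if __name__ == "__main__":
    for f in classify_logins(parse(SAMPLE_LOG)):
        print(*f)
```

The chain matters: the third IP is flagged only because the second one was, and the second only because the first crossed the failure threshold, so a lone legitimate login from a new location (carol above) is left alone. Lower the threshold or widen the window and you trade false negatives for false positives; in practice the per-IP failure count should be kept across log rotations, as the 590 attempts since March 2024 in the message show.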