Reply All: #91 The Russian Passenger
March 16, 2017 9:22 AM

Somewhere in Russia, a man calls for a car. Somewhere in New York City, a stranger's phone buzzes.
posted by radioamy (8 comments total) 2 users marked this as a favorite
 
Still no update for the alexhack. Maybe he has a better idea of what he's up against now?

My general email account has been pwned six times, but part of this is that I've had this email address for a long, long time and signed up for a number of social media accounts for it. I've also certainly changed my passwords since those breaches were reported. . . . and there's no way I'm going to give my email address up.

I work with a lot of older non-techy guys and act as low-level tech support for them, and it's a slog to even convince them that a password manager is a good idea, much less get them to use it. Mostly, they're worried about the idea of their password manager being hacked, and there's very little I can do to convince them it's the safer option (and they all have HORRIBLE PASSWORDS, OMG).

Also, I don't trust Uber just because they have a tendency to be generally scuzzy and horrible when things go wrong when using their service.
posted by dinty_moore at 2:34 PM on March 16, 2017


I've been pwned in two breaches -- something I didn't know until this episode. This absolutely convinced me that I need to use a password manager because I am very guilty of using the same password over and over, and it's not even a very strong one.

Aside from that, I thought this was a fun episode, like an extended YYN dynamic.
posted by gladly at 8:47 AM on March 17, 2017


While listening I wondered if the reason Alex didn't get the email alert about the pickup request was because whoever got his Uber account went in, changed the e-mail and phone number, and then booked the ride. That way the alert went to the new address, and Alex's Gmail isn't compromised. They did say that once contact info changes, Uber can't look up your account with "old" info. What's to stop a user from making contact info changes through their app, and then utilizing the service?
posted by jazon at 10:59 AM on March 17, 2017


jazon - that's a good point.

I know I need to use a pw manager, I've just been lazy about it. (I have 2-factor auth but apparently that's not good enough anymore.) This is a good time to actually start!

I was at my dad's today helping him with his computer, and I set up 2-factor auth on his Gmail and iCloud. Small victories.
posted by radioamy at 4:40 PM on March 17, 2017


I'd avoided password managers as I have so many devices and thought I was ok with 2-factor authorisation but am downloading 1Password now!
posted by ellieBOA at 8:35 AM on March 18, 2017


I was confused about why the two factor authentication didn't help here -- can anyone explain?
posted by purenitrous at 4:20 PM on March 20, 2017


My understanding was that possibly some sort of malware on the dad's Surface tablet could have captured the password so that the two factor wasn't triggered? I know they never definitively answered, but the Surface does sound like it got compromised. The malware scan didn't find anything but Richard did report some unexpected login message that he thought was suspicious.

Anyway, yeah, I got a couple email addresses on the pwned list, and one of them is Gmail. So I turned on the two factor also, and changed the password. Currently using the Safari/iCloud Keychain option for passwords as most of my logins happen either at home on my Mac or on my iPhone.
posted by dnash at 4:56 PM on March 20, 2017


If Alex logged in from the Surface, it would then have valid credentials (likely for 30 days) without needing 2 factor again. If an attacker had remote access to the Surface, they could just use the credentials on it to access Alex's account going forward until prompted again for a 2 factor code.
posted by primethyme at 9:13 AM on March 21, 2017

