Former Demonoid Members Receive Email Claiming Resurrection, Get Malware Instead 62
New submitter giveen1 writes "I recieved this email as a former Demonoid.me user. I tried to go to the website and link is dead. ... 'Dear Demonoid Community Member, We have all read the same news stories: The Demonoid servers shut down and seized in the Ukraine. The Demonoid admin team detained in Mexico. The demonoid.me domain snatched and put up for sale. The Demonoid trackers back online in Hong Kong, but then disappearing. ... Now for some good news: The heart and soul of Demonoid lives on! Through an amazing sequence of unlikely events, the data on those Ukrainian servers has made its way into the safe hands of members of our community and has now been re-launched as d2.vu.'"
But it turns out that the site was distributing malware, hosted on an American VPS, and quickly shut down after the provider discovered this. No word yet on how the Demonoid user database was acquired, but if you did make the mistake of trying to log in Torrent Freak warns: "New information just in suggests that if you logged into the fake Demonoid and used the same user/password combo on any other site (torrent, email, Steam, PayPal) you should change them immediately."
Good Advice (Score:5, Insightful)
Yup. After all those LinkedIn passwords were leaked last year, I wised up and changed the passwords to all the websites I visit each to something different. So now if my username/password combo is compromised, it's only good for that one particular website.
People still use common credentials? (Score:2, Insightful)
Look, I know credential soup is a pain in the rear, but if you want to protect yourself online, it's essential these days. I follow an approach like this:
Tier 1 - For ultra important stuff, such as banks, online merchants, and credit cards. These credentials are very, VERY long and random. Good luck cracking those while I'm still alive.
Tier 2 - For less important stuff, like MMOs and websites I frequent. They'll still be fairly unique, but I'll use some mnemonics to aid myself here and reduce the headache without sacrificing too much security.
Tier 3 - For everything else, especially those damn one-off sites that demand you create an account before you use them. These credentials are usually pretty common, as they're mostly disposable junk anyway and not connected at all to my main stuff.
Oh, and one more thing: use yahoo or other disposable email addresses for Tier 2 or Tier 3 sites. Banks and credit cards should use a unique e-mail address that is not connected in any way to anything else to limit the effectiveness of keyloggers and phishing attempts.
Re:People still use common credentials? (Score:5, Insightful)
Or just use something like keepass and give them all strong passwords. It's not like you're going to be remembering hundreds of passwords anyways. Last count I had over 400 log ins and little or no clue as to how many of them I actually will ever need to use again. For most people, even a dozen passwords is more than they can reliably remember.
Sounds like demonoid used bcrypt. Yay! (Score:5, Insightful)
Someone has the database, but it's not enough: they want people to send them passwords associated with the records. That leads me to one conclusion, to the old Demonoid's credit.