Denise ([staff profile] denise) wrote in [site community profile] dw_maintenance 2020-03-17 04:31 pm

(no subject)

Some of you have noticed an uptick in spam accounts following you this week -- it was because a group of spammers were able to take over some legit accounts and use them for spam. (Our usual antispam efforts have worked pretty well to take care of newly created spam accounts, so spammers are going for the old ones instead.) It does appear that the accounts that were hijacked had used the same password they used on Dreamwidth for other sites, and the spammers found that username/password combination in one of the many black market venues for password resale.

We think we've managed to catch and suspend all the accounts that were being used for spamming -- if yours was one of them, open a support request in the Terms of Service category and we'll help you resecure your account so we can unsuspend it. If you spot one that our automated scan missed, open a support request in Anti-Spam and we'll take a look as soon as we get through the backlog of the already-reported ones. If you spot one and it's already been suspended, you don't have to report it.

This is a great time to remind everyone: please don't reuse passwords for multiple sites! The best and most secure way of handling passwords is to download a password manager, like Dashlane, 1Password, Keeper, LastPass, or Zoho. (Everyone has their own favorite, but those are all reputable and secure.) Let the password manager generate and remember passwords for you. This improves security for everyone!

(Edit:) I also forgot to remind people: you can check to see if your information has appeared in a data breach at Have I Been Pwned? It's a legitimate security research site that keeps a database of which account information is for sale on the black market. They don't tell you which passwords were compromised, just whether your email address appears in a collection of passwords, and they don't have every dataset that's circulating on the black market, but if your email address gets a result there, you should change your password on that site immediately, change the password on any site that you used the same password for (and make it a unique password!), and never use that password again. People who have the black market file try those username/password combinations on every site they can find to see how many accounts they can get into.
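The post recommends checking your e-mail address at Have I Been Pwned; the same service also publishes a Pwned Passwords "range" endpoint that lets a site refuse passwords already circulating in breach dumps without ever sending the password itself (only the first five hex characters of its SHA-1 leave the client). This is an added example, not Dreamwidth's code: the endpoint URL and the `SUFFIX:COUNT` response lines are HIBP's documented format, while the offline stand-in corpus and its counts are constructed for the demo.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

def sha1_upper_hex(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the range API's output."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_k_anonymity(password: str):
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_for_k_anonymity(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def password_is_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    # Policy hook: reject any password that has appeared in a breach at all.
    return breach_count(password, fetch_range) == 0

def live_fetch_range(prefix: str) -> str:
    """Real lookup against HIBP (network); the request carries only the prefix."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in: two passwords we pretend are in the corpus (made-up counts).
_CONSTRUCTED_CORPUS = {"password": 3730471, "letmein": 240000}

def fake_fetch_range(prefix: str) -> str:
    lines = []
    for pw, n in _CONSTRUCTED_CORPUS.items():
        p, s = split_for_k_anonymity(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("F" * 35 + ":0")  # padding entry, as the real API can emit
    return "\r\n".join(lines)
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real service; a non-zero count on a new password is the signal to ask the user for a different one.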

[personal profile] the_beasts 2020-03-17 11:30 pm (UTC)
that is such good news! thank you so much for your reply! :D

we thought there must be better ways to do it than requiring phone numbers, we just haven't personally seen anywhere do so and call it 2FA. the only times we've heard the phrase so far have been in reference to requiring phone numbers, so that was the only pattern we had for it, but still we thought it must be more than that (hence saying -if- they require a phone number). we're delighted to learn that our suspicions were correct - there are better ways to do it! and we're unsurprised that you folks are on top of that and being awesome. x3

we're also very glad to hear about the ways 2FA can be used to keep at-risk people safe, and otherwise be extremely helpful. that's excellent and we're very much in favour of the option being there for those who need or want it! we see what you mean about the situations like you mentioned, and we agree it's very important to offer people ways to keep themselves and their data secure no matter what their situation. we're very glad you're working on that, thank you.

it is sooo good to hear from you that you'll never make it mandatory. we thought you likely wouldn't, knowing the dreamwidth staff and style - your approach has always been in favour of options and choice and diversity and accessibility, which has been instrumental in this place becoming our no. 1 favourite website ever and online home - but we and accessibility in general get shut out and left by the wayside so consistently that it's still extremely reassuring to hear confirmation from you that you're not going to go that way. so even though we know that in general it's not the sort of thing dreamwidth is likely to do, this website means a lot to us and it's a huge relief to hear specific confirmation that we're definitely not going to lose access to it. thank you very much for your dedication to keeping things accessible and preserving users' free will and choices. <3

you all are wonderful. <3 <3 <3