
Forced password change on a site: care for my security, or was free-lance.ru broken into?

Just a few minutes ago I received an email from free-lance.ru, a freelancing site popular in its field, with approximately the following content:

“Dear XXX!
The administration of Free-lance.ru carries out an annual change of user passwords; this preventive measure will help protect your account from unauthorized access by third parties. For your security, your old password has been changed automatically. To change the password to a new one, follow the LINK.”

My first thought was: “Where is the button to report phishing to Google?” But something stopped me. I looked through the headers and the links. Everything seems honest and leads where it should. Or their database was taken, but they are keeping quiet and, without planning how to do it, have started sending out the mailing ...

So tell me, O usability gurus of the site: did you decide to follow in WebMoney's footsteps and, in a panic, make paranoid decisions for the sake of pseudo-security? Or maybe the resource was broken into?

Inside: a couple of speculations and a rhetorical question.
UPD: intrigue has appeared.
Why should I change my password, which I have been using successfully for several years on several similar sites?

Question of the hour:


What are you ready to do for the sake of user security?

- sacrifice hundreds of accounts of negligent users and block them, examining each situation individually and restoring access upon written complaint
or
- once every N period, force people to change their passwords and carry out acts of care for users?

Maybe someone has stolen your database?


A few points in this situation that make you think.
Why, before such a seemingly serious step, did they not think anything through?
All right, the people who gather there understand web technologies a little. But what if it were a website about needlework, for example? Everyone would have flooded Google with reports of phishing spam. And we would get a supposedly safe service that had lost the people who thought their accounts had been taken away.

If (all of a sudden?) your database was taken, have the courage to admit it; users will understand you. And if you keep silent, it will only get worse for everyone.


UPD1: Readers report that the email with the password now arrives right after a (successful) attempt to log in to the site. The difference between authorization and the email is less than a minute. The “panic” mode has changed to the “caution” mode. Opinion of a reader: this is not a hacking attempt, but simply ill-considered actions by the administration.

UPD2: Recall that last year there was already a general change of passwords in connection with a DDoS attack. Now it is a real tradition.

Where is the popcorn?


UPD3: Unidentified people have denied rumors that they were hacked.

UPD4: Someone commented on Twitter that the database did leak after all, and that they will publish a post on the topic in the evening: “They lost their databases. In the evening I will add an article about this to the sandbox.”
Looking forward to it!

UPD5: Developers and IS specialists were approached that day with proposals for cooperation:
"Good day! We write to you from your profile on the site Free-lance.ru. Our company requires a web programmer for continuous cooperation to write scripts that optimize the work of the enterprise ... "
For laughs: they offer as much as 20 thousand a month.

UPD6: Here it is, the reason for the annual care for you and me!


Meet the article from WildZero: Hole on free-lance.ru. Caught the same, their caring!


Remark: Initially, the article did not name the hero of the occasion, but since things have gone this way, all the direct references have now been put into the text.

Source: https://habr.com/ru/post/112173/

