this post was submitted on 27 Mar 2025
665 points (99.0% liked)

  • A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
  • Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
  • Hunt has detailed the attack and warned his subscribers in a timely fashion.
[–] randombullet@programming.dev 18 points 5 days ago* (last edited 5 days ago) (3 children)

Don't password managers verify the domain name before offering credentials?

Does that mean he doesn't use a password manager?

Edit: RIP, now that's a proper phishing. I understand where he's coming from

[–] VerPoilu@sopuli.xyz 59 points 5 days ago* (last edited 5 days ago) (1 children)

He mentioned that he does and the password manager didn't prompt to autocomplete the password automatically, so he had to force it.

The thing that should have saved my bacon was the credentials not auto-filling from 1Password, so why didn't I stop there? Because that's not unusual. There are so many services where you've registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.

[–] sugar_in_your_tea@sh.itjust.works 23 points 5 days ago* (last edited 5 days ago) (2 children)

Then add multiple URLs for that entry. You can even have it match on the base domain, so it works on any subdomain, or restrict it to a subdomain.

I assume that works on 1Password, it works on Bitwarden at least.

That said, I could see myself making this mistake. I've had to manually find entries before for one reason or another (e.g. usually use the app, but access the website this one time).
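The matching behaviour described in this comment (several URLs saved on one entry, matched either on the base domain or restricted to one host), sketched as an added example that is not part of the thread and is not 1Password's or Bitwarden's code. The mode names, the two-entry suffix set standing in for the Public Suffix List, the HTTPS-only policy and every host name are constructed assumptions.

```javascript
// Stand-in for the Public Suffix List (assumption: real managers ship the full list).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Registrable ("base") domain of a host name, e.g. app.example.com -> example.com.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Does one saved URI, under its match mode, cover the page being viewed?
function uriMatches(saved, pageUrl) {
  let page, entry;
  try {
    page = new URL(pageUrl);
    entry = new URL(saved.uri);
  } catch {
    return false; // unparsable URL: fail closed
  }
  if (page.protocol !== "https:") return false; // policy chosen for this example
  switch (saved.match) {
    case "base":  return baseDomain(page.hostname) === baseDomain(entry.hostname);
    case "host":  return page.host === entry.host;   // one host only, port included
    case "exact": return page.href === entry.href;
    default:      return false;                      // unknown mode: fail closed
  }
}

// An entry is offered when any of its saved URIs matches the page.
function shouldOffer(item, pageUrl) {
  return item.uris.some((saved) => uriMatches(saved, pageUrl));
}

// Constructed vault entry: registered on one domain, signs in on another.
const item = {
  name: "Example newsletter service",
  uris: [
    { uri: "https://example.com/", match: "base" },          // any subdomain
    { uri: "https://sso.example.net/login", match: "host" }, // this host only
  ],
};

for (const page of [
  "https://app.example.com/signin",               // offered (base domain)
  "https://sso.example.net/login?next=/",         // offered (host)
  "https://other.example.net/login",              // not offered
  "https://example.com.account-check.test/login", // lookalike: not offered
]) console.log(shouldOffer(item, page), page);
```

With the legitimate second login domain saved on the entry, a missing suggestion stops being routine, so the lookalike host stands out instead of prompting a manual search.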

[–] ricecake@sh.itjust.works 28 points 5 days ago

It does work there. The unfortunate thing is that so many sites change their login structure often enough that it's not unusual to discover that a site just changed again and you need to update the list.

[–] otp@sh.itjust.works 7 points 5 days ago

Yeah, there are plenty of instances where I'm adding a new URL for a password because the app and the website are too different from each other, or the app changes its login paths...

Or heck, sometimes it's close enough, and with my password manager on my phone, I don't have it auto fill -- I have it auto-suggest. So "Probably a match" and "Exact match" have the same path to entry.

[–] Zorsith@lemmy.blahaj.zone 6 points 5 days ago

Not everyone uses a browser extension for their password manager.

[–] Cyber@feddit.uk 4 points 5 days ago

Depends... if you use an offline password manager (like KeePass), you can ask it to autotype your credentials into anything... if that's what you ask it to do (i.e. it's not a fault)

Main point though: don't reuse the same credentials across different sites.

They'll get 1 site, but not all the rest of them...