• A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
  • Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
  • Hunt has detailed the attack and warned his subscribers in a timely fashion.
  • randombullet@programming.dev · 19 points · 5 days ago (edited)

    Don’t password managers verify the domain name before offering credentials?

    Does that mean he doesn’t use a password manager?

    Edit: RIP, now that’s a proper phishing. I understand where he’s coming from

    • VerPoilu@sopuli.xyz · 60 points · 5 days ago (edited)

      He mentioned that he does and the password manager didn’t prompt to autocomplete the password automatically, so he had to force it.

      The thing that should have saved my bacon was the credentials not auto-filling from 1Password, so why didn’t I stop there? Because that’s not unusual. There are so many services where you’ve registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.

      • sugar_in_your_tea@sh.itjust.works · 24 points · 5 days ago (edited)

        Then add multiple URLs for that entry. You can even have it match on the base domain, so it works on any subdomain, or restrict it to a subdomain.

        I assume that works on 1Password, it works on Bitwarden at least.

        That said, I could see myself making this mistake. I’ve had to manually find entries before for one reason or another (e.g. usually use the app, but access the website this one time).

        • ricecake@sh.itjust.works · 29 points · 5 days ago

          It does work there. The unfortunate thing is that so many sites change their login structure often enough that it's not unusual to discover that a site just changed again and you need to update the list.

        • otp@sh.itjust.works · 7 points · 5 days ago

          Yeah, there are plenty of instances where I’m adding a new URL for a password because the app and the website are too different from each other, or the app changes its login paths…

          Or heck, sometimes it’s close enough, and with my password manager on my phone, I don’t have it auto fill – I have it auto-suggest. So “Probably a match” and “Exact match” have the same path to entry.
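As an added illustration (not code from Bitwarden, 1Password or any of the commenters above), here is a small Python model of the URL-matching rules this sub-thread describes: a vault entry carries several URLs, each with its own match mode (base domain, host, starts-with, exact), and the manager offers autofill only when the current page satisfies one of them. The public-suffix table, the vault entries and every hostname are constructed sample data, and the match semantics are an assumed simplification of what real managers do, not their exact implementation.

```python
"""Model of password-manager URL matching for autofill (added example)."""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: real managers
# ship the full list; this tiny subset exists only for the demonstration).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """Base domain: the longest known public suffix plus one more label.
    'login.example.com' -> 'example.com'; 'alice.github.io' stays as it is,
    because github.io is itself a public suffix (each tenant is separate)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume the last two labels


def matches(stored_url: str, page_url: str, mode: str) -> bool:
    """Does page_url satisfy the match rule attached to stored_url?"""
    s, p = urlsplit(stored_url), urlsplit(page_url)
    if not s.hostname or not p.hostname:
        return False
    if mode == "base_domain":  # any subdomain of the same registrable domain
        return registrable_domain(s.hostname) == registrable_domain(p.hostname)
    if mode == "host":  # exact hostname and port, any path
        return (s.hostname.lower(), s.port) == (p.hostname.lower(), p.port)
    if mode == "starts_with":
        return page_url.startswith(stored_url)
    if mode == "exact":
        return stored_url == page_url
    raise ValueError(f"unknown match mode: {mode}")


def autofill_candidates(vault: list, page_url: str) -> list:
    """Names of the entries the manager would offer on page_url. An empty
    list is the 'nothing auto-filled' signal that the thread is about."""
    return [entry["name"] for entry in vault
            if any(matches(url, page_url, mode) for url, mode in entry["urls"])]


# Constructed sample vault: the first entry has two URLs with different modes.
VAULT = [
    {"name": "newsletter-service",
     "urls": [("https://example.com/login", "base_domain"),
              ("https://admin.example.com/", "host")]},
    {"name": "shared-hosting-site",
     "urls": [("https://me.sites.example-host.net/", "base_domain")]},
]

if __name__ == "__main__":
    for url in ["https://login.example.com/sso",            # legit subdomain
                "https://example-login.com/",                # lookalike: silent
                "https://example.com.evil.org/login",        # prefix trick: silent
                "https://other.sites.example-host.net/"]:    # over-broad match
        print(f"{url:45} -> {autofill_candidates(VAULT, url)}")
```

The first three URLs show the behaviour the thread relies on: a genuine subdomain gets an offer, while a lookalike registered domain or an `example.com.evil.org`-style prefix gets nothing, which is exactly the silence the write-up says was overridden by picking the entry manually. The last URL shows the caveat of base-domain matching: on a multi-tenant host that is not on the public-suffix list, every tenant shares one registrable domain, so the manager would offer your credentials on another tenant's page; for such hosts the host or exact mode is the safer choice.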

    • subversive_dev@lemmy.ml · 15 points · 5 days ago

      This was mentioned in the write-up, the password manager didn’t autofill, but he was too out of it to notice at first

    • SayCyberOnceMore@feddit.uk · 4 points · 5 days ago

      Depends… if you use an offline password manager (like KeePass), you can ask it to autotype your credentials into anything… if that’s what you ask it to do (i.e. it’s not a fault).

      Main point though: don’t reuse the same credentials across different sites.

      They’ll get 1 site, but not all the rest of them…