There are, however, also some users who noticed that the site was a scam and used credentials like NoHacker123 to protest. Another person tried to convert the sinning scammers to Christianity by sending them the password repentnowcauseJesuslovesu
These could also be just real, actual passwords these people used, right?
Having seen a bunch of password dumps, 100% yes, absolutely, these are very likely to be.
Yeah exactly! I’ve seen very similar in password dumps+word lists before.
Their username was also a variation of that or just “test”, so I find it unlikely. But it’s a fun thought of someone trying to repel hackers through a magic password…
Seems like Instagram could detect patterns like this trivially
Until it affects their profit margin or puts them at risk of further regulation, they won’t. Same as Discord.
Discord actually (annoyingly) will ban your account as a precaution if you’re connected to a public network and don’t have 2FA enabled, so it somewhat tries to prevent phishing. I don’t know how well-known that “feature” is but it should scare anyone aware of it into setting up 2FA, which should also somewhat mitigate phishing.
Yes, it should be absolutely possible to detect chains like these and just cut off users' access to private messages when they get suspicious logins.
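One way such a "suspicious login followed by a DM burst" chain could be caught, as an added illustration that is not part of the thread and not any platform's actual logic: a login from an IP the account has never used before, followed within a short window by a burst of link-bearing direct messages, is the pattern the comment describes. The event stream, the known-IP set and the thresholds below are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One account activity record (constructed schema, not a real platform's)."""
    ts: datetime
    kind: str            # "login" or "dm"
    ip: str = ""         # only meaningful for logins
    has_link: bool = False  # only meaningful for DMs


# Assumption: IPs this account has been seen on before (RFC 5737 documentation range).
KNOWN_IPS = {"203.0.113.10"}

T0 = datetime(2024, 1, 1, 12, 0, 0)

# Constructed hijack chain: familiar login, normal chatter, then an unfamiliar login
# immediately followed by six DMs that all carry a link.
HIJACK_EVENTS = [
    Event(T0, "login", ip="203.0.113.10"),
    Event(T0 + timedelta(minutes=1), "dm"),
    Event(T0 + timedelta(minutes=2), "dm"),
    Event(T0 + timedelta(hours=3), "login", ip="198.51.100.77"),
] + [
    Event(T0 + timedelta(hours=3, seconds=20 * n), "dm", has_link=True)
    for n in range(1, 7)
]

# Constructed benign case: unfamiliar login (user on holiday) followed by two plain DMs.
BENIGN_EVENTS = [
    Event(T0, "login", ip="198.51.100.77"),
    Event(T0 + timedelta(minutes=1), "dm"),
    Event(T0 + timedelta(minutes=4), "dm"),
]


def detect_hijack_chain(events, known_ips, window=timedelta(minutes=10), dm_threshold=5):
    """Return (restrict_dms, reason).

    Flags when a login from an IP outside known_ips is followed, within `window`,
    by at least `dm_threshold` DMs containing links. A single unfamiliar login on
    its own is not enough; it is the login-plus-burst chain that triggers.
    """
    events = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(events):
        if ev.kind != "login" or ev.ip in known_ips:
            continue
        link_dms = [
            d for d in events[i + 1:]
            if d.kind == "dm" and d.has_link and d.ts - ev.ts <= window
        ]
        if len(link_dms) >= dm_threshold:
            return True, (
                f"login from unfamiliar IP {ev.ip} followed by "
                f"{len(link_dms)} link DMs within {window}"
            )
    return False, ""


def run_demo():
    """Evaluate both constructed streams; returns the two (restrict, reason) tuples."""
    return detect_hijack_chain(HIJACK_EVENTS, KNOWN_IPS), detect_hijack_chain(BENIGN_EVENTS, KNOWN_IPS)


if __name__ == "__main__":
    for label, result in zip(("hijack", "benign"), run_demo()):
        print(label, result)
```

The action on a hit would be to suspend outbound DMs (not the whole account) until the login is confirmed, which is what the comment proposes; the benign stream shows why the DM burst, not the unfamiliar IP alone, has to be the trigger.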
Vercel need to do better here.
They responded in a few hours and took it down within 24 hours, how would you propose they do it better?
Vercel could look for patterns in the sites they take down in much the same way that anti-spam tools detect common patterns of abuse, and block or flag problematic sites. Perhaps they already do, and this site evaded detection, but the article notes that the criminals “set up the exact same site only about a day later, but under a slightly altered domain name - again on Vercel”.
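The "slightly altered domain name" the comment quotes is exactly the kind of pattern a hosting provider could match against its own takedown history. As an added example (not part of the thread and not anything Vercel is known to run), the check below normalises hostnames and compares each new deployment against a takedown list by edit distance, so a re-registration that only adds a digit or drops a letter is flagged at deploy time. The takedown entries and candidate hostnames are constructed placeholders under `.example`, not real domains from the article.

```python
# Constructed takedown history (placeholder hostnames, not the ones from the article).
TAKEDOWN_LIST = [
    "instagram-verify-login.example",
    "ig-support-help.example",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case and strip separators so 'ig-login.example' and 'iglogin.example' compare equal."""
    return "".join(ch for ch in host.lower().strip(".") if ch.isalnum())


def flag_lookalikes(candidate: str, takedowns, max_distance: int = 3):
    """Return [(taken_down_host, distance), ...] for every prior takedown within max_distance.

    An empty list means the candidate does not resemble anything previously removed.
    """
    norm = normalize(candidate)
    hits = []
    for prior in takedowns:
        dist = levenshtein(norm, normalize(prior))
        if dist <= max_distance:
            hits.append((prior, dist))
    return sorted(hits, key=lambda h: h[1])


def review_deployments(candidates, takedowns=TAKEDOWN_LIST):
    """Map each new hostname to its lookalike hits; the caller decides hold-for-review vs publish."""
    return {c: flag_lookalikes(c, takedowns) for c in candidates}


if __name__ == "__main__":
    # Constructed new deployments: two near-copies of a removed site, one unrelated project.
    new_sites = [
        "instagram-verify-login2.example",
        "instagram-verfy-login.example",
        "weather-dashboard.example",
    ]
    for host, hits in review_deployments(new_sites).items():
        print(host, "->", "HOLD FOR REVIEW" if hits else "ok", hits)
```

Edit distance on its own will also catch legitimate near-duplicates, so in practice this would gate a deployment for human review or a brand-term check rather than block it outright; the point is that the second site in the article differed from the first by about this much and could have been held before it went live.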
This is not the first time I’ve seen Vercel used like this.
Glad they took it down but doesn’t the article say that another Vercel domain popped up soon after?