Someone found my passwords from Firefox password manager.
Three weeks ago someone gained simultaneous access to my Amazon account, my eBay account and my Email. There is no way they could have done this without knowing the passwords for the three accounts, none of which is written down anywhere, and none of which I ever key in because I use the password manager on Firefox to fill them in automatically. Unless someone knows differently my only possible conclusion is that the passwords were obtained via the Firefox password manager. Fortunately Amazon, eBay and my email provider have systems vigilant enough to spot the intrusion, warn me and freeze my accounts before any damage was done. But as a longtime Firefox user I am very concerned at this apparent breach of security. Has anyone from Mozilla or elsewhere any comment to make?
All Replies (10)
It is very unlikely that the passwords were taken from your password manager. The accounts were likely compromised by taking your e-mail account first, and then using that e-mail account to compromise the Amazon and eBay accounts.
If the password manager was breached, then it was likely because of malware. Scan with www.malwarebytes.com to check.
Are you using a master password?
Are you using strong and unique passwords for all these websites?
Thanks, but I don’t see how penetrating my email would allow them to log in to my Amazon or eBay accounts. But I’m no expert. Maybe someone can explain that to me. I run Malwarebytes regularly, and all these passwords are strong and unique. I don’t use a master password - until I read your reply I didn't know there was such a thing. Maybe I will use one in future. But I see Mozilla recommends this if you share a computer with someone, and I don't. In any case I’m thinking the risk of letting someone else look after my passwords is not worth the payoff of easy login. Even if I ended up writing them all down, at least I would know where they were.
I posted that link because if you scroll down there is some good advice present. If you care about security then you should use a master password, even if you are the only user on the computer. Passwords can easily get compromised if you get malware on your computer because without a MP you would only need to access logins.json (encrypted logins) and key4.db (encryption key) to see all the passwords.
cor-el, thanks very much for your help and advice. Believe it or not I've been using browsers for decades without realising that saved passwords weren't stored somewhere mysteriously safe but could easily be read by anyone with open access to my computer - unless there was a MP in place. I wouldn't be surprised if 90% of ordinary computer users don't know this either. I have set up a master password and so should everyone else, but I wonder how many have done so? The web is full of people urging me to install password management software, but until now nobody has offered this simple and obvious piece of advice. I don't know (though I can guess) why this isn't emphasised - or even required - when a browser is installed or first told to remember a password.
Hi, do know that if you lose your master password and have to reset it, or Firefox crashes to the point that it does not remember anything, there is no way into your passwords. Please note this reason: https://www.howtogeek.com/338209/you-should-turn-off-autofill-in-your-password-manager/ Note there are alternatives: https://addons.mozilla.org/firefox/addon/norton-identity-safe/ https://addons.mozilla.org/firefox/search/?platform=mac&q=password%20manager This is very relevant and I noticed you brush it off: https://monitor.firefox.com/ You should not, as once in they can hound you for 10 yrs or more (experienced). Glad you decided on a course of action.
I didn't mean to brush off password managers, just to say that the master password is something every user should be made aware of. I'm considering LastPass. Thanks for the links which provide much food for thought. There's much online anxiety and panic-mongering about security these days (some of it justified, some less so) so it's useful to get a clearer view of things.
Oh... sorry if I gave that impression. Just making awareness and letting people figure out themselves what works for them.
pen & paper & memory myself
No, I wasn’t talking about you, just generally. Pen & paper (highly coded) & memory is what I've been using too. Logically, that seemed to be enough, until it wasn't. Still don't know how they got those passwords though. It's a learning curve. Most grateful for your help and enlightenment.
johnbax said
No, I wasn’t talking about you, just generally. Pen & paper (highly coded) & memory is what I've been using too. Logically, that seemed to be enough, until it wasn't. Still don't know how they got those passwords though. It's a learning curve. Most grateful for your help and enlightenment.
Here's the thing: using the same login and password will ensure they find out sooner than later. Also, LastPass has been broken into already, if you read previous news reports on how LastPass was breached. I recommend another, better one: KeePass. This one you can put on USB with a Master Password and install another version on your computer; both sync and have the same Master Password. This is what I use, so even if you lose the USB, unless they can hack the password, if you make it hard for even a child to guess, then they will not make the effort to try. Most times people click on links or a site looking like the legit site and give the login and password without even looking at the actual URL. That would be a dead giveaway it's not your site. So before giving your login/password, look at the URL or hover the mouse over it, and you will see it is like ***.cn or ***.ru ... ****.cc; something like that should RED FLAG you. Best course: if you don't know, don't click on it; open a new tab and go directly to the site, and if there is a problem you will see it at your, for example, banking site.
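Added example, not part of the thread: the "look at the actual URL" advice in the last reply, written as a check on the host a browser would really connect to rather than on the text that appears in the link. The trusted-site list and the sample links are constructed for illustration and use reserved `.example` names.

```javascript
// Added example. TRUSTED_SITES is an assumption: the sites you hold accounts with.
const TRUSTED_SITES = ["amazon.com", "ebay.com"];

// Classify a link by the host the browser would actually connect to.
function checkLink(link, trusted = TRUSTED_SITES) {
  let url;
  try {
    url = new URL(link); // same URL parsing rules a browser applies
  } catch {
    return { host: null, verdict: "reject", reason: "not an absolute URL" };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (url.protocol !== "https:") {
    return { host, verdict: "reject", reason: "not HTTPS" };
  }
  // Trusted only on an exact match or a real subdomain (note the leading dot).
  const site = trusted.find((s) => host === s || host.endsWith("." + s));
  if (site) {
    return { host, verdict: "ok", reason: "belongs to " + site };
  }
  // Everything before "@" is userinfo, not the host.
  if (url.username) {
    return { host, verdict: "reject", reason: "text before @ hides the real host" };
  }
  // A trusted brand name inside an untrusted host is a lookalike.
  const lure = trusted.find((s) => host.includes(s.split(".")[0]));
  return { host, verdict: "reject", reason: lure ? "imitates " + lure : "unknown site" };
}

// Constructed sample links (reserved .example names, not real sites).
const SAMPLES = [
  "https://www.amazon.com/gp/css/homepage.html",
  "https://amazon.com.signin.example/ap/signin",
  "https://www.amazon.com@login.example/",
  "https://notebay.com/",
  "http://www.ebay.com/",
];

// One result per sample link: the real host, the verdict and the reason.
function report() {
  return SAMPLES.map((link) => ({ link, ...checkLink(link) }));
}

console.log(report());
```

The second and third samples both show the trusted name at the start of the link, yet the host that receives the password is `amazon.com.signin.example` and `login.example` respectively.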