Shipment Tracker Site Security Warning / Suggestion: Ability to change/hide name


#1

This is a WARNING to all of the users of the DIY shipment tracker site, as well as a suggestion for the maintainers of the site (I’m not sure if that’s a third party, or the Soylent team’s responsibility).

My username on the site happens to be the same username that I use for a bunch of other sites (some more important than others), and as soon as I made my tracking info available on the public list, I got e-mails from my bank and other sites informing me that my account had had ~~its security breached~~ a security warning on it. My bank forced me to reset my password and other information, and other sites did something similar, as well.

So, this is a warning to everyone who is displaying their information on the shipment tracker publicly: Make sure your username is not used anywhere else, because malicious users are using the usernames on that site and attempting to gain access to other sites such as banks and e-mail accounts.

And to the maintainers of the site: Please add either an option to change your username, or at least change the name that is displayed on the shipment tracker (or just have a flag/checkbox so that it can say “Anonymous” instead of your username).

I really want to put my tracking info out there so that other people can benefit from it, but not at the cost of my personal data’s security. For now, my entry is marked “Hidden”.


#2

You’ve probably already done this, but be sure to check your computer for malware/keystroke loggers, etc.


#3

I use the same username across every site I’ve ever joined, since forever. I don’t think it’s anything to do with being tied to this site. 😛


#4

This is the ID I use for most social interactions on the net. If you do a search on it, you might find all the other boards I belong to and partake of the mixture of drivel and wisdom that constitutes my net presence.

My bank, however, uses the number on my bank card as my ID and I supplement that with a password. Ditto with other financial stuff. When I do have a username for other financial stuff, it is not this one. I’m not worried about having my ID on the tracker.

Eve


#5

The username I use for most sites was taken, so I had to use my “backup” username which I sometimes use for more “important” sites. I knew it was the tracker because as soon as I put my entry up, later that day my bank alerted me to a potential security threat on my account, so I promptly removed my listing from the tracking site. I didn’t have any other new accounts created with that name online, this was the only one, so it had to be the culprit.

I guess I just want people to be aware that there are malicious users monitoring the shipment tracker (as with anything online), so if your username is the same on a more important site, you might consider hiding your entry.


#6

I think a really big lesson to learn is to use a different password for every site.


#7

Oh, the password is different - it just tripped the bank’s security system because someone attempted to log in a bunch of times and it failed.

But yes, I agree 100% - never use the same password for more than one site. There are techniques out there to help you remember different passwords, or there are services like LastPass.


#8

I use a program to manage passwords, and ALL sites I log in to have long and nasty passwords. Good luck figuring out mine for here.


#9

Darn Russians!

20 chars


#10

Actually, I highly recommend avoiding LastPass like the plague. If you hadn’t heard, LastPass has a couple of massive security issues that were in place for a year that kind of made it worthless. Their response was a subtle blog post with a non-descriptive title. And to me, that is the biggest red flag.

You might look into 1Password or PasswordSafe instead.


#11

If it had been malware/logger, he wouldn’t have got a warning, but simply lost his account/data/stuff.


#12

I still use LastPass. The two issues they had were with ‘bookmarklets’ and one time passwords, neither of which I’ve ever used.

The security issues weren’t in place for a year, but were fixed a year ago. LastPass didn’t mention it until a year later. They said that since they had patched the problems they didn’t want to go public with it until the guys who found the vulnerabilities published their results.


#13

You are right, of course. However, this is what was stated in his original post:

That would seem to suggest that passwords had been compromised as well as usernames. It was only in later posts that we discovered this was not the case.


#14

Sorry for the confusion, you are correct. I’ve edited my post.


#15

I feel for you @SpikeX. It is a huge violation when someone attempts to steal your private information and your hard-earned money. Thanks for the heads up. It’s always good to be reminded to keep vigilant in this area.


#16

I don’t use lastpass.