ewenjo's comments

Watch Together is also being removed


Which got a lot of people (including me, also a lifetime subscriber) in this thread absolutely livid: https://forums.plex.tv/t/allow-watch-together-for-tv-shows-m...

(We were begging for them to fix the functionality of watch together for almost 5 years)


> Investigating - Cloudflare is aware of, and investigating, an issue which potentially impacts multiple users that use 1.1.1.1 public resolver. Further detail will be provided as more information becomes available.

https://www.cloudflarestatus.com/


Yeah, I was looking around, but saw no mention of it anywhere until I realized it just happened.


Just noticed the site now alerts this:

> Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!


Joke's on them... I'm already on HIBP countless times...


It's all good, as long as you're not in that recent AI Girlfriend breach which exposed a ton of users who were trying to coax it into generating CSAM images.

https://x.com/troyhunt/status/1843788319785939422


“I went to the site to jerk off (to an adult scenario, to be clear) and noticed that it looked like it [the Muah.ai website] was put together pretty poorly,” the hacker told 404 Media. “It's basically a handful of open-source projects duct-taped together. I started poking around and found some vulnerabilities relatively quickly. At the start it was mostly just curiosity but I decided to contact you once I saw what was in the database.”

What a nice guy.


True penetration testing.


Well, only success with one kind.


Not sure if you're being sarcastic or not, but pentesting is not a particularly evil activity — and you often have to look at data to see if you actually found something.

What is evil is the way that he's ensured that the predators in the dataset will never face any consequences by making the data available to HaveIBeenPwned, making it trivial for predators to protect themselves (the method through which this is possible intentionally left as an exercise for the reader), and making the data available to a news website for...some reason, but it's bound to ensure that the vulnerability will be patched out quickly and no one else will be able to access the data.

I find it much more likely that this hacker who sought out a website for uncensored AI erotica isn't actually a good guy, and might even have something to hide within the dataset. Hopefully, I'm wrong and we'll see more of this.


How would that protect predators?


Did you miss the joke? Parent poster means penetration as in penetrative sex


I'm also on HIBP over 10x. What are we supposed to do? Create a new email address for every service we sign up for?

I don't know what the best practice is for keeping our personal data safe anymore.


> Create a new email address for every service we sign up for?

Exactly that, yes! Various services like iCloud or Proton offer "hide-my-email" addresses, or you can use any email service and just leverage a dedicated email aliasing service like SimpleLogin (paid but cheaper).

This way your email addresses are always random, and since these are shared services, the fact that it's random doesn't identify you either. In Proton's / SimpleLogin's case, you can even set the display name used and email first, so from the outside it's not going to appear as strange, or have any real limitations.

If you think about it, modern email services don't really allow for easily testing if an email address is valid or not, so pretty much the only way your email is ever found out is if you share it on. So never share it on. Always share an alias instead. With automated systems, you may even want to rotate it every so often, so that if there's a leak, you can identify not just who leaked, but also roughly when.

Fixed identifiers, like an email address, are terrible, as their lifetime is always significantly longer than whatever context they're being used for.


Using unique email addresses makes phishing attempts extremely obvious…

(No, this official looking email from my bank is fake since it was sent to Grocery@my.domain …)


I get a ton of "This is your email administrator -- your email password needs to be reset" to github@mydomain


Hey at least after they fill your account up with spam they also send you warnings that you are running out of space.


Truly unique email addresses and passwords per service is the strongest approach, but there may be alternatives. For instance, Gmail allows address+tag@gmail.com, which will save you from the lowest hanging fruit (block the +tag when it’s compromised to prevent the laziest spam from reaching you). iCloud also allows automatically generating a new email address that forwards to your inbox for a new account when using iCloud Keychain (possibly when using other password managers too, but I haven’t tried).
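As an added example (not code from any commenter, nor from SimpleLogin, iCloud or Gmail), here is a small Python alias registry that does what the comments above describe: mint a random alias per service together with the date it was handed out, trace an address found in a breach dump back to that service and roughly when it was issued, and, for contrast, show why a `user+tag@` address tells you nothing once the sender strips the tag. The domain `alias.example`, the in-memory store and the dump addresses are constructed placeholders.

```python
import re
import secrets
from dataclasses import dataclass
from datetime import date

# Assumed alias domain for this example; stands in for a real aliasing provider.
ALIAS_DOMAIN = "alias.example"


@dataclass(frozen=True)
class AliasRecord:
    service: str   # who the alias was handed to
    issued: date   # when it was handed out, so a leak can be dated roughly


class AliasVault:
    """Registry of random per-service aliases (constructed, in-memory store)."""

    def __init__(self):
        self._records = {}

    def issue(self, service, issued_iso):
        """Mint a fresh random alias for `service` and record the ISO issue date."""
        address = f"{secrets.token_hex(6)}@{ALIAS_DOMAIN}"  # 12 lowercase hex chars
        self._records[address] = AliasRecord(service, date.fromisoformat(issued_iso))
        return address

    def trace(self, address):
        """Map an address seen in a breach dump back to its record, or None."""
        return self._records.get(address.strip().lower())

    def audit(self, dump):
        """For a leaked list of addresses, return {service: issue date} for every hit."""
        hits = {}
        for addr in dump:
            rec = self.trace(addr)
            if rec is not None:
                hits[rec.service] = rec.issued
        return hits


_PLUS = re.compile(r"^([^+@]+)\+([^@]+)@(.+)$")


def plus_tag_service(address):
    """Recover the service from a 'user+service@domain' address.
    Returns None when the tag is absent, which any sender can arrange by
    dropping it, so this scheme only catches the laziest spam."""
    m = _PLUS.match(address.strip().lower())
    return m.group(2) if m else None


def _demo():
    vault = AliasVault()
    shop = vault.issue("shop", "2023-05-01")
    vault.issue("forum", "2024-01-15")
    # Constructed breach dump: one of our aliases appears, with its case mangled.
    dump = ["bob@example.org", shop.upper(), "nobody@alias.example"]
    print(vault.audit(dump))                      # {'shop': datetime.date(2023, 5, 1)}
    print(plus_tag_service("me+shop@gmail.com"))  # shop
    print(plus_tag_service("me@gmail.com"))       # None: tag dropped


if __name__ == "__main__":
    _demo()
```

Running the script traces the mangled alias back to the "shop" signup and its issue date, while the plus-tag lookup succeeds only as long as the sender keeps the tag, which is the weakness the replies below this comment point out.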


Gmail's +tag (and the .) is nice in theory, but terrible in practice. It's super easy for malicious actors to just drop them and there are a few services out there that simply are not able to work with the +tag, potentially getting you locked out of your own account. Not Gmail's fault, but I would recommend against using it.


> Create a new email address for every service we sign up for?

Yes! Just get a domain and have every email to it go to you. Mine is something like “@super-secure-no-viruses.email”


There are probably people that would sign up for such a mail. Like urlify.io and other similar URL "shorteners".


Yep. ~300 addresses on my domain, 0 breaches across all of them on HIBP domain search over >6 years.

I guess internet security is not as bad these days. :)


Password manager + unique password per site + 2FA for anything of value.


And my SSN's probably available for purchase with 9 types of crypto, too.


I assume that if this is a bad actor, then account email/name will be leaked?


Is it a genuine alert, or hacking artifact?

Sometimes with friendly / attempt-at-humorous error messages it’s difficult to tell


I feel like it's safe to assume the official Internet Archive would not write a "friendly"/attempt-at-humorous/unprofessional/confusing/delivered-by-popup message advertising a devastating security breach. Oh also while announcing that nowhere else.

Obv an attacker's ability to insert a message does imply a breach beyond a DoS. But I am pretty confident that message was not from the IA.


It's a literal window.alert()


But was that code placed there by IA or by the malicious party?


Verge reports someone has taken credit for an ongoing DDoS against IA. "An account on X called SN_Blackmeta said it was behind the attack and implied that another attack was planned for tomorrow" https://www.theverge.com/2024/10/9/24266419/internet-archive...


Ok, let's switch to that link. Thanks!

Submitted URL was https://archive.org/.


The verge generally is clickbait, another site choice would have been better.


That class of sites generally is, yes. But on HN we go by article quality, not site quality (https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...) and I didn't see a better specific article on this. If there is a better one, we can change the link again.


This bad actor has videos of them supposedly “ddosing” Spotify by pinging 1.1.1.1 in two terminal windows on their Twitter.

Is there any link between them and the real attack or are they just unrelated people claiming credit for it?


Sounds snarky to me. I'll bet it was the malicious party.


it wouldn’t be a window.alert if it were IA


Merry Christmas!


Interested if still available :)



Apparently Fastly was having issues which affected a lot of sites



Ah no wonder Stackoverflow wasn't loading but HackerNews was. I thought I was having trouble with my corporate firewall...


Correct. It auto copies the code if the TOTP secret key has been set for that item.


Bitwarden's TOTP only runs on Android/iOS and not the Mac app?


Appears to only have been a minor outage.

