New Security Measures

That happened to me so I logged out and had BeerAdvocate email me a password reset link when I tried to log back in.

 

luckily, I was able to reset my password through the existing email address After a password reset, seem to be fine now.

Jeremy

 

How did the system send a reset link to an email address that is no longer valid? Did you contact BA directly with your new email address?

 

My only problem is I have God know how many passwords & the only real way I can keep up with them is to violate security on another device/level. At at least I no longer sweat the UCMJ piece. My mind was sharp enough to keep up with all that THEN

 

There's an app for that!

 

I'd find a way to F that up

 

A followup to this question. So we can change our passwords elsewhere but someone has had our passwords for 8 years ? Just trying to understand thank you

 

I hear you. I keep all my non-work related passwords on LastPass.

 

I made my account fairly well after the data breach in 2012-2013, and I joined I think either late 2017 or early 2018. Am I still at risk?

 

SMS (text message) 2FA is insecure as all hell. There are multiple ways to "steal" a phone number and then intercept the SMS. Amazon, Google, and many other places offer superior forms of 2FA (authenticator app). Sadly, many many financial institutions are really slow to get on this train, which is awful since they are the places I most want 2FA. (I really don't care about random forums, I just use long generated passwords that look like line noise...)

LastPass, or even better, BitWarden, both have free options for password storage.
For 2FA generators, Authy is fantastic (and you can use it from multiple devices, like your phone and your tablet and even a computer if you don't mind that small compromise in security).

 

When you say that you “recently” became aware of the breach that began approximately 8 years ago how recent are you talking? When you became aware of the breach and when you disclosed it to users matters.

Also, what’s the name of the third party cyber security firm you used to investigate the breach so we know they’re reputable?

 

Best practice for a breach of this stuff type is to force a password reset. Although it's nice to think that they only have the users in mind, they also also have to think of what may have been compromised beyond that. They have to protect themselves and the easiest way is to cut off access to everyone and force them to re-authenticate

 

Done did it!
I think.................

 

2FA would be overkill, please don't. Some will find that too much of a hassle and leave if they have to sign-in much. Same thing for timing out passwords - the latest security best practices say not to time them out, or at least make it a couple of years. Timing out often increases the chances that folks will write them down or use the same password everywhere. Just force some basic complexity (8+characters, one special character, one number, one upper-case). We're not doing our banking here.

 

what if we no longer use the email address we used to create our account?