Today I got an email using a template that has been making the rounds.
"I greet you!
I have bad news for you.
27/08/2018 - on this day I hacked your operating system and got full access to your account %EMAIL%
On that day your account (%EMAIL%) password was: %PASSWORD%"
I've had a few of these to services that I know have been breached like dropbox.com and easycontentunits.com but today is the first I have seen for fold.it.
The email address used was only ever provided to fold.it and has never been reused.
The password was the password used to secure my account. In other such cases I've had the attacker show an MD5 hash of my password (easycontentunits.com), but here it was plaintext, suggesting that fold.it are not storing passwords in a hashed and salted secure manner. Admittedly my password here was only 8 characters, so it could have been brute-forced.
My question is were fold.it aware of a breach previously? Did it communicate this to its userbase?
Thanks
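As an added example (not code from the original post or from the Foldit project), a small Python triage check for the template quoted above: it flags a message by its wording, pulls out the claimed date and the quoted credential, and compares that credential against your own old passwords as SHA-256 digests so no plaintext list has to be kept. The sample messages and the address victim@example.org are constructed.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample messages (not real mail); the first follows the quoted template.
SAMPLE_EXTORTION = (
    "I greet you!\nI have bad news for you.\n"
    "27/08/2018 - on this day I hacked your operating system and got full "
    "access to your account victim@example.org\n"
    "On that day your account (victim@example.org) password was: hunter2!\n"
)
SAMPLE_BENIGN = "Hi, your Foldit puzzle 1234 has closed. Thanks for playing!"

# Wording lifted from the template; two or more hits count as a match.
TEMPLATE_PHRASES = (
    "i have bad news for you",
    "i hacked your operating system",
    "got full access to your account",
    "password was:",
)
DATE_RE = re.compile(r"\b(\d{2}/\d{2}/\d{4})\s*-\s*on this day", re.I)
CRED_RE = re.compile(r"account \(([^)\s]+)\)\s*password was:\s*(\S+)", re.I)

@dataclass
class Verdict:
    is_template: bool
    claimed_date: Optional[str] = None
    email: Optional[str] = None
    password_sha256: Optional[str] = None  # store a digest, never the plaintext

def digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def analyze(body: str, min_hits: int = 2) -> Verdict:
    """Classify one message and pull out the claimed date and credential."""
    text = body.lower()
    if sum(phrase in text for phrase in TEMPLATE_PHRASES) < min_hits:
        return Verdict(False)
    date = DATE_RE.search(body)
    cred = CRED_RE.search(body)
    return Verdict(True, date.group(1) if date else None,
                   cred.group(1) if cred else None,
                   digest(cred.group(2)) if cred else None)

def quoted_password_is_known(verdict: Verdict, known_digests: set) -> bool:
    """True if the quoted password matches one of your own old passwords."""
    return (verdict.password_sha256 is not None
            and verdict.password_sha256 in known_digests)
```

A match against a known old password tells you which credential set leaked, not which site it leaked from; the message itself never names the service.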
We're investigating this right now and will get back to you ASAP.
Thanks - for reference, ignore the date offered in the email for any investigation. Supposedly this is the same day I was 'attacked' via easycontentunits.com. My dropbox.com account was supposedly 'hacked' on the 11th of August this year, when in reality it was ~June 2012.
When was the last time you had the client installed or played?
Also, as a note, we do store hashed passwords, not plaintext. Is it possible you have malware on your machine?
Possible but unlikely. I don't think I ever installed it. I signed up in 2008 and haven't used it since. That would have been many systems ago. I track all 'spam' as I'm anal and use a unique email address for everything.
This is the first time since Tue, 13 May 2008, 09:02 that this email address has been used.
Thanks for the heads up. Checking my spam folder, I found that I received the same email to the email address I use for foldit. However, the password provided in the email was my original password for my foldit account (created Oct 2011), which I changed at least a year ago (maybe 2 years ago, I don't remember). The hacker must have gotten the passwords some time ago, or perhaps this hacker recently acquired a collection of passwords that was actually harvested some time ago.
I should note that the email does not mention fold.it or my foldit account name anywhere. Because I occasionally re-used passwords in those days, it is possible they got this password from some other old account on some other site. Unlike Chimp, I do not use unique email addresses, so I can't confirm that this password was acquired from foldit.
As Loci said, my *.ir_user file does contain my current foldit password in plain text.
I have received a similar mail, which in effect is an extortion attempt for bitcoins. A very old password was listed, which may or may not have been an old foldit password. I searched my records, and I did use the e-mail address in a reply to an authorship request e-mail from the gmail address of foldit; it is not the account e-mail.
I am aware that old account data of various large firms was obtained years ago and my e-mail address and password may have been linked to those instead. In any case, do NOT pay as the claims in the mail are bogus.
As it is an extortion attempt I have reported it to the police.
Not sure what's going on, but I haven't received any email of this type.
If this is widespread, I suspect others would have reported it.
Foldit does store your password locally and unencrypted, if you allow it. There's a file 0000nnnnnn.ir_user, which contains your Foldit screen name, and optionally, password in cleartext. That wouldn't give the attacker an email address, however (unless you used your email as your screen name).
Similarly, browsers may store a password for fold.it, supposedly in a secure form. Once again, the combo would be screen name + password; it's hard to see them coming up with the email address without manual intervention.
I'll let the Foldit team know that there may be a problem.