Old Freeper Accounts Hijacked?

Original Content | 03/16/2025 | By Laz A. Mataz

[Lazamataz]

I've noticed, over the years, that very old Free Republic accounts, accounts that have been inactive for months or years, suddenly reactivate.... but their politics are suddenly suspect.

Be they Zeeper-oriented (that is, super-favorable to Ukraine) or, conversely, super-favorable to Russia, or even suddenly-liberal... these accounts reactivate with a flurry of posts that are contrary to conservatism.

Are these real Freepers who have had a change of heart about their politics? Are these real Freepers who feel the need to jump on the forum with propaganda and support for one side or the other per the Ukraine/Russia war?

Or are these hijacked accounts?

People will recall some time back, quite a few accounts of active Freepers were hijacked. It created a bit of a problem. When all was said and done, the accounts were returned to their rightful owners, and the site owner (and his moderator crew) pointed out that their passwords were very easy to guess. He instructed people to have stronger passwords.

I also have a friend on Facebook who no longer participates in the forum, but still reads it, who has seen a Freeper posting who he happens to know has been dead for more than a decade.

The problem is, we have far too insecure a login process, and enemies of the forum have been exploiting that.

At the login page, you can attempted unlimited login attempts. This will allow simple brute-force password cracking.

Also, the Forget Password option sends an email with your password in clear text. Emails can easily be sniffed with the right techniques. Passwords can easily be cracked that way.

My suggestions to mitigate these critical security concerns are:

1. -- Limit login attempts to five, after which the account is suspended until unlocked. What unlocking consists of can be anything. One suggestion is that the account is auto-disabled for a day. That means a hacker will only get five brute-force attempts in any given 24 hour period.
2. -- Install two-factor authentication, in which a text number is sent to a phone the user possesses.
3. -- Emails for Forget Password should not send the actual password, but instead, a link to a page on FR that allows a reset of the password.

These relatively-simple security changes will stop account-hijacking.

[madison10]

Same. It is like we have a leak.

[bankwalker]

... invariably, their profile shows them joining between 1998 to 2002.

A newer account can have the signup date modified with the simplest of SQL statements. I wonder how many people actually have access to do that.

[Lazamataz]

This year was the first time I was called nasty stuff. I don’t think it was warranted. I thought it was against the rules. The person should have been zotted, but wasn’t.

Speaking of being called nasty stuff, on this VERY THREAD I was accused of fanciestism.

I am a member of AntiFancy, so this was wounding to me.

[bankwalker]

every combination doesn’t need to be tried ... only until you get a hit ...

[Lazamataz]

A newer account can have the signup date modified with the simplest of SQL statements.

Sure, but I'm fairly certain that SQL injection is covered here.

[GingisK]

Hey! It took over a year to convince JR to let me back on. This is really me.

[madison10]

I know! That is disgusting! You are not in the least fancy.

[Lazamataz]

Um, holy crap. Grok analyzed my sarcastic and irreverent style rater well. That, frankly, amazes me.

[bankwalker]

how many people have access? mods, etc.?

[Lazamataz]

Hey! It took over a year to convince JR to let me back on. This is really me.

How can we be sure you are you? You could be a fanciest.

[telescope115]

I have a strong password generated by Apple iOS so I feel relatively safe.

[Slings and Arrows]

I just changed my password to something tougher. Thanks for the heads-up.

[Kudsman]

That is hysterical. Laz is making unfancy fancy.

[OwenKellogg]

A little scary.

[linMcHlp]

BTW, I think that the sign-on username should not be the Freeper name.

Meaning, I much prefer using a password generator to create each of:

- account username
- account password

Thus, both of those, are known only to the account holder.

[BipolarBob]

Congratulations Laz! You outed one with very little trouble. The quick temper and illogic reasoning are sure signs. We'll keep an eye for ol' No. 7.

[Lazamataz]

I just changed my password to something tougher. Thanks for the heads-up.

That's great, but be aware, your password can be sent to you IN CLEAR TEXT by email. Emails go through a lot of hands before you get it, and at any step, the email can be sniffed, and your password compromised. This is why I'm advising JohnRob to, instead, do password-reset links in emails. Maybe also password-recovery questions, like "What was the name of your first cat" and stuff like that.

[Nik Naym]

“Within a day, I suddenly ‘bought’ Air Italia airline tickets and several expensive suits in Milan.

I’ve never been to Milan.

Lucky you. I never could afford a cool Italian suit. See, you really ARE a fanciest.

[Lazamataz]

BTW, I think that the sign-on username should not be the Freeper name. Meaning, I much prefer using a password generator to create each of: - account username - account password Thus, both of those, are known only to the account holder.

Great idea! Thanks!

(However, that might be a heck of a lot of development work)

[BipolarBob]

Traitor! You’ve given everyone my passwords. I’m screwed.