Ally suddenly asking to input new password

radiowave
Posts: 3352
Joined: Thu Apr 30, 2015 5:01 pm

Ally suddenly asking to input new password

Post by radiowave »

I tried to log in to Ally this morning and after the usual login/password it stopped and asked me to enter a new password and confirm. Same thing happened on my phone app. I didn't get an email from them, wondering if this is some malicious attempt to take over my account. Anyone else seeing this?
Bogleheads Wiki: https://www.bogleheads.org/wiki/Main_Page
sapphire96
Posts: 193
Joined: Fri Jun 16, 2017 8:08 pm

Re: Ally suddenly asking to input new password

Post by sapphire96 »

I had to insert in a new password as well, but strangely it took my old password.
Keep interest as your friend, not your foe. | Use money as a tool for bettering your life, not squandering it. | Stay the course, don’t deviate from it.
Nyc10036
Posts: 1673
Joined: Wed Oct 05, 2016 6:29 pm

Re: Ally suddenly asking to input new password

Post by Nyc10036 »

I no longer have any assets with Ally, but my account is still open.

I logged in just now and no problems.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally suddenly asking to input new password

Post by Marseille07 »

I saw this about a week ago and changed my password accordingly. No email from them.

There's no malicious attempt from them, but it's possible they got hacked and secretly asking those who were impacted.
rantk81
Posts: 356
Joined: Tue Apr 18, 2017 8:12 am

Re: Ally suddenly asking to input new password

Post by rantk81 »

Reviving this old thread. I just got a letter in the mail from Ally saying that our usernames and passwords were exposed to 3rd parties due to a "programming code error." I bet this is why they are forcing everyone to change their password.

A big question in my mind is: Were our passwords actually exposed in clear-text to the 3rd parties? Or just the hashes? Did they get any other information? I've noticed a big up-tick in spam to my primary email account recently -- maybe that's related, maybe not. Also, it would be nice if Ally were to actually list what the names of the 3rd parties are?
midareff
Posts: 7711
Joined: Mon Nov 29, 2010 9:43 am
Location: Biscayne Bay, South Florida

Re: Ally suddenly asking to input new password

Post by midareff »

rantk81 wrote: Sun Jun 20, 2021 6:48 am Reviving this old thread. I just got a letter in the mail from Ally saying that our usernames and passwords were exposed to 3rd parties due to a "programming code error." I bet this is why they are forcing everyone to change their password.

A big question in my mind is: Were our passwords actually exposed in clear-text to the 3rd parties? Or just the hashes? Did they get any other information? I've noticed a big up-tick in spam to my primary email account recently -- maybe that's related, maybe not. Also, it would be nice if Ally were to actually list what the names of the 3rd parties are?
Thanks... no letter but just updated anyway from an abundance of caution. They probably don't know who the third parties could be but dates of exposure or breach might be included as well.
rantk81
Posts: 356
Joined: Tue Apr 18, 2017 8:12 am

Re: Ally suddenly asking to input new password

Post by rantk81 »

Yeah, I should have noted it in my first reply -- but the date of the occurrence was mentioned as April 12, 2021 in the letter they sent me.

I changed both my username and password (again) this morning, just to be safe.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Ally suddenly asking to input new password

Post by anon_investor »

Marseille07 wrote: Sat Apr 17, 2021 11:10 am I saw this about a week ago and changed my password accordingly. No email from them.

There's no malicious attempt from them, but it's possible they got hacked and secretly asking those who were impacted.
Weird, I got no letter and I was able to login on my phone with no prompt to change my password, maybe I should change mine now...
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally suddenly asking to input new password

Post by Marseille07 »

anon_investor wrote: Sun Jun 20, 2021 11:39 am
Marseille07 wrote: Sat Apr 17, 2021 11:10 am I saw this about a week ago and changed my password accordingly. No email from them.

There's no malicious attempt from them, but it's possible they got hacked and secretly asking those who were impacted.
Weird, I got no letter and I was able to login on my phone with no prompt to change my password, maybe I should change mine now...
This was a couple of months ago. I was speculating then since only few users got prompted to change their password.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Ally suddenly asking to input new password

Post by anon_investor »

Marseille07 wrote: Sun Jun 20, 2021 11:49 am
anon_investor wrote: Sun Jun 20, 2021 11:39 am
Marseille07 wrote: Sat Apr 17, 2021 11:10 am I saw this about a week ago and changed my password accordingly. No email from them.

There's no malicious attempt from them, but it's possible they got hacked and secretly asking those who were impacted.
Weird, I got no letter and I was able to login on my phone with no prompt to change my password, maybe I should change mine now...
This was a couple of months ago. I was speculating then since only few users got prompted to change their password.
Only saw this now, I just changed my PW now, just in case.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally suddenly asking to input new password

Post by Marseille07 »

anon_investor wrote: Sun Jun 20, 2021 11:50 am
Marseille07 wrote: Sun Jun 20, 2021 11:49 am
anon_investor wrote: Sun Jun 20, 2021 11:39 am
Marseille07 wrote: Sat Apr 17, 2021 11:10 am I saw this about a week ago and changed my password accordingly. No email from them.

There's no malicious attempt from them, but it's possible they got hacked and secretly asking those who were impacted.
Weird, I got no letter and I was able to login on my phone with no prompt to change my password, maybe I should change mine now...
This was a couple of months ago. I was speculating then since only few users got prompted to change their password.
Only saw this now, I just changed my PW now, just in case.
Marcus Savings is known to be extremely secure :twisted:
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Ally suddenly asking to input new password

Post by anon_investor »

Marseille07 wrote: Sun Jun 20, 2021 11:51 am
anon_investor wrote: Sun Jun 20, 2021 11:50 am
Marseille07 wrote: Sun Jun 20, 2021 11:49 am
anon_investor wrote: Sun Jun 20, 2021 11:39 am
Marseille07 wrote: Sat Apr 17, 2021 11:10 am I saw this about a week ago and changed my password accordingly. No email from them.

There's no malicious attempt from them, but it's possible they got hacked and secretly asking those who were impacted.
Weird, I got no letter and I was able to login on my phone with no prompt to change my password, maybe I should change mine now...
This was a couple of months ago. I was speculating then since only few users got prompted to change their password.
Only saw this now, I just changed my PW now, just in case.
Marcus Savings is known to be extremely secure :twisted:
But they don't have 24/7 phone support, so if s*!t hits the fan, you are SOL if it is outside business hours!

A good example of why you shouldn't reuse passwords.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally suddenly asking to input new password

Post by Marseille07 »

anon_investor wrote: Sun Jun 20, 2021 12:00 pm But they don't have 24/7 phone support, so if s*!t hits the fan, you are SOL if it is outside business hours!

A good example of why you shouldn't reuse passwords.
I never reuse passwords, which is why it was surprising to see the new password prompt 2 months ago.
Always use a password generator and store in a password manager.
nolesrule
Posts: 2631
Joined: Thu Feb 26, 2015 9:59 am

Re: Ally suddenly asking to input new password

Post by nolesrule »

I received the letter on Friday.

It was a coding error that outputted the personal information in a report to a third party in a data exchange file. Any technology provider could have made this error unfortunately.
Fogbank
Posts: 88
Joined: Wed Jan 29, 2020 7:06 am

Re: Ally suddenly asking to input new password

Post by Fogbank »

nolesrule wrote: Sun Jun 20, 2021 3:49 pm I received the letter on Friday.

It was a coding error that outputted the personal information in a report to a third party in a data exchange file. Any technology provider could have made this error unfortunately.
Nope, it's not possible to leak plaintext passwords like this if the technology provider is following best practice.

Passwords should never UNDER ANY CIRCUMSTANCES be stored in plaintext in a system... they should be hashed before storage using one of the CPU-intensive hashing algorithms appropriate for this use case. This is application design 101 level stuff.

Amateur-level mistake. It's extremely alarming that a bank as large as Ally would design an application this way, it makes me wonder what other lazy shortcuts they made in their systems. If I had an account there I'd be moving everything elsewhere ASAP.
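
Added example, not part of the thread and not Ally's code: a Python sketch of the two controls discussed above, storing only a salted, CPU-intensive hash and building a third-party report from an allow-list of fields. The record schema, field names and iteration count are assumptions made for illustration.

```python
import csv, hashlib, hmac, io, os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware

def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'; plaintext is never stored."""
    salt = os.urandom(16)  # unique per password, so equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # malformed record: wrong field count, bad hex, bad integer
        return False
    return hmac.compare_digest(dk, expected)

# Fields a partner report may contain (hypothetical schema). Everything else,
# including username and password_hash, is dropped even if present in the record.
EXPORT_FIELDS = ("account_id", "state", "opened")

def export_report(records) -> str:
    """Build the data exchange file from the allow-list, never from the whole record."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=EXPORT_FIELDS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()

# Constructed sample record, not real data.
SAMPLE = [{"account_id": "A-1001", "state": "FL", "opened": "2019-06-03",
           "username": "jdoe",
           "password_hash": hash_password("correct horse battery")}]

if __name__ == "__main__":
    print(export_report(SAMPLE))
    print(verify_password("correct horse battery", SAMPLE[0]["password_hash"]))
```
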
nolesrule
Posts: 2631
Joined: Thu Feb 26, 2015 9:59 am

Re: Ally suddenly asking to input new password

Post by nolesrule »

Fogbank wrote: Tue Jun 29, 2021 6:10 am
nolesrule wrote: Sun Jun 20, 2021 3:49 pm I received the letter on Friday.

It was a coding error that outputted the personal information in a report to a third party in a data exchange file. Any technology provider could have made this error unfortunately.
Nope, it's not possible to leak plaintext passwords like this if the technology provider is following best practice.

Passwords should never UNDER ANY CIRCUMSTANCES be stored in plaintext in a system... they should be hashed before storage using one of the CPU-intensive hashing algorithms appropriate for this use case. This is application design 101 level stuff.

Amateur-level mistake. It's extremely alarming that a bank as large as Ally would design an application this way, it makes me wonder what other lazy shortcuts they made in their systems. If I had an account there I'd be moving everything elsewhere ASAP.
Yes, I know. I build web apps with u/p storage. I don't trust any of these systems, which is why I use unique passwords.

I'm just regurgitating the letter I received in the mail.