SN 913: A Fowl Incident

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

As an avid user of the chicken-bone points, I felt personally attacked by this episode! :rofl:

In all seriousness though, thanks for the heads up. Just FYI for the “why on earth would you make an account with a restaurant app” - yes those points add up quickly and you can get lots of free food! For any restaurant you go to with any regularity, it definitely equates to money in your pocket. It’s the modern version of coupon clipping!

I guess it depends on how often you go to a restaurant/fast food joint.

We go to our local Döner restaurant maybe once a month, pizza delivery once every couple of months, and that’s about it for regular fast food ordering.

Is there such a thing as ‘initiation’ in the black hat world? This seems like a lower level thing that somebody would do to be ‘made’ into a group. Maybe black hat groups aren’t this organized, but this all seemed a bit odd.

Though, as Steve mentions, now they know valid email creds, and can try that password against a known reuser of creds in more places.

Quote from the show notes regarding a Chrome extension stealing cookies (around minute 20:00 in the show):

If by any chance you are one of that extension’s 160,000 users, you should seriously consider
logging out of any websites which might have you persistently logged in. That will render any
stolen cookies useless.

This depends on the site. Some sites store a temporary token in a cookie, which gets invalidated as part of the logout process.

Other sites use a cookie to store a permanent token. If you log in again, you get the same cookie. This could be a hashed version of the password, or something else that doesn’t change unless you change your password.

So, if you used the extension, it’s a good idea to change your passwords on all sites as well, unless you know they’re not using this kind of authentication.

Other than that, I think it’s another good example of why it’s a good idea to keep the installed extensions to a minimum and only use ones from a trusted vendor. But as the recent LastPass breach showed, maybe that’s not enough either.
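
The two cookie schemes described in the post above, side by side, as an added example that is not part of the original thread. The class names, the HMAC-based derivation of the permanent token and the sample credentials are assumptions for illustration; password checking at login is left out to keep the focus on what logout does.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed server-side secret


class SessionTokenSite:
    """Random per-login token held in a server-side table; logout deletes it."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def logout(self, token):
        self.sessions.pop(token, None)  # server-side revocation

    def authenticate(self, token):
        return self.sessions.get(token)


class PermanentTokenSite:
    """Cookie derived from the stored password hash; the server keeps no session state."""

    def __init__(self):
        self.password_hashes = {}  # username -> stored password hash

    def set_password(self, user, password):
        # Assumption: plain SHA-256 for brevity; a real site would use a slow salted hash.
        self.password_hashes[user] = hashlib.sha256(password.encode()).digest()

    def _token_for(self, user):
        msg = user.encode() + b"\0" + self.password_hashes[user]
        return user + ":" + hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def login(self, user):
        return self._token_for(user)  # same value on every login

    def logout(self, token):
        pass  # only the browser's copy is cleared; nothing to revoke on the server

    def authenticate(self, cookie):
        user = cookie.split(":", 1)[0]
        if user not in self.password_hashes:
            return None
        expected = self._token_for(user).encode()
        return user if hmac.compare_digest(cookie.encode(), expected) else None
```

With the first design a copied cookie stops working at logout; with the second it keeps working until `set_password` changes the value the token is derived from.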