2014-05-12, 11:11 | Link #41 |
Senior Member
Join Date: Nov 2007
Location: Tennessee
Age: 36
|
... fuck.
I'm glad that I no longer use a common password - that habit was something I stopped June 2010 after having all my accounts broken into by some kid. I just scanned through my private messages and I don't think there's anything too terribly sensitive in there, either. |
2014-05-12, 11:12 | Link #42 | |
Call me MK! :)
Graphic Designer
Join Date: Oct 2009
Location: The top of the world.
Age: 34
|
Quote:
I don't have accounts for Amazon/Apple etc! The only site I ever registered, that has anything to do with money, was the one for WoW. And I have a unique user name/password/email (that I only use there) created just for that!
__________________
|
|
2014-05-12, 11:29 | Link #43 |
Senior Member
Join Date: Oct 2013
Location: America
|
I'm real lucky. I was actually recently thinking about changing some of my passwords to match to make them easier to remember. Even then I haven't really registered with anything involving money so I wouldn't be in that much trouble.
__________________
|
2014-05-12, 11:35 | Link #44 |
ISML Technical Staff
Graphic Designer
|
Hm, what I'm most confused about is, if the password was leaked in its encrypted form, then how was the mod account hijacked?
Either way, I'm quite glad my AS password (and even username) are different from most other sites I use, and I haven't sent any PMs recently. In any case, I thank AS admins for their quick action to prevent any more serious problems.
__________________
|
2014-05-12, 11:35 | Link #45 |
Senior Member
Join Date: Apr 2004
|
Just spent some time changing various passwords on different sites. Luckily the "show password" option in Firefox is a real timesaver. I know using the same password is so stupid but remembering various different passwords can be a pain.
__________________
|
2014-05-12, 11:41 | Link #46 | |
Not Bennia Lover
Join Date: Oct 2013
Age: 26
|
Quote:
__________________
|
|
2014-05-12, 11:43 | Link #48 |
Administrator
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
|
Just a heads up: in agreement with other admins & mods I've decided the best thing is to have the server wiped & reinstalled. The backup that will be restored is about 2 weeks old.
However I'll try to keep the current user, post and threads table so that you don't need to change your password twice nor will we lose any posts. You will lose anything else changed in the meanwhile though, such as PMs, visitor messages and basically anything else that is not a regular post in a regular thread. Our apologies for the inconvenience, but this is the only way we can be sure the attacker didn't leave anything behind. |
2014-05-12, 11:50 | Link #50 |
Administrator
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
|
The passwords are hashed and salted. But MD5 is hilariously easy to bruteforce crack these days. Unfortunately modifying the forum to use something more advanced is not easy as far as I know. The best defense is to simply not use the same password on any other site.
|
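As an added illustration of the point in the post above (not part of the thread and not the forum software's code): stored salted-MD5 hashes can be wrapped in a slow KDF using only the values already in the user table. It assumes the legacy scheme is md5(md5(password) + salt) in hex, which the thread does not spell out; the function names, row layout and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_hash(password: str, salt: str) -> str:
    # Assumed legacy scheme: md5(md5(password) + salt), hex-encoded.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def wrap_legacy(legacy_hex: str, iterations: int = ITERATIONS) -> dict:
    # Needs only the stored hash, so every row can be upgraded offline.
    wrap_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), wrap_salt, iterations)
    return {"iterations": iterations, "wrap_salt": wrap_salt.hex(), "hash": dk.hex()}


def verify(password: str, legacy_salt: str, record: dict) -> bool:
    # Recompute the legacy hash, then the slow wrapper, and compare in constant time.
    candidate = legacy_hash(password, legacy_salt)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(record["wrap_salt"]), record["iterations"])
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


def migrate(rows: list, iterations: int = ITERATIONS) -> list:
    # Replace each bare MD5 value with its wrapped form; the fast hash is not kept.
    out = []
    for row in rows:
        out.append({"user": row["user"], "salt": row["salt"],
                    "password": wrap_legacy(row["password"], iterations)})
    return out


# Constructed sample rows (not data from the forum).
SAMPLE = [
    {"user": "alice", "salt": "x7Q", "password": legacy_hash("correct horse", "x7Q")},
    {"user": "bob", "salt": "m2#", "password": legacy_hash("hunter2", "m2#")},
]

if __name__ == "__main__":
    upgraded = migrate(SAMPLE)
    print(verify("correct horse", "x7Q", upgraded[0]["password"]))
    print(verify("wrong guess", "x7Q", upgraded[0]["password"]))
```

Wrapping raises the cost of guessing against a table stolen afterwards; hashes that already leaked in their MD5 form stay as weak as before, so changing reused passwords still applies.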
2014-05-12, 11:51 | Link #51 | |
Senior Member
Join Date: Nov 2010
|
Quote:
same with the database would have been secured in a more proper way. Sorry but this seems like an attempt to brush off responsibility with the forum security. |
|
2014-05-12, 11:54 | Link #52 | ||
True Dragon
Join Date: Nov 2013
Location: Riding on Great Red head
Age: 28
|
Quote:
Quote:
What kind of encryption is the database in, if you can tell me?
__________________
|
||
2014-05-12, 11:55 | Link #53 | |||
Senior Member
Join Date: Feb 2009
|
Quote:
Quote:
Quote:
|
|||
2014-05-12, 12:01 | Link #55 | |
True Dragon
Join Date: Nov 2013
Location: Riding on Great Red head
Age: 28
|
Quote:
The database, I'm not sure, but it can be encrypted in other ways.
__________________
|
|
2014-05-12, 12:08 | Link #59 | |
Senior Member
Join Date: Nov 2010
|
Quote:
Yes, and passwords would have to be reset again (most of the forum posts etc. can be moved to xenforo). It would be a pain and the site would be down for a week, but the move would be beneficial in terms of security, forum speed and features. |
|
2014-05-12, 12:09 | Link #60 | |
…Nothing More
Administrator
Join Date: Mar 2003
Age: 44
|
Quote:
Adding encryption in a secure way to the forum, at this point, would be a mammoth undertaking even for the people who control the code base, let alone us. We're not in a position to do it securely. It would be quicker to replace the software with something newer, assuming there is something out there that does make use of database level encryption. As far as I know xenforo (which was started by the people who originally wrote this version of vBulletin!) does not do database encryption either. Technical limitations aside, it wouldn't have helped in this case as the attack compromised the forum software itself. At that point they would have had the same keys the forum uses, so would have been able to query the user information in the same way. Might have taken longer, doing the decryption, but it wouldn't change things much. |
|
|
|