
Orange Furball

macrumors 65816
Original poster
May 18, 2012
1,325
6
Scranton, PA, USA
Hello everyone. This is a complaint/open discussion on some recent situations and how they were handled by staff.

As we all should be aware, MacRumors was hacked. Our emails, user names, and passwords have been stolen. Like many people out there I am quite upset by this. I use Orange Furball on many different sites, and often use the same password for simplicity. When I don't use Orange Furball chances are I use the same email and password combination. While this has since been changed (after word of the hack reached me), it still upsets me.

Websites do get hacked, we get that, but we also expect websites to properly handle the situation. How did I find out? Via another member, WhoKnows87. He told me in a Google Plus hangout created for discussion of the Nexus 5. I then began to change all my passwords. I checked my email, even spam, and found no trace of any kind of warning about the security breach. How hard is it to warn users of something like this? I am 99.9% sure that it is basic knowledge to warn users and members of such an attack.

After confirming that MacRumors did not warn users, I proceeded to another Google Plus Hangout with more MR members. I told them what had happened, and as you could understand they were upset.

An anonymous user has said: "It is basic net etiquette. I'd absolutely think a site ... would follow the rules about notification."

Now we all love MR and the community, however this is just unacceptable.

Another anonymous user (There are a lot!) has said: "But the basic gist of it is that the site they linked as an example of the exploit said in the page MR linked to that they emailed everyone. Few forum members see every article posted and so few will know about this break in."

This is absolutely true. Normally when someone posts an example of a similar problem that is successfully dealt with, they would follow the same path as the other site did. This once again comes back to the warning.

I come to MR to talk tech, not so much for the news stories, so I probably wouldn't see the article just like a lot of other people.

There are still many users out there who have not heard about this attack and could be facing consequences. Admins, Mods, and other staff, please send out a warning of the attack and proper procedures to take (such as changing your password via https://forums.macrumors.com/profile.php?do=editpassword and warning about what data has been compromised).

Internet security is a large subject and concern for many, something like this needs to be properly reported. Please respond with any comments or concerns.

MR Users - if you agree with any points and would like to comment, please keep them clean and calm. This is a simple discussion.

Signed, Orange Furball, WhoKnows87, BMac4, jsw, and the anonymous members who wish to stay private.
 
Last edited:

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
This is absolutely true. Normally when someone posts an example of a similar problem that is successfully dealt with, they would follow the same path as the other site did.
How familiar are you with the details of this "similar problem that is successfully dealt with"?

From what I'm reading, their hack started on 14 July 2013 and was still ongoing on 20 July 2013.

Can you cite how far in that incident the users were emailed?

----------

Now we all love MR and the community, however this is just unacceptable.
I bet there will be a lot of future changes from this incident. But right now, the house still appears to be on fire somewhat, and I have feeling that there are only a few people manning the fire hoses (mostly arn). My gut feeling is that he's not going to put the fire hose down and find a way to email the 860,151 MacRumors members until the fire is completely out.

Mailing just shy of a million people isn't something that's going to be done in just a few hours anyways.
 

Orange Furball

macrumors 65816
Original poster
May 18, 2012
1,325
6
Scranton, PA, USA
How familiar are you with the details of this "similar problem that is successfully dealt with"?

From what I'm reading, their hack started on 14 July 2013 and was still ongoing on 20 July 2013.

Can you cite how far in that incident the users were emailed?

I am not; I am, however, the voice of the group. I have been involved in lower-profile attacks (for example, emails being leaked), and even then an email was sent immediately.

I bet there will be a lot of future changes from this incident. But right now, the house still appears to be on fire somewhat, and I have feeling that there are only a few people manning the fire hoses (mostly arn). My gut feeling is that he's not going to put the fire hose down and find a way to email the 860,151 MacRumors members until the fire is completely out.

Mailing just shy of a million people isn't something that's going to be done in just a few hours anyways.

It should not be that hard. You send an automated email.
 

FloatingBones

macrumors 65816
Jul 19, 2006
1,486
745
When I don't use Orange Furball chances are I use the same email and password combination.

This is a terrible idea. Tools like 1Password and Lastpass are well-designed to manage unique passwords for every website. Tools like Secure Quick Reliable Login should make it even easier in the next 6 months or so.

Anyone who is promiscuously reusing the same password on multiple sites should stop doing that.

MR updated us about the security breach promptly. I don't think your complaint is justified.
 

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
It should not be that hard. You send an automated email.
To 861,000 people? Assuming the automated process can fire off 10 emails a second, that would take 23.91 hours to finish. A little logic suggests that might require some planning, no?

I'm not saying that MacRumors couldn't have handled this better. I just think that if you're going to start poking at Arn before the site's even 100% functional again, you might want to have all of your ducks in a row.
 

Orange Furball

macrumors 65816
Original poster
May 18, 2012
1,325
6
Scranton, PA, USA
Anyone who is promiscuously reusing the same password on multiple sites should stop doing that.

MR updated us about the security breach promptly. I don't think your complaint is justified.

I agree about the password issue now.

How did they update us besides the blog post? At this point anyone going to MacRumors.com and going to a different part of the site (the forum for example) would see the black friday deals post as the first post, not the breach one.
 

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
My guess is that since the Site Announcement feature was exactly how the site got hacked, they're not going be using that feature for awhile. :eek:
 

thejadedmonkey

macrumors G3
May 28, 2005
9,180
3,329
Pennsylvania
I got an email from Adobe about a week ago, informing me of a database breach. That took them about a month. The Ubuntu forums were down for weeks. In this instance, the forums were repaired quickly, a notice was placed on the front page, and I'm certain that Arn will issue a mass email soon.

You need to guard passwords with the assumption that they will be hacked, not if, but when, and take steps to make sure that the password you use doesn't compromise any other accounts.
 

bmac4

macrumors 601
Feb 14, 2013
4,853
1,856
Atlanta Ga
Orange, I think this is a huge issue, and a forum like MacRumors should have handled this much better. For a site that harps on how strictly they handle their site, it seems they have not upheld the same standards for themselves. The communication from them was almost nonexistent. If anyone is like me, I use Tapatalk for this site, and would never have seen the message unless Orange told me. This is unacceptable for MR.
 

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
An anonymous user has said: "It is basic net etiquette. I'd absolutely think a site ... would follow the rules about notification."
AFAIK, there are no rules that require forums to notify when incidents like this happen.

Side note, each of the 50 states has laws that require companies to notify when personal data (like financial or SSN) is breached. Of the 50 states, only one (Connecticut) requires immediate notification. The other 49 states say something to the effect of "Most expedient time possible, without unreasonable delay".
http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf

To me, it seems like MacRumors is still in the "immediate" stage of dealing with this. The site's been up and down this afternoon, and search still isn't working. Like jadedmonkey said, I think Arn will start the process of notifying 861,000 users as soon as he can.
 

bmac4

macrumors 601
Feb 14, 2013
4,853
1,856
Atlanta Ga
AFAIK, there are no rules that require forums to notify when incidents like this happen.

Side note, each of the 50 states has laws that require companies to notify when personal data is breached. Of the 50 states, only one (Connecticut) requires immediate notification. The other 49 states say something to the effect of "Most expedient time possible, without unreasonable delay".
http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf

To me, it seems like this is still part of the "immediate" stage. The site's been up and down this afternoon, and search still isn't working. Like jadedmonkey said, I think Arn will start the process of notifying 861,000 users as soon as he can.

No one is saying it is the law or required. What we are saying is that for MR to not hold the same standards that they hold their users to is just unacceptable. The communication is garbage, and needs to be called out.
 

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
No one is saying it is the law or required. What we are saying is that for MR to not hold the same standards that they hold their users to is just unacceptable. The communication is garbage, and needs to be called out.
Can you be more specific with the standards that you're talking about?
 

bmac4

macrumors 601
Feb 14, 2013
4,853
1,856
Atlanta Ga
Can you be more specific with the standards that you're talking about?

Sure can. Alright, we are not allowed to so much as breathe wrong on another user. There are more rules to this site than you can even hope to remember. If you look at the list of rules, it is kind of insane. Again, we are held to a higher standard when it comes to being a member on this site. I would expect that MacRumors would hold themselves up to high standards when it comes to something like a breach like this. When the PSN network was hacked, I was told the day of through an email. There has been no communication but a post on the home page, which many users like myself never look at. That is not the standard they would expect from us, and we should expect the same from them.
 

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
When the PSN network was hacked, I was told the day of through an email.
FWIW

On April 26, 2011 Sony explained on the PlayStation Blog why it took so long to inform PSN users of the data theft:

There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.
http://en.wikipedia.org/wiki/PlayStation_Network_outage
 

jsw

Moderator emeritus
Mar 16, 2004
22,910
44
Andover, MA
I agree that it takes time to email large numbers of users.

However, in the meantime, the fact that member information has been stolen should have been the top story on MR, and should have remained the top story, until the notifications had been sent out. I understand that fires are being fought, but if there is time to continue to post new stories, there is time to make this story stuck to the top.

In addition, those who follow MR on twitter could have been notified.

In addition, logins to these forums could have been disabled until things were resolved. As of now, we have no idea whether or not anyone is who they say they are. If the hacker indeed has emails, forum names, passwords (which can be guessed from their stored hashed forms), then that hacker could log in as any of us. While I'm not sure of the right way to remedy this, leaving the forums up with no notification of the issue is not the way to do it. We see that the search engine is down, but not that our information might have been stolen.
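An added example, not part of jsw's post or anything MacRumors published, tying together two points made in this thread: FloatingBones's warning about reusing one password across sites, and jsw's point that stored hashes can be guessed. The hash scheme below, md5(md5(password) + salt), is an assumption modeled on what vBulletin 3.x used; the thread never says what MacRumors actually stored. The leaked table, the second site, and the wordlist are all constructed sample data, not real accounts.

```python
import hashlib
import secrets
import string


def forum_hash(password: str, salt: str) -> str:
    """Assumed forum scheme: md5(md5(password) + salt), modeled on vBulletin 3.x.
    This is an assumption for illustration, not what the thread says MR used."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def other_site_hash(password: str, salt: str) -> str:
    """A second, unrelated site with its own salted scheme (constructed)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def manager_password(length: int = 20) -> str:
    """Random per-site password, the kind a password manager generates."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed leaked table: (username, salt, stored_hash). Not real accounts.
LEAK = [
    ("alice", "k9Qz", forum_hash("password1", "k9Qz")),
    ("bob",   "Lm3p", forum_hash("letmein", "Lm3p")),
    ("carol", "x7Tr", forum_hash("Vq8!mZ2r#Ld0yWp4Ns6b", "x7Tr")),  # manager-style
]

# Tiny constructed wordlist; a real attacker would use millions of entries.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "macrumors"]

# The other site's users (constructed). alice and bob reused their forum
# password there; carol used a different random one.
OTHER_SITE = {
    "alice": ("s1", other_site_hash("password1", "s1")),
    "bob":   ("s2", other_site_hash("letmein", "s2")),
    "carol": ("s3", other_site_hash("Hq2#nB7v!Xw9zK4mP0cT", "s3")),
}


def crack(leak, wordlist):
    """Offline dictionary attack. The salt sits next to the hash in the dump,
    so each guess costs two MD5 calls; only the password's weakness matters."""
    recovered = {}
    for user, salt, stored in leak:
        for guess in wordlist:
            if forum_hash(guess, salt) == stored:
                recovered[user] = guess
                break
    return recovered


def other_site_login(user: str, password: str) -> bool:
    """The other site's login check; the attacker never sees its database."""
    entry = OTHER_SITE.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return other_site_hash(password, salt) == stored


def stuff(recovered, login=other_site_login):
    """Credential stuffing: replay every recovered pair against another site."""
    return sorted(user for user, pw in recovered.items() if login(user, pw))


if __name__ == "__main__":
    got = crack(LEAK, WORDLIST)
    print("recovered from forum dump:", got)          # alice and bob only
    print("also compromised elsewhere:", stuff(got))   # ['alice', 'bob']
    print("manager-generated example:", manager_password())
```

The point of the two halves: the salt in the dump does nothing to slow an attacker once the table is in hand, so weak passwords fall to a short wordlist, and every site where that same password was reused falls with them. carol's random password is not in any wordlist, so her forum account is still in the dump but nothing else of hers is reachable from it, which is exactly what a per-site password manager buys you.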
 

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
Maybe I remember that fact wrong because it was posted all over the internet. This really has nothing to do with MR and their communication. Like I said their standards should be set higher.
You're essentially asking for MacRumors breach standards to be higher than Adobe and Sony's -- both billion-dollar companies who have teams of on-staff lawyers, security experts, and administrators, and yet it took 7 days (Sony) and a month (Adobe) to notify users.

That seems logical.
 

r0k

macrumors 68040
Mar 3, 2008
3,611
75
Detroit
This is a terrible idea. Tools like 1Password and Lastpass are well-designed to manage unique passwords for every website. Tools like Secure Quick Reliable Login should make it even easier in the next 6 months or so.

Anyone who is promiscuously reusing the same password on multiple sites should stop doing that.

MR updated us about the security breach promptly. I don't think your complaint is justified.

Who is us? Is us the people whose passwords were compromised? Then I must not have been one of them because I was not notified. Since I've been trying to log in to MR for about 10 hours now and wondering what is going on, and there is nothing on the front page and no banner telling me what happened I think the OP complaint is justified and I join with him in saying this has not been handled to my satisfaction. BTW, I'm not in favor of 800K emails, just a simple banner at the top of forums.macrumors.com and also at http://www.macrumors.com saying there has been a security breach with a link to an article with details on actions (if any) that users need to take.

Luckily I use throwaway password #37 here at MR but unluckily I also use it at a few other sites which I've also had to change. :mad:
 

bmac4

macrumors 601
Feb 14, 2013
4,853
1,856
Atlanta Ga
You're essentially asking for MacRumors breach standards to be higher than Adobe and Sony's -- both billion-dollar companies who have teams of on-staff lawyers, security experts, and administrators, and yet it took 7 days (Sony) and a month (Adobe) to notify users.

That seems logical.

Both Sony and Adobe have 3 times the users that MR has. Again, MR holds themselves and their users to higher standards than any other forum. So yes, I think I am being logical.

I am not sure why you are defending this site.
 

Astroboy907

macrumors 65816
May 6, 2012
1,387
14
Spaceball One
This thread is the first I've heard about the hack.

FWIW, even I as a beginner web developer threw up a quick banner when one of my wordpress sites got hacked... It's kind of a common courtesy thing. I trust Macrumors, but the fact that this is the first time I've heard it was hacked is a bit unnerving. Nothing I can't deal with though. Just maybe throw something up for those people that don't read more than the first couple posts on the main page (me).
 

jsw

Moderator emeritus
Mar 16, 2004
22,910
44
Andover, MA
Can you be more specific with the standards that you're talking about?
I can.

You've been around a long time, aristobrat, so you can remember how things used to be. It was never the Wild West here, aside, from what I could gather, way way early on. But things were more relaxed. There were far fewer rules. They were less rigidly enforced. People only got banned for truly egregious behavior. People only got time-outs for going over the sort of line that anyone should have realized was there even if they hadn't memorized the rules. Warnings were infrequent. It was actually fun to post here. Remember the Private Forums? They used to actually be active. These days, they're a ghost town.

Now, though... everything is locked down. The rules are vast and difficult to fully retain unless you devote significant effort - how many other sites have anything even remotely that complex? I've seen members banned for no apparent reason, and while, as a former moderator, I know that things get cleaned up, I also know that some of those banned weren't the types who'd do terrible things deserving of a ban.

So in this site, in today's MR, where one must conform lest one be removed, there is a sense of an entire set of codified behavior and standards which are vigorously and seemingly emotionlessly enforced.

So, on such a site, one would expect the staff to similarly conform to common standards for handling hacks such as this, which would include the clear notice of the hack, notifications of the hack via mass media such as Twitter, and an attempt to ensure coverage of the hack via other media sites. Instead, we got one story which drifts ever lower and soon will be off the front page (if it isn't already).

We are asked to be perfect little posting role models. I expect the site, then, which tolerates zero deviance from the rules, to be similarly model in its behavior for handling a situation like this.

Edit: by "staff", I mean the paid staff, who set the standards that moderators are asked to enforce. The moderators do a difficult job - made more difficult, I'm sure, by the complex set of rules - and are paid nothing.
 
Last edited by a moderator:

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
Both Sony and Adobe have 3 times the users that MR has.
And they've also EASILY got 1,000x more resources than MR does, so it should have been cake for a "team" of people to go handle the notifications.

I'm not defending this site. It appears to me that they didn't have a plan for how to handle this situation. JSW listed a couple of items that they could have done to have gotten the word out better. My guess is that Arn is still running around like crazy dealing with back-end stuff. My second guess is that the moderators don't have the ability to send an email to 861,000 users about this, and notification will come when Arn gets things under control and can focus on that.

To me, your posts (and the tone set by Orange) read like sour grapes. They make it sound like you've got a grudge against MacRumors for being "moderated" at some point, and now they've made a mistake, you're here to rub their nose in it.

Fine. It'd just be a little more tactful (IMO) to wait until the fire is out before you do. And seriously, read up on how major companies handle data breaches. Because AFAIK the standard that you want to hold MacRumors to, none of them have achieved.

----------

So, on such a site, one would expect the staff to similarly conform to common standards for handling hacks such as this, which would include the clear notice of the hack, notifications of the hack via mass media such as Twitter, and an attempt to ensure coverage of the hack via other media sites.
Since you "worked" here, you'd know this better than I, but when it comes to "staff", who are the people that can modify the vBulletin templates of the site to display the clear notice, or post to the MacRumors twitter account?

I have a feeling that some folks in this thread think that every MacRumors moderator has those abilities. Do they?
 

bmac4

macrumors 601
Feb 14, 2013
4,853
1,856
Atlanta Ga
And they've also EASILY got 1,000x more resources than MR does, so it should have been cake for a "team" of people to go handle the notifications.

I'm not defending this site. It appears to me that they didn't have a plan for how to handle this situation. JSW listed a couple of items that they could have done to have gotten the word out better. My guess is that Arn is still running around like crazy dealing with back-end stuff. My second guess is that the moderators don't have the ability to send an email to 861,000 users about this, and notification will come when Arn gets things under control and can focus on that.

To me, your posts (and the tone set by Orange) read like sour grapes. They make it sound like you've got a grudge against MacRumors for being "moderated" at some point, and now they've made a mistake, you're here to rub their nose in it.

Fine. It'd just be a little more tactful (IMO) to wait until the fire is out before you do. And seriously, read up on how major companies handle data breaches. Because AFAIK the standard that you want to hold MacRumors to, none of them have achieved.

No, I do not have a grudge against MR. I just feel that when they make it a point to say they are not like other forums, and expect their users to abide by the rules that make them different, then why can't we expect more from them when it comes to our information?
 

jsw

Moderator emeritus
Mar 16, 2004
22,910
44
Andover, MA
Since you "worked" here, you'd know this better than I, but when it comes to "staff", who are the people that can modify the vBulletin templates of the site to display the clear notice, or post to the MacRumors twitter account?

I have a feeling that some folks in this thread think that every MacRumors moderator has those abilities. Do they?
I can't speak for how things are now, but it would very much surprise me if any moderator had such access. I suspect only the Gods can do those things.
 