
Carlanga

macrumors 604
Nov 5, 2009
7,132
1,409
SSL? MacRumors? You must be new here. Take a look around you. The forum looks like it is from the 90s. The fact is, the people responsible for MacRumors don't really care much as long as it is running.
you forgot:
and making a boatload of money from app ads in "top stories posts" and clicks
 

tido2012

macrumors regular
Jul 20, 2010
144
0
Link for deleting account

I would like to delete my macrumors account, does anyone know how to do this? Thank you in advance.
 

bobr1952

macrumors 68020
Jan 21, 2008
2,040
39
Melbourne, FL
If your life depended on it or was in peril - possibly. Lol

It's a freaking message board. Who gives a crap. You probably have more stuff readily accessible on Facebook and you're worried about a simple password/account you have here that may or may not have been divulged? Ugh.

PRIORITIES!

Example - you live in Queens right?

Haha--I certainly agree with the "who gives a crap" part. Which is why when I was browsing through this thread I was trying to figure out why anyone would care--and I suppose the answer to that is not using a unique password for every Internet site. Would seem a good opportunity for those concerned to change that practice. :)
 

Vip

macrumors regular
May 8, 2008
180
0
Bloody NSA at it again. Can't get data otherwise now that they have been found out, so let's hack the common people!
 

PinkyMacGodess

Suspended
Mar 7, 2007
10,271
6,226
Midwest America.
When creating your new passwords, please keep this XKCD comic in mind and maybe we'll all have secure, easy to remember passwords:

For the thousand and something-ith time here no doubt: I love xkcd comics. I've bought plenty of their t-shirts and a few posters. It's more funny to see who gets them sometimes, and a great way to meet people...
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,035
15,412
California
Security Notice Email is Out

Just got this email from MR, so the mass alert emails are going out.

 

Jimbo47

macrumors 6502a
Jun 21, 2010
728
3
Why weren't the passwords encrypted?

I find it absurd that MacRumors.com moderators spend so much time policing views and ideas -- particularly those critical of Apple, rather than actually spending more time on improving the security of the site.

Maybe the mods and arn as the owner can take a step back and reflect about their lapses.

Encrypting passwords is entry level stuff. Any decent site should have done it already.

And if the article is to be believed, the hack was similar to a previous hack -- so why weren't security measures taken to patch the site? After all, it is not an unknown issue.


You can't blame the moderators. They have nothing to do with the inner workings of the site and how secure it is. That's up to the administrators.

Now I don't know why MacRumors is running 3.8 and not vBulletin 5.0. Perhaps Arn doesn't have a valid license right now and would have to pay to upgrade. There's nothing wrong with that, vBulletin isn't cheap. I would milk it for as long as I could too. However after this incident, it seems like the milk is gone.
 

n8mac

macrumors 6502
Jun 25, 2006
431
48
Ohio
Working on getting the forums fully functional......... What about emailing everyone??? WTF Macrumors? Shouldn't this be first priority??

Yeah but what about all the people who need to get on here to call the new Mac Pro a trash can?
 

Trauma1

macrumors 6502a
Jun 15, 2009
585
2
I'm glad to see the email (finally) went out. It was clear, concise, and upfront. Again, I know you guys must have had an exhausting couple of days.

There are over 860,000 registered members. How many of them don't come here on a daily basis (me)? On a regular basis? The people who created an account to make a one-time post about a relatively simple question certainly do not. And they're the ones likely to repeat their login credentials across the internet. At least now, the only way to be notified isn't just by coming to this website, which those people wouldn't normally be doing.
 

brand

macrumors 601
Oct 3, 2006
4,390
456
127.0.0.1
vBulletin isn't cheap.

The upgrade cost is $359. I'm sure that with the tens or hundreds of thousands of dollars from ad revenue it could easily be afforded. The money is not the issue. The issue is the management and security policies of MacRumors.
 

cjmillsnun

macrumors 68020
Aug 28, 2009
2,399
48
Hmm. For some reason, my Google account is fine, but my Apple ID might have been compromised. They both used to use the same password as MacRumors.

If your apple id has been compromised FFS log in, change your password, then in your icloud settings remote wipe devices that shouldn't be on there. A bit of fun at their expense ;)
 

citi

macrumors 65816
May 2, 2006
1,363
508
Simi Valley, CA
I'm glad to see the email (finally) went out. It was clear, concise, and upfront. Again, I know you guys must have had an exhausting couple of days.

There are over 860,000 registered members. How many of them don't come here on a daily basis (me)? On a regular basis? The people who created an account to make a one-time post about a relatively simple question certainly do not. And they're the ones likely to repeat their login credentials across the internet. At least now, the only way to be notified isn't just by coming to this website, which those people wouldn't normally be doing.

It's probably going to end up in their spam folder and they'll never see it.
 

Zimmy68

macrumors 68000
Jul 23, 2008
1,989
1,606
In my experience, whenever a consumer is notified about a security incident from one provider, the consumer tends to naturally link any subsequent anomaly with that incident (and tends to look for other anomalies). However, there is rarely any connection. More likely what you are seeing is entirely coincidental and unrelated.

I hope so but I find it highly coincidental that the behavior happens the day I find out they have been hacked.

I go to Appshopper about 5 times everyday and never noticed this before.

Remember TouchArcade and AppShopper are MacRumor sites.

It happens in IE and Chrome.
Also, the user changes when I select a different tab.

I sent a notice to the webmaster there, I'll see what they say.
--------
Update

It looks like it is keeping my user information correct now.
There were a couple of items in my Wish List/Own that I never added before.
Other than that, it looks like things are back to normal.
 

lol

macrumors newbie
May 4, 2008
22
0
Hey guys, "hacker" here. I'm going to disprove some of the comments you guys have been making.

I'll need to provide some sort of proof to prove it's me. Arn, the first 16 bits of your old password hash was cd89d763f091c664. Your salt is (or was?) #er<ib"E%R0sa%`8b%N3+!5<J&PqnT.


First of all, regarding the passwords. As far as I'm aware, the older versions of vbulletin and the current all share the same hashing algorithm. 860106 users were dumped. Out of those, 488429 of them still had a salt which had a length of 3 bits. Anyone that'd been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work to do, it's like to have many with a 3 bit salt). We're not "mass cracking" the hashes. It doesn't take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results. We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.

Second of all, I personally think Arn done a great job disclosing the details of what had happened in the time that he took to do so. Many other huge companies and corporations, probably some that you're all registered to, have taken days, weeks, or even never, to report a compromise. You should be thankful.

Third, we're not going to "leak" anything. There's no reason for us to. There's no fun in that. Don't believe us if you don't want to, we honestly could not care less.

Fourth, stop blaming this on the "outdated vBulletin software". The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you're talking about. 3.x is far more secure than the latter. Just because it's older, it doesn't mean it's any worse.



That concludes it. Consider the "malicious" attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.
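
Added example, not part of the thread and not MacRumors or vBulletin code: it estimates how many of the 488,429 short-salt accounts mentioned above end up sharing a salt, and shows password storage with a per-user random salt and a deliberately slow key-derivation function (PBKDF2 from Python's standard library). Assumptions: the salt lengths 3 and 30 are counted in uniformly drawn printable-ASCII characters, and the iteration count and record format are illustrative choices.

```python
import hashlib
import hmac
import math
import os

ALPHABET = 94               # assumption: salt characters are printable ASCII
SHORT_SALT_USERS = 488429   # figure quoted in the post above
PBKDF2_ROUNDS = 600_000     # assumption: tune to your own hardware budget


def expected_distinct_salts(users: int, salt_len: int) -> float:
    """Expected number of different salts among `users` uniformly random salts."""
    space = ALPHABET ** salt_len
    # S * (1 - (1 - 1/S)^n), computed with log1p/expm1 so a huge S stays accurate
    return -space * math.expm1(users * math.log1p(-1.0 / space))


def hash_password(password: str) -> str:
    """Store a password with a 16-byte random salt and a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    _scheme, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for length in (3, 30):
        distinct = expected_distinct_salts(SHORT_SALT_USERS, length)
        shared = SHORT_SALT_USERS - distinct
        print(f"salt length {length}: ~{distinct:,.0f} distinct salts, "
              f"~{shared:,.0f} accounts on a salt already in use")
    # Constructed sample password, not taken from any real account.
    record = hash_password("correct horse battery staple")
    print(record[:40] + "...", verify_password("correct horse battery staple", record))
```

Under these assumptions the short salts still yield several hundred thousand distinct values, so the salt length changes the attacker's workload far less than the cost of each individual hash does.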
 

fertilized-egg

macrumors 68020
Dec 18, 2009
2,109
57
The upgrade cost is $359. I'm sure that with the tens or hundreds of thousands of dollars from ad revenue it could easily be afforded. The money is not the issue. The issue is the management and security policies of MacRumors.

I feel the same. Also instead of telling us "maintenance", the admins should've put the notice right away on the site notifying the users so that anyone who uses the same password could've changed it elsewhere. Also that should be the first item in the front page of the Macrumors with much higher visibility than it is now. Not very impressed with how they handled a potentially damaging incident.
 

caesarp

macrumors 65816
Sep 30, 2012
1,073
614
Hey guys, "hacker" here. I'm going to disprove some of the comments you guys have been making.

I'll need to provide some sort of proof to prove it's me. Arn, the first 16 bits of your old password hash was cd89d763f091c664. Your salt is (or was?) #er<ib"E%R0sa%`8b%N3+!5<J&PqnT.


First of all, regarding the passwords. As far as I'm aware, the older versions of vbulletin and the current all share the same hashing algorithm. 860106 users were dumped. Out of those, 488429 of them still had a salt which had a length of 3 bits. Anyone that'd been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work to do, it's like to have many with a 3 bit salt). We're not "mass cracking" the hashes. It doesn't take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results. We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.

Second of all, I personally think Arn done a great job disclosing the details of what had happened in the time that he took to do so. Many other huge companies and corporations, probably some that you're all registered to, have taken days, weeks, or even never, to report a compromise. You should be thankful.

Third, we're not going to "leak" anything. There's no reason for us to. There's no fun in that. Don't believe us if you don't want to, we honestly could not care less.

Fourth, stop blaming this on the "outdated vBulletin software". The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you're talking about. 3.x is far more secure than the latter. Just because it's older, it doesn't mean it's any worse.



That concludes it. Consider the "malicious" attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.

If you really were involved, do you know the legal headaches you cause? People who hack caused me to deal with long hours of counseling clients (sometimes on nights and weekends). Yes, I get paid for it, but it's a pain in the neck. And for what purpose? Just because something can be taken, viewed or accessed, doesn't mean you should. Thanks a lot dude.

It's not cool and it's not fun. Stop it. And what's the point? If you aren't leaking anything, then what do you intend to do with the data?
 

DDustiNN

macrumors 68020
Jan 27, 2011
2,483
1,363
Well this possibly explains a strange email I got from Battle.net yesterday. It said they noticed "unusual activity" on my account, and suggested that I change my password.

Note: I haven't used my Battle.net account at all since playing the Diablo 3 beta last year.

I changed my password and got the "Authenticator" app on my iPhone.

Bah. I wonder what else has been compromised...

Not happy, MR :mad:
 

lol

macrumors newbie
May 4, 2008
22
0
If you really were involved, do you know the legal headaches you cause? People who hack caused me to deal with long hours of counseling clients (sometimes on nights and weekends). Yes, I get paid for it, but it's a pain in the neck. And for what purpose? Just because something can be taken, viewed or accessed, doesn't mean you should. Thanks a lot dude.

It's not cool and it's not fun. Stop it.

Just because something isn't meant to be viewed or taken doesn't mean it won't be.
 

srgz

macrumors regular
Aug 22, 2010
134
81
Hey guys, "hacker" here. I'm going to disprove some of the comments you guys have been making.

I'll need to provide some sort of proof to prove it's me. Arn, the first 16 bits of your old password hash was cd89d763f091c664. Your salt is (or was?) #er<ib"E%R0sa%`8b%N3+!5<J&PqnT.


First of all, regarding the passwords. As far as I'm aware, the older versions of vbulletin and the current all share the same hashing algorithm. 860106 users were dumped. Out of those, 488429 of them still had a salt which had a length of 3 bits. Anyone that'd been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work to do, it's like to have many with a 3 bit salt). We're not "mass cracking" the hashes. It doesn't take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results. We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.

Second of all, I personally think Arn done a great job disclosing the details of what had happened in the time that he took to do so. Many other huge companies and corporations, probably some that you're all registered to, have taken days, weeks, or even never, to report a compromise. You should be thankful.

Third, we're not going to "leak" anything. There's no reason for us to. There's no fun in that. Don't believe us if you don't want to, we honestly could not care less.

Fourth, stop blaming this on the "outdated vBulletin software". The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you're talking about. 3.x is far more secure than the latter. Just because it's older, it doesn't mean it's any worse.



That concludes it. Consider the "malicious" attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.

What is left is the explanation -- why did you do this? You could have informed the site admins of the problem and had them fix it without compromising user data. Now you have all of our info and we're supposed to trust your word that you're not going to use it for malicious purposes? Go **** yourself.
 

caesarp

macrumors 65816
Sep 30, 2012
1,073
614
Just because something isn't meant to be viewed or taken doesn't mean it won't be.

So you are proud of being a criminal and a jerk? Wonderful. I'm sure your parents are proud too.

Do you beat up old ladies too and take their purse, 'cause it's easy to do?
 

arn

macrumors god
Staff member
Apr 9, 2001
16,362
5,794
That concludes it. Consider the "malicious" attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.

I'm sending a pm.

arn
 