within 6 hours or so of initial indication of an issue - a perfectly reasonable timeframe IMO - initial notices were posted in the forums (feedback) and main MacRumors page that the security may have been breached. Investigation continued to determine the scope.
(Note: using my local forum time here - GMT)
Just a minor correction - a notice was posted in the feedback section at 6:25 PM Nov 12 by Arn confirming the issue. At that point he said that as far as they were aware, the user table was compromised.
At 9:23pm, after a page and a bit of people demanding that it go on the home page, Arn agreed to do so.
At 10:48pm the notice appeared on the homepage of MacRumors.
So the total time between reporting it and it going on the homepage was 4 hours and 23 minutes.
3) Well within 24 hours, additional notices were posted on the forums as well as the front page, and the team is working on a system to email the large quantity of users that exist.
The issue most people have is that the forums went offline at about 3:30pm on Nov 11 (and had been up and down for a good 6-10 hours prior to this).
That means that between them going down and it being posted publicly on the frontpage was just shy of 17 hours. Whilst obviously it would have taken an hour or two to actually figure out what happened (your vB log files would have told all, as would the server log files), at that point people should have been informed, be it via the homepage or a mass mail.
Bringing the forums back online should not have been the priority. If you have a car crash caused by your steering breaking, you get it looked at by an expert; you don't just dust it off, carry on driving and get it looked at later.
In my opinion, this was a world class response.
I wouldn't go that far.
The response was 'satisfactory', however, and I take no issue with the response time - Arn handled it well.
The only thing I disliked was that it took a rampage of pissed-off members to get Arn to actually post it on the homepage. There should have been a protocol in place for such an event.
What annoys me even more is the stupidity/stubbornness from MacRumors, however.
vBulletin 3.x went end of life in March 2011 - that's 2 years, 8 months ago. That's 2 years, 8 months that MacRumors has used a piece of software known to not be patched in the event of a security flaw being found.
Do you find that acceptable? I sure don't. I've seen places do this before and they always give the same lacklustre excuse of "oh, we can't move to a more modern piece of software - we've made too many modifications" - the solution is to re-write them or hire someone to do it for you.
Sticking with insecure software based on laziness is inexcusable. I've been banging on to MR staff to upgrade to a better piece of software for 2 years now and nobody's even mentioned anything about considering it.
I have no sympathy for the management on this I'm afraid, and I do hold the MacRumors management team fully responsible, not vBulletin as they had warned people a long time ago that the software was EOL.
----------
Since passwords were not stored in plain text I personally don't think the situation merits the level of alarm some feel. Just my 2 cents.
Food for thought:
http://codahale.com/how-to-safely-store-a-password/
----------
I'd like to know about PMs as well. Not that I gave out bank details or anything, but my home address has been shared.
I can probably answer that one for you (although it'd be nice to hear officially) - anything and everything stored in the vBulletin database would have been accessible. This includes PMs.
I'm basing this on the fact that Arn confirmed the attackers gained access to the hashed passwords - the only way to do that is with a direct method of access to the database. Once you've got that every single database table would have been accessible.