Why you would have an iTunes account without a CC is beyond me.

Oh, my goodness. Surely you've heard of iTunes cards that are sold everywhere in different denominations? Or maybe you haven't.

At any rate, using an iTunes card is an excellent way to control app purchases and more importantly, protect against unauthorized use of your credit card should your device be stolen. Or if iTunes is hacked.
 
Perhaps it's time for this thread to be retired.

1) MR has posted a sticky thread on EVERY page about the leak.
2) MR has emailed users
3) MR has apologized about all of this

So most of what people were griping about in here has been addressed.
Furthermore, news of this is everywhere around the 'net and I really don't think there is anything to be gained by more complaining. Let the site admins focus on making MR more secure and let's move on.

Then there is the gradually deteriorating tone. There are a couple of discussions going on here where users are basically arguing back and forth. I know of one example because I chose to walk away from one such discussion in this very thread yesterday. Perhaps all this discussion about best password practices needs to continue in another thread and it wouldn't bother me one bit if this thread got closed...

@Aspasia: Funny you should mention using iTunes cards instead of CC. For a long time my approach was to use Paypal. I never gave Apple my CC for my iTunes account until Paypal screwed up a simple $2 Mac app purchase. I've now disconnected PP from iTunes and I have a CC on file for occasional purchases.
 
When I say held accountable I mean like what I have been saying all along. Instead of people saying "well you should have not put that info on MR" why not just say what it is. MR screwed up, and got hacked.
Apparently last night, "say what it is" meant something completely different, because you and Orange were complaining about how MacRumors was communicating during the hours immediately following the hack.

Is it because MacRumors sent the mass email out before 24 hours after coming back online (and put a notice about the hack on the top of virtually every forum page) that you're no longer complaining about the hack communication, and have switched to complaining about them being hacked in general?
 
Oh, my goodness. Surely you've heard of iTunes cards that are sold everywhere in different denominations? Or maybe you haven't.

At any rate, using an iTunes card is an excellent way to control app purchases and more importantly, protect against unauthorized use of your credit card should your device be stolen. Or if iTunes is hacked.

Yes I have heard of iTunes cards. I have not heard of people being so paranoid they won't put their CC on anything on the internet. The time I got my CC info stolen it had nothing to do with the internet. A company that handled CC transactions for a restaurant stole my CC, and sold it. There is just no way to completely protect yourself. I choose to live my life, and hope my CC company can catch fraud on my card.

----------

Apparently last night, "say what it is" meant something completely different, because you and Orange were complaining about how MacRumors was communicating during the hours immediately following the hack.

Is it because MacRumors sent the mass email out before 24 hours after coming back online (and put a notice about the hack on the top of virtually every forum page) that you're no longer complaining about the hack communication, and have switched to complaining about them being hacked in general?

No I still think the communication was garbage. I am now talking about users on MR trying to blame other users for having info on MR.
 
1. I am suggesting like MR (which you claim no one should have personal info on)

I didn't say that. I did say that there's no reason for anyone to be storing any personal information (e.g., home address) on the MR site. You have failed to provide a good reason why anyone needs to ever be sending any personal info on the MR site.

there are other sites which people freely give their personal info away. Apple was just one I thought of off the top of my head. Why you would have an iTunes account without a CC is beyond me.

It's not that hard: you need an iTunes account to register a Mac or iOS device. If you don't want to buy anything on your account, there's no reason to have a CC.

I am merely suggesting that yes while you don't keep personal data on MR. People do.

Given the known risks of vbulletin systems, it makes little sense to store any personal data on such systems.

I am not one of them as I have said many times, and you keep trying to use that.

In this discussion, one user complained about the personal information they had on MR. They said they needed to do that to buy/sell things on the marketplace. That reason made no sense. AFAICT, there's no reason for any MR users to ever send any personal information on the site.

Most anyone would have no issue giving their CC or anything else to Apple for iTunes. I know these are completely different services, but I am just using the fact that no one worries about Apple getting hacked. Which none of the people thought anything about MR either.

For anyone wishing to buy music or software on Apple's store, a CC is essential. OTOH, there's no good reason for anybody to store personal info on any vBulletin-powered website.

Your analogy is a failure. :(

If you want a different example what about the PS network? I did not see anyone screaming they should have not put personal info on that when it got hacked. No one expected it to get hacked. That has nothing to do with having different passwords, or having a service like lastpass. When they hacked it all the CC, and everything else personal was available to them. Same goes for MR. That is the only point I am trying to make.

We still have no idea what your point is. There's no good reason for anyone to store any personal info on a vBulletin website. Contrast with the PlayStation or Apple accounts: anyone who wants to be able to purchase things needs to have their CC stored on those sites. Do you now understand the difference?

We both agree having personal info on MR was not the smartest thing, but it still happened.

It's a careless way to use this particular kind of website. The obvious correction is to never ever store any personal information on MR.

2. Again I will say I do not, nor will I ever put personal info on MR. Why trusted them with that I don't know.

If you manage your passwords (easy with 1P or LastPass) and don't store any personal information on the site, then the only action needed was to change your MR password. That took me 30 seconds. :)

The reason they put it on there was for the market place. People selling and buying. My opinion was that was not smart, but again that does not mean MR is not the blame for the hack.

If those people wish to minimize their exposure on vBulletin websites, they should use unique passwords and have no personal info on the site. Simple.

Yes they did not need to put personal info on the site, but being hacked is something out of their hands.

The impact on them from this kind of a hack is completely in their hands. That's the teachable take-away from this problem.

Guess we will agree to disagree, but I answered your questions to the best of my ability.

I have no idea what you're disagreeing with. We both agree that having personal data on this kind of site or sharing passwords on multiple sites increases your vulnerability on the Internet.
 
I didn't say that. I did say that there's no reason for anyone to be storing any personal information (e.g., home address) on the MR site. You have failed to provide a good reason why anyone needs to ever be sending any personal info on the MR site.



It's not that hard: you need an iTunes account to register a Mac or iOS device. If you don't want to buy anything on your account, there's no reason to have a CC.



Given the known risks of vbulletin systems, it makes little sense to store any personal data on such systems.



In this discussion, one user complained about the personal information they had on MR. They said they needed to do that to buy/sell things on the marketplace. That reason made no sense. AFAICT, there's no reason for any MR users to ever send any personal information on the site.



For anyone wishing to buy music or software on Apple's store, a CC is essential. OTOH, there's no good reason for anybody to store personal info on any vBulletin-powered website.

Your analogy is a failure. :(



We still have no idea what your point is. There's no good reason for anyone to store any personal info on a vBulletin website. Contrast with the PlayStation or Apple accounts: anyone who wants to be able to purchase things needs to have their CC stored on those sites. Do you now understand the difference?



It's a careless way to use this particular kind of website. The obvious correction is to never ever store any personal information on MR.



If you manage your passwords (easy with 1P or LastPass) and don't store any personal information on the site, then the only action needed was to change your MR password. That took me 30 seconds. :)



If those people wish to minimize their exposure on vBulletin websites, they should use unique passwords and have no personal info on the site. Simple.



The impact on them from this kind of a hack is completely in their hands. That's the teachable take-away from this problem.



I have no idea what you're disagreeing with. We both agree that having personal data or sharing passwords on multiple sites increases your vulnerability on the Internet.

So you are completely ok with MR being hacked? Honestly that is just what you have said. Not in those words, but that is what you are saying.

There is personal information of yours on MR whether you like it or not. An email is required to be on MR. Whether they can do anything with that. We really don't know.

Just because you have not put addresses, or PayPal info on MR does not mean it has not been done. My analogy was not a failure. You fail to comprehend it. Yes a CC is required to buy things on Apple, but you could simply buy an iTunes gift card at a store. (Which could also get hacked, and your CC number is stolen, but that is ok cause well you are protected on the internet). So really there is no need to give Apple any information either. But guess what people do. Also guess what people have on MR to buy and sell. Whether you or I agree with it. It has happened. It is just more widely accepted to do so on iTunes. You can keep saying the same stupid crap about why people would put personal info on MR, but that does not change the fact that they did.

And no you are completely wrong. The blame is totally on MR. Being hacked had nothing to do with having personal information on the site. MR was the system that was hacked. That is solely on MR security. No matter how you try to shift the blame on your precious MR. Their security was the issue. Even if there was not personal info on MR. It got hacked. Do you need any more help explaining that?
 
It's not that hard: you need an iTunes account to register a Mac or iOS device. If you don't want to buy anything on your account, there's no reason to have a CC.

----

For anyone wishing to buy music or software on Apple's store, a CC is essential.

----

Contrast with the PlayStation or Apple accounts: anyone who wants to be able to purchase things needs to have their CC stored on those sites. Do you now understand the difference?

I agree with some of your points, but, I don't understand these points about Credit Cards. Lots of students do not have a CC and use iTunes cards bought at the supermarket with cash. In that case, the only exposure is the credit they have in their account.
 
Perhaps it's time for this thread to be retired.

1) MR has posted a sticky thread on EVERY page about the leak.
2) MR has emailed users
3) MR has apologized about all of this

So most of what people were griping about in here has been addressed.
Furthermore, news of this is everywhere around the 'net and I really don't think there is anything to be gained by more complaining. Let the site admins focus on making MR more secure and let's move on.

Then there is the gradually deteriorating tone. There are a couple of discussions going on here where users are basically arguing back and forth. I know of one example because I chose to walk away from one such discussion in this very thread yesterday. Perhaps all this discussion about best password practices needs to continue in another thread and it wouldn't bother me one bit if this thread got closed...

@Aspasia: Funny you should mention using iTunes cards instead of CC. For a long time my approach was to use Paypal. I never gave Apple my CC for my iTunes account until Paypal screwed up a simple $2 Mac app purchase. I've now disconnected PP from iTunes and I have a CC on file for occasional purchases.

In addition to the above, all registered members have now been emailed. I really can't see what more could have been done. In order to gather forensic information in situations like this, it's necessary to allow things to run a while. More info gathered = more chance of preventing this type of attack in future. Since it seems that this was not a malicious intrusion, more of a "I do this because I can" attack. And assuming you have changed the passwords you use here and any that replicate elsewhere, the issue is now one of re-building the site and getting things working again.

With proper passwords and a little intelligence, all should be fine...I don't think the individual was interested in bank and CC account details but it'd be best to check.
 
Been out for a bit.
Noticed the forums down a few days ago for maintenance, but did not bother being cautioned.

Received my email last eve, that was the first I had heard of it. As of yesterday, the top banner said search is down- no biggie.

I was a little taken aback that a tweet did not go out- wonder why.
 
Arn, I think the complaints are valid here. The forums went down approx. Tuesday afternoon. Front page articles continued to be posted. You created a thread at 1:25am EST on Wednesday morning in probably one of the least trafficked sub-forums on the site to notify people. The only tweets from the site or you were that the forums were down and being worked on.

In reviewing your timeline on Twitter, I see you also said TA forums were down. Was that site affected also? I don't see any story on the front page there.


I couldn't care less how Sony or Adobe handled their issues. As soon as you became aware of this, it should have been posted to the front page as well as your social media outlets.

Agreed. The news should have been more visible here and on your social media.
2) MR has emailed users

In addition to the above, all registered members have now been emailed.

Received my email last eve, that was the first I had heard of it.

I have not received any email from MacRumors about this. I have a valid email address listed here, one that I use regularly. Checked the junk folder, etc. :mad: :(
 
http://arstechnica.com/security/201...-860000-passwords-speaks-were-not-terrorists/

Some folks aren't going to like this comment:

"We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason)," the user known simply as Lol wrote. "We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place."

These arrogant asses should have stopped short of grabbing the user tables. The fact that they say "we are not terrorists" does not impress me. And no I do not blame MR. I blame the user "LOL". That is where all the blame for this situation rests. The only blame attributed to MR is their delay getting the word out. The only blame attributed to users is password reuse. But the perpetrator is the user "LOL" and we shouldn't lose sight of that fact despite his (or her) unsubstantiated claim to have "good intentions."
 
In addition to the above, all registered members have now been emailed. I really can't see what more could have been done.

It's easy to find "more" things that could be done. Free advice is always easy. But the truth is that we must face the stupidity (unfriendliness) of hack attacks.

My call is that more than enough was done.

note: I also admit I have not read all 100+ posts of this thread
 
Will you guys just knock it off with the bantering. There are some important questions that have not been answered by MR.

1. Who did this.
2. WHY does one of the hackers still have an account here.
3. Have the proper authorities been contacted.
 
I posted this in the Security Leak thread. This is a compilation of information I have found about the hacker so far:

Hopefully this will clear some things up. There is only one "hacker." His username that he uses on other websites is clockwize0. He simply logged into one of the moderator's accounts, got the encrypted passwords, and paid off somebody to crack arn's password for him (he didn't even do it himself). I have a feeling that he might have targeted some accounts, posted them on the password cracking forum to pay somebody to crack them for him, and used the passwords on a bunch of websites to try to access accounts that use the same password. By the way, anything he says is BS. He can't be trusted. He has accounts on several blackhat websites. He probably didn't even make the "lol" account. Probably just used one of the cracked hashes to take over an account that existed.

Here's the evidence found by Brittany246 and me:

I'm pretty sure this is the "hacker."

http://webcache.googleusercontent.c...377f1b3f7bc1ded4979+&cd=1&hl=en&ct=clnk&gl=us

He edited his post probably before he admitted to it yesterday.

^^^He posted arn's hash and salt and asked them to be cracked for $10 each. He removed them right before his admission on here, but you can still see his original post with the cached version above.

Here's another post from him:
http://forum.insidepro.com/viewtopic.php?p=152944&#152944

Subforum is "Forum Hashes"

He was probably trying to figure out the MacRumors VB3 salt algorithm here: http://forum.insidepro.com/viewtopic.php?p=152431&#152431

Here's a google search exposing all his accounts on blackhat websites:
https://www.google.com/search?clien...e=UTF-8&oe=UTF-8#q=clockwize0&rls=en&start=10

^^^Specifically asking about VBulletin 3 and forum hashes

Here is an older post where he asked to have over 21,000 VBulletin passwords be cracked: http://forum.insidepro.com/viewtopic...r=asc&start=15

^^^Scary stuff. I can't imagine a legal reason for doing this.
 
Honestly I'm not going to moan I use a different password for every website.

BUT!

What does piss me off is the fact that the main page had news postings all day as well as the forum place holder redirecting to other sources and no one thought hmm let's inform everyone. That is sloppy!

What now? I think the site needs to look at 2 things...

1, reduce the number of people with cp access.

2, force them to have long random passwords!!
 
I posted this in the Security Leak thread. This is a compilation of information I have found about the hacker so far:

Hopefully this will clear some things up. There is only one "hacker." His username that he uses on other websites is clockwize0. He simply logged into one of the moderator's accounts, got the encrypted passwords, and paid off somebody to crack arn's password for him (he didn't even do it himself). I have a feeling that he might have targeted some accounts, posted them on the password cracking forum to pay somebody to crack them for him, and used the passwords on a bunch of websites to try to access accounts that use the same password. By the way, anything he says is BS. He can't be trusted. He has accounts on several blackhat websites. He probably didn't even make the "lol" account. Probably just used one of the cracked hashes to take over an account that existed.

Here's the evidence found by Brittany246 and me:



^^^He posted arn's hash and salt and asked them to be cracked for $10 each. He removed them right before his admission on here, but you can still see his original post with the cached version above.



^^^Specifically asking about VBulletin 3 and forum hashes

Here is an older post where he asked to have over 21,000 VBulletin passwords be cracked: http://forum.insidepro.com/viewtopic...r=asc&start=15

^^^Scary stuff. I can't imagine a legal reason for doing this.

Thanks for the info. Like I have said many times in this thread. I have different passwords for different sites that I log into. It just makes you think how crazy people are, and what they could do with information like this. Problem is people like this don't get caught very often.
 
[MOD NOTE]
Thread closed for moderator review.

I've reopened the thread and pruned the last page or two of posts that amounted to off topic bickering. Let's stay on topic; it's not about safe data practices or 1Password vs. Lastpass.
 
[MOD NOTE]
Thread closed for moderator review.

I've reopened the thread and pruned the last page or two of posts that amounted to off topic bickering. Let's stay on topic; it's not about safe data practices or 1Password vs. Lastpass.

Thank you,

Everyone, It seems that my original fear when opening this discussion has come true. You guys are fighting over nothing. There is no reason to be arguing about anything here. This was a discussion on what MR, in my opinion and the opinion of the others involved with me, did incorrectly. While basically anything on the internet sparks arguments there is no reason to argue this much.

While I am still slightly upset by the way this situation was handled, I do have to admit that the MR staff has fixed most of the issues. I did receive an email with information on what to do to protect yourself because of this security breach, and also the main page was updated with a static warning above all other articles. This, in my opinion, fixed most of the issues.

MR staff, thank you for correcting this problem so quickly, however I do have another complaint. The way warnings and timeouts are given is a little annoying. While I have not been in a timeout, I have been warned many times for an issue that is not needed at all. Thread bumping. What is the big deal with it if it's not excessive? I don't see why I should be warned for responding to my own thread. The same goes for calling people "Fanboys" and such, these words are not offensive and if users find them to be offensive, they need to wake up and realize where they are. The Internet. You see, on the internet people tend to have and voice very strong opinions. These opinions can be said in mean or nice ways, but I wouldn't categorize "fanboy" as mean, and I don't believe 90% of this forum would either. I will readily admit I am an Android/Google fanboy, I know "I'm on MacRumors not Android Forums" but I am just stating a fact. Do I or would I get upset, mad, or offended if someone called me a fanboy while praising Google? No. Because there is no reason to get upset over such stupid things.

To be frank, a lot of these issues need to be dealt with and the rules/punishment system needs to be refreshed. We must remember this is a forum. Forums are for open discussion. What is being done lately is basically internet censorship, and we all know what happens to sites that like to censor junk. They go away.

-Matt
 