MacRumors Forums: Security Leak

[oliversl]

At what time was the hack? I just received yesterday an email from Google saying someone accessed my gmail account from San Jose, CA, USA, with IP 173.245.67.55

Thanks

 

[MacVidCards]

Uh, gee MacRumors. If you were hacked, why not email your members to change their passwords, instead of posting it on your front page. Not everyone checks your site on a daily basis.

This.

I'll bet there are folks who only come here to ask questions when they can't load "Angry Birds 2" on their iPod.

And some of them might use same email and password on their bank/Paypal sites.

So if they don't happen to come by here, that gives the hackers a few weeks to empty their accounts out.

When other sites I belong to have been hacked they sent an immediate email with details and instructions to start changing passwords.

Seems like that should be standard protocol.

 

[iSRS]

Interesting. I use a Yahoo email for my profile on this site. I received a notification from Yahoo saying my account was locked due to suspicious activity. I was surprised, as I hadn't been doing anything with it in the last few days.

Wonder if they were trying to hack into my Yahoo account from data stolen here?

I use a different password for every site that I have an account, and several different user names across those various sites.

Ha, that's the exactly same thing that happened to me yesterday. So the hacker uses our emails registered with MacRumors and tried to get to Yahoo email accounts, using the same passwords. I didn't use the same password, so I guess they failed. But they could get into someone else account.

Did anyone else have the iMessage/FaceTime message or the Yahoo break-in attempt? I want to know if this was an active attack across accounts. Not good if you used the same password for everything before the attack.

I got the "need to change your yahoo" email/notification this morning. I don't use yahoo email for this site though. Not iMessage/FaceTime because that is another account altogether for me.

Same problem here, I cannot get MacRumors to work with iCloud Keychain.

1. Latest version of Mavericks on MacBook Air.
2. iCloud Keychain will offer to generate a password for me (and it autofills the fields when offered).
3. Try to login on MacRumors and it will never autofill the fields.
4. Using latest version of Safari, I have "AutoFill user names and passwords" and "Allow AutoFill even for websites that..." checked in the preferences.
5. Disabling popup blocking, disabling Safari Extensions, and restarting Safari and the Mac did not help.
6. MacRumors does not show up in the Passwords section of the Safari preferences, nor in the Keychain Access app. In other words, it offered to save the password for me, generated a password for me, and filled it, but seems like it never saved it.
7. Also tried it on the iPad winning iOS 7.0.3, same deal there.
8. I have other sites that are working with iCloud Keychain (and are visible int he preferences and in Keychain Access, so I know it's not that the whole thing is not working.

Any ideas what I'm doing wrong?

It worked on my iPad. It didn't at first, but I hadn't enabled it on my iPad, which I thought I did. Once I did, worked like a charm.

Same here

I mean, will not be losing any sleep over this. Changed my pass. Thanks MacRumors for being open and honest.

Yeah, agreed. I live in a state (won't say here, dislike the place) that the DOR was hacked last year. SSN, financial info, DOB, etc. all hacked. Took over a month for them to make it known.

 

[Dave-Z]

And some of them might use same email and password on their bank/Paypal sites.

Not MacRumors fault. People need to take ownership of their own lack of security practice.

 

[dec.]

I'm switching to AndroidRumors asap. Sorry.

 

[charlieroberts]

Just changed my password using the safari suggested password, and have done this for all my accounts recently. Really useful tool.

I tried doing this but then safari would not autofill the password, and i can't find it anywhere. Had to change it again via recovery.

did it just work for you?

 

[Stewie]

I decided to give icloud keychain a try, 3 passwords later and I've given up. Back to something I can remember.

Try lastpass free and much better then iCloud keychain.

 

[yg17]

Not MacRumors fault. People need to take ownership of their own lack of security practice.

I use the same password for some online banking accounts, what's someone gonna do with it? See that I ate at Panda Express for dinner and pay my credit card bill?

 

[Giuly]

Am I the only one who was just logged out?

 

[AppleScruff1]

For the record, all the warnings and timeouts I received in the past were when someone hacked my account.

 

[caesarp]

Someone explain to me why this is a big deal? In other words, so what if someone has my username and password here. So they can post as me and make snarky remarks about apple products?

It's not like my credit card info or SSNs are stored here. So what is the concern? Please explain.

----------

how ironic we just talked about this in ECommerce class today.

"should a company announce a security leak right away before the media gets wind of it or wait til they know what happened exactly and how to fix it?"

If you don't know what happened there is nothing to announce. Maybe no personal info was accessed. If so, not a breach under most state laws.

 

[OSMac]

Someone explain to me why this is a big deal? In other words, so what if someone has my username and password here. So they can post as me and make snarky remarks about apple products?

It's not like my credit card info or SSNs are stored here. So what is the concern? Please explain.

Think it's a concern that they have your email too.

Some people may use the same password here and for other services that can be accessed with a email address, Paypal, google, apple App Store etc.

 

[V.K.]

it's coming

arn

good to know. thanks for sharing.

 

[Steviejobz]

Just checked and my old password was qwerty. Looks like I wasn't too concerned with security to begin with.

mine was "macrumours" figured the hackers would not be from UK and use the wrong spelling.

 

[Primejimbo]

I changed my passcode for this and other sites. I am now using iCloud keychain and letting it make my pass codes. I also changed PayPal, eBay, and others. So they all have a different pass code. They also had different pass codes, but I would change 1-2 letters.

I just wish iCloud had an export option or something.

 

[Peace]

The scariest day in MacRumors history.

Obviously you've not seen very many keynotes via MR.

 

[Steviejobz]

it's coming

arn

In fairness the only one of my 100 sites that warned me by email was Soap.com and I never use that site anymore.

 

[Primejimbo]

Someone explain to me why this is a big deal? In other words, so what if someone has my username and password here. So they can post as me and make snarky remarks about apple products?

It's not like my credit card info or SSNs are stored here.

A lot of people will use the same email and pass code for other things. Many many years ago I did the same for my email account and eBay. I learned the hard way and thankfully it wasn't bad

 

[madmacfan]

Thanks for letting us know. I've not had an email about unauthorized access though. Have changed all of my passwords just to be on the safe side.

 

[dolphin842]

Any chance the forums will get SSL/TLS support? How are passwords sent currently when logging in?

 

[caesarp]

Think it's a concern that they have your email too.

Some people may use the same password here and for other services that can be accessed with a email address, Paypal, google, apple App Store etc.

Yeah but they would have to use the same username also and the bad guys would have to randomly try different sites. Not likely. I think the concerns are way overblown and exaggerated.

Unless an individual is specifically targeted for time consuming efforts by the bad guys I don't see the real danger from a forum password. Maybe spam. that's it via the email address. Easily handled via filters.

----------

A lot of people will use the same email and pass code for other things. Many many years ago I did the same for my email account and eBay. I learned the hard way and thankfully it wasn't bad

So the bad guys will take thousands of emails and manually try various sites?

 

[dumastudetto]

So the bad guys will take thousands of emails and manually try various sites?

They will have automated methods to test matching credentials against target websites.

 

[iDuel]

Thanks for keeping us informed.

 

[Ledgem]

Someone explain to me why this is a big deal? In other words, so what if someone has my username and password here. So they can post as me and make snarky remarks about apple products?

It's not like my credit card info or SSNs are stored here. So what is the concern? Please explain.

The worst they can do? Learn your email address, your user name, and your password. If your password wasn't created with a random generator, then they'd have an idea of how you choose your passwords. If you use the same username on any other sites, they'd likely be able to gain access to them. If any of those sites have security questions, they might be able to gain access to your answers. All of this information can be compiled and then used against juicier targets than web forums, where they can gain even more details about you. At absolute worst, this could lead to identity theft, leaving you to clean up a credit mess after a criminal went on a spending or activity spree, posing as you.

Is it likely that this would actually happen? It doesn't seem like it, but these types of things are unfortunately very common and their incidence only seems to be increasing. As the saying goes, "it isn't paranoia if they really are out to get you." Your information and identity has monetary value to a lot of people, so consider that they are indeed out to get you, and operate accordingly.

 

[caesarp]

They will have automated methods to test matching credentials against target websites.

Well my email here and password do not match anything dealing with money or personal info on another site. And not because I'm careful. It's because the requirements to login are so different everywhere. I'm not worried.