MacRumors Forums: Security Leak

[Traverse]

So can they have my email?

The only info I have on this site are a username, password, and misc. email. It may not be me main email, but I'd had to have it violated.....

 

[bobwill]

Already been using lastpass for more than a year. Not a big deal.

 

[Peace]

If MacRumors was really taking this as seriously as they portray to be then the article on the front page would stay at the top of the page for an extended period of time. Instead the article has already been pushed down by two other articles and tomorrow it probably won't even be on the front page anymore. Almost seems intentional to try and get it off of the front page as soon as possible. Not surprised that it wasn't a second page story.

This is a good textbook case of how not to handle security and and how not to react to being hacked.

I'm sorry but to imply MR is purposefully trying to hide this is not correct.

All the writers know what to do is click post and the article is automatically listed. It's not done on purpose although it could be seen that way. It's actually the way the site is designed. The only way to post something and keep it on top is to go into the templates and change them. That would take a while so far all we know they may be working on this as we type.

It would be a good idea to try and make a link at the top of the main template and reboot the website.

 

[djtech42]

Hope we find out who did it soon!

 

[Trauma1]

This is a little irresponsible.

I don't blame MacRumors for being the target of a hack, but this has been going on for over twenty-four hours and you still haven't emailed all users? And the visibility is poor. There is nothing to flag this as attention-worthy and it is just the same as another retail store opening post.

I know you guys are scrambling and trying to figure things out. But you need to email all users, even if they don't come here anymore. You don't have to have all the facts in order, just a brief message on why passwords need to be changed. Forum functionality is not a priority here.

 

[djtech42]

This is a little irresponsible.

I don't blame MacRumors for being the target of a hack, but this has been going on for over twenty-four hours and you still haven't emailed all users? And the visibility is poor. There is nothing to flag this as attention-worthy and it is just the same as another retail store opening posts.

I know you guys are scrambling and trying to figure things out. But you need to email all users, even if they don't come here anymore. You don't have to have all the facts in order, just a brief message on why passwords need to be changed. Forum functionality is not a priority here.

They should also reset everybody's passwords (and log them off) so that people are forced to find out about the news and change their passwords. The email could tell them about the attack and give them a link to change their password.

 

[Jimbo47]

At least force everybody signing in to view this thread before they can do anything else. I can't remember if that is default or if it requires a modification.

 

[davideotape]

Im pretty sure "sticky"ing this thread would take an admin 30 seconds

 

[tutubibi]

This is a little irresponsible.

I don't blame MacRumors for being the target of a hack, but this has been going on for over twenty-four hours and you still haven't emailed all users? And the visibility is poor. There is nothing to flag this as attention-worthy and it is just the same as another retail store opening post.

I know you guys are scrambling and trying to figure things out. But you need to email all users, even if they don't come here anymore. You don't have to have all the facts in order, just a brief message on why passwords need to be changed. Forum functionality is not a priority here.

Agree 100%.

I found about this breach reading Ars ...

This should be on top of the home page in BIG BOLD LETTERS, not just another post that's already drifting out of the view.

Can somebody clarify what other profile information was there for picking on top of username, password hash and email?

 

[unplugme71]

i don't understand why the internet still uses md5. Isn't sha256 much more secure?

sha512

 

[Peace]

Im pretty sure "sticky"ing this thread would take an admin 30 seconds

Now that can be done easily. I agree it should be a sticky but that won't let everybody see the info. A lot of users just use the forum spy and rarely view MR by discussion thread hierarchy.

The spy and the main page are the most viewed I believe.

And it's been done.

Thanks guys.

 

[Trauma1]

The only way to post something and keep it on top is to go into the templates and change them. That would take a while so far all we know they may be working on this as we type.

Well obviously that's not true. At the top of the main page the iPad mini Retina being for sale is prominently displayed. And that just went for sale today.

 

[Jimbo47]

Looks like a notice is being put up now.

 

[djtech42]

Thankfully a link to the article is in bold at the top now in the forums and the forum spy. Only place where it isn't at the top is the front page, so that will need some work.

 

[abhibeckert]

Can an admin please just delete my account instead?

Thanks.

 

[Peace]

Well obviously that's not true. At the top of the main page the iPad mini Retina being for sale is prominently displayed. And that just went for sale today.

Your concept of " a while " and mine vary greatly.

 

[brentsg]

Hopefully the hacker was attempting to rid the site of the ridiculous in-thread advertisements.

 

[JayCee842]

How do I change my password??? Should I be worried??

 

[MacVidCards]

Agree 100%.

I found about this breach reading Ars ...

This should be on top of the home page in BIG BOLD LETTERS, not just another post that's already drifting out of the view.

Can somebody clarify what other profile information was there for picking on top of username, password hash and email?

Yeah, the truly irritating thing was that originally this was just a footnote on the "Site Feedback" section.

I went there this AM to see why the outage had happened.

I expected to read about spilled coffee on a server or perhaps a virus or worm, but instead saw this:

https://forums.macrumors.com/threads/1670477/

And there it was hidden..."oh by the way, looks like they got everyone's info"

(paraphrased).

Only after urging from people who found the thread was a news story generated.

Getting word out to change passwrords should have been #1, WELL before updating news page.

And first word about this should NOT have been buried in the site feedback section.

 

[egeek84]

Thanks for letting us know, just got done changing my password!

 

[abhibeckert]

Yeah, the truly irritating thing was that originally this was just a footnote on the "Site Feedback" section.

Which is why I just want someone to delete my account, if they don't take security seriously then I don't want any personal info on the site, including my email address.

 

[JayCee842]

Which is why I just want someone to delete my account, if they don't take security seriously then I don't want any personal info on the site, including my email address.

Same here. I just had to confirm my email address and security question THREE TIMES because of unusual activity. I had to do these on two of my email accounts.

 

[Trauma1]

Thanks for letting us know, just got done changing my password!

Only the people that have come onto the site and have read this know about it.

There's still thousands and thousands of users out there who are unaware of this.

 

[psylence2k]

All of you saying you're getting suspicious activity reports from email providers, other sites, imesssage,facetime, etc.

Did these services share the same password as your macrumors account or was it a different password and you still got these notices ??

 

[benji888]

When creating your new passwords, please keep this XKCD comic in mind and maybe we'll all have secure, easy to remember passwords:
Image

Is this really true?