Who cares if your details are stolen / known / cracked. Surely people have enough common sense to realise that this is just another website where everyone on the internet (i.e. China) can gain access to it. As a result you surely won't use the same login you use on other websites / portals where personal details are stored, such as CC or address :)
 
Only the people that have come onto the site and have read this know about it.

There's still thousands and thousands of users out there who are unaware of this.

Well I discovered it from their post on Facebook, but yeah I agree, an email should have definitely been sent out at the very least...
 
All of you saying you're getting suspicious activity reports from email providers, other sites, iMessage, FaceTime, etc.

Did these services share the same password as your MacRumors account, or was it a different password and you still got these notices?

I really doubt that anyone here is so important where it is worth trying to de-hash the password, assume the same email is used on other websites and then going through all of them. I think some people are blowing it out of proportion ...
 
Working on getting the forums fully functional......... What about emailing everyone??? WTF MacRumors? Shouldn't this be first priority??
 
Only the people that have come onto the site and have read this know about it.

There's still thousands and thousands of users out there who are unaware of this.

Good point, vBulletin has the option to send out emails to all registered users ....
 
I really doubt that anyone here is so important where it is worth trying to de-hash the password, assume the same email is used on other websites and then going through all of them. I think some people are blowing it out of proportion ...

Then why did I get an alert saying that my iMessage and FaceTime were added to some random device when I haven't used any new devices today? I'm sure they at least tried Apple ID since this is an Apple-oriented website.
 
Woah! It's a good thing my passwords are all different... still would have liked an automatic password reset and notification via email. I thought it was routine maintenance that shut the site down and nothing abnormal... just saw this now, and I usually don't miss stuff like this. I've been a moderator on high-traffic forums as well as an admin on some smaller forums, and it is tough to wrangle everything together, but still. Regardless, I'm not upset with MR's staff at all, just hope you guys get this all figured out.
 
Then why did I get an alert saying that my iMessage and FaceTime were added to some random device when I haven't used any new devices today? I'm sure they at least tried Apple ID since this is an Apple-oriented website.


Have you ever looked at your signature? They know every product you own.
 
Were passwords hashed, salted, plain text...?

Mine had poppy seeds :p

Their 'explanation' is written like a political answer.

------


Way to go on not updating us on what was wrong, saying it was under 'maintenance' and then nothing on your Twitter about it either. Way to fail guys, way to fail.

I had been telling you that you should have done Facebook logins as an option; I think I explained the better level of security of using it to sandboxgeneral…. You wouldn't have been in such a predicament for many or most members. I guess this is what happens when being cheap on the security side.
 
Woah! It's a good thing my passwords are all different... still would have liked an automatic password reset and notification via email. I thought it was routine maintenance that shut the site down and nothing abnormal... just saw this now, and I usually don't miss stuff like this. I've been a moderator on high-traffic forums as well as an admin on some smaller forums, and it is tough to wrangle everything together, but still. Regardless, I'm not upset with MR's staff at all, just hope you guys get this all figured out.

It was somewhat misleading by just saying it was maintenance in the beginning. Not sure if there is any issue with saying it was a security breach in the very beginning, but that would have been nice.
 
If I find any hacking of my account, I create a new one. Ran into this leaked password/useraccount stuff so often yet it never gave any real problems. Just keep important stuff and "crap" like MacRumors forums separate.
 
I really doubt that anyone here is so important where it is worth trying to de-hash the password, assume the same email is used on other websites and then going through all of them. I think some people are blowing it out of proportion ...

But that's the whole point. It's not about one important person. It's about a large group of unimportant, average people who are foolish enough to repeat login credentials. And these hackers could potentially cook up a little program where it takes a couple hundred email addresses with corresponding passwords and checks them against other websites. In this case there'd be an emphasis on Apple-related sites/services, too, and it would only take a couple seconds for the program to run.

I'd like to think people are smart enough to use different passwords. I'd also like to think people know how to reset their iPhones, but I look in the forums and am disappointed.
 
But that's the whole point. It's not about one important person. It's about a large group of unimportant, average people who are foolish enough to repeat login credentials. And these hackers could potentially cook up a little program where it takes a couple hundred email addresses with corresponding passwords and checks them against other websites. In this case there'd be an emphasis on Apple-related sites/services, too and it would only take a couple seconds for the program to run.

I'd like to think people are smart enough to use different passwords. I'd also like to think people know how to reset their iPhones, but I look in the forums and am disappointed.

I find it hard to remember different passwords. I try to create one very complex password that I use so much it becomes muscle memory. But, then stuff like this happens... I will be using iCloud Keychain from now on to force myself to generate different passwords. I just hope the ones generated from iCloud are complex enough.
 
If you read the thread in the Feedback forum, I think Arn was unfairly pressured to rush an announcement out ASAP, resulting in this poorly worded statement.

Some important points that people seem to be missing:

1. How many websites alert their users that a breach has occurred so close to the actual event (24 hours)? The answer is very few, especially when they're still working on bringing things back up.

2. An email to all members alerting them about the breach is coming, as Arn has mentioned himself. Even if he didn't mention this, it's common sense that it would be coming soon anyway.

And probably most importantly;

3. <point 3 retracted, I'm wrong on this one>

Arn really should have got some sleep and waited until the next day to write a properly worded statement rather than give in to the mindless advice dished out to him on the Feedback forum. After all, most websites wait a lot longer to make such an announcement, especially when they're still trying to figure out what's going on.
 
I find it hard to remember different passwords. I try to create one very complex password that I use so much it becomes muscle memory. But, then stuff like this happens... I will be using iCloud Keychain from now on to force myself to generate different passwords. I just hope the ones generated from iCloud are complex enough.

I'm the same as you. Now I'm panicking since I try to use the same password for all websites. :(
 
How ironic, we just talked about this in E-Commerce class today.

"should a company announce a security leak right away before the media gets wind of it or wait til they know what happened exactly and how to fix it?"

Coincidental, not ironic.
 
I really doubt that anyone here is so important where it is worth trying to de-hash the password, assume the same email is used on other websites and then going through all of them. I think some people are blowing it out of proportion ...

I think you're underestimating the type of "shortcuts" and programs available to hackers today that could make searching, filtering, and cross-referencing accounts, profiles, and information relatively quick and easy.

They're not looking for a specific "important" person, they're looking for anybody who they can collect enough information on to gain access to valuable information.

There are already people in this thread reporting that other email accounts and websites are sending them notices that there have been successful logins or attempted log-ins from unusual locations and IPs.
 
There are already people in this thread reporting that other email accounts and websites are sending them notices that there have been successful logins or attempted log-ins from unusual locations and IPs.

They should send the IPs to arn. It might help in the search for what caused this. Unfortunately, all I know is that my iMessage/FaceTime was added to " " (it's just blank, no device name), so I don't have any kind of identification of the culprit(s).
 
I just changed my passwords. I had made the mistake of having similar passwords on a couple of sites, and it looks like there is suspicious activity on one of them.
MacRumors, you should have sent out notices immediately, as soon as you knew this had occurred.
As far as we knew the forums were just down for maintenance. So that means they were down for over a day before we knew that our info was compromised.
You should have let us know about this AS SOON AS YOU FOUND OUT!
 
If you read the thread in the Feedback forum, I think Arn was unfairly pressured to rush an announcement out ASAP, resulting in this poorly worded statement.

Some important points that people seem to be missing:

1. How many websites alert their users that a breach has occurred so close to the actual event (24 hours)? The answer is very few, especially when they're still working on bringing things back up.

Proper sysadmins will take their site offline, then notify users, and then start working on bringing the site back online. Clearly that's not what happened here.

2. An email to all members alerting them about the breach is coming, as Arn has mentioned himself. Even if he didn't mention this, it's common sense that it would be coming soon anyway.

He should have sent the email first, before anything else.

And probably most importantly;

3. A lot of people here seem to think that their passwords are just sitting in plain English in the database, and the hacker now has your password. This is simply not the case, and I think part of the reason for this misunderstanding is Arn's poorly worded statement. Your password first needs to be de-hashed by the hacker. Unless your password was extremely easy, in which case they can reference the value in a rainbow table, they are extremely unlikely to actually obtain your password, even though it is theoretically possible.
That's ********, it's not "theoretically possible". It's absolutely trivial. De-hashing a password is a simple matter, with software widely available to do it.

If you have a strong password and if the website uses a good hashing algorithm, then it's almost impossible. But most people don't have strong passwords and vBulletin doesn't use a good hashing algorithm.

According to vBulletin's support team this is what they do: "md5(md5(password)salt)". That is a TERRIBLE hashing technique and highly susceptible to brute force attacks. Everybody should assume the attacker has either already got access to their cleartext password (if they have a normal strength password) or will have it in a few days/weeks (if they have an unusually strong password).

Arn really should have got some sleep and waited until the next day to write a properly worded statement rather than give in to the mindless advice dished out to him on the Feedback forum. After all, most websites wait a lot longer to make such an announcement, especially when they're still trying to figure out what's going on.
Nope, I disagree and will reiterate: Arn should have taken forums.macrumors.com offline, then notified users, then got some sleep, then brought it back online.
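To make the hashing point in the post above concrete, here is an added example (not code from this thread, from MacRumors or from vBulletin). It reimplements the scheme exactly as the post quotes it, md5(md5(password) + salt), with the per-user salt stored beside the hash as a dump would contain it, runs a plain dictionary attack against three constructed rows, and times one guess against PBKDF2-HMAC-SHA256 for comparison. The usernames, salts, passwords and wordlist are all made up for the demonstration; the 600,000-iteration PBKDF2 setting is an assumption chosen only to show the cost difference.

```python
import hashlib
import time


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def vbulletin_hash(password: str, salt: str) -> str:
    """Reimplementation of the scheme the post quotes: md5(md5(password) . salt).

    Two MD5 calls per guess. The salt defeats precomputed rainbow tables, but it
    does not slow down an attacker who holds the dump, because the salt sits in
    the same table row as the hash.
    """
    return md5_hex(md5_hex(password) + salt)


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """Deliberately slow alternative (PBKDF2-HMAC-SHA256) used only for the cost comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_sample_dump():
    """Constructed rows in the (user, salt, hash) shape of a leaked user table. Not real data."""
    rows = [
        ("alice", "k3L9q", "password"),                            # typical weak password
        ("bob",   "Zx1pQ", "macrumors"),                           # site-themed guess
        ("carol", "7mWe2", "correct-horse-battery-staple-9f3a"),   # deliberately not in the wordlist
    ]
    return [(user, salt, vbulletin_hash(pw, salt)) for user, salt, pw in rows]


# Constructed mini wordlist; a real attacker uses millions of entries plus mangling rules.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "macrumors", "iphone5"]


def dictionary_attack(dump, wordlist):
    """Offline attack: for every row, rehash each candidate with that row's own salt."""
    recovered = {}
    for user, salt, digest in dump:
        for guess in wordlist:
            if vbulletin_hash(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered


def seconds_per_guess(hash_fn, n: int) -> float:
    """Wall-clock cost of one guess for hash_fn; only the ratio between schemes matters."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn(f"guess{i}")
    return (time.perf_counter() - start) / n


def cost_ratio() -> float:
    """How many vBulletin-style guesses fit in the time of a single PBKDF2 guess."""
    fast = seconds_per_guess(lambda p: vbulletin_hash(p, "k3L9q"), 20_000)
    slow = seconds_per_guess(lambda p: pbkdf2_hash(p, b"k3L9q"), 3)
    return slow / fast


if __name__ == "__main__":
    dump = make_sample_dump()
    print("recovered:", dictionary_attack(dump, SAMPLE_WORDLIST))
    print(f"one PBKDF2 guess costs about as much as {cost_ratio():,.0f} vBulletin-style guesses")
```

Running it recovers alice's and bob's passwords from the six-word list in well under a second while carol's passphrase survives, which is the whole argument of the post: the salt stops a shared rainbow table, not per-user guessing, and the only things that raise the attacker's cost are a slow hash on the server side and an unguessable password on the user side.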
 
I think you're underestimating the type of "shortcuts" and programs available to hackers today that could make searching, filtering, and cross-referencing accounts, profiles, and information relatively quick and easy.

They're not looking for a specific "important" person, they're looking for anybody who they can collect enough information on to gain access to valuable information.

There are already people in this thread reporting that other email accounts and websites are sending them notices that there have been successful logins or attempted log-ins from unusual locations and IPs.

I'm getting weird emails, and on at least one of my accounts some of the security info was changed. I am extremely upset by this.
We should have been told of the breach a lot sooner!
 