This is a little irresponsible.

I don't blame MacRumors for being the target of a hack, but this has been going on for over twenty-four hours and you still haven't emailed all users? And the visibility is poor. There is nothing to flag this as attention-worthy and it is just the same as another retail store opening post.

I know you guys are scrambling and trying to figure things out. But you need to email all users, even if they don't come here anymore. You don't have to have all the facts in order, just a brief message on why passwords need to be changed. Forum functionality is not a priority here.

I agree and said the same thing in one of my posts. I didn't even see the message until tonight.
That means my information has been compromised since yesterday and I'm just now finding out about it.
A lot of damage can be done to people's accounts in that time.

Can I ask what email service was compromised?
 
Sadly a daily occurrence these days

As it says, use 1Password for passwords and I use Myemailguru for unique emails addresses that I can kill when this happens...
 
Thanks

First of all thank you for the way you communicated this, shame others don't do the same. I notice that iCloud keychain has problems remembering the password on your site. I use the suggested password in the password reset page, but it is then not saved. Thanks for any advice.
 
Not gonna happen. Thanks tho !

:)

I used to keep all my passwords in an encrypted Excel spreadsheet too. But I have so many now and find I need them at times when I'm away from home. So I bought eWallet. Been using it for about 10 years. I have it on my iPad, my Win8 phone and my PC. It uses 256-bit encryption and is very safe. Plus I don't want a password manager that creates passwords I can't see or remember. eWallet solves both issues for me. If you run Windows I think they still have a trial. The issue of remote hacking is certainly something to consider.
 
If you read the thread in the Feedback forum, I think Arn was unfairly pressured to rush an announcement out ASAP, resulting in this poorly worded statement.

Some important points that people seem to be missing:

1. How many websites alert their users that a breach has occurred so close to the actual event (24 hours)? The answer is very few, especially when they're still working on bringing things back up.

2. An email to all members alerting them about the breach is coming, as Arn has mentioned himself. Even if he didn't mention this, it's common sense that it would be coming soon anyway.

And probably most importantly;

3. A lot of people here seem to think that their passwords are just sitting in plain English in the database, and the hacker now has your password. This is simply not the case, and I think part of the reason for this misunderstanding is Arn's poorly worded statement. Your password first needs to be de-hashed by the hacker. Unless your password was extremely easy, in which case they can reference the value in a rainbow table, they are extremely unlikely to actually obtain your password, even though it is theoretically possible.

Arn really should have got some sleep and waited until the next day to write a properly worded statement rather than give in to the mindless advice dished out to him on the Feedback forum. After all, most websites wait a lot longer to make such an announcement, especially when they're still trying to figure out what's going on.

First of all, arn wasn't forced to make an announcement. He reported what was happening on his own volition. He was only forced to repost it on the front page so that important information could be seen somewhere other than one of the sub forums with the least amount of traffic.

With regards to points 1 and 2, the site's functionality should not have been the priority. The priority should have been security. I would rather have the site go offline than risk users' info. I understand the need to keep things under wraps until things start to get under control (you may not want to let the hackers know you're onto them just yet). But there's a point where you need to realize it's more than you can control and halt operations. I really didn't need to know what Samsung was doing with the new chipsets. If there's a small fire, you stop what you're doing and you could try to put it out on your own. But when it gets out of your control, you need to call for help and warn those nearby. As of now, this email has still not been sent.

Which relates to your third point. It's the easy passwords that hackers are looking for. The people that use "password1234" are going to make mistakes that hackers love. And dehashing is always a possibility, rare or not. And if they are still running these programs right now, I hope those who have no clue aren't compromised.

I appreciate all the hard work arn and his team are putting in. We probably won't know everything they've done for us in this situation. But they're falling short on informing their users, something that could be fixed with a quick email. I would much rather have an email go out too early and then they say "turns out, we weren't hacked. Nothing compromised" than have one not go out until it's too late.
 
Kinda happy this happened; it forced me to discover LastPass and use separate passwords for everything... like I should have been doing.
 
Someone in an earlier thread posted a workaround that will make iCloud Keychain or just Keychain standalone save the password on MR.

Enter your username and password on MR, then DO NOT enter the site yet. Now refresh the Safari page with Command-R. You will then get the pop-up asking if you want to save the PW to Keychain. Go ahead and approve the PW save to Keychain, then after that enter the site. Your username and PW are now saved in Keychain.

This does indeed appear to work. But it's a pity you have to resort to a trick like that.

Also, I noticed that when I used the password change feature on this site, keychain stored my suggested password, but with a user name that was my e-mail address!

And heaven help you if you change the password, go for a new suggested value, but clear the e-mail fields. keychain will store it, but form validation fails. You can rapidly be in a situation where you need to resort to the old password-reset-and-email route.

I'm guessing this site uses an off-the-shelf backend forum. In which case it might be a bit of bother to make sure that it works with keychain properly. If not, it really does need sorting out.
 
That's ********, it's not "theoretically possible". It's absolutely trivial. De-hashing a password is a simple matter, with software widely available to do it.

If you have a strong password and if the website uses a good hashing algorithm, then it's almost impossible. But most people don't have strong passwords and vBulletin doesn't use a good hashing algorithm.

According to vBulletin's support team this is what they do: "md5(md5(password)salt)". That is a TERRIBLE hashing technique and highly susceptible to brute force attacks. Everybody should assume the attacker has either already got access to their cleartext password (if they have a normal strength password) or will have it in a few days/weeks (if they have an unusually strong password).

After looking in to it further, yes you are right regarding the password de-hashing. The process is trivial in this case. I eat my words and have edited my post.

Serves me right for commenting on something I have no expertise in!
 
Was very nice, participating in the MacRumor forums. But I do not want to participate, anymore :(
Bye!
 
So what is the likelihood of these hackers actually getting into other sites that we personally use? What kind of possibilities are we talking about here?

I just started using iCloud keychain for all my websites and accounts, allowing it to create unique passwords.

I guess I am one of those people that use about 5 different variations of the same password. This actually woke me up, no more of that.
 
Was very nice, participating in the MacRumor forums. But I do not want to participate, anymore :(
Bye!

:( You might as well stay now that something like this has already happened. There's a very low chance it will happen again soon because security should be improved over the next few days.
 
What an unfortunate situation.

Thanks to Mac Rumors for sorting all this out and quickly getting the forum back up and running. I changed my password straight away, but I tend to change it regularly anyway. I can't understand why posters use the same usernames, passwords etc. across multiple sites. This is the internet and these kinds of breaches have occurred since the internet went live.

Some of the comments here criticising MR are just pathetic. The announcement was made when it needed to be made. I'm sure the admins were busy trying to rectify the problems rather than taking the time to publish an announcement that in hindsight was going to be scrutinised and ripped apart by some of the ungrateful posters here.

Mac Rumors is a free service and we are lucky to be able to use it. Posting is a privilege, not a right. It's about time we remember that.

----------

Was very nice, participating in the MacRumor forums. But I do not want to participate, anymore :(
Bye!
All the best. :)
 
All this is why I use a different email address (at my own domain) for every single site I register with. So even if they figure out my password, there's no way of linking it to a different site. Also, it's easy to spot when any site's addresses have been leaked to spam merchants.
 