So.

Ubuntu forums were hacked back in July. They have even published a post mortem on this since.

And you, dear MR, were sitting on your butts ALL THAT FREAKING TIME despite using the same kind of forum software?

HOW FREAKIN' WISE, COMPETENT AND PROFESSIONAL OF YOU.

Pfui!
 
Hmmm, haters gonna hate, I think.

Password changing took me an hour and a half (for all accounts like Twitter, FB, iCloud etc.), but I am feeling happy about refreshing my password (3 years old and so on).

lol, woke up at 4am local time and changed all mine right down the line before I got ready for work, thought I was the only one.
 
They definitely saw the passwords because yesterday I got a notice from Yahoo that my email account was locked because of suspicious activity. This seems to coincide with others who had issues accessing their email provider at the same time.

+1, changed that also
 
heh :p

I decided to use the iCloud password generator for forums from now on. I have my iPhone 99% of the time with me, so the long and random password is not a problem.
 
Looks like somebody ignored the patch notification from vBulletin they got via email a few months ago, or are/were on such an old version of vBulletin no patch was issued.

When you heavily modify a package like vBulletin, you are agreeing to take on the effort of merging your changes and modifications when the vendor issues security patches in order to protect your users.
 
Does anyone think the hacker(s) are looking at this thread, to see the user names that respond, and targeting them for website hacking across the web on other forums first?

My early morning conspiracy theory....
 
I don't really understand the outrage. Yes, it's an unfortunate situation, but all you need to do is change your password.

If you are not using a unique password for each forum/website you use then, well, that's your fault.
 
First of all, arn wasn't forced to make an announcement. He reported what was happening on his own volition. He was only forced to repost it on the front page so that important information could be seen somewhere other than one of the sub forums with the least amount of traffic.

I think you will find there are some laws in place that require the site to notify anyone who is affected by this.
 
Ah, that warm feeling when you know you used a unique password for MacRumors as well as a unique username and a unique email address, lol. Not even gonna bother changing my password on here. Hacking my MR account would be as extremely boring as hacking someone's FB. You get in and then don't know what to do. Not like I have any items to have stolen on my MR account, haha.
 
You don't know your current password? Have you been logged in since 2007?

:eek:

Essentially yes. I'm auto logged into most sites I visit that I have accounts with like here, Facebook, Amazon, IMDB, etc. Not stuff like banking though. But most I do know my password for but not this one.
 
When creating your new passwords, please keep this XKCD comic in mind and maybe we'll all have secure, easy to remember passwords:

Well, that is true if you brute force only - however, if you try to hack a password, I would always try combinations of words, and you can find word lists easily, and then it would take a lot less time.
 
They are vBulletin's standard MD5 hashed and salted, which is not that strong, so assume that your password can be determined with time.

arn

I'm trying to change it but I get this:

"Please complete the required field "Email"."

Even though it says Email is optional. Can you fix this?
 
:confused: Is this really true?

Yes. Length makes your password far harder for an automated attack against your password than symbols do. People are extremely predictable when it comes to the ways they'll use symbols (and even if they weren't, it would still be trivial for a script to run through every possibility in a matter of minutes-hours.)

Never use a password shorter than 12 characters, but getting it to be 20-30 characters long is much safer. Also, don't reuse passwords - you never know how securely anyone will handle your password. You wouldn't want someone to get your email password just because some intern at Adobe didn't know you should encrypt passwords, for example, because most websites use your email as their recovery mechanism. Meaning a person targeting you could then get everything else they might want.
 

Why MacRumors doesn't salt then pepper makes no sense.

They should be salting and passing that salt through another server that will pepper the salt with foreign characters, then let only the webserver's IP be able to de-pepper passwords.

If you get hacked, you just roll the pepper server's key.
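The salt-plus-pepper idea in the post above, worked through as an added example (not MacRumors' or vBulletin's code). It assumes a per-user salt stored beside the digest, a pepper key the web tier loads from outside the database (standing in for the separate pepper server), PBKDF2 in place of plain MD5 so a leaked table cannot be attacked at MD5 speed, and it shows what happens to existing digests when the pepper key is rolled.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: iteration count tuned so one verification costs ~100 ms on the web server.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, pepper_key: bytes,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is stored in the DB; pepper_key is not."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    # Slow, salted stretch: identical passwords get different digests
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Pepper: keyed MAC with a secret held outside the database, so a dumped
    # users table alone is not enough to start guessing
    digest = hmac.new(pepper_key, stretched, "sha256").digest()
    return salt, digest


def verify_password(password: str, pepper_key: bytes, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, pepper_key, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def demo() -> dict:
    # Constructed keys and passphrase for the example; a real pepper comes from a KMS or env var.
    pepper_v1 = bytes.fromhex("00" * 32)
    passphrase = "correct horse battery staple"
    salt, stored = hash_password(passphrase, pepper_v1)
    ok = verify_password(passphrase, pepper_v1, salt, stored)
    wrong = verify_password("Tr0ub4dor&3", pepper_v1, salt, stored)
    # Rolling the pepper key: stored digests stop verifying, so a rotation
    # needs a forced reset or a re-hash at each user's next successful login.
    pepper_v2 = bytes.fromhex("11" * 32)
    after_roll = verify_password(passphrase, pepper_v2, salt, stored)
    return {"ok": ok, "wrong": wrong, "after_roll": after_roll}


if __name__ == "__main__":
    print(demo())
```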
 
The worst they can do? Learn your email address, your user name, and your password. If your password wasn't created with a random generator, then they'd have an idea of how you choose your passwords. If you use the same username on any other sites, they'd likely be able to gain access to them.

No they wouldn't, unless they also hack those other sites' databases. They can use brute-force methods to reconstruct my password from a hash code, but they can't use brute force directly for logging into a website since most sites won't give them unlimited login attempts.
 

Suppose your word list has just 1000 words (kind of on the short side for a word list.) 1000^4 is 1,000,000,000,000. No human being is going to make that many guesses. A computer wouldn't make that many guesses either. And like I mentioned, that's a short word list - you probably can't even assemble most passwords made with this method using your 1000 word word list (and if your list is longer, the number of guesses you have to make goes up exponentially.)
 

Actually the US state laws generally require consumer notification only where SSN or credit card or banking info is revealed. Most data breach laws do not address emails and passwords. And yes, I do this for a living. Contact me if you need legal advice on data breaches. Legally no notification was required for this incident. Ethically? That's another story.

And federal law would not apply unless HIPAA HITECH (medical information) was implicated.

Macrumors. Contact me if you require further advice on this.
 


Don't speak of what you do not know. You can't change forum software like a pair of underwear. It's not even remotely close to being that easy. The downtime would be a few days and things would never match up exactly. There would be so many bugs, problems and user gripes that it's not even funny. So yeah, 98% of internet forums use vBulletin. Go talk to them about their software, not the people that use it.

A FREE site and you're bitching about software that costs money. :rolleyes:
 

Are you serious?

18 hours to go from WTF is happening to guys, change your passwords seems reasonable to me.

People need to get a grip, use password managers and not be so bloody stupid to use the same password on multiple sites.

I've changed mine in 30 seconds thanks to my manager.
 
You would think with all the advertising dollars this site is rolling in they could hire some competent network security staff? Then again if we have no expectation of privacy on the internet (thanks NSA) who cares.
 