Why isn't macrumors using SSL/TLS on at least its login pages? I tried to use it and got a proxy error and a certificate warning about a godaddy cert. The proxy error came from a site that ironically claims to block hacking attempts, guess that's not working out real well is it? I'd ask for a refund on that service.

SSL? MacRumors? You must be new here. Take a look around you. The forum looks like it is from the '90s. The fact is, the people responsible for MacRumors don't really care much as long as it is running.
 
Shouldn't MacRumors force a password reset for every forum account? That's what I've seen other sites do that had their data compromised in the past...
 
I hate forced password resets. I'll decide for myself when to change my damn password.

So you're ok with someone logging in to your account, and reading your personal info, changing your email, spamming the forums, and then getting your account ip banned?
 
Keychain won't remember my new password that is suggested by Apple. Instead, it keeps my old password that I had before I changed it. How do I make it save my new password? I tried deleting it from the list of passwords in options but I can't get the new one to get saved there. I've reset my password about 7 times now.

Happened to me here until I logged out of here, and then logged back in (don't just change your password; log out after changing password). Upon logging back in, I was asked if I wanted to update my password in keychain.
 
You guys are using salted/hashed passwords right... right? That's what it says in the Canonical blog so I assume that's the case since you said the incident is similar.

If that is the case I'm not too worried. That said, you should take the time to switch away from MD5 if you haven't already.

Even though I have a computer science degree, I was never good at encryption/hashes. I know MD5 is known to have collisions but is it really that bad (even with/without a salt?) I have read that even SHA1 isn't good enough, and I am now reading that SHA-512 isn't either. From what I read, it is now recommended to use bcrypt since it is a more expensive method to make brute force attempts more impossible. Now, I had tried using john the ripper on my own password files and left it run for a month without one (besides the control) being hacked. I think my randomness is good enough, but can you explain why MD5 is so bad these days?
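An added illustration of the point raised above (not code from MacRumors or from anyone in this thread): a fast, unsalted hash such as MD5 lets identical passwords collapse to identical digests and can be guessed at enormous rates, while a salted, deliberately slow function does neither. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in as the "expensive" function, and the guess rates in the final comparison are assumed round numbers for illustration only.

```python
# Added example: unsalted MD5 storage vs a salted, iterated KDF.
# Passwords, salts and guess rates below are constructed sample values.
import hashlib
import hmac
import math
import os
from typing import Optional

def md5_unsalted(password: str) -> str:
    """Legacy-style storage: one digest per password, identical across users."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """Salt and work factor are stored with the hash; a fresh 16-byte salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a space of 2**bits at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Two users who happen to pick the same password.
    print("unsalted MD5 identical:",
          md5_unsalted("correct horse") == md5_unsalted("correct horse"))  # True
    rec_a = pbkdf2_record("correct horse")
    rec_b = pbkdf2_record("correct horse")
    print("salted records differ:", rec_a != rec_b)                        # True
    print("verify right password:", pbkdf2_verify("correct horse", rec_a))  # True
    print("verify wrong password:", pbkdf2_verify("correct horses", rec_a)) # False

    # A 4-word passphrase from a 2048-word list is 4 * 11 = 44 bits.
    bits = 4 * math.log2(2048)
    for name, rate in (("fast unsalted MD5 (assumed 1e10 guesses/s)", 1e10),
                       ("PBKDF2 200k iterations (assumed 1e5 guesses/s)", 1e5)):
        print(f"{name}: {years_to_exhaust(bits, rate):.3g} years to exhaust")
```

The per-user salt defeats a single precomputed table, and the iteration count is the knob that turns a fast hash into an expensive one, which is the same idea bcrypt's cost factor implements.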
 
Why isn't macrumors using SSL/TLS on at least its login pages?

SSL only encrypts at the transport layer anyway (client-to-server communication). It doesn't protect passwords if a moderator account has been compromised and the passwords aren't encrypted with a strong cryptographic system.

Plus, reputable SSL certificates do cost money, which isn't necessarily an excuse.
 
A possible security leak?
 
So what was their response for being attacked?

What is now different than before the attack? (security etc.)
 
MacRumors handled the situation in an awful manner; they should at least admit that to their users instead of running forward with cheap excuses.
 
I'm having the same issue, pretty much trying the same things you are.

Keychain seems to retain the old password and won't allow me to delete the old one. Hence, I have to type the new one into the login box. I suspect the list is somehow isolated but have yet to work out how.

At least the old password won't work, which is the main thing.
 
Shouldn't MacRumors force a password reset for every forum account? That's what I've seen other sites do that had their data compromised in the past...

That would only be good for logging into MacRumors. It doesn't do anything for those people who are using the same password on other websites/services.
 
How nice they have my email address, not bothered as it's most likely recorded around the net anyway, as for my password, well I only use the password for this site on this site so not changing it unless someone hacks my account on here.
However Mac Rumors, it's a bit piss poor that you do not store our passwords securely, you have a lot of members on here that most likely do use passwords that are used elsewhere and it is you who have the responsibility to ensure these passwords are stored securely and safely. It is not an excuse to be flippant with security on the net these days, we all know how many hackers there are out there just wanting to pounce the first chance they get.

Tell me, if you so choose to, are we able to delete our accounts and be confident that if we request it ALL of our information will be completely deleted from Mac Rumors servers?
 
Most times email addresses have to be stored plain text or at least with a two-way cipher. You need to be able to get it back in order to send email to the registered user.

So why do you use it instead of something stronger? And why were email addresses stored without any encryption?
 
I'm sure someone has already told you this comic is massively incorrect.
In the English words you don't count each individual letter as that assumes the attackers have never heard of a dictionary.

It doesn't count individual letters. Each word is considered to have an entropy of 11 bits, which means 2048 unique words. If they had counted letters, they would have arrived at an entropy of 26^6 = ~309 million unique words.

The important part is picking 4 words - that means the computer, even with a dictionary, has to make x^4 guesses instead of just x guesses. Assuming x is just 1000 (which would be awfully low), x^4 means the computer needs to make 10^12 guesses.
 
I thought I'd changed all my message board email addresses and passwords to different types than the ones I purchase goods from. Until this site went down that is and I checked what the password actually was that I had stored in Firefox and Safari for the past 5 years :eek:

Fortunately I managed to change all these important accounts email addresses and passwords in time without them being compromised :cool:
 
Originally Posted by gnasher729:
I think you will find there are some laws in place that require the site to notify anyone who is affected by this.

He's wrong. The state data breach laws (although they vary) generally require notification to consumers only where "personal information" as defined in the statute is accessed. Generally, personal information is limited to first name and last name, plus any of the following:

SSN
driver's license number
credit card information
bank account information

Few, if any, statutes include email addresses or passwords in the definition of "personal information".

Accordingly, MR likely had no legal obligation to notify its users of this incident. However, it may have had ethical, business or moral obligations.
 