How ironic, we just talked about this in e-commerce class today.

"should a company announce a security leak right away before the media gets wind of it or wait til they know what happened exactly and how to fix it?"
 
You never use your super-safe password and main email on any other website/forum/whatever. At least distinguish security levels and act accordingly. Stop whining and use the suggested software or practices.
 
Um, why not tell us when it happened? This is totally unacceptable. Where's the accountability here?
 
Thanks Arn, for honest up front info.

With all the hacks lately (Adobe etc.) I suspect there is more information about me in the hands of cyber criminals than in my own office at this stage. I'm running out of memorable passwords to use.....
 
Just checked and my old password was qwerty. Looks like I wasn't too concerned with security to begin with.
 
What if you shelled out a couple bucks to get some security on the site. Lord knows you make a pretty penny from paid links and advertisements here.
 
Exactly because of this I don't trust any site including facebook and others.

The best thing is to use different usernames for different sites and also different passwords to avoid this.

Also I recommend with sites like this that don't offer top security to use a secondary email address and not your main email address.

The hackers that got the database from this website will use it to send spam, spyware, and all types of emails.

* Sorry for Windows users, because those emails always affect Windows computers.
 
> Um, why not tell us when it happened? This is totally unacceptable. Where's the accountability here?

They did tell us - someone got into an administrators account and was able to elevate their permissions, resulting in the ability to access the hashed password data.

This isn't strictly a fault on Arn's part, rather it's a function of the underlying vBulletin software the forums are run on......
 
> They are vBulletin's standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.
>
> arn

If you realize that the MD5 algorithm is not that strong then why would you not choose to use a much stronger encryption?
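The exchange above (salted MD5 "not that strong", so "assume that your password can be determined with time", and the follow-up asking why something stronger was not used) is easy to make concrete. The script below is an added example written for this page, not code from the forum or from vBulletin. It assumes the salted double-MD5 layout md5(md5(password) + salt) that vBulletin 3/4 is generally documented to use (the thread only says "md5 hashed and salted"), uses a constructed wordlist and constructed records, and contrasts the cost of one guess against that hash with one guess against PBKDF2-HMAC-SHA256 from the standard library. The salt still matters: it stops one precomputed table from covering every user. What it does not do is make each guess expensive, which is what a slow KDF adds.

```python
import hashlib
import secrets
import time

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "123456", "iloveyou", "qwerty", "jobsy2008"]


def vb_hash(password, salt):
    """Salted double-MD5: md5(md5(password) + salt).

    Assumption: this is the vBulletin 3/4 layout; the thread only says
    "md5 hashed and salted". Two MD5 calls per guess, nothing slower.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def vb_record(password, salt=None):
    """Stored record for one user. A short alphanumeric salt is assumed."""
    salt = salt if salt is not None else secrets.token_hex(2)[:3]
    return {"salt": salt, "hash": vb_hash(password, salt)}


def crack_vb(record, wordlist):
    """Dictionary attack on one leaked record -> (password or None, guesses tried)."""
    for n, candidate in enumerate(wordlist, start=1):
        if vb_hash(candidate, record["salt"]) == record["hash"]:
            return candidate, n
    return None, len(wordlist)


def slow_record(password, iterations=600_000):
    """Same password stored with PBKDF2-HMAC-SHA256 and a 16-byte random salt.

    Each guess now costs `iterations` HMAC evaluations instead of two MD5 calls.
    600k is the current OWASP guidance for PBKDF2-SHA256; bcrypt/scrypt/Argon2
    are the usual choices where a library is available.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def crack_slow(record, wordlist):
    """The same dictionary attack against the PBKDF2 record."""
    salt = bytes.fromhex(record["salt"])
    for n, candidate in enumerate(wordlist, start=1):
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
        if digest.hex() == record["hash"]:
            return candidate, n
    return None, len(wordlist)


def guesses_per_second(check, seconds=0.5):
    """Rough single-core guess rate for a checker that takes one candidate."""
    n, stop = 0, time.perf_counter() + seconds
    while time.perf_counter() < stop:
        check("candidate%d" % n)
        n += 1
    return n / seconds


if __name__ == "__main__":
    leaked = vb_record("qwerty")          # the password one poster admits to above
    print("leaked record:", leaked)
    print("salted double-MD5 cracked as:", crack_vb(leaked, WORDLIST))

    hardened = slow_record("qwerty")
    print("PBKDF2 record cracked as:", crack_slow(hardened, WORDLIST))

    salt = leaked["salt"]
    fast = guesses_per_second(lambda c: vb_hash(c, salt))
    pb_salt = bytes.fromhex(hardened["salt"])
    slow = guesses_per_second(
        lambda c: hashlib.pbkdf2_hmac("sha256", c.encode(), pb_salt, hardened["iterations"]), seconds=2.0)
    print("guesses/s  double-MD5: %.0f   PBKDF2-600k: %.1f   ratio: %.0fx" % (fast, slow, fast / slow))
```

Both attacks find "qwerty" because it is in the wordlist; the difference is the per-guess cost, and on real GPU rigs the MD5 figure is several orders of magnitude higher still. The salt is why the attacker has to run the loop once per user rather than once for the whole table.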
 
> Thanks Arn, for honest up front info.
>
> With all the hacks lately (Adobe etc.) I suspect there is more information about me in the hands of cyber criminals than in my own office at this stage. I'm running out of memorable passwords to use.....

Time to purchase 1Password :)
 
Given all the forum hacks that have been going on in the past two or three years, I'm beginning to think that pre-built forum scripts like vBulletin, Invision, phpBB, SMF, etc aren't worth the time saved by using them. They've all become overly complex and full of holes.

If you've written your own forum script, you're not going to suffer the same exploits as everyone else. Any would-be attackers would have to spend a lot of time figuring out the holes in your system, which just isn't worth it when they can just get hold of the code for a widely used script like vBulletin and use any holes they find in it against a wide variety of sites.

Of course there's no patch for stupidity and every site can be subject to socially-engineered exploits, but that can be prevented at some level through good judgement when picking moderators and administrators.
 
Okay so not that bad. The front page article made me think it was plain text.

> They are vBulletin's standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.
>
> arn
 
I changed my password and it is much better now. So many good times with my fruit products.

But have you not seen the Microsoft tablet? So much good stuff! And a keyboard! And USB.

Why do you not all sell your fruit now?
 
At least my Google, Apple ID, Facebook, Twitter and online bank all have completely different passwords used only on those services (and Google has its two-factor auth turned on and app-specific passwords, etc.).

About the only thing that may have a similar password is Minecraft (I just changed it) and maybe Steam (and my gaming PC was stolen months ago so that's all been redacted anyway).

I must concur with others that as *soon* as a breach is detected it must be announced. Yes you may need to gather forensic info and maybe see if the hacker is still actively accessing the systems, but anything more than 24 hours of delay is too much.
 
> They are vBulletin's standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.
>
> arn

Don't you think it's time to move the MacRumors forum to something more solid, or at least offer two-factor authentication?
 
I just changed my password to "jobsy2008" now. Thank you for the update.

:rolleyes:
 
Password change page is not encrypted???

So I get this notice to change my password. I go to my CP and find out that it is not even an encrypted page, as far as I can tell.

It looks like it may be doing an MD5 checksum and sending that in plaintext?

Can anybody confirm?
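The poster's suspicion (the page does an MD5 of the password in the browser and sends that digest over an unencrypted connection) is worth modelling, because "hashed before sending" is often mistaken for protection. The script below is an added example written for this page, not the forum's code; whether the site actually behaved this way is the poster's unconfirmed guess. It assumes the browser sends md5(password) and the server stores md5(md5(password) + salt) (the salted double-MD5 layout assumed for vBulletin 3/4 elsewhere on this page), with a constructed user table and a constructed capture of the login request. It shows three things: the captured digest replays as a valid login with no knowledge of the password, the captured digest combined with the leaked salt reproduces the stored hash exactly, and the on-the-wire value is unsalted MD5, so one precomputed table covers every user on every site that does the same thing.

```python
import hashlib
import hmac

# Constructed wordlist, standing in for a public precomputed MD5 table.
WORDLIST = ["password", "letmein", "123456", "iloveyou", "qwerty", "jobsy2008"]


def client_login_message(user, password):
    """What a 'hash it in JavaScript' login form would POST over plain HTTP
    (assumed behaviour, per the poster's suspicion above)."""
    return {"user": user, "md5password": hashlib.md5(password.encode("utf-8")).hexdigest()}


def stored_hash(md5password, salt):
    """Server side: md5(md5password + salt), the assumed vBulletin 3/4 layout."""
    return hashlib.md5((md5password + salt).encode("utf-8")).hexdigest()


# Constructed user table; the salt and password are invented for the demo.
USERS = {
    "alice": {"salt": "Ab3", "hash": stored_hash(hashlib.md5(b"jobsy2008").hexdigest(), "Ab3")},
}


def server_verify(users, msg):
    """Authenticate a login message against the table (constant-time compare)."""
    rec = users.get(msg.get("user"))
    if rec is None or "md5password" not in msg:
        return False
    return hmac.compare_digest(stored_hash(msg["md5password"], rec["salt"]), rec["hash"])


def replay(captured):
    """Eavesdropper on plain HTTP: resend the captured request verbatim.
    The attacker never learns the password and does not need to."""
    return dict(captured)


def forge_stored_hash(captured, salt):
    """With the leaked salt, the captured digest yields the stored hash directly,
    so the 'salted' database value gives the attacker no extra work here."""
    return stored_hash(captured["md5password"], salt)


def crack_captured_digest(md5password, wordlist):
    """The wire value is unsalted MD5(password): one table serves all users/sites."""
    table = {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return table.get(md5password)


if __name__ == "__main__":
    wire = client_login_message("alice", "jobsy2008")   # what the browser sends
    print("legit login ok:        ", server_verify(USERS, wire))
    print("replayed capture ok:   ", server_verify(USERS, replay(wire)))
    print("forged == stored hash: ", forge_stored_hash(wire, USERS["alice"]["salt"]) == USERS["alice"]["hash"])
    print("password from capture: ", crack_captured_digest(wire["md5password"], WORDLIST))
```

The practical reading: client-side hashing over HTTP changes what the eavesdropper has to replay, not whether they can. Only TLS on the login and password-change pages removes the capture, and the unsalted inner digest also means a reused password is exposed to every other site using the same scheme.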
 