Again, like I said in my initial post, I'm not doing anything with anyone's information. Why would I waste my time trying to get into someone that I don't even knows' twitter or facetime account?

For the same reason people hack websites for fun. Some find it fun to get into strangers' twitter and facetime accounts.

At least I hope you're helping the admin here to improve their security, and educate us users and moderators (since you said it was a mod's fault) on what enabled the hack and what we should do to avoid it in the future.
 
People can circle jerk around, they can second guess, third guess, fourth guess what happened, who did it, how it happened, and why, but the truth is that a lot of the breaches of security in our 'connected world' are the result of stupid stuff users do. I worked at a huge university, in the financial aid department. They used those SecurID token generators cards to 'insure security' to the aid system. In my department, nearly everyone outside of the programming department would write their current user abusive IT generated password on a sticky note and place it on the back of their SecurID and then leave the freaking 'card' on their desks! Yeah! What security. Exactly, what security? I suggested, in a 'systems' meeting one morning (after a breach) that someone should go around and swap the token cards with other users to prove a point. I caught Holy Hell because later in that week, someone did just that. I got roasted in effigy by all of those people, and I didn't even do it...

Make stupid passwords. Use all lower case... Use your dog's name, kid's name, the year of some big event. I hacked an account once of a tea party retard. His password? '1776'. Yeah...

If this breach was because of a moderator, shame on them, but for the carpers and whiners, it's time to put your big boy/girl pants on and deal with security like it WAS the front door to your house. And moderators DOUBLY SO!

I was just as guilty as others too. My old password was 'macsrock'. I was somewhat surprised that it wasn't hacked up to now. Bad password I knew, but I was lazy... It was quick to type, easy to remember, and easily guessable... I had thought of changing it for a while. I like to try to keep passwords 'fresh' by changing them from time to time, and I hadn't changed this one in far too long (not that in this case it would matter). What was the exposure... I'm not an administrator/moderator. I don't reuse passwords on other accounts.

I did know someone with a 38 character password (so he said). That's just too anal, and I'm sure he was being a showoff because watching him login was like watching someone with Parkinson's disease on too much caffeine. He had backspaces and delete key presses embedded in his 'muscle memory' performance.

I guess what I'm trying to say is: 'Fool me once, shame on you. Fool me twice, shame on me'. I've been hacked before. I assume it will happen again. I try to avoid it as best as I can, and I have to put my big pants on and learn a new password.

So let's get back to talking macs and iPads and how some of us can tell what Steve Jobs would be thinking at this moment... :D

rant over...
 
I'm completely comfortable with my current financial situation.

I actually forgot my password and had to get a new one anyway. However, I need that password for a number of older shopping site accounts. Can you post it here? It doesn't matter if others see it because I've changed it for the forum already.
 
I actually forgot my password and had to get a new one anyway. However, I need that password for a number of older shopping site accounts. Can you post it here? It doesn't matter if others see it because I've changed it for the forum already.

Because that totally makes sense.

No.
 
Hey guys, "hacker" here. I'm going to disprove some of the comments you guys have been making.

Taunting the people you have attacked is pretty cheesy...

You are either not the person that 'visited' this site, or you are a fool. Rather than attack a mac fan site, wouldn't you rather attack the sites of people that really do harm to the world?

Places like the US Chamber of Commerce, or the Koch brothers corporation and their many front groups. Hey, Fox News... The myriad of soulless money gathering organizations that funnel money around so fast they would make the best money laundering work of the old mafia look like playing 'store' with mom's empty boxes and the Monopoly game money.

There are so many other groups that are REALLY begging for some 'exposure'... Groups that should not be able to hide behind ANY layer of anonymity...

In fact, might I suggest that you DO target them. You really want to 'score'? You really want to make a name for yourself? Put a scalp on the wall? Hit them! Your 'conquest' of a mac fan site is almost a joke... Or you are a liar...
 
Hey guys, "hacker" here. I'm going to disprove some of the comments you guys have been making.

I'll need to provide some sort of proof to prove it's me. Arn, the first 16 bits of your old password hash was cd89d763f091c664. Your salt is (or was?) #er<ib"E%R0sa%`8b%N3+!5<J&PqnT.


First of all, regarding the passwords. As far as I'm aware, the older versions of vbulletin and the current all share the same hashing algorithm. 860106 users were dumped. Out of those, 488429 of them still had a salt which had a length of 3 bits. Anyone that'd been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work do do, it's like to have many with a 3 bit salt). We're not "mass cracking" the hashes. It doesn't take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results. We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.

Second of all, I personally think Arn done a great job disclosing the details of what had happened in the time that he took to do so. Many other huge companies and corporations, probably some that you're all registered to, have taken days, weeks, or even never, to report a compromise. You should be thankful.

Third, we're not going to "leak" anything. There's no reason for us to. There's no fun in that. Don't believe us if you don't want to, we honestly could not care less.

Foruth, stop balming this on the "outdated vBulletin software". The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you're talking about. 3.x is far more secure than the latter. Just because it's older, it doesn't mean it's any worse.



That concludes it. Consider the "malicious" attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.

You could brush up on your English/spelling/grammar skills, instead of hacking sites.
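
The storage-side fix for the fast salted hashes discussed in the quoted post, as an added example that is not part of the original thread or of vBulletin's code: an existing fast hash can be wrapped in a slow KDF without knowing anyone's password. It assumes the legacy scheme is md5(md5(password) + salt); the row layout, function names and sample values are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: the legacy forum scheme is md5(md5(password) + salt), hex-encoded.
def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

PBKDF2_ROUNDS = 600_000  # illustrative work factor; tune to your hardware

def wrap_legacy(legacy_hex: str, wrap_salt: bytes) -> bytes:
    """Stretch an already-stored legacy hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), wrap_salt,
                               PBKDF2_ROUNDS)

def migrate_row(row: dict) -> dict:
    """Replace the fast hash in a user row with its slow wrap.

    The plaintext is never needed, so every account (including ones that
    have not logged in for years) can be upgraded in one offline pass.
    """
    wrap_salt = os.urandom(16)  # per-user, random, full-length salt
    return {
        "user": row["user"],
        "salt": row["salt"],            # legacy salt still needed at login
        "wrap_salt": wrap_salt,
        "wrapped": wrap_legacy(row["hash"], wrap_salt),
    }

def verify(row: dict, candidate: str) -> bool:
    """Login check against a migrated row, compared in constant time."""
    recomputed = wrap_legacy(legacy_hash(candidate, row["salt"]),
                             row["wrap_salt"])
    return hmac.compare_digest(recomputed, row["wrapped"])

# Constructed sample row (not real data): a short legacy salt and a fast hash.
SAMPLE_ROW = {"user": "example_user", "salt": "a1!",
              "hash": legacy_hash("constructed-sample-pw", "a1!")}

if __name__ == "__main__":
    migrated = migrate_row(SAMPLE_ROW)
    print(verify(migrated, "constructed-sample-pw"))  # correct password
    print(verify(migrated, "wrong-guess"))            # wrong password
```

After migration, every guess against a dumped row costs one full PBKDF2 run instead of two MD5 calls, and the random 16-byte wrap salt removes the shared-salt shortcut the post mentions.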
 
I did know someone with a 38 character password (so he said). That's just too anal, and I'm sure he was being a showoff because watching him login was like watching someone with Parkinson's disease on too much caffeine. He had backspaces and delete key presses embedded in his 'muscle memory' performance.

I guess what I'm trying to say is: 'Fool me once, shame on you. Fool me twice, shame on me'. I've been hacked before. I assume it will happen again. I try to avoid it as best as I can, and I have to put my big pants on and learn a new password.

Aren't you contradicting yourself there? You said it was anal to have a long/complex password...then go on to say you've been hacked before. Maybe it's because you used bad passwords.

Your best option is to have a 'rule set' for all your passwords. Think of it as having a specific chain you follow on all passwords.

So for argument's sake, let's take a few bits of made up personal info:

Dog's name: Spot
House number: 1024
Best friend's surname: Smith
Fave movie character: R2D2
Symbol1: $
Symbol2: %
Symbol3: !
Now let's say you're setting a password for macrumors.

What you could do is something like this:

House Number + Symbol1 + Fave Movie Character + Symbol2 + Best friend's surname + Symbol3 + Dog's name

Then append to the end of it 'macrumors'.

Your password ends up being 1024$R2D2%Smith!Spotmacrumors

Looks complicated as hell, but it's one hell of a secure password and once you know your pattern you'll never forget a password again. The above is an extreme example; you could simplify it a lot by doing something like:

<sitename>.<dog's name>.<current year + 10>

Which gives you macrumors.Spot.2023

Even that, in its simplest form, is a pretty strong password and piss easy to remember.

There's no excuse for short, weak passwords. Sure, it's a ball ache having to type a long password, but if you aren't willing to do that, you probably shouldn't be using a computer.
 
I'm completely comfortable with my current financial situation.

If. And that's a huge if. If you did do this you do realize admitting to an illegal activity right here on MR was the dumbest thing you've ever done. So.

This tells me you are either:

A. A wannabe script kiddie. or.

B. A complete idiot. And if that is the case the info you took is probably in the hands of someone who WILL do something with it now.

Go back to 4chan kid. because they will need your assistance the next few days.
 
B. A complete idiot. And if that is the case the info you took is probably in the hands of someone who WILL do something with it now.

That's what I'm worried about. Somebody has this information and is actually using it, trying to get into accounts.
 
That's what I'm worried about. Somebody has this information and is actually using it, trying to get into accounts.

I'm not downplaying the hacking, but what information will they have? Names, passwords (to MR) and your birthdate and email address. If members used different passwords for their various sites the damage is limited to the hackers knowing your password here at MR which of course you already changed.

Am I missing something, or misunderstanding the issue :confused:
 
Best entertainment all day. Lol.

Someone hacks AT&T's database that has social security numbers, phone numbers, home addresses and credit card numbers - Nobody bats an eye!

Someone hacks a message board filled with nothing but messages and other superfluous crap - and everyone loses their minds!
 
I'm not downplaying the hacking, but what information will they have? Names, passwords (to MR) and your birthdate and email address. If members used different passwords for their various sites the damage is limited to the hackers knowing your password here at MR which of course you already changed.

Am I missing something, or misunderstanding the issue :confused:

You're not missing anything. A real hacker could use the info and try to get into bank accounts etc. But they would need more than an email and birthdate.

As far as I know MR doesn't ask for or store social security numbers.

This whole thing is being blown out of proportion.

But lol just hung himself if he is the culprit.
 
You know, I saw that MacRumors had a security leak when I read this.

I then checked my e-mail to see if there was an e-mail notification (I have a MacRumors forum account but haven't logged in in 18 months). If I hadn't seen the non-MacRumors notification, I'd have not known about this until much later.

Why would MacRumors not notify their user base by e-mail?? To not attempt to contact the user base is flat-out retarded. WTH. No, the notification wasn't caught up in spam filters.
 
You know, I saw that MacRumors had a security leak when I read this.

I then checked my e-mail to see if there was an e-mail notification (I have a MacRumors forum account but haven't logged in in 18 months). If I hadn't seen the non-MacRumors notification, I'd have not known about this until much later.

Why would MacRumors not notify their user base by e-mail?? To not attempt to contact the user base is flat-out retarded. WTH. No, the notification wasn't caught up in spam filters.

I received an email from them, albeit a few hours ago. From what I read on the site feedback forum, they had to email about 800,000 users. The admin who posted said it would take some time to send to everyone.
 
I'm not downplaying the hacking, but what information will they have? Names, passwords (to MR) and your birthdate and email address. If members used different passwords for their various sites the damage is limited to the hackers knowing your password here at MR which of course you already changed.

Am I missing something, or misunderstanding the issue :confused:

Also, the majority of secure sites require a more robust password. I had the same simple macrumors password since I started in 2006. Since that time, every other "secure" site (Facebook, gmail, bank, EBAY) has forced me to change to something with characters, capitals etc. There is zero impact for me.
 