Will be honest, not got time to read all the comments now, but anyone else use mSecure?
Been using this for years since I had an Android phone, so just a new random password generated for me.

One thing I never got round to was setting up a forum gmail address to keep things a little more separate. I guess this will be a few more things to go into my spam folder...
 
Oh no! Now people can post annoying posts on MacRumors and make everyone think it was me!

I just wish providing an email address wasn't necessary to register literally everywhere, since I can't change that, can I?

Also, the problem with 1Password and iCloud keychain: you won't ever remember your passwords again. So one day your computer won't work, you'll be stuck with someone's borrowed PC, and won't be able to log in anywhere, ever again! So good luck with that!

That's why you can have an encrypted back up, or synced with more than one device.
 
Last night, I wasn't able to delete my e-mails in my mail software..... Wonder if this has something to do with it? I'm able to delete them now, however.... and yes, the MacRumors forum was under maintenance for a long time. I just received an e-mail, followed the directions and changed the password to log in here, but what was my original login? I don't even remember, since my computer remembered it instead.....
 
How NOT to respond to a security breach - by email with link

Sorry guys, just got an email from you, at least I presume it's you, telling me to change my password? Points so far, 100 for doing that. Points for providing an embedded link in the email to do so, minus several zillion.

What a great way to phish for actual username and passwords if all you have is hashed ones, but you do have the emails, send out a link to a spoof site which supposedly allows you to do a password change but actually just collects the passwords.

Now maybe this was actually a phishing attack, but I suspect not, and that you were committing a major faux pas by putting an embedded link in for users to click on to change their password. The email should just have said "go to MacRumors and click on the blah blah section to change your password".
 
Sorry guys, just got an email from you, at least I presume it's you, telling me to change my password? Points so far, 100 for doing that. Points for providing an embedded link in the email to do so, minus several zillion.

What a great way to phish for actual username and passwords if all you have is hashed ones, but you do have the emails, send out a link to a spoof site which supposedly allows you to do a password change but actually just collects the passwords.

Now maybe this was actually a phishing attack, but I suspect not, and that you were committing a major faux pas by putting an embedded link in for users to click on to change their password. The email should just have said "go to MacRumors and click on the blah blah section to change your password".


You're damned if you do and damned if you don't in this type of situation... I take your point on the link, but if I'd received an email without any form of proper ID I would probably have assumed it WAS a phishing attempt and deleted it without visiting the site. I think most people here now know what's happened, and fortunately it seems to have been an attack by an individual who was "playing" rather than a serious attempt to garner information... As long as members change their passwords then all should be well... Personally, my MR password is unique to MR and would help nobody get anything from my meagre bank balance.
 
Just to put things into perspective, it's just an internet forum, not your bank.

And as I said earlier, if anyone was using the same password for all their logins then I am pretty much lost for words that people are so lackadaisical when it comes to securing themselves online.

Perhaps this will serve as a wakeup call to get yourselves in order. There are numerous websites that will generate a secure password for you. I would recommend a minimum of 12 characters featuring numbers, lower & upper case letters.
 
Sorry guys, just got an email from you, at least I presume it's you, telling me to change my password? Points so far, 100 for doing that. Points for providing an embedded link in the email to do so, minus several zillion.

What a great way to phish for actual username and passwords if all you have is hashed ones, but you do have the emails, send out a link to a spoof site which supposedly allows you to do a password change but actually just collects the passwords.

Now maybe this was actually a phishing attack, but I suspect not, and that you were committing a major faux pas by putting an embedded link in for users to click on to change their password. The email should just have said "go to MacRumors and click on the blah blah section to change your password".

Fair point. We'll tweak the next batches. We're sending them as fast as we can without triggering spam warnings. Still a lot to go.

arn
 
That's why you can have an encrypted back up, or synced with more than one device.

Yeah but a backup won't help you if the computer simply refuses to understand that it needs to enter the password at the login page. You might be able to extract the password from a database, but you're not going to do that every time the computer simply ignores the fact that you're about to type into a password field.

You're at the mercy of the AI, and if it can't figure out that "the place where you entered your new password" and "the place where you are asked your login details" should both be given the same password, then you're screwed!
 
Why won't keychain save my new password!? TWICE, I've used Keychain's fancy long suggestion, but it won't remember it, or update the old info!?!?

I've tried deleting the old info, yet it still refuses to ask me if I'd like to save the new password... ffs...
 
Only a complete idiot would use a word out of the dictionary.

Allow me to help:

https://identitysafe.norton.com/password-generator/

I recommend choosing at least a 12 char password.
Problem is, you need to remember a randomly generated password (not very good for humans). Best thing is to use a long phrase + a memorable number. It'll make a long password and maybe introduce capitalisation, and it makes it more difficult to work out.
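The two suggestions in this thread, a random 12+ character mix of upper, lower and digits and a long phrase plus a memorable number, can be compared on equal terms by counting how many equally likely outputs each method can produce. The script below is an added example, not code from the original posts or from MacRumors: it generates both kinds of password with Python's `secrets` module, enforces the 12-character/three-class policy mentioned above, and reports the entropy of each method. The word list is a constructed toy list of a few words; a real passphrase generator draws from a list of thousands, and the 7776-word figure used in the comparison is an assumption standing in for such a list.

```python
import math
import secrets
import string

# Character classes the thread recommends: lower, upper and digits.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
ALPHABET = "".join(CLASSES)

# Constructed toy word list for the demo; a real one has thousands of entries.
TOY_WORDS = ["apple", "river", "copper", "window", "forest", "violet", "anchor", "marble"]


def meets_policy(password: str, min_len: int = 12) -> bool:
    """True if the password is at least min_len long and uses every class in CLASSES."""
    if len(password) < min_len:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def random_password(length: int = 12) -> str:
    """Random password drawn uniformly from ALPHABET, rejected until it meets the policy."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_len=length):
            return candidate


def passphrase(words=TOY_WORDS, word_count: int = 4, number_max: int = 100) -> str:
    """'long phrase + memorable number': words joined by '-' plus a random number."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    return "-".join(chosen) + str(secrets.randbelow(number_max))


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of `positions` independent uniform choices from `choices_per_position` options."""
    return positions * math.log2(choices_per_position)


def compare_methods(random_len: int = 12, word_list_size: int = 7776,
                    word_count: int = 4, number_max: int = 100) -> dict:
    """Entropy of the two methods; 7776 is an assumed size for a real word list."""
    return {
        "random_chars": entropy_bits(len(ALPHABET), random_len),
        "passphrase": entropy_bits(word_list_size, word_count) + math.log2(number_max),
    }


if __name__ == "__main__":
    print("random:", random_password())
    print("phrase:", passphrase())
    for method, bits in compare_methods().items():
        print(f"{method}: {bits:.1f} bits")
```

The rejection loop in `random_password` matters: if you instead forced one character from each class into fixed positions, the output would no longer be uniform and the entropy figure would overstate its strength. The comparison also shows why the phrase advice works: four words from a large list plus a two-digit number gets within about a dozen bits of a 12-character random string while being far easier to remember, and adding a fifth word more than closes the gap.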
 
Problem is, you need to remember a randomly generated password (not very good for humans). Best thing is to use a long phrase + a memorable number. It'll make a long password and maybe introduce capitalisation, and it makes it more difficult to work out.

Yes, that is also a good solution.

I use LastPass. LastPass even generates a secure password for you and locks it in the vault. This is all available for free.

I subscribe for the premium service which is only $1 a month and I also get the app on my phone so if I ever need to reference my account/passwords it's all at hand.
 
They are vBulletin's standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.

arn

http://en.wikipedia.org/wiki/MD5

Further advances were made in breaking MD5 in 2005, 2006, and 2007.[7] In December 2008, a group of researchers used this technique to fake SSL certificate validity,[8][9] and CMU Software Engineering Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use",[10] and most U.S. government applications now require the SHA-2 family of hash functions.[11]

everyone knows not to ever use md5
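One point worth separating in the exchange above: the Wikipedia passage is about MD5 collision attacks, which is not what makes salted MD5 weak for password storage. The problem arn describes ("assume that your password can be determined with time") comes from MD5 being very fast, so each guess against a leaked hash costs almost nothing; the fix is a deliberately slow, salted key-derivation function and a plan to move existing users over. The code below is an added example, not MacRumors' or vBulletin's own code: it models a legacy "md5 hashed and salted" record, stores new passwords with PBKDF2-HMAC-SHA256 from the standard library, and upgrades a legacy record the next time its owner logs in successfully, which is the only moment the plaintext is available to rehash. The exact legacy layout `md5(md5(password) + salt)` and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed legacy layout: the thread only says "md5 hashed and salted".
def legacy_vb_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def make_legacy_record(password: str, salt: str) -> dict:
    """Build a record in the legacy scheme, as it would already sit in the database."""
    return {"scheme": "vb_md5", "salt": salt, "hash": legacy_vb_hash(password, salt)}


# Assumed policy value; raise it as hardware gets faster, old records self-upgrade.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow, salted hash: each guess costs `iterations` HMAC-SHA256 computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def new_record(password: str) -> dict:
    """Record for a freshly set password, with a random per-user salt."""
    salt = os.urandom(16)
    return {
        "scheme": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": pbkdf2_hash(password, salt).hex(),
    }


def verify(record: dict, password: str) -> Tuple[bool, Optional[dict]]:
    """Check a login attempt against a stored record.

    Returns (ok, replacement). `replacement` is a new record the caller should
    store in place of the old one: set after a successful login against a legacy
    record, or against a PBKDF2 record whose iteration count is below policy.
    Comparisons use hmac.compare_digest so timing does not leak how much matched.
    """
    if record["scheme"] == "vb_md5":
        ok = hmac.compare_digest(legacy_vb_hash(password, record["salt"]), record["hash"])
        return ok, (new_record(password) if ok else None)
    if record["scheme"] == "pbkdf2_sha256":
        expected = bytes.fromhex(record["hash"])
        got = pbkdf2_hash(password, bytes.fromhex(record["salt"]), record["iterations"])
        ok = hmac.compare_digest(got, expected)
        needs_upgrade = ok and record["iterations"] < PBKDF2_ITERATIONS
        return ok, (new_record(password) if needs_upgrade else None)
    raise ValueError(f"unknown scheme {record['scheme']!r}")


if __name__ == "__main__":
    # Constructed sample: a user with a legacy record logs in after the migration ships.
    stored = make_legacy_record("correct horse battery", "x7q2")
    ok, replacement = verify(stored, "correct horse battery")
    print("login ok:", ok, "| upgraded to:", replacement["scheme"] if replacement else None)
```

Two design choices carry the security weight. Legacy records are never "converted" offline, because the server does not have the plaintext; they are replaced at the next successful login and should be force-expired after a grace period. And the iteration count lives in each record rather than in code, so the policy constant can be raised later and `verify` will quietly rehash anyone still below it.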
 
http://en.wikipedia.org/wiki/MD5

Further advances were made in breaking MD5 in 2005, 2006, and 2007.[7] In December 2008, a group of researchers used this technique to fake SSL certificate validity,[8][9] and CMU Software Engineering Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use",[10] and most U.S. government applications now require the SHA-2 family of hash functions.[11]

everyone knows not to ever use md5

Given the information you've just posted, I think that sums up the exact reason that I and others are calling for a software update. We cannot continue to use software last updated in 2011 (which was originally released in 2004), because security issues will emerge.

I'm not saying that vB4 or vB5 are any better though, worse if anything.
 
You're damned if you do and damned if you don't in this type of situation... I take your point on the link, but if I'd received an email without any form of proper ID I would probably have assumed it WAS a phishing attempt and deleted it without visiting the site.

No links is just basic good security practice. For example, my bank sends me emails and points out that one way you can tell a phishing attempt is that they will never (their emphasis) put a link in an email.
Security 101, especially for unsolicited emails.

Don't understand why you'd act as you say you would, that's exactly the wrong way round :eek: , it's many times more likely to be a phishing attempt if there is an embedded link than not. Keep following links and you will eventually get phished.

----------

To QE2:

I guess you are getting no responses because this is the wrong forum to post this; the subject is the MacRumors security disclosure, not keychain issues, and the heading isn't at all applicable to your issue. Try the basics forum or similar.

https://forums.macrumors.com/forums/78/

I'd start with a search in there on "keychain", someone may already have come across your issue.
 
It takes a lot of work to implement some of the changes. It's easy for a user to criticize what should be done, but it's a lot of work for the admins to make it happen. This forum doesn't really have any content worth hacking other than to be an annoyance.

As a user it's your responsibility to implement controls within your abilities, like simply not using the same login/pass for multiple websites. If you were halfway average and used a unique login/pass combo, who cares if some nut has it now? Change your pass using a strong non-dictionary combo of upper/lower/numbers/special characters and be done with it. Can't believe how many whiners there are here.
 
LOL lots of security experts and super programmers around here, one guy even posting some code about password hashing..
 
BS! Hours after the hack, my Yahoo account was locked out due to suspicious activity. I've been on a few other sites that have had their passwords stolen and never once were any of my email accounts locked out meaning those hackers actually didn't try to use my email, but clearly the person who hacked MacRumors did.
 
LOL lots of security experts and super programmers around here, one guy even posting some code about password hashing..

Didn't you know? Owning an iPhone, iPad or MacBook automatically makes you a security expert. I think Apple gives you a certificate stating so when you complete your purchase.
 
BS! Hours after the hack, my Yahoo account was locked out due to suspicious activity. I've been on a few other sites that have had their passwords stolen and never once were any of my email accounts locked out meaning those hackers actually didn't try to use my email, but clearly the person who hacked MacRumors did.

Could be a coincidence; it seems that Yahoo email accounts getting hacked, or attempts on them, is pretty regular. A friend of mine had his hacked last week; had it happened a week later and he had an MR account, no doubt he'd be blaming this.

Not saying it wasn't this, just that it's not necessarily this. If they only have your hashed password, what use would an attempt be (unless they just tried the list of the 10 or 100 (or whatever) most common passwords, bound to hit some)? But AFAIK I've had no suspicious activity on my (non-Yahoo) email associated with MR, or at least no warnings, which I suppose isn't the same thing :D .
 
No links is just basic good security practice. For example, my bank sends me emails and points out that one way you can tell a phishing attempt is that they will never (their emphasis) put a link in an email.
Security 101, especially for unsolicited emails.

Don't understand why you'd act as you say you would, that's exactly the wrong way round :eek: , it's many times more likely to be a phishing attempt if there is an embedded link than not. Keep following links and you will eventually get phished.

----------



I guess you are getting no responses because this is the wrong forum to post this; the subject is the MacRumors security disclosure, not keychain issues, and the heading isn't at all applicable to your issue. Try the basics forum or similar.

https://forums.macrumors.com/forums/78/

I'd start with a search in there on "keychain", someone may already have come across your issue.

This has all come about because of the breakdown in security; it was working fine before; therefore I consider it perfectly related...

I mean conversations can expand outward; do we need a bunch of little Stalins, running around trying to pigeon-hole comments?

I mean perhaps you could give about 100 or so bullet points, marking out acceptable directions for the conversation to take; 'MacRumors Forums Security Leak' is a fairly broad heading...

...My original thought, was that macrumors might have changed the password saving permissions, following the security breach; this is mainly why I wanted to post here!
 
Why won't keychain save my new password!? TWICE, I've used Keychain's fancy long suggestion, but it won't remember it, or update the old info!?!?

I've tried deleting the old info, yet it still refuses to ask me if I'd like to save the new password... ffs...

I had the same issue. I had to go to my iPad and save it there, then went back to my iMac and all was good.
 
This has all come about because of the breakdown in security; it was working fine before; therefore I consider it perfectly related...

I mean conversations can expand outward; do we need a bunch of little Stalins, running around trying to pigeon-hole comments?

I mean perhaps you could give about 100 or so bullet points, marking out acceptable directions for the conversation to take; 'MacRumors Forums Security Leak' is a fairly broad heading...

...My original thought, was that macrumors might have changed the password saving permissions, following the security breach; this is mainly why I wanted to post here!

A heading is supposed to be short and to the point, did you expect a long-winded detailed explanation as the header?

MR did a decent job informing their members about it in a timely manner. The risks towards the users all depend on whether or not they were foolish enough to replicate/duplicate their login/pass combos elsewhere. That's not MR's fault as it is carelessness on the user's part.
 