We sold the SonicWall devices. I've heard people having good luck with WatchGuard and the low end Cisco ASA5505. From experience, the SonicWall was easier to install and set up and came 'full on' out of the box. Adding 'pin holes' was a little awkward, as was setting up port forwarding/etc. I have no experience with the WatchGuards. The Cisco ASA needs to be set up by someone with a very good knowledge of Cisco IOS and your network layout. There are some IOS setups that can be found on the web, but altering them can be a daunting task, and someone who isn't good with IOS can easily lock themselves out of their firewall, out of the internet, and out of their network...

And most important is to check your logs periodically. You don't need to worry about what's blocked, but what traverses the device. Charter, we were getting hit on average 80 times an hour. All 'script kiddie' stuff. Every now and then, we'd get a more nuanced attack...

As far as 'home/personal use', I guess it depends... I always had a firewall, just in case. I kept information like bank records and such, and then business records. Pretty blasé stuff; but so is my underwear drawer, and I'd rather not have people in either one...

Are you referring to home use or SOHO/business?
 
I saw that discussed before on the forums for the now abandoned Camino browser, and one of the developers replied that they weren't going to do it because if they did, banking sites and the like would block Camino users from using their site.

If you really want to change that behavior, you can learn to program and then modify an open source browser such as Firefox, Chromium, or the WebKit rendering engine used by Safari. You would also need to maintain those modifications, reapplying and possibly altering them as new browser updates are released. Failure to keep sufficiently up to date with the normal version of the browser would be a big security risk.

It wouldn't be super easy, but with an open source browser it is technically possible. Probably all you'd have to do is comment out the code that handles those HTML restrictions (extremely easy), but the trick would be finding the right portion of code, ensuring that you don't accidentally break another part of the browser, and repeating that effort whenever new browser versions are released.

I would just create a Firefox or Chrome extension that filters out the HTML that tells browsers this.
 
Nonsense! I did not get an email sooner because you initially didn't bother to send it. It took ages for you to inform users what was going on, and then it took comments from users to get you to post this thread on the front page rather than the feedback section of the forum, and then another comment that there should be some global notice to raise attention to it.

Hiding behind a 'technical bottleneck' is a weak argument. Poor form Arn!

While I don't disagree with part of your statement it only took about 12 hours after the hack ended. It did not take "ages".
 
If anyone has any sense of personal security, the password you use here is unique and not used anywhere else. Otherwise, you share the blame if you're in an uproar.
 
November 14th now and still no email. I've changed my password to something more secure and, crucially, unique to this website.

I'd already moved 55 other accounts to LastPass but I'd forgotten I had this account until I heard about the breach on another tech blog.
 
Did anyone else have their email spammed 200+ times? I also found out my PayPal account had sent $160 to some guy I've never done business with. Currently talking with PayPal at the moment and was wondering if anyone else had this happen?

I've already begun changing emails and passwords, didn't really think it could happen to me but hey it did.

----------

If anybody else encountered strange activity with their accounts (before they changed their passwords), please post it here. I'm trying to figure out if lol actually logged into anything.

I already made a post above, but the guy logged into my PayPal and bought $160 worth of bitcoins. I have his full name, seller ID, and email. Not sure what else to do, but I've already contacted PayPal.
 
Is there a time on Nov 12 that this data was breached? I happened to have changed my password around 8pm eastern on Nov 12.. not sure if it would have been taken then or afterwards.
 
They don't even need the passwords with such a weak hash.

Honestly, it probably does not matter that they know the password with a weak hash as used by vBulletin, especially if it is unsalted.

All they need is something that they plug into the formula to get that hash.

In order to be seriously adversely affected, you would have had to use the same password on other sites that use the same hashing system and have had the same account login name, which is a security risk in itself.

If you used a different unique password like you should have, then you could easily audit your posts to MacRumors and report any strange behavior or posts to be corrected.

I would like to know:

1. If the hashes are salted
2. How the attack was discovered
3. Why it is announced as potential "security leak" is there some chance that this was a false alert?

Thank you

For more information, look at the Birthday attack: http://en.wikipedia.org/wiki/Birthday_attack
Also Salt (cryptography): http://en.wikipedia.org/wiki/Salt_(cryptography)
Finding MD5 hashed passwords quickly: http://md5.gromweb.com/?md5=dfb55031417e64e7dd358e9d70cb7641
 
Only got my email about an hour ago, and whilst I would have liked to have been informed sooner, my password was unique to this site and I have minimal personal data stored, so hopefully no harm done.

On a side note I had to use my iPad to change my password using the keychain password generator in Safari.

Safari on my MacBook Pro was generating a new password but not updating it on my keychain, helped to get me locked out, rather helpful that.
 
Well, whatever, everything is hackable given enough time. . .

Well, whatever, everything is hackable given enough time. . .
The question is how can we improve the security.
 
Is there a time on Nov 12 that this data was breached? I happened to have changed my password around 8pm eastern on Nov 12.. not sure if it would have been taken then or afterwards.
Change it again regardless, and if you used the same password on any other services, change those as well.
 
This is VBulletin's fault, unless they patched the vulnerability immediately and it was not applied to this forum. What do they say about it?
 
When creating your new passwords, please keep this XKCD comic in mind and maybe we'll all have secure, easy to remember passwords:
[image: XKCD comic]

Whether it's neurology (dyslexia) or something else, mnemonics don't work for me. I'll store the wrong data and remember the wrong thing. Account info recollection is already a huge problem for me, then there's the fact that I have to keep track of more than 83 accounts all over the Internet. This whole system is stupid. There's good damn reason that human beings use easy passwords and that they reuse them all over the place. It's called being human. Using a third party service/tool to store them is no better, since they can be compromised too, and are targets. Might as well keep a spreadsheet on my own computer. I know others who do exactly that.

----------

If anyone has any sense of personal security, the password you use here is unique and not used anywhere else. Otherwise, you share the blame if you're in an uproar.

Because people like you are superior and can remember a hundred different and unique log in credentials. [insert middle finger here]
 
Well, I think this thread has gone on WAY longer than it should have. Let's all agree on one thing, NEVER use the same password on more than one website, and always use a very strong password. Well, that's two things, but let's just agree. I'm pretty much done with this thread. If it hits 50 pages, I may come back and read the last few. I'd rather talk about Apple.

And how do you remember all those unique credentials? How many accounts do you have all over the Internet?

----------

Are you being serious? The whole point of a password manager is that it remembers your passwords for you. For most passwords you generate with it (exceptions being things like OS logins), you don't need to memorize them. The only password you really need to know is your 1Password master password. 1Password has browser add-ons available so that it can autofill your passwords on websites, and it can sync with your other computers and mobile devices.

Maybe you were being sarcastic, but sometimes it's hard to tell with text on the Internet.

And when the password manager is hacked? Where does it store that master password? Where does it store all the others? What if it breaks or you need to log in through another device without the plugin?
 
Are you referring to home use or SOHO/business?

Having been in the service of both businesses, home businesses and home residential users, we have recommended not using software firewalls nearly the entire time. For a total home user that doesn't have anything on their computer that is sensitive, no bank records, no personal information like passwords, etc., some of the really low end firewalls might be a good fit, but I have always had a hardware firewall of some kind. We sold what we used, and what clients requested where available. We never had a problem with that stand. For very nervous, and security conscious residential customers, we had a few SonicWall and Cisco ASA devices installed. The early SonicWall SOHO series with and without wireless were popular with residential and small business customers. They were more expensive than copies of software firewalls, but were a lot more secure in the long run, and for a small business, when you reached a certain level, the software firewalls were actually more expensive. Plus with no central management at the time, there was not much control over what havoc a user could cause with the settings. It may have gotten better, and I hope it did, but to this day nothing compares to a properly set up hardware firewall. They can also provide secure remote access to someone's home network without monkeying around with shims and finicky client software, through the SSL/VPN capabilities found in many of them. I'd recommend one to any user that takes their security seriously...

But there are differing opinions out there on all of this... Whatever... A home user doesn't need an ASA 5580, but a medium business doesn't need an ASA 5505 either, or a software firewall that might not play with their other software well.
 
And how do you remember all those unique credentials? How many accounts do you have all over the Internet?

----------
And when the password manager is hacked? Where does it store that master password? Where does it store all the others? What if it breaks or you need to log in through another device without the plugin?

First, I use 1Password to remember all those passwords. I only need to remember my master password. My password vault is encrypted AES-256 bit. Nobody is going to hack that. I can use the 1Password app to view all those passwords offline, don't need the plugin. I can also view them in my iOS app.

The 1Password app would need to stop working for me not to be able to get to my passwords. I also have my 1Password vault backed up (encrypted). Even if 1Password went belly up and the app didn't work with some future version of Mac OS, I would just boot from my clone (on the older OS) and have to find a new password manager.

To save them so I can always see them, I could always create an encrypted 256-bit disk, put them in clear text in that file, and give that a very hard password as well. But I don't think the guys at 1Password are going away any time soon.
 
Are you being serious? The whole point of a password manager is that it remembers your passwords for you. For most passwords you generate with it (exceptions being things like OS logins), you don't need to memorize them. The only password you really need to know is your 1Password master password. 1Password has browser add-ons available so that it can autofill your passwords on websites, and it can sync with your other computers and mobile devices.

Maybe you were being sarcastic, but sometimes it's hard to tell with text on the Internet.

I was joking! Although, you're right. We can't put anything past anyone nowadays.
 
I'm the same as you. Now I'm panicking since I try and use one same password for all websites. :(

Are you being serious? The whole point of a password manager is that it remembers your passwords for you. For most passwords you generate with it (exceptions being things like OS logins), you don't need to memorize them. The only password you really need to know is your 1Password master password. 1Password has browser add-ons available so that it can autofill your passwords on websites, and it can sync with your other computers and mobile devices.

Maybe you were being sarcastic, but sometimes it's hard to tell with text on the Internet.

Exactly.

My PayPal password is "m@$35$3y%hl*FG#5Er&" - generated and remembered by my password manager (RoboForm).
 
The password itself may not be cracked, but with the hashing algorithm and the salt available, it is possible to find something that will create the same hash.

No. Finding the password is fairly easy if it's a weak password and hard if it's a good password. Finding a hash collision is all but impossible.

MD5 has been completely broken. It isn't a secure hashing algorithm any more.

It's not "completely broken" at all. It's just not as good as other available options.
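The two hashing questions raised in this thread (whether the vBulletin hashes are salted, and whether an attacker needs the real password or merely "something that they plug into the formula to get that hash") come down to the same piece of arithmetic. The script below is an added example, not code from the thread or from vBulletin: it builds a constructed "leak" in memory, runs a precomputed-table lookup against bare MD5, runs a per-account dictionary attack against double-MD5-with-salt (the md5(md5(password) + salt) scheme vBulletin 3.x/4.x is commonly reported to use; treat that as an assumption here), and contrasts both with PBKDF2, a deliberately slow salted KDF. Note that what the attacker is doing in every case is a preimage search: guessing inputs until one hashes to the stored value. For a weak password that input is the password itself. An MD5 collision between two attacker-chosen strings, which is what "MD5 is broken" usually refers to, does not help anyone log in to an account.

```python
# Added example, not from the thread or from vBulletin. The "leaked" records
# below are constructed inline; nothing here touches a real site.
import hashlib
import hmac

# Constructed wordlist: the kind of guesses an attacker tries first on a dump.
WORDLIST = ["123456", "password", "letmein", "macrumors", "iphone5",
            "qwerty123", "correcthorsebatterystaple"]


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """md5(md5(password) + salt). Assumed vBulletin-style scheme: the salt
    diversifies the hash per account but adds essentially no work per guess."""
    return md5_hex(md5_hex(password) + salt)


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Slow, salted KDF: every guess costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Precomputed table of unsalted MD5s: built once, reused against every site
# that stores bare md5(password). Real tables hold billions of entries.
LOOKUP = {md5_hex(w): w for w in WORDLIST}


def crack_unsalted(hashes):
    """Lookup attack: no hashing at attack time, one dict probe per hash."""
    return {h: LOOKUP.get(h) for h in hashes}


def crack_salted(records):
    """Dictionary attack on salted records: the precomputed table is useless,
    but each account costs only len(WORDLIST) double-MD5s, so weak passwords
    still fall; only passwords outside the wordlist survive."""
    found = {}
    for user, digest, salt in records:
        for word in WORDLIST:
            if hmac.compare_digest(vb_hash(word, salt), digest):
                found[user] = word
                break
    return found


def guesses_needed(records, wordlist=WORDLIST):
    """Worst-case number of hash evaluations the salted dump costs the attacker."""
    return len(records) * len(wordlist)


# Constructed leak: three accounts with 3-character salts; bob's password is
# not in the wordlist, so the dictionary attack must fail for him.
LEAK_SALTED = [
    ("alice", vb_hash("password", "Ab3"), "Ab3"),
    ("bob", vb_hash("Tr0ub4dor&3-is-not-in-the-list", "x9!"), "x9!"),
    ("carol", vb_hash("iphone5", "Q2m"), "Q2m"),
]
LEAK_UNSALTED = [md5_hex("password"), md5_hex("iphone5"),
                 md5_hex("Tr0ub4dor&3-is-not-in-the-list")]


if __name__ == "__main__":
    import time
    print("unsalted lookup   :", crack_unsalted(LEAK_UNSALTED))
    print("salted dictionary :", crack_salted(LEAK_SALTED))
    print("MD5 evaluations for the salted dump:", guesses_needed(LEAK_SALTED))
    # Same wordlist against PBKDF2: one guess is 200k HMACs instead of two MD5s.
    t0 = time.perf_counter()
    pbkdf2_hash("password", b"Ab3")
    print(f"one PBKDF2 guess: {time.perf_counter() - t0:.3f}s")
```

The unsalted case recovers alice's and carol's passwords with no hashing at all, which is what the md5 lookup link above exploits. The salted case forces the attacker to hash against each salt separately, but with two MD5s per guess that is still millions of guesses per second per core, so salting alone does not rescue a dictionary-word password. The PBKDF2 timing shows the lever that actually matters: per-guess cost. The defence the thread keeps coming back to, a unique password per site, is what limits the damage when the site's hashing turns out to be the weak kind.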
 