My password is 14 characters long...mixed with letters, numbers randomly.

So with this security leak/breach....all they got was an ENCRYPTED password file and they would need to use brute force on the password file?

Or the hackers got an UNENCRYPTED password file and knows everyones passwords now?

As mentioned numerous times, the attacker got (salted, then) hashed passwords. This means that the password was run through a one-way operation so that they cannot reverse what they have into passwords. They can only try generating hashes to figure out what matches.
 
Brilliant.

Thanks a ****ing million.

Now time to change my password on around 40 websites.

*leaves forum forever*
 
Ok so some people are being overly aggressive here:

2) Others are complaining about MacRumors leaving far too long before telling us; they have only left a day. In terms of what a hacker can do with any data in one day, given the passwords are hashed, this is somewhat limited.

That is patently false. A good hacker, once he has a password/email like that, can own you in hours. Right now, I can decrypt every single user's password in the database I manage in a matter of seconds (MD5 hash) with a 7-line Java procedure. For Cripe's sake, you can unhash an MD5 password online for free. (Not a salted one... I haven't read the details of the salt, so I'll reserve my aggravation.)

What's frustrating to me is that I *JUST* got the email now and I'm seeing this was posted on 11/12. That's a bigger issue.

Has anyone looked on the Darkweb to see if anyone posted the passwords/emails?
 
Why were you storing our passwords in the first place? You are supposed to store an irreversible hash of them instead.

Sounds reasonable that to use a password, it would be stored on the site. Telling MacRumors what they should do and not do is not up to members, but the site owners. Hackers get into governments, banks, etc. So this is not such a big deal, find something else to harp on. Nothing is hacker safe including the space program. Every security measure is at risk...........live with it.
 
That is patently false. A good hacker, once he has a password/email like that, can own you in hours...

What's frustrating to me is that I *JUST* got the email now and I'm seeing this was posted on 11/12. That's a bigger issue.

I completely agree with mspman. No time to read all the posts, so I might be repeating.

Just got the email *NOW*, so almost a week before I knew. Why not err on the cautious side and alert all users immediately?

And what the heck does this mean, "a moderator account being logged into by the hacker..."? Was the moderator's workstation left unlocked? Having access to people's personal info, it's pretty damn irresponsible not to lock your screen even if you're going to be away for a minute. Shabby...
 
I completely agree with mspman. No time to read all the posts, so I might be repeating.

Just got the email *NOW*, so almost a week before I knew. Why not err on the cautious side and alert all users immediately?

And what the heck does this mean, "a moderator account being logged into by the hacker..."? Was the moderator's workstation left unlocked? Having access to people's personal info, it's pretty damn irresponsible not to lock your screen even if you're going to be away for a minute. Shabby...

Compromised Moderator account used a weak password which was exploited. /thread
 
That is patently false. A good hacker, once he has a password/email like that, can own you in hours. Right now, I can decrypt every single user's password in the database I manage in a matter of seconds (MD5 hash) with a 7-line Java procedure. For Cripe's sake, you can unhash an MD5 password online for free. (Not a salted one... I haven't read the details of the salt, so I'll reserve my aggravation.)

What's frustrating to me is that I *JUST* got the email now and I'm seeing this was posted on 11/12. That's a bigger issue.

Has anyone looked on the Darkweb to see if anyone posted the passwords/emails?

There's nothing under MN state law (or even any federal law) that entitles you to notification for unauthorized access to your email address and password to a website. So the fact that you JUST got the email doesn't matter. There is no legal basis compelling any user notification for this incident, other than MR being good netizens.
 
1. My password for MR is unique, using a PW-Gen.
2. I changed my PW yesterday, 11/14/13...

So, am I OK or do I need to change again?
 
I completely agree with mspman. No time to read all the posts, so I might be repeating.

Just got the email *NOW*, so almost a week before I knew. Why not err on the cautious side and alert all users immediately?

And what the heck does this mean, "a moderator account being logged into by the hacker..."? Was the moderator's workstation left unlocked? Having access to people's personal info, it's pretty damn irresponsible not to lock your screen even if you're going to be away for a minute. Shabby...

The moderator MR account was hacked into not the moderators computer.
 
Yeah, I think this sucks, and we should have been notified right away....

Everybody says this (not fast enough notification), and few have any idea what they are talking about.

Once a data breach occurs, the organization must assess the extent, scope and vector of attack. The first order of business is to mitigate the attack itself, then preserve any logs and other key information.

Only once that is complete can a forensic examination begin to determine exactly what information may have been accessed and over what period of time, AND exactly who was affected.

Many times I have seen organizations that know they have had a data breach, but to tie in the names and addresses (physical or email) of their customers with the data that was breached can be very difficult and VERY time-consuming.

All of those steps generally take days, if not weeks, to determine. Not to mention drafting the notifications to comply with the different laws in 47 states (that currently have such laws on the books). Also, there are regulatory notifications that sometimes take precedence over consumer notifications.

The worst thing an organization can do is issue a hasty notification and then find out:

1. There actually was not any unauthorized access to personal information, so no notification was necessary;

2. The breach involved more (or less) than originally thought, so the notifications were in error.

Most state laws provide NO specific time (other than reasonable) to notify affected individuals. Some states provide for 45 days. 30 days is generally considered to be "reasonable". Under HIPAA/HITECH, organizations have 60 days to notify affected patients when protected health information is accessed.

These time periods are built into the laws, because it is not easy to make these determinations in a few days. Although every time there is a breach, somebody always whines they weren't told fast enough. Believe me, it is much more difficult than you think.

And, by the way, under U.S. law, MacRumors had NO legal obligation to notify anybody of this event.
 
Brilliant.

Thanks a ****ing million.

Now time to change my password on around 40 websites.

*leaves forum forever*

That's your fault for using the same password on 40 websites. That's like owning 40 safes and using the same combination for them all.

I completely agree with mspman. No time to read all the posts, so I might be repeating.

Just got the email *NOW*, so almost a week before I knew. Why not err on the cautious side and alert all users immediately?

And what the heck does this mean, "a moderator account being logged into by the hacker..."? Was the moderator's workstation left unlocked? Having access to people's personal info, it's pretty damn irresponsible not to lock your screen even if you're going to be away for a minute. Shabby...

For one, Arn couldn't send out a mass email since Macrumors has upwards of 800,000 members, and his email provider does not allow that.
For another, the moderator had a weak password (potentially obtained from the Adobe leak).

1. My password for MR is unique, using a PW-Gen.
2. I changed my PW yesterday, 11/14/13...

So, am I OK or do I need to change again?

No, the passwords were lifted on 11/12, so they don't have the hash of your current password.
 
I've been using LastPass for a couple of years. All of my passwords are generated using LastPass, no reuse of any passwords. So I just logged in to MacRumors, changed my password and that was it. Easy.
 
Wtf...

I realize this post is 33 pages in, so who knows who will actually read it, but I have a couple things to say about this.

I have been here since 01/2005, I just got an email TODAY.
If you send out notices in batches how come it took so many days, when I have been here for nearly 9 years. I should have been nearer the top of the list.

I read MR everyday, I have noticed it is different on my phone, so I am not sure why I missed the original post.
Regardless I think it is BS I wasn't emailed SOONER!

I have to say this is the first time I really feel disappointed in this site, and I would like an answer as to why it took so long to let me know about this.
 
I realize this post is 33 pages in, so who knows who will actually read it, but I have a couple things to say about this.

I have been here since 01/2005, I just got an email TODAY.
If you send out notices in batches how come it took so many days, when I have been here for nearly 9 years. I should have been nearer the top of the list.

I read MR everyday, I have noticed it is different on my phone, so I am not sure why I missed the original post.
Regardless I think it is BS I wasn't emailed SOONER!

I have to say this is the first time I really feel disappointed in this site, and I would like an answer as to why it took so long to let me know about this.

Because you were one of over 800,000 people that needed emailing. Any idea how long that takes? It's probably done in no specific order.
 
Right, I understand that, I just don't understand the order. I would think that it would have been based on something other than random luck; it took 3 days to let me know. I am within the first 50,000 people who registered here.
 
Right, I understand that, I just don't understand the order. I would think that it would have been based on something other than random luck; it took 3 days to let me know. I am within the first 50,000 people who registered here.

So you think because you are one of the first 50,000 people who registered here makes you more important than any other user that registered after you? We are all equal; even a user that registered 3 days ago needs to get this email as soon as possible, like you do.

Now, as it was said before, since this site has a huge database it takes a while until it sends a notice to all those users. The order might be random, but that doesn't matter.
 
So you think because you are one of the first 50,000 people who registered here makes you more important than any other user that registered after you? We are all equal; even a user that registered 3 days ago needs to get this email as soon as possible, like you do.

Now, as it was said before, since this site has a huge database it takes a while until it sends a notice to all those users. The order might be random, but that doesn't matter.

I agree. We are all equal and equally screwed if Lol was to sell our info to someone else but we can't have assumed we were always protected to the fullest degree... especially by a forum website. it is what it is.
 
Right now, I can decrypt every single user's password in the database I manage in a matter of seconds (MD5 hash) with a 7-line java procedure.

Let's set apart the Java reference for a moment...
MD5 is not an encryption algorithm. You cannot decrypt MD5 hashes.
Comparing hashes using a database is searching for possible collisions, no encryption involved whatsoever.
And to prove your claim, use your 7 lines of Java to "decrypt" this please:

098086498E2DEC79C3D4D9268B602839

That's my ex MR password, unsalted. I'm confident you'll never find it out. :)
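The two posts above (the "I can decrypt every MD5 in seconds" claim, and the reply that MD5 is a one-way hash you can only compare, not reverse) are both right about different things. The following Python block is an added illustration, not code from this thread or from MacRumors, showing why the earlier explanation that the attacker got salted hashes matters: an unsalted MD5 falls to a single lookup in a table that an attacker computes once and reuses for every user, whereas a per-user salt forces the attacker to redo the guessing work for each account. The wordlist is constructed for the example, the salted scheme md5(salt + password) is an assumed placeholder (the page does not state which scheme the forum used), and the PBKDF2 function at the end is only there as the practitioner's caveat that even salted MD5 is far too fast to be a good password hash.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for an attacker's dictionary / rainbow table.
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty", "iloveyou", "hunter2"]

# The unsalted MD5 posted as a challenge in the thread above.
POSTED_HASH = "098086498E2DEC79C3D4D9268B602839"


def unsalted_hash(password: str) -> str:
    """Plain MD5 of the password, as in the 'database I manage' above."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once. Because there is no salt, this
    table works against every unsalted MD5 ever stored by anyone."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(target_hex: str, table: Dict[str, str]) -> Optional[str]:
    """'Unhashing' an MD5 online is exactly this: nothing is decrypted, the
    service just compares the target against hashes it computed itself."""
    return table.get(target_hex.lower())


def salted_hash(password: str, salt: str) -> str:
    """Assumed salted scheme md5(salt || password) for illustration only;
    the actual scheme used by the forum is not stated on the page."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def crack_salted(target_hex: str, salt: str, words: List[str]) -> Tuple[Optional[str], int]:
    """The salt is stored next to the hash, so the attacker knows it.
    The precomputed table is useless anyway: every candidate has to be
    re-hashed for this one salt, and again for the next user's salt.
    Returns (plaintext or None, number of hashes computed)."""
    attempts = 0
    for w in words:
        attempts += 1
        if salted_hash(w, salt) == target_hex.lower():
            return w, attempts
    return None, attempts


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Caveat for the site side: a salt stops table reuse but salted MD5 is
    still cheap per guess. A deliberately slow KDF such as PBKDF2 raises the
    per-guess cost; this is the alternative, not what the forum is said to use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def demo() -> Dict[str, object]:
    table = build_lookup_table(WORDLIST)
    salt = "ab12"  # constructed per-user salt
    salted_target = salted_hash("letmein", salt)
    return {
        # Weak unsalted password: one dictionary hit, no work per user.
        "unsalted_weak": lookup_unsalted(unsalted_hash("letmein"), table),
        # The posted hash is not in our small wordlist, so lookup fails.
        "posted_hash": lookup_unsalted(POSTED_HASH, table),
        # Same weak password, but salted: the reusable table no longer matches.
        "salted_via_table": lookup_unsalted(salted_target, table),
        # Salted cracking still works, but only by re-hashing per salt.
        "salted_via_guessing": crack_salted(salted_target, salt, WORDLIST),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The takeaway for a reader of the thread: "they can only try generating hashes to figure out what matches" and "I can crack MD5 in seconds" are compatible statements. With no salt, the seconds were spent once, years ago, by whoever built the table; with a salt, the attacker pays per account, and the only defence on the user's side is a password that is not in any such wordlist.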
 