How about a splash screen or a pop up and not a little banner on the frontpage.



"WE GOT HACKED!"

"YOUR ACCOUNT HAS BEEN COMPROMISED"

"CHANGE YOUR PASSWORD ASAP!"


IN A BIG GIANT FONT!



I'll be sending an email today to have my account deleted.
 
I'll be sending an email today to have my account deleted.
That's certainly your right, but do you abandon every site, company that gets hacked as well?

For instance, in the past few years, I've had 2 credit card companies, 1 bank, MacRumors and Adobe get hacked. All with varying levels of security before the hacking. Do I cancel all my interactions because of hackers?

The exposure of MR's data is a lot more limited than my bank's. This is a great site, and I think there are definitely lessons learned regarding this event. It's definitely a teachable moment, just from my perspective. While I kept different passwords across my accounts, I've decided to use a stronger password combination (thanks to 1Password).
 
I'm thinking about 1Password. Do I have to buy the iPhone/iPad/Mac app separately? Or does buying it at one place give me access throughout?

I want to have all my passwords synced through all devices

Thanks

iPhone/iPad = universal, so pay once.
Mac you have to pay again.

----------

Tapatalk is fully functional!
 
I really think it's time to stop the ranting. If people wish to leave the site, as Maflynn says, that's up to them, but in terms of getting the site back up and running, and the amount of effort and work that doing this type of thing takes, I'd rather see a few thank you's to the staff for all the effort.

I have 4 credit cards and several bank accounts.....I have no intention of changing them every time an exploit comes to light. There is no such thing as perfect bullet proof software.

NASA has been hacked.

The F.B.I have been hacked

Just to put things in perspective here.
 
All I want to know is: was this reported to the proper authorities?

Is that too much to ask? Or does it take a 4 hour online meeting?

100's of forums get hacked each day. Why would the authorities care when they have far more pressing things to do?

My own forum, a UK based gaming community at www.GRcade.co.uk was under a DDoS attack that lasted about a week. It just prompted us to improve security and learn from it.
 

Yes, I understand the legal standard to notify. Thanks. As with most "standards" there is an ethical standard that supersedes the legal requirements. The real issue here is whether there were adequate protections in place to reasonably protect MacRumors passwords and identities. In your view, were there?

Unclear. It's virtually impossible to secure any system. There are only the hacked or soon to be hacked.
 
I've read just about all the posts in this thread and I'm convinced that the majority concern is about preventative measures (i.e. why didn't MR use stronger encryption, etc.). This indicates that most of those who masquerade as forum security experts, cryptographers and lawyers in their posts are hardly those who have real credentials to be making those comments.

A proper security strategy doesn't focus on just the "if" it will happen, but more about "when" it happens. Well, MR was breached, and I believe they did a decent job at knowing what to do "when" it happened. MR is a high-profile site, so in terms of a risk analysis it was only a matter of time before this happened.

To those who think MR or any other site has a "hack proof" implementation, a determined person or group with enough resources, time and skills can and will breach their target, eventually. So don't blame MR for your email accounts and other forum logins and such being hijacked because you were too careless in using duplicated login/usernames/passwords elsewhere. Learn to protect yourself better.
 
This indicates that most of those who masquerade as forum security experts, cryptographers and lawyers in their posts are hardly those who have real credentials to be making those comments.
While I agree that everything you read on the internet should be taken with a grain of salt, are those people you're referring to running the forum? It's a rhetorical question: of course they're not. If I'm an expert in something but have no decision-making authority at a place that I frequent, then how does a problem in that venue devalue my expertise?

(Note that I'm not a security expert, I'm just taking issue with this line of reasoning.)
 
While I agree that everything you read on the internet should be taken with a grain of salt, are those people you're referring to running the forum? It's a rhetorical question: of course they're not.

(Note that I'm not a security expert, I'm just taking issue with this line of reasoning.)

There's a difference in having expertise versus having more knowledge than the average Joe.

If I'm an expert in something but have no decision-making authority at a place that I frequent, then how does a problem in that venue devalue my expertise?

Give me an example and I'll provide a response to that question.
 
I really think it's time to stop the ranting.

You're right, Macman45... it should have never started in the 1st place. Life is a series of pulls back and forth, good things and bad things. All of us take certain things for granted, even when we know we should never take anything for granted. Might be a good idea to plan on a web site being hacked, when it happens then it's part of your plan. If things go along smooth, then you can work it in with nothing to bitch about.

The words of W H Auden might shine light on what happened.

"Fate succumbs many a species: one alone jeopardizes itself."
 
Give me an example and I'll provide a response to that question.
Suppose I'm a security expert and I happen to spend my off-time on MacRumors, advising people and helping to troubleshoot. I am not in any administrative or staff position at the forum, which is to say, I do not know the specifics about how the forum is set up or run, nor am I involved in the setup or operation of the forum. The forum gets hacked. What you seem to be saying is that my expertise would be questionable, simply by virtue of my being here and somehow not having prevented what happened?
 
That's certainly your right, but do you abandon every site, company that gets hacked as well?

For instance, in the past few years, I've had 2 credit card companies, 1 bank, MacRumors and Adobe get hacked. All with varying levels of security before the hacking. Do I cancel all my interactions because of hackers?

The exposure of MR's data is a lot more limited than my bank's. This is a great site, and I think there are definitely lessons learned regarding this event. It's definitely a teachable moment, just from my perspective. While I kept different passwords across my accounts, I've decided to use a stronger password combination (thanks to 1Password).

It's not that I got bad feelings against MacRumors. I've been here for years and plan to stick around reading what's to come. :)
It just feels that I haven't been contributing much anyway so the next logical step would be why keep the account. I've shared my opinions, most of the times probably more bs than anything useful. Time for me to just back off, sit and chill. Let others share their opinions.
 
Suppose I'm a security expert and I happen to spend my off-time on MacRumors, advising people and helping to troubleshoot. I am not in any administrative or staff position at the forum, which is to say, I do not know the specifics about how the forum is set up or run, nor am I involved in the setup or operation of the forum. The forum gets hacked. What you seem to be saying is that my expertise would be questionable, simply by virtue of my being here and somehow not having prevented what happened?

I see what you're trying to say.

However my reply to that would be not necessarily because I don't know what you mean by "security expert" as there's no such thing. Most security professionals specialize in specific areas. A jack of all trades professional isn't necessarily the best in certain specific areas which is why most work in teams whether associated within the same company or within their sphere of contacts.

My comment referred to posts which indicated how MR should be doing this or that, should've done this or that (i.e. salting, hashing, etc.) and what not, and I'm willing to bet that most don't really understand the nature of how those elements really work.

If they're real "experts", the standard way to work towards a solution is via private consultation, as PM's and/or email correspondence. From there you could work your "expertise" by asking questions so you can provide the forum administrators a workable process towards an effective resolution. Because some users are posting their "expertise" out in the open, in my experience that's usually a sign of someone who's trying to pretend to be someone they're not.
 
Yes, vBulletin needs to change their choice of hashing algorithm. I'm surprised they didn't do that after the Ubuntu forums were breached.

This site is using an ancient version of vBulletin (3.8?) when they are on 5 something. Granted, when vBulletin was bought out they ruined the software with 4 and above.

I'm honestly not that mad at the site being hacked, **** happens but am a little pissed at the weak password hashing. Surely there must be a modification over at vb.org that has a different hashing scheme.

Somebody apparently cracked my password because I use the same one for Steam and they were able to log in (luckily it was blocked thanks to SteamGuard). Change your passwords, people! (Why the **** isn't it mandatory on next login... I'm pretty sure that functionality is built into VB.)
 
I see what you're trying to say.
I offer an apology, because now I see what you are trying to say, as well :) You're remarking mostly on the people in this thread who are coming down on MacRumors for doing (or not doing) one thing or another. I thought that you were making a remark on all forum users in general.

Again, sorry for the misunderstanding.
 
I'm honestly not that mad at the site being hacked, **** happens but am a little pissed at the weak password hashing. Surely there must be a modification over at vb.org that has a different hashing scheme.

Somebody apparently cracked my password because I use the same one for Steam and they were able to log in (luckily it was blocked thanks to SteamGuard). Change your passwords, people!

Here we go with the hashing again. Why are you upset over the hashing method when in fact you admitted to being careless in using duplicate passwords for other sites/services, the fault is yours. If your MR login info was unique to MR exclusively, what can a malicious user do with it other than impersonate you on the forums until you change your password? As a user (which all of us are), you have a responsibility to maintain your own security by minimizing your risks, should a compromise occur.

The breach to MR had nothing to do with hashes. As it was already stated numerous times by the mod(s), the method used was an account compromise which had mod/admin level privileges using a weak login/pass combo. Even with higher levels of encryption, a password such as abc123 or happycat2013 can be extracted with enough time.


Ledgem said:
I offer an apology...
You have nothing to apologize for. You gave me the opportunity to clarify my previous post so I hope it's much clearer now.
 
I really think it's time to stop the ranting. If people wish to leave the site, as Maflynn says, that's up to them,
Just to put things in perspective here.

From my view the MF would be a much more informative site for Mac help which is what it is supposed to be. If all the goodie two shoes who spend time and wasted bandwidth complaining about everything they read, would just leave and let the rest of us enjoy asking software questions and receiving help from the sincere members who would be left. That is not going to fly.............there are always some who enjoy jumping on the soap box and making derogatory statements. Maybe a change of name for our forum might be in line. Call it the MacForum for complainers.
 
From my view the MF would be a much more informative site for Mac help which is what it is supposed to be. If all the goodie two shoes who spend time and wasted bandwidth complaining about everything they read, would just leave and let the rest of us enjoy asking software questions and receiving help from the sincere members who would be left. That is not going to fly.............there are always some who enjoy jumping on the soap box and making derogatory statements. Maybe a change of name for our forum might be in line. Call it the MacForum for complainers.

MR already offers numerous areas for support related content. However, this thread resides within the News Discussion area so it's going to have the most opinionated and emotional comments out of the rest. It's not unique to MR and it gets just as silly/heated in the Android/Windows/Linux/Photoshop forums as well.
 