I got an email as a vBulletin forum owner that their own forums had been hacked and that they reset all vBulletin.com members passwords.
 
Here we go with the hashing again. Why are you upset over the hashing method when in fact you admitted to being careless in using duplicate passwords for other sites/services? The fault is yours. If your MR login info was unique to MR exclusively, what can a malicious user do with it other than impersonate you on the forums until you change your password? As a user (which all of us are), you have a responsibility to maintain your own security by minimizing your risks, should a compromise occur.

Clearly you didn't read my post or you would have seen the part where I said "I'm not mad at the site.."

The breach to MR had nothing to do with hashes. As it was already stated numerous times by the mod(s), the method used was an account compromise which had mod/admin level privileges using a weak login/pass combo. Even with higher levels of encryption, a password such as abc123 or happycat2013 can be extracted with enough time.

Wrong. Cracking some of the more modern hashing algorithms will take more time than the age of the universe, not to mention it is currently thermodynamically impossible. Of course that may change if a weakness is found in the algorithm, but there you have it...

Clearly you absolutely have no idea what you're talking about.
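The two posters above are arguing past each other: the hash function decides how expensive each guess is, while the password decides how many guesses are needed. The following is an added example, not code from any poster or from vBulletin, showing the defensive side of both halves: refuse passwords that sit on a (constructed, tiny) common/breached list, store the rest with salted PBKDF2-HMAC-SHA256 at an assumed work factor of 200,000 iterations, verify in constant time, and measure on the local machine how many guesses per second a fast unsalted hash allows compared with the slow one. The blocklist, the iteration count and the record format are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed stand-in for a breached/common-password list. A real deployment
# would check against a large published corpus, not six strings.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123", "letmein", "happycat2013"}

# Assumed work factor: tune so one hash costs roughly 100 ms on your own hardware.
PBKDF2_ITERATIONS = 200_000


def is_common_password(password: str) -> bool:
    """True if the password (compared case-insensitively) is on the blocklist."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt b64>$<hash b64>'.

    A fresh 16-byte random salt per user means two users with the same password
    get different records and an attacker cannot precompute one table for all.
    """
    if is_common_password(password):
        raise ValueError("password is on the common/breached list; refuse to store it")
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor, then compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_b64, hash_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def guesses_per_second(hash_once, seconds: float = 0.5) -> float:
    """Rough single-core throughput of one hash routine in this Python process."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        hash_once(b"candidate-guess")
        n += 1
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify right password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:", verify_password("abc123", record))
    fast = guesses_per_second(lambda g: hashlib.md5(g).digest())
    slow = guesses_per_second(lambda g: hashlib.pbkdf2_hmac("sha256", g, b"salt", PBKDF2_ITERATIONS))
    print(f"md5: {fast:,.0f} guesses/s   pbkdf2: {slow:,.1f} guesses/s   ratio: {fast / slow:,.0f}x")
```

The ratio printed at the end is what the hash choice buys you: every guess against the slow hash costs the attacker as much as tens of thousands of guesses against the fast one. It does nothing for "abc123", which a blocklist or an offline wordlist reaches in a handful of guesses either way, which is why the check comes first.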
 
Did your password consist of dictionary words? 779 in this thread.

Part of it consisted of a dictionary word, but why would I want to remember or type a complicated password from my phone for a random forum that I am registered to? (That was my logic)
 
for what it's worth,

vBulletin.com got hacked as well. The hackers claim they got access to our moderator account due to that hack/breach.

http://www.vbulletin.com/forum/foru...7195-important-message-regarding-your-account

arn

LOOK HERE;

https://www.facebook.com/inj3ct0rs/posts/611793255548704

Inj3ct0r Team hacked vBulletin.com and Macrumors.com

Inj3ct0r Team hacked the big CMS vendor vBulletin.com

We got shell, database and root server. We wanted to prove that nothing in this world is not safe.

We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x

We've got upload shell in vBulletin server, download database and got root.

All those wishing to buy a vulnerability and patch your forum : http://1337day.com/exploit/description/21518

proof image shell + database vBulletin.com:

http://1337day.com/img/exploits/4477f884c0f35e468c6a79d12a1ff663_1301380320.jpg

http://1337day.com/img/exploits/1b89aedb1ea392229094a73d12073b44_347699806.jpg

Macrumors.com was based on vBulletin CMS. We use 0day exploit on vBulletin, got password moderator. 860000 hacked too.

The network security is a myth
 
How am I supposed to know? Just coincidence that the email I use for this forum got hacked when I only use that email for this forum and my social media sites?

All the guy got was hashed passwords. If he cracked them in that amount of time, then we all have bigger problems to deal with in terms of internet security.

----------

Part of it consisted of a dictionary word, but why would I want to remember or type a complicated password from my phone for a random forum that I am registered to? (That was my logic)

Hey, did anyone ever say what the original password was for the admin who had his account hacked? Was it a very easy password to begin with? Maybe MR should make all admins use 20+ character passwords?

----------

https://howsecureismypassword.net

The password: doyouwanttoknowasecret

will only take 106 trillion years...

Note, I would never use a password I type online... just use for reference. Just string together some favorite numbers, some song lyrics, and your birthday. Everyone can have a password that will stand the test of eternity.
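The "106 trillion years" figure comes from the naive model the site uses: every character drawn uniformly from the character set. A string of song lyrics or favourite words is not uniform, so an attacker who guesses words instead of characters needs far fewer tries. The following is an added example, not code from the thread or from howsecureismypassword.net, that computes both estimates side by side. It assumes an attacker rate of 10^9 guesses per second (a fast unsalted hash on commodity hardware; the site's own rate is not stated), an attacker wordlist of 2,000 common words, and uses a constructed ten-word dictionary only to split the password into words.

```python
import math

GUESSES_PER_SECOND = 1e9          # assumed attacker rate, offline against a fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ATTACKER_WORDLIST_SIZE = 2000     # assumed size of the list the attacker guesses words from

# Constructed mini-dictionary used only to recognise words inside a password.
# A real estimator would load a large wordlist; the size used for the entropy
# arithmetic is ATTACKER_WORDLIST_SIZE, not the size of this set.
DICTIONARY = {"do", "you", "want", "to", "know", "a", "secret", "happy", "cat",
              "as", "an", "now", "at", "it"}


def charset_size(password: str) -> int:
    """Size of the character classes present: lower, upper, digits, symbols."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols
    return size


def naive_entropy_bits(password: str) -> float:
    """The howsecureismypassword-style model: every position is an independent uniform pick."""
    return len(password) * math.log2(charset_size(password))


def segment(password: str, dictionary=DICTIONARY) -> list:
    """Split into the fewest tokens, each a dictionary word, a digit run, or one character.

    Dynamic programming over prefixes: best[i] is the shortest token list for p[:i].
    """
    p = password.lower()
    best = [None] * (len(p) + 1)
    best[0] = []
    for i in range(1, len(p) + 1):
        candidates = []
        for j in range(i):
            piece = p[j:i]
            if best[j] is not None and (piece in dictionary or piece.isdigit() or len(piece) == 1):
                candidates.append(best[j] + [piece])
        best[i] = min(candidates, key=len)
    return best[len(p)]


def dictionary_entropy_bits(password: str, dictionary=DICTIONARY,
                            wordlist_size: int = ATTACKER_WORDLIST_SIZE) -> float:
    """Word-aware model: a word costs log2(wordlist), a digit run log2(10) per digit,
    a leftover letter log2(26), a leftover symbol log2(33).
    This deliberately ignores capitalisation and leet substitutions, which add little."""
    bits = 0.0
    for token in segment(password, dictionary):
        if token in dictionary:
            bits += math.log2(wordlist_size)
        elif token.isdigit():
            bits += len(token) * math.log2(10)
        elif token.isalpha():
            bits += math.log2(26)
        else:
            bits += math.log2(33)
    return bits


def seconds_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust a 2**bits keyspace at the given guess rate (worst case for the attacker)."""
    return 2 ** bits / rate


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_crack(bits, rate) / SECONDS_PER_YEAR


def report(password: str) -> dict:
    naive, wordy = naive_entropy_bits(password), dictionary_entropy_bits(password)
    return {"tokens": segment(password), "naive_bits": naive, "naive_years": years_to_crack(naive),
            "dictionary_bits": wordy, "dictionary_years": years_to_crack(wordy)}


if __name__ == "__main__":
    for pw in ("doyouwanttoknowasecret", "happycat2013"):
        r = report(pw)
        print(f"{pw}: {r['tokens']}")
        print(f"  naive      {r['naive_bits']:6.1f} bits -> {r['naive_years']:.3g} years")
        print(f"  word-aware {r['dictionary_bits']:6.1f} bits -> {r['dictionary_years']:.3g} years")
```

For the lyric the two models differ by about 27 bits (roughly 10^8 times fewer guesses), yet the seven-word phrase still comes out at millions of years under these assumptions, which is the real argument for long phrases. For a word-plus-year password like happycat2013 the naive model says 150 years and the word-aware model says under a minute, which is the gap the dictionary-word posts in this thread are worried about.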
 
Clearly you didn't read my post or you would have seen the part where I said "I'm not mad at the site.."

I read your post thoroughly. On one hand you said you weren't "mad at the site being hacked...", then you followed up with "pissed at the weak password hashing" which involved how MR's was set up, so in essence you contradicted yourself. I for one wouldn't care if there wasn't any hashing involved and my pass for MR was stored in plain text; a compromise would only allow them to impersonate me here, as my login/pass combo isn't used anywhere else.

Wrong. Cracking some of the more modern hashing algorithms will take more time than the age of the universe, not to mention it is currently thermodynamically impossible. Of course that may change if a weakness is found in the algorithm, but there you have it...

I can tell you have no idea how encryption technologies work. What does thermodynamics have to do with what we're talking about here? Are you saying that the behavior of varying temperatures had something to do with hashing or your careless use of duping your login/pass elsewhere?

I've already stated that time is a key factor among others, in addition to available resources which I also stated.

Just because it'll take you years to extract the data you need because you're trying to do it on a MacBook Pro, for example, doesn't mean there aren't better, more effective machines that can actually do it. Even if a home user were to spend thousands building a top-dollar code-cracking machine, it doesn't even compare to what some of the other powerhouses out there can do. There's a reason why cloud services exist for that purpose.

More time than the age of the universe? I see that you read this in some article or saw a message using a program somewhere, because those who work with encryption know that simply isn't true. Encryption is all about protecting you now. For instance, top encryption methods from 10-15 years ago aren't as difficult to deal with today. 10-15 years from now, that'll likely be true about today's encryption methods.
 
Someone recently used your password to try to sign in to your Google Account ***********@gmail.com. This person was using an application such as an email client or mobile device.

We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

Sunday, 17 November 2013 11:37:03 o'clock UTC
IP Address: 113.243.146.18
Location: Chenzhou, Hunan, China


If you do not recognise this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.

*facepalm well done macrumors. well done
 
Who said I did? Out of all of my accounts, only my gmail was the same as the forum and then they used the email to hack into everything else

The email is the most important one of all (with the exception of your bank account). It is the key to unlock all of your other services.

----------

Someone recently used your password to try to sign in to your Google Account ***********@gmail.com. This person was using an application such as an email client or mobile device.

We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

Sunday, 17 November 2013 11:37:03 o'clock UTC
IP Address: 113.243.146.18
Location: Chenzhou, Hunan, China


If you do not recognise this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.

*facepalm well done macrumors. well done

*facepalm* well done Steve000, well done.

Seriously use a different password on your email to ALL of your other services. It's critical as it is the gateway to your other services.
 
Someone recently used your password to try to sign in to your Google Account ***********@gmail.com. This person was using an application such as an email client or mobile device.

We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

Sunday, 17 November 2013 11:37:03 o'clock UTC
IP Address: 113.243.146.18
Location: Chenzhou, Hunan, China


If you do not recognise this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.

*facepalm well done macrumors. well done
Did you know about the MR breach before getting that email? If so why didn't you immediately change any passwords that you had reused on other sites?

It's a life lesson though and I'm glad it happened to me a few months ago when someone used a really old password from a defunct gaming forum to get into my PayPal (which I also rarely used). I now use LastPass to manage my more than 60 accounts all with unique passwords.
 
There's definitely something fishy going on.

I use Gmail and have used it since 2004. In that time, 98% of spam e-mails have gone straight to my spam box, skipping my inbox altogether. I get maybe one spam e-mail that actually gets in to my inbox maybe once every 2-3 months, if that.

The last 3-4 days, I have received around 8-10 spam e-mails all that went straight to my inbox - they weren't detected as spam.

Coincidence? Possibly... but I don't think I had 8-10 spam e-mails make my inbox in the past YEAR and now I have had that many in 3 or 4 days? It's a bit odd.

I don't open them so I'm alright on that front. I'm also less worried about security as I changed all my passwords to unique 32 character passwords using LastPass. I've also set up LastPass with a different e-mail account to the one I use everyday and won't be giving this address out to anyone or anything except LastPass.
 
Macrumors just informed me of this today, Nov 17, which is five days after the fact. This delay is unacceptable. To say that mass emails can't all be sent out at once is fine, but to take five days to get around to completing the task? Garbage.
 
The vBulletin attack seems to have been from October-ish, according to some posts (above). And not known about until now.

We do believe that our moderator account had a password taken from vBulletin.org and that was used to access MacRumors.

Given the lag time between October and now, it's very possible that many other forums have been hacked and simply don't know it yet. In fact, one of the files used in the MacRumors hack was hosted on another legitimate looking site, so we suspect they have been hacked as well. I contacted them, notifying them, but haven't heard back.

arn
 
And here I thought Macs were so secure

I guess that is just a rumor as well, the lack of security for a Mac... ha ha ha...:p
 
I guess that is just a rumor as well, the lack of security for a Mac... ha ha ha...:p

I've read that MacRumors is hosted on CentOS, an unbranded version of Red Hat Linux. Still, I doubt the vulnerabilities were in the OS itself.
 
I read your post thoroughly. On one hand you said you weren't "mad at the site being hacked...", then you followed up with "pissed at the weak password hashing" which involved how MR's was set up, so in essence you contradicted yourself. I for one wouldn't care if there wasn't any hashing involved and my pass for MR was stored in plain text; a compromise would only allow them to impersonate me here, as my login/pass combo isn't used anywhere else.



I can tell you have no idea how encryption technologies work. What does thermodynamics have to do with what we're talking about here? Are you saying that the behavior of varying temperatures had something to do with hashing or your careless use of duping your login/pass elsewhere?

I've already stated that time is a key factor among others, in addition to available resources which I also stated.

Just because it'll take you years to extract the data you need because you're trying to do it on a MacBook Pro, for example, doesn't mean there aren't better, more effective machines that can actually do it. Even if a home user were to spend thousands building a top-dollar code-cracking machine, it doesn't even compare to what some of the other powerhouses out there can do. There's a reason why cloud services exist for that purpose.

More time than the age of the universe? I see that you read this in some article or saw a message using a program somewhere, because those who work with encryption know that simply isn't true. Encryption is all about protecting you now. For instance, top encryption methods from 10-15 years ago aren't as difficult to deal with today. 10-15 years from now, that'll likely be true about today's encryption methods.


No. I am referring to the energy required to crack modern day hashing. The computational power required for some of them is against the laws of physics. Not even taking into account time. I think the weakest algorithm is what, O(^^256)? You are overestimating the capabilities of cloud computing when every computer working on the planet working toward cracking them currently take more time than the universe's age. Clearly you don't even remotely understand the mathematics involved.

Why are you talking about 10-15 years from now? You keep spinning around in circles more than Linda Blair in The Exorcist!

I suggest you stop digging yourself deeper and deeper with your nonsensical posts.
 
Macrumors just informed me of this today, Nov 17, which is five days after the fact. This delay is unacceptable. To say that mass emails can't all be sent out at once is fine, but to take five days to get around to completing the task? Garbage.


You try sending over 800,000 emails at once. I guarantee your ISP will block your email account as a potential spammer. These things are done in batches and take time. And yes it does take that long when there are that many people to email.
 
Weakest Link

Any website is as secure as its weakest link, and in this case it seems to be an account with Admin/superuser privileges. This means that the owners of the site do not have security policies and/or do not carry out audits of their policies regarding security, making it easy to get a bite of the :apple:
 
I really love reading your articles, I really do, but this seems to happen often, & I don't understand why our passwords are saved on your database like the poster below said. I will have to delete accounts if this happens again. Your fans & customers will not enjoy taking time out of their day to change & reset their passwords; this seems to be happening way too often it seems like there is no security!
 
I really love reading your articles, I really do, but this seems to happen often, & I don't understand why our passwords are saved on your database like the poster below said. I will have to delete accounts if this happens again. Your fans & customers will not enjoy taking time out of their day to change & reset their passwords; this seems to be happening way too often it seems like there is no security!

Just curious....

Prior to this most recent event...how often have you had to change your MR password?

And how long did it take you to accomplish that task?
 