Any stupid/drunken threads I make from now on I can confidently attribute to my account having been hacked and the work of an imposter.

Any good contributions that get thumbs up are by the real me.
 
It's because when it comes to all forms of security, some degree of risk analysis/assessment has to be performed, whether it's a formal process (structured and detailed) or informal (in your head). My risk analysis of a compromise of someone getting a hold of my MR login info would result in nothing more than someone able to impersonate me on the forums. Having access to my bank account info and MR's login are on opposite ends in terms of the hazard potential for each compromise.

I agree that information on a forum is generally pretty low risk, but as I said in an earlier post, there is a little more at risk than one might immediately think.

  • There are private messages between users, conversations which were thought to be somewhat private. Some PMs are only PMs to keep from derailing public threads (or are otherwise only relevant to specific people) and aren't actually all that sensitive, but some information or conversation may be mildly sensitive. Not financial or medical, but perhaps embarrassing in some way. Sometimes on forums people exchange contact info and even shipping addresses via PM.
  • An attacker could impersonate a mod or admin and gain access to whatever private forums, messages, and reports that mod or admin has access to, plus the ability to randomly ban users, lock threads or delete posts that people may have put some time and effort into.
  • An impersonator could edit a member's older posts, inserting nasty material that comes up in the Google searches of potential employers. The job candidate would probably never learn why they were denied the interview (and thus couldn't reply with "The site was hacked. I didn't write that."), and the mods and member never correct the posts because they're so old that they were edited without being noticed.
  • As more and more large databases are breached and their passwords cracked, attackers learn more and more about what passwords people in general tend to use, and this strengthens their password lists and rule sets for other, completely unrelated attacks (source).

Again, I agree that forums are fairly low risk if the password isn't reused. This isn't a financial, medical, or social networking website, and I'm not saying to sound the alarm. I'm just pointing out a few additional concerns that people may not think about at first.
 
Tip: Removing Private Messages

An additional but smaller risk is private messages, because some of those inboxes and sent boxes contain information and conversation that was thought to be somewhat private, and some portion of it (however small) might be slightly sensitive.
Users who would like to remove their private messages without losing the content can download them in plain text format, CSV (spreadsheet-style) format, or XML (tagged and structured) format, and then delete them from the forums.

Here's how:

  1. Go to your Private Message page.

  2. Click one of the Download all private Messages as choices at the bottom right of the page: XML, CSV, or Text.

  3. Select all messages on the screen by clicking the Messages: checkbox at the top right of the message list.

  4. Select "Delete" after the Selected Messages: label at the bottom of the message list, then click the Go button.

  5. Repeat Steps 3 and 4 if you have another page of Inbox messages.
You can change the Jump to Folder: drop-down to Sent Items (or another PM folder) and do the same steps for those PMs.
 
Users who would like to remove their private messages without losing the content can download them in plain text format, CSV (spreadsheet-style) format, or XML (tagged and structured) format, and then delete them from the forums. [...]

Thanks for the info, Doctor Q. I'm glad there's a way to do that. It probably doesn't do anything about the copies of the messages in the other person's inbox and sent box, but it helps some. The feature is also handy for people who want to keep a local copy of some of the content they've written, in case MacRumors forum ever goes away or they lose access to their account. I like it.

Just FYI, I made quite a few edits to my posts since the version you quoted, and added several new points and details that I thought of. Just in case you're interested.
 
Another option (suggested by someone in a different MR thread) is to not even answer the security questions with real words. Instead, have 1PW generate a new long random string for each question and use that as your answer, and then store each question & answer pair in the 1PW notes field.

Yeah, that is a good suggestion although I find it more interesting to just make up stuff that has no relation to my life history. And of course, I make a note of it in 1Password so I don't forget what I entered.
 
Yeah, that is a good suggestion although I find it more interesting to just make up stuff that has no relation to my life history. And of course, I make a note of it in 1Password so I don't forget what I entered.

I use a random multi-word generator for that, and the results are often amusing.
 
Delete account?

Is it possible to just remove your account altogether? I can't seem to find a place in the account preferences to do so.
 
I really love reading your articles, I really do, but this seems to happen often, & I don't understand why our passwords are saved on your database like the poster below said. I will have to delete accounts if this happens again. Your fans & customers will not enjoy taking time out of their day to change & reset their passwords; this seems to be happening way too often it seems like there is no security!
You created your account here yesterday. So you created an account just to say that you will have to delete your account if this happens again? :eek:

You don't need an account here to read their articles.

This has never happened here before, so your "seems to happen often" and "seems to be happening way too often" comments make no sense.
 
Cancelling my membership

It is probably there somewhere but I want to cancel my membership and cannot find any way to do so, some advice please.
 
MacRumors just informed me of this today, Nov 17, which is five days after the fact. This delay is unacceptable. To say that mass emails can't all be sent out at once is fine, but to take five days to get around to completing the task? Garbage.

Don't you think it's better to be informed five days after than never at all? Sending all emails simultaneously would just cause the blacklisting of their mailservers.
I would rather ask why people feel free to hack all those sites (MacRumors, vBulletin, a while ago Adobe,...) - just because nothing is really safe these days?
 
Hacked again or just nothing left to read ?

I am just getting a front page with a couple of ads and a message saying "No items found"

Has MR been attacked again or are we full out of rumours ?
 
I'm certain that your extensive knowledge of the site justifies that eloquent, well reasoned and informative post.

Oh...wait...this is your SECOND post.

Nice one, Mate.:rolleyes:

It's possible that some of these people forgot the password to an old account and created a new one, but I'm just speculating.
 
I am just getting a front page with a couple of ads and a message saying "No items found"

Has MR been attacked again or are we full out of rumours ?

no. that's an old bug we haven't tracked down.

arn
 
It's possible that some of these people forgot the password to an old account and created a new one, but I'm just speculating.

You might be right...but I believe that would constitute re-registration...opening a second account, which is a major Rule violation.

If you forget your password, it is possible to re-set your password, not open a second account.
 
I really love reading your articles, I really do, but this seems to happen often, & I don't understand why our passwords are saved on your database like the poster below said. I will have to delete accounts if this happens again. Your fans & customers will not enjoy taking time out of their day to change & reset their passwords; this seems to be happening way too often it seems like there is no security!

You are the poster child for hackers. All passwords should be changed periodically, intrusion or not. I can see how the 5 seconds it takes to change your password can hinder your bottom line.
 