The fact that someone with high-level access had their password hacked means either this hacker was fairly sophisticated or the password was easily guessable; that is inexcusable for a moderator to have a simple password.

The front page was up for most of the outage so while if you didn't know what the root cause was you suspected a hacker and that should have been mentioned the second you got word. Even just a simple "we don't have all of the details but your information may have been compromised" would have been enough. No need to wait 12 hours and then only tell us after being pressured into it. At the least all of the passwords should have been reset the second you sensed trouble.
 
Are you saying the hacker got in by way of a God's account?

Only Arn knows the details of what happened but from his OP of this thread, there was a moderator account that was compromised and somehow, I have no idea how, the hacker was able to escalate that account to have higher privileges.

Under normal circumstances, moderator accounts shouldn't be able to do that.
 
They use something called a rainbow table.

http://en.wikipedia.org/wiki/Rainbow_table

To break the salt the VB uses they'll look for people who use 'password' or 12345 as their password (the reason being lots of people will use them). This will let them find out what the salt (the bit that's added into the hash) is. Once they've done that, they can go through and reverse engineer the passwords.

Thanks for that info.
 
Ok so some people are being overly aggressive here:

1) the article clearly states "... and (hashed) password is now known." HASHED. The second highest uprated comment as of now is complaining that the passwords have *edit: not* been hashed. They have been. Learn to read. They certainly aren't stored in plaintext.

2) Others are complaining about MacRumors leaving far too long before telling us; they have only left a day. In terms of what a hacker can do with any data in one day, given the passwords are hashed, this is somewhat limited.

3) It's not as if MacRumors asked to be hacked, or didn't take any measures to prevent hacking - now clearly those measures have been proven to be ineffective but of all the forums in the world I would imagine MacRumors is pretty up to date on the security software used to protect it. Certainly I worry much more about the forums I am members of using old front-ends to host their forum where the interfaces have been updated for known security flaws - in those cases hacking is really much more trivial since the flaw is public knowledge.

4) If you are stupid enough to use the same password for everything then shame on you for blaming MacRumors, and if you aren't that stupid then you have nothing to worry about hackers gaining access to your MacRumors password. Just change it and they now have a redundant password and very limited information on you. Sure, I use my MacRumors password for a few sites but only sites with few personal details where the risk of data loss in a hack is minimal and I want the convenience of a single password. Only an idiot uses one password for everything between their computer root and the least secured of connections.

tl;dr grow up and stop all blaming MacRumors for a load of things they didn't do. If you hate it that much, move to a different forum.
 
MacRumors Down

I thought I was on the healthcare website....:D

sorry to hear that..Glad you're back up and running
 
Yahoo Acct disabled yesterday evening

Interesting. I use a Yahoo email for my profile on this site. I received a notification from Yahoo saying my account was locked due to suspicious activity. I was surprised, as I hadn't been doing anything with it in the last few days.

Wonder if they were trying to hack into my Yahoo account from data stolen here?

I use a different password for every site that I have an account, and several different user names across those various sites.
 
Hope the fingerprint thing evolves so that important stuff like bank accounts are protected in that non-hackable way.

Passwords simply suck and do no good when the place you use them gets hacked.
 
Times like this make me happy I use 1Password with a different password generated for every site.
 
They use something called a rainbow table.

http://en.wikipedia.org/wiki/Rainbow_table

To break the salt the VB uses they'll look for people who use 'password' or 12345 as their password (the reason being lots of people will use them). This will let them find out what the salt (the bit that's added into the hash) is. Once they've done that, they can go through and reverse engineer the passwords.

Wouldn't it be easier for them to just register users with a certain password on their own before hacking the forum to find out about the salt?

Anyways I registered at this forum mainly to troll around, so I didn't use my standard email address or password. So I couldn't care less about my password being brute-forced.
 
This shouldn't be a big problem if the passwords were hashed. I suppose it could be cracked eventually with some time and resources, but at least you have time.
 
iCloud Keychain does not work with this site. In fact, I just changed my password to use the iCloud one, and Safari didn't autofill the login form, negating the purpose altogether.

Same problem here, I cannot get MacRumors to work with iCloud Keychain.

1. Latest version of Mavericks on MacBook Air.
2. iCloud Keychain will offer to generate a password for me (and it autofills the fields when offered).
3. Try to login on MacRumors and it will never autofill the fields.
4. Using latest version of Safari, I have "AutoFill user names and passwords" and "Allow AutoFill even for websites that..." checked in the preferences.
5. Disabling popup blocking, disabling Safari Extensions, and restarting Safari and the Mac did not help.
6. MacRumors does not show up in the Passwords section of the Safari preferences, nor in the Keychain Access app. In other words, it offered to save the password for me, generated a password for me, and filled it, but seems like it never saved it.
7. Also tried it on the iPad running iOS 7.0.3, same deal there.
8. I have other sites that are working with iCloud Keychain (and are visible in the preferences and in Keychain Access), so I know it's not that the whole thing is not working.

Any ideas what I'm doing wrong?
 
Hey, NSA, you already have all my account and password information, was this forum really necessary??? ;-)

BTW, thanks, Arn, for the information!
 
They use something called a rainbow table.

http://en.wikipedia.org/wiki/Rainbow_table

To break the salt the VB uses they'll look for people who use 'password' or 12345 as their password (the reason being lots of people will use them). This will let them find out what the salt (the bit that's added into the hash) is. Once they've done that, they can go through and reverse engineer the passwords.

So if you used a secure password, the chances of reverse engineering it are small?
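
Added example (not part of any post in this thread, and not MacRumors' or vBulletin's code): a minimal sketch of how a site can store passwords so that the questions raised above matter less. It assumes a random per-user salt stored next to the hash and PBKDF2 as the slow hash; the function names, the iteration count and the short deny-list are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed deny-list; a real deployment would load a much larger one.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein"}
ITERATIONS = 200_000  # assumed work factor for this example


def is_acceptable(password: str) -> bool:
    """Reject short or widely used passwords at registration time."""
    return len(password) >= 10 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is random per user and is not a secret."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def unsalted_md5(password: str) -> str:
    """Fast unsalted hash, shown only for contrast with the salted scheme."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Two constructed users who picked the same weak password.
    salt_a, hash_a = hash_password("12345")
    salt_b, hash_b = hash_password("12345")
    # Unsalted: identical digests, so one precomputed table entry covers both.
    print("unsalted digests equal:", unsalted_md5("12345") == unsalted_md5("12345"))
    # Salted: digests differ per user, so a precomputed table does not apply.
    print("salted digests equal:  ", hash_a == hash_b)
    print("verify correct:        ", verify_password("12345", salt_a, hash_a))
    print("policy accepts '12345':", is_acceptable("12345"))
```

The salt only removes the shortcut of precomputed tables; a common password is still found quickly by guessing, which is why the registration check rejects it.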
 
Well sorry isn't going to cut it this time. Go back to the drawing board and see what else you can come up with for our trouble. :mad:
 
Well, considering how this is the only website where I use the "Mad Mac Maniac" pseudonym I'm not really too worried. The worst that can happen is hackers can start trolling you guys. Oh the horrors! :p

Have you considered they have your e-mail? Do you have a unique e-mail for each website? :D
 