I agree that information on a forum is generally pretty low risk, but as I said in an earlier post, there is a little more at risk than one might immediately think.

  • There are private messages between users, conversations which were thought to be somewhat private. Some PMs are only PMs to keep from derailing public threads (or are otherwise only relevant to specific people) and aren't actually all that sensitive, but some information or conversation may be mildly sensitive. Not financial or medical, but perhaps embarrassing in some way. Sometimes on forums people exchange contact info and even shipping addresses via PM.
  • An attacker could impersonate a mod or admin and gain access to whatever private forums, messages, and reports that mod or admin has access to, plus the ability to randomly ban users, lock threads or delete posts that people may have put some time and effort into.
  • An impersonator could edit a member's older posts, inserting nasty material that comes up in the Google searches of potential employers. The job candidate would probably never learn why they were denied the interview (and thus couldn't reply with "The site was hacked. I didn't write that."), and the mods and member never correct the posts because they're so old that they were edited without being noticed.
  • As more and more large databases are breached and their passwords cracked, attackers learn more and more about what passwords people in general tend to use, and this strengthens their password lists and rule sets for other, completely unrelated attacks (source).

Again, I agree that forums are fairly low risk if the password isn't reused. This isn't a financial, medical, or social networking website, and I'm not saying to sound the alarm. I'm just pointing out a few additional concerns that people may not think about at first.

All of which are controllable by the user.

- Exchanging sensitive information is the fault of the user(s).

- Login/pw behaviors are already known (i.e. some combos extending to 14 char combinations are already known). There are tons of information advising users to adopt better methods of choosing login/pw's.

- Pre-employment screenings of individuals based on their post behavior depend on what the user reveals to the employer.
 
Thanks for clearing that up. Any time frame on when the whole website will be back up and fully functional?

we're almost back at full functionality. as we went along, we seem to have introduced a lot of bugs and broken things. for a while it was 1 step forward, 2 steps back.

arn
 
MacRumors Forums Security Leak

the first thing i want to say, Leak, it implies internal fault when that is not the case. a thought process that is not in compliance might seem trivial but i do not believe it is. algorithm is an explanation.
i thank you for the notification, but i take care of my own security.
i believe allowing infiltration is the only way to apprehend it. if there is a better way please enlighten me.
if anyone wants to be me U r insane and no matter how hard U try, U can't be. i have no problem with passwords except that they are required.
i like a place where i remain a silent listener at times
slayerwulfe
 
Just changed my password... but what's the use if everything is sent with regular HTTP anyway?
The use is that this is just a discussion forum and in itself doesn't really matter if someone can get your password. Where it most certainly matters is if you have used the same password for other sites that contain financial or more personal information. In which case, using a new different password for MacRumors is kind of important, regardless of whether or not it uses HTTP or HTTPS.
 
we're almost back at full functionality. as we went along, we seem to have introduced a lot of bugs and broken things. for a while it was 1 step forward, 2 steps back.

arn

Thanks for your efforts - I appreciate your time and effort getting the valuable resource up and running again
 
we're almost back at full functionality. as we went along, we seem to have introduced a lot of bugs and broken things. for a while it was 1 step forward, 2 steps back.

arn

Add my thanks, too.:D

I can't imagine what a horror show the past few days have been for you, and I appreciate all the work you had to do to get the site back up and running.
 
Add my thanks, too.:D

I can't imagine what a horror show the past few days have been for you, and I appreciate all the work you had to do to get the site back up and running.

I would like to add my thanks three:)

PJ.
 
I don't trust this site any more. How do I delete my account for good?

There should be an option to do that but I can't find it in my account.
 
how ironic we just talked about this in ECommerce class today.

"should a company announce a security leak right away before the media gets wind of it or wait til they know what happened exactly and how to fix it?"

I don't know about ecom, but I can tell you that business ethics and leadership would be to get out in front of it, apologize, take responsibility, and clearly state what is being done to rectify the problem. Sounds like MR did that to me. Hackers should be shot. Of course it might be BHO using the NSA to get early release information on the next gen ipad.....
 
I do not know what is going on in this thread

I am not the same "lol" who has been posting in this thread. That person hijacked my account. I recently started getting email notifications from people posting in this thread so I went and recovered my password so I can stop the notifications.

Good luck with the security leak, MacRumors!
 
Reset all accounts?

If you know you've been breached then why have you not reset everyone's accounts and forced a password change? :mad:
 
I saw this when i refreshed the page:
I didn't write anything, i canceled it.
 

Attachment: Skjermbilde 2013-11-20 kl. 15.38.19.png

Add my thanks, too.:D

I can't imagine what a horror show the past few days have been for you, and I appreciate all the work you had to do to get the site back up and running.

I was going to reply "Ditto", but I figured I'd get put in time out for a one word reply.:D
 
Let me get this straight ...

The attack was known to have been used four months ago against a similar site, and your site was still vulnerable now?

And I bet "3rd party security researcher" is code for "unpaid volunteer."
 
virus infected emails

Over the past 2 to 3 days, I've received several virus laden emails to the email address used on my MacRumors account. This is an unusual occurrence, so I suspect that the email address was compromised and is now being used to distribute viruses.
 
whoa.

Oh damn. Picking HorseBatteryStaple for sure now.
Dude. Now EVERYBODY knows your password... c'mon now.
:D
Excellent comment, man. The issue is cryin' for some levity. Many thanks.

----------

All of which are controllable by the user.

- Exchanging sensitive information is the fault of the user(s).

- Login/pw behaviors are already known (i.e. some combos extending to 14 char combinations are already known). There are tons of information advising users to adopt better methods of choosing login/pw's.

- Pre-employment screenings of individuals based on their post behavior depend on what the user reveals to the employer.

Soooo helpful. I feel like I just sat in the Matrix "learning chair", someone just jammed the input cord into the back of my head and played me the "password course". Many thanks. Blinking pretty wide right now...
 
someone hacked my best buy acct this morning and placed an order, got it cleared up, but wonder if there's a connection?
 
someone hacked my best buy acct this morning and placed an order, got it cleared up, but wonder if there's a connection?

Of course there is.

Any future hacks, bugs, glitches, identity thefts, and hang nails happening to any of the 850,000 members on this site are clearly caused by the hack on MacRumors.

There...I said it. No need for anyone to ask any more...:D

:rolleyes: ;)
 
That explains it.. I woke up in the middle of the night to take a leak and had a little side spray action and soaked the floor.. Thanks macrumors
 