ya. no one takes kindly to changing software. it's a massive change.

arn

With the amount of users on here, believe me you would get lynched. I spend a lot of time on here now and that is mainly because I don't spend any time on av forums.com anymore; it's so awkward to use I just can't be bothered. All you have to do is look at xenforo's own website to see how poor it is.
 
Useless

I'm extremely annoyed as I asked for my account to be deleted back in 2008 when I last logged in! Seems MacRumors just doesn't care about other people's data.
 
I'm extremely annoyed as I asked for my account to be deleted back in 2008 when I last logged in! Seems MacRumors just doesn't care about other people's data.

If you wish to have your account deleted, please read the FAQ under 'How do I cancel my account' and then send your request to the admins via the Contact form. They will respond to you within a few days.

SBG
 
Maybe I just don't get it..

The site was hacked and people's usernames and passwords were exposed. Are you guys seriously using your professional email and real data to log into a forum? This is why gmail/hotmail are free; use them and all the spam goes to a box you never see or check?
 
Maybe I just don't get it..

The site was hacked and people's usernames and passwords were exposed. Are you guys seriously using your professional email and real data to log into a forum? This is why gmail/hotmail are free; use them and all the spam goes to a box you never see or check?

You will be surprised to know how many people use the same password across all sites/email/online banking, and that the password they use is really simple, either just using numbers and dictionary words. Most people are plain stupid, and don't really care about the strength of their password.

But when hacks like these happen, they always blame the site, but don't think of their own ignorance. Of course, everything can be hacked/cracked. It can happen for Macrumors, Microsoft, Apple, and everyone else. In most cases, the weakest link is the users' simple passwords. One breach in one database could easily give a hacker access to your logins everywhere else.

That said, it would be a welcome change, if Macrumors fixed the encryption/hashing on the passwords to not use MD5. I know that VB is written for MD5, but it shouldn't be that difficult to change to some more secure methods. For example password_hash() in PHP 5.5 that uses a one-way algorithm (bcrypt). It is resistant to brute-force attacks/rainbow tables, as you can make it slower.
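
The migration suggested in the post above, sketched as an added example that is not part of the original post and is not MacRumors or vBulletin code. It assumes PHP 7.1 or later, a legacy scheme of md5(md5(password) . salt), and a hypothetical user record and function names; each account moves to bcrypt the next time its owner logs in.

```php
<?php
// Upgrade-on-login: verify against the old salted MD5, then store bcrypt.
// Assumptions (not from the thread): PHP 7.1+, a record shaped like
// ['hash' => ..., 'salt' => ...], and a legacy scheme of md5(md5(pw) . salt).

const BCRYPT_OPTIONS = ['cost' => 12]; // raise as hardware gets faster

function legacy_md5(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

// Returns [bool $ok, array $user]. After a successful login $user holds a
// bcrypt hash, so the MD5 value no longer needs to be stored.
function verify_and_upgrade(array $user, string $password): array
{
    $isLegacy = strlen($user['hash']) === 32 && ctype_xdigit($user['hash']);

    if ($isLegacy) {
        // Constant-time comparison of the recomputed legacy hash.
        $ok = hash_equals($user['hash'], legacy_md5($password, $user['salt']));
    } else {
        $ok = password_verify($password, $user['hash']);
    }
    if (!$ok) {
        return [false, $user];
    }

    // Rehash legacy records, and bcrypt records made with an older cost.
    if ($isLegacy || password_needs_rehash($user['hash'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        $user['salt'] = null; // bcrypt keeps its own random salt in the hash
    }
    return [true, $user];
}

// Constructed sample record as it might look before migration.
$user = ['salt' => 'x7Q', 'hash' => legacy_md5('correct horse', 'x7Q')];

[$ok, $user] = verify_and_upgrade($user, 'correct horse'); // MD5 path, upgrades
var_dump($ok, strpos($user['hash'], '$2y$') === 0);

[$ok, $user] = verify_and_upgrade($user, 'correct horse'); // bcrypt path
var_dump($ok);

[$ok] = verify_and_upgrade($user, 'wrong guess');          // wrong password
var_dump($ok);
```

Accounts that never log in again keep their MD5 hash under this approach, so a deployment would still need a plan for those records, such as forcing a password reset.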
 
12 days and you still haven't sent emails to all affected users? (got my email today). If apple can send marketing emails to millions of users in the space of a couple of days, a little forum certainly can. mailchimp etc. send 4 billion emails a month.
 
You will be surprised to know how many people use the same password across all sites/email/online banking, and that the password they use is really simple, either just using numbers and dictionary words. Most people are plain stupid, and don't really care about the strength of their password.

But when hacks like these happen, they always blame the site, but don't think of their own ignorance. Of course, everything can be hacked/cracked. It can happen for Macrumors, Microsoft, Apple, and everyone else. In most cases, the weakest link is the users' simple passwords. One breach in one database could easily give a hacker access to your logins everywhere else.

That said, it would be a welcome change, if Macrumors fixed the encryption/hashing on the passwords to not use MD5. I know that VB is written for MD5, but it shouldn't be that difficult to change to some more secure methods. For example password_hash() in PHP 5.5 that uses a one-way algorithm (bcrypt). It is resistant to brute-force attacks/rainbow tables, as you can make it slower.

If you're using a forum password for your banking and investment accounts then I don't much feel sorry for you. If this was 1992 then I'd be pissed too but we've only got 5 weeks left in 2013.
 
If you're using a forum password for your banking and investment accounts then I don't much feel sorry for you. If this was 1992 then I'd be pissed too but we've only got 5 weeks left in 2013.

I don't. I work as an IT professional with mostly security and pentesting etc. But many people (the majority) use the same password everywhere.

----------

If apple can send marketing emails to millions of users in the space of a couple of days, a little forum certainly can. mailchimp etc. send 4 billion emails a month.

They can, because they have a high reputation.
 
12 days and you still haven't sent emails to all affected users? (got my email today). If apple can send marketing emails to millions of users in the space of a couple of days, a little forum certainly can. mailchimp etc. send 4 billion emails a month.

For reference, Arn posted here and here advising that it isn't easy sending 800,000+ emails at once. They have to stagger and trickle them out which is why it took so long for you to get yours.
 
They can, because they have a high reputation.

mail.macrumours.com has a bad reputation for sending spam? They use DKIM, DomainKeys and SPF - they have a fine reputation.

besides, anyone can use mailchimp et al. Any and all methods should have been used to directly and quickly inform users of the breach.
 
besides, anyone can use mailchimp et al.
Seems to me that the infamous MailChimp, which has direct relations with major ISPs, is saying the same thing that arn (who doesn't have direct relations with major ISPs) said.

How fast does MailChimp deliver email?

The time it takes to deliver your campaign to your entire list depends on the size of your list, and on the current mail queue at MailChimp.

Technically it could take us 45 minutes to send 1 million emails. Beyond this ISPs require messages be throttled to groups of 2,000 or less and sent at rates from 5 to 30 minutes apart. We can send email pretty darn fast, but ISPs, some email servers and spam filters on the other hand can't receive bulk mail as quickly. Speed of delivery is then dependent how quickly they are receiving incoming email which can vary from time of the day to time of the year.
http://kb.mailchimp.com/article/how-fast-does-mailchimp-deliver-email/

----------

Where is the link to close a forum account?
About 10 posts up.

If you wish to have your account deleted, please read the FAQ under 'How do I cancel my account' and then send your request to the admins via the Contact form. They will respond to you within a few days.

SBG
 
We use an email delivery service (Sendgrid). We consulted with them and we sent emails even a little faster than they recommended.

If you think I'm lying about that, then there isn't much else I can say to convince you.

arn
 
We use an email delivery service (Sendgrid). We consulted with them and we sent emails even a little faster than they recommended.

If you think I'm lying about that, then there isn't much else I can say to convince you.

arn

Now you're putting words into my mouth :)

There are many other respected mail services you could be using in addition to your own. Also, if you're purposefully delaying emails, shouldn't the announcement of this issue be at the top of macrumors.com, like the link to the forums is?

Are you still using MD5 to store my password?
 
There are many other respected mail services you could be using in addition to your own.
What's the difference between the service you recommended (MailChimp) and the service arn went with (SendGrid)?

Looks like both companies are the top two players in the "respected mail services" market that you keep talking about.
 
shouldn't the announcement of this issue be at the top of macrumors.com, like the link to the forums is?

There was (maybe still is) a banner that appeared atop every forum page announcing the incident and linking to this thread. You must have clicked it away with the 'x' (like I did) and it disappeared.

Since I closed it on my account, I don't know if it's still active right now or not. But it was there and made known.

----------

I want to make it clear that Macrumors is refusing to close accounts associated with this "attack". They want us to provide another password so they can sell that one as well.

That is untrue.

If you wish to have your account deleted, please read the FAQ under 'How do I cancel my account' and then send your request to the admins via the Contact form. They will respond to you within a few days.

Because of the breach there is a steady flow of account cancelation requests and it's taking much longer than usual to handle them all. Please be patient and your Contact will be answered.
 
There was (maybe still is) a banner that appeared atop every forum page announcing the incident and linking to this thread. You must have clicked it away with the 'x' (like I did) and it disappeared.

Since I closed it on my account, I don't know if it's still active right now or not. But it was there and made known.
Not to take words from his mouth, but I think his point was that a banner similar to the forum banner should have been on the main MacRumors site (and not just the forum).
 
Not to take words from his mouth, but I think his point was that a banner similar to the forum banner should have been on the main MacRumors site (and not just the forum).

The same banner that was over the forums was also on the front page as well.
 
I just checked and the banner is still active for those who haven't clicked it away yet. It's overtop the forum pages but now gone from the front page.
 

Been Hacked

My Apple account has been hacked - I wonder whether the MacRumors Forums Security Leak has anything to do with it
Not Happy :(
 
My Apple account has been hacked - I wonder whether the MacRumors Forums Security Leak has anything to do with it
Not Happy :(

If it was the same password then yes, your info was leaked. You just learned your lesson for life.

Yeah, if you use the same password for more than one site, and one of those sites gets hacked, you risk your security on the others. This applies to any site to which you entrust your information.

smh, that's why I use a different password for every account.

Very wise.
 