Well I guess I was right when I saw the strange new pop up on the forums.

I made a post about it, and BAM the forums went down. Glad I didn't enter anything into it.

Thank goodness I got 1Password this year.
 

Attachment: Screen Shot 2013-11-11 at 21.01.02.png (38.4 KB)
Hey, if everyone uses a unique password for all their *****, no worries. I could care less if someone got my MR password. What are they gonna do, post comments IN FAVOR of Windows 8? I changed it nonetheless.
 
Don't you think it's time to move the Mac Rumors forum to something more solid, or at least offer two-factor authentication?

two factor authentication for a forum on computers?! Are you kidding me? Are you that worried that someone is going to take the time to impersonate "kildjean" and make us all think you are a bad person or something?

There is absolutely nothing you can "take" from me with my login and password here, though you could do me some damage by deleting all my history and forum posts. But that would be malicious with no financial gain for the person carrying out the deed. Since I'm betting my personal enemies are not the ones that broke into the site, I have zero to worry about. Oh, and my password is changed.

Wait... are you worried because you used the same login/password everywhere? Naaaa, you wouldn't be that stupid, would you? :confused:
 
I use a garbage pw for sites like this - but it is still pretty annoying.

I'd like it if these sites would provide a 'delete acct' function.

Eventually they'll get sued and add it. That's the American way: innovation through lawsuit.
 
I don't understand why the internet still uses MD5. Isn't SHA256 much more secure?

Developers can be lazy. It would be simple for vBulletin to add another field indicating the hash used for a given password and then migrate to SHA1 or SHA256 going forward. Or maybe MacRumors is still running an older version of vBulletin. Only they know the full story behind this, and sometimes it takes incidents like this to raise the bar and tighten belts.
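Added example (not vBulletin's code and not from anyone in this thread) of the migration the post above describes: a scheme field is stored beside every hash, legacy rows are still verified with the old algorithm, and a legacy row is rewritten with PBKDF2-HMAC-SHA256 the first time its owner logs in with the right password. The legacy scheme assumed here, md5(md5(password) + salt) with a short per-user salt, is the one vBulletin 3/4 used; the field names, salt sizes and iteration count are assumptions for illustration.

```python
"""Hash-scheme tagging and migrate-on-login. Added example, not vBulletin's code.

Assumptions (not from the thread): legacy rows are md5(md5(password) + salt)
with a 3-byte hex salt; upgraded rows are PBKDF2-HMAC-SHA256 with a 16-byte
random salt and PBKDF2_ITERATIONS iterations; rows are kept in a dict.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption; raise as hardware allows


def legacy_md5_hash(password: str, salt: str) -> str:
    """vBulletin 3/4-style double MD5: md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted hash: PBKDF2-HMAC-SHA256, hex encoded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


class UserStore:
    """Password table with an explicit 'scheme' column per row."""

    def __init__(self):
        self.rows = {}  # username -> {"scheme", "salt", "hash", ["iterations"]}

    def add_legacy_user(self, user: str, password: str) -> None:
        """Simulate a row created by the old forum software."""
        salt = os.urandom(3).hex()  # short legacy salt (assumption)
        self.rows[user] = {"scheme": "md5", "salt": salt,
                           "hash": legacy_md5_hash(password, salt)}

    def set_password(self, user: str, password: str) -> None:
        """Write a row in the new scheme (also used for the upgrade)."""
        salt = os.urandom(16)
        self.rows[user] = {"scheme": "pbkdf2_sha256", "salt": salt.hex(),
                           "iterations": PBKDF2_ITERATIONS,
                           "hash": pbkdf2_hash(password, salt)}

    def scheme_of(self, user: str) -> str:
        return self.rows[user]["scheme"]

    def verify(self, user: str, password: str) -> bool:
        """Check a login; on success, silently re-hash legacy rows."""
        row = self.rows.get(user)
        if row is None:
            # Burn the same work for unknown users so response time
            # does not reveal whether the account exists.
            pbkdf2_hash(password, b"\x00" * 16)
            return False
        if row["scheme"] == "md5":
            candidate = legacy_md5_hash(password, row["salt"])
        elif row["scheme"] == "pbkdf2_sha256":
            candidate = pbkdf2_hash(password, bytes.fromhex(row["salt"]), row["iterations"])
        else:
            raise ValueError(f"unknown hash scheme {row['scheme']!r}")
        ok = hmac.compare_digest(candidate, row["hash"])  # constant-time compare
        if ok and row["scheme"] == "md5":
            # Only now do we have the plaintext; upgrade the row in place.
            self.set_password(user, password)
        return ok


if __name__ == "__main__":
    store = UserStore()
    store.add_legacy_user("kildjean", "correct horse")  # constructed sample user
    print(store.scheme_of("kildjean"), store.verify("kildjean", "wrong"))
    print(store.verify("kildjean", "correct horse"), store.scheme_of("kildjean"))
```

The scheme column is what makes the migration safe: nothing is re-hashed until the user proves the plaintext, and rows that never log in again stay flagged as legacy so they can be expired or force-reset later rather than quietly lingering as fast MD5.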
 
Ha, that's exactly the same thing that happened to me yesterday. So the hacker used our emails registered with MacRumors and tried to get into Yahoo email accounts, using the same passwords. I didn't use the same password, so I guess they failed. But they could get into someone else's account.

Interesting. I use a Yahoo email for my profile on this site. I received a notification from Yahoo saying my account was locked due to suspicious activity. I was surprised, as I hadn't been doing anything with it in the last few days.

Wonder if they were trying to hack into my Yahoo account from data stolen here?

I use a different password for every site that I have an account, and several different user names across those various sites.
 
PSA: Password managers like 1Password and iCloud Keychain are definitely something everyone should look into. These types of leaks are never fun, but you'll rest easier knowing that all of your logins are randomly generated and unique.

So what's stopping someone cracking the master password and getting all the random ones for each of my logins in one go?
 
sigh.... Why was this not on the front page ASAP?

Who said it wasn't? People keep saying this but I see no evidence that they didn't. All we have from the article is:
"Yesterday, the MacRumors Forums were targeted and hacked"
Knowing when it was hacked is not the same thing as finding out when it was hacked. And, once suspicions are raised they needed to confirm it so that they don't waste a bunch of our time for absolutely no reason. I greatly appreciate this.

In the meantime, the passwords are hashed, so it'll take time for them to be broken, AND we here at MacRumors are all smart enough to not use the same password for everything, or at least in places where it matters, right?
 
Have you considered that they have your e-mail? Do you have a unique e-mail for each website? :D

Emails are public... I'm not that paranoid that I'm going to create an email for every login. 20 alpha/numeric/special is enough security for me. Any site that will let me I use 20.
 
I personally prefer to pepper my passwords.

I prefer mine with relish ;)

But as always, it's good common sense to use unique passwords (and I find that most users do not follow this simple measure). I guess coming from a paranoid culture myself (navy family, and having worked with gov agencies), it's easy for me to say.

good to see the admins took swift action - best try and catch the little crackers (sorry am old school), before any huge damage is done, and pull the site from production.

Good work guys n gals - I feel your pain and well done indeed.
 
Same problem here, I cannot get MacRumors to work with iCloud Keychain.

1. Latest version of Mavericks on MacBook Air.
2. iCloud Keychain will offer to generate a password for me (and it autofills the fields when offered).
3. Try to login on MacRumors and it will never autofill the fields.
4. Using latest version of Safari, I have "AutoFill user names and passwords" and "Allow AutoFill even for websites that..." checked in the preferences.
5. Disabling popup blocking, disabling Safari Extensions, and restarting Safari and the Mac did not help.
6. MacRumors does not show up in the Passwords section of the Safari preferences, nor in the Keychain Access app. In other words, it offered to save the password for me, generated a password for me, and filled it, but seems like it never saved it.
7. Also tried it on the iPad running iOS 7.0.3, same deal there.
8. I have other sites that are working with iCloud Keychain (and are visible in the preferences and in Keychain Access), so I know it's not that the whole thing is not working.

Any ideas what I'm doing wrong?

Tried all of this and can't get it to work either
 
An informative post by rmwebs that I'll put here for more exposure.

I have my doubts about the informative nature of that particular post. The glaring things that pop out to me:

1) Hashing is a different problem than encryption. With RSA or AES, you still have a key floating around. You don't use it for one-way encryption (AES is reversible with the key you encrypted with!), and you never use two-way encryption on passwords. You don't want the plaintext recoverable. Ever. Encrypting the hashes may slow things down a bit, but only in the sense that the attacker will now be rooting around your server for the encryption key as well. And if you use RSA as one-way encryption, it's no better than a weak hash around your hash. You gain nothing other than the complexity of your own security model, which may introduce vulnerabilities and bugs that reduce the overall security of the system.

2) MD5/SHA1 are cracked in the sense that you can generate a database of collisions. It may or may not actually match the password + salt. So they are cracked for cases where there is no salt (collisions are just as valid as the original string), and as file signatures, since it has been shown that MD5 hashes of files can indeed be forged by matching the hash with different content. When it comes to passwords, they are weak because of how quickly you can hash them. A more complicated and cryptographically secure hash will take longer to hash, meaning an attacker can try fewer keys per second against the hash.

He is wrong that MD5/SHA1 are reversible, unless you don't use salt.

3) The real solution is using PBKDF2 hashing algorithms or similar. Which incidentally, isn't terribly different from bcrypt's implementation of hashing. So he's right there. But the goal here is to slow down dictionary attacks and the like long enough so that users can change their passwords. The problem here is that if they have the hash, it really is just a matter of time before it can be broken, even if it is on the order of months.
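Added example, written for this thread rather than taken from it or from vBulletin, covering the pepper remark earlier in the thread and the points in the post above: the same password is stored as unsalted MD5, salted MD5, PBKDF2-HMAC-SHA256, and PBKDF2 with a pepper kept outside the database, and a wordlist attack is run against each copy. It shows that a salt defeats precomputed tables and per-user amortisation but does nothing about guessing speed, that a slow KDF cuts the attacker's guesses per second by the iteration count, and that a pepper the attacker does not have makes the leaked rows unverifiable. The wordlist, salts, pepper and iteration count are constructed for the demo; the iteration count is deliberately low so it finishes quickly.

```python
"""Wordlist attack against one password stored four ways. Added example.

Constructed for the demo (not from the thread): WORDLIST, the sample password,
random salts and pepper, and ITERATIONS, which is far below production values
so the run takes well under a second.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # demo value; production would be an order of magnitude higher
WORDLIST = ["123456", "password", "letmein", "macrumors", "qwerty",
            "iphone5s", "Mavericks13", "dragon", "monkey", "correcthorse"]  # constructed


def md5_unsalted(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


def md5_salted(pw: str, salt: bytes) -> str:
    return hashlib.md5(salt + pw.encode()).hexdigest()


def pbkdf2(pw: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def pbkdf2_peppered(pw: str, salt: bytes, pepper: bytes) -> str:
    """Pepper applied as an HMAC key over the PBKDF2 output; pepper is not in the DB."""
    return hmac.new(pepper, bytes.fromhex(pbkdf2(pw, salt)), "sha256").hexdigest()


def crack(target_hex: str, hash_guess):
    """Online-style guessing: hash each word until it matches.
    Returns (password or None, guesses made, seconds spent)."""
    start = time.perf_counter()
    for guesses, word in enumerate(WORDLIST, 1):
        if hash_guess(word) == target_hex:
            return word, guesses, time.perf_counter() - start
    return None, len(WORDLIST), time.perf_counter() - start


def precompute_table() -> dict:
    """Unsalted hashes can be attacked with a table built once, reused for every user."""
    return {md5_unsalted(w): w for w in WORDLIST}


def lookup_unsalted(leaked: dict, table: dict) -> dict:
    """One dictionary lookup per leaked row; no hashing at attack time."""
    return {user: table.get(h) for user, h in leaked.items()}


def run_demo(password: str = "iphone5s") -> dict:
    salt = os.urandom(8)
    pepper = os.urandom(32)  # lives in app config or an HSM, never in the user table
    results = {}
    results["md5_unsalted"] = crack(md5_unsalted(password), md5_unsalted)
    # Salt: attacker must redo the work per user, but MD5 is still fast.
    results["md5_salted"] = crack(md5_salted(password, salt), lambda w: md5_salted(w, salt))
    # Slow KDF: every guess now costs ITERATIONS HMAC computations.
    results["pbkdf2"] = crack(pbkdf2(password, salt), lambda w: pbkdf2(w, salt))
    # Pepper: attacker has salt and hash from the leak but not the pepper,
    # so computing pbkdf2(guess, salt) can never match the stored value.
    results["pbkdf2_peppered"] = crack(pbkdf2_peppered(password, salt, pepper),
                                       lambda w: pbkdf2(w, salt))
    return results


if __name__ == "__main__":
    for scheme, (found, guesses, secs) in run_demo().items():
        rate = guesses / secs if secs else float("inf")
        print(f"{scheme:16s} found={found!r:14} guesses={guesses:2d} "
              f"time={secs:.4f}s rate={rate:,.0f} guesses/s")
    leaked = {"alice": md5_unsalted("qwerty"), "bob": md5_unsalted("dragon")}  # constructed
    print("table lookup:", lookup_unsalted(leaked, precompute_table()))
```

Running it prints the guesses-per-second figure for each scheme; the MD5 rows fall at millions of guesses per second while PBKDF2 drops to a few hundred, and raising ITERATIONS scales that gap linearly. The peppered row is the only one the attack cannot confirm, which is why a pepper is worth having in addition to, not instead of, a salted slow hash: if the pepper ever leaks with the database, you are back to the PBKDF2 line.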
 