MacRumors Forums: Security Leak

[Labrat561]

Thank You 1Password, another password change

Huh, That's funny I use Password1 as my password.

 

[dannyyankou]

So I guess that's why safari was asking for my username and password. Time to change it

 

[jlgolson]

My only complaint is that it was not posted sooner. I do appreciate this posting showing what happened but last night when the forums went down would have been a great time to post something. There were at least 5 new article posts from when they went down.

I come to macrumors to get my Apple rumors and news.

Where do I go to get my macrumors news?

The operations side of the forums has nothing to do with the editorial side. The writers didn't know this had happened until today.

 

[gmanist1000]

I tend to temporarily write down the automatically generated password, enter this into my various apps, then destroy this temporary record.

You should periodically replace your passwords as a matter of course, so I don't find any issue with having no quick access to my password.

(Note however I do use a memorable - albeit cryptic - password for things such as my email which I do use on a lot of other devices)

I believe you can find your passwords from Settings > Safari > Passwords & Autofill > Saved Passwords

 

[thedarkhorse]

yay only like the 5th online service in the past year I use to have a breach!

 

[gmanist1000]

Genuine question -

Say, for example, that I let Safar create a complex password for my online banking site. It will be saved and available across Safari on all of my devices. That's great!

How about when I need to enter the complex password into my online banking iOS app? How does that work?
Obviously I didn't memorize the password. Can I copy and paste it from Safari?

I want to love this feature, but I use so many apps with log-ins that I don't know how useful it will be for most sites that also have apps.

Settings > Safari > Passwords & AutoFill > Saved Passwords

 

[S.B.G]

Last I checked... personal computers can get viruses, can be hacked remotely. I would not feel safe keeping all my passwords in a spreadsheet. Please get 1Password, you'll thank me for it. Boy does it make your life easier (with Safari/Chrome plugin), not to mention a lot safer.

Maybe Peace uses GPGTools or TruCrypt to encrypt said spreadsheet or HDD/SSD and the password to unlock it is in his head. Then he's covered.

Not gonna happen. Thanks tho !

 

[dannyp1996]

I believe you can find your passwords from Settings > Safari > Passwords & Autofill > Saved Passwords

There you go, proof that there is always something new to learn! Thanks!

 

[RabidMacFan]

Passwords were hashed with MD5?! That's not good...

 

[darkslide29]

I believe you can find your passwords from Settings > Safari > Passwords & Autofill > Saved Passwords

Wow, so they are all there. Handy, yet a little scary lol.
At least it asked for my unlock pw again once I selected my saved passwords.
Thanks!

 

[petsounds]

vBulletin uses an MD5 hash with a salt to store passwords, so they're not being stored plain text, but who's to say they won't be brute forced? With breaches like this, you always assume the worst.

MD5? That's ridiculous. They might as well just leave them as plain-text, about as much good as it'll do.

 

[Weaselboy]

Same problem here, I cannot get MacRumors to work with iCloud Keychain.

Someone in an earlier thread posted a work around that will make iCloud Keychain or just Keychain standalone save the password on MR.

Enter your username and password on MR then DO NOT enter the site yet. Now refresh the Safari page with a command-r. You will then get the pop asking if you want to save the PW to Keychain. Go ahead and approve the PW save to Keychain then after that enter the site. Your username and PW are now saved in Keychain.

 

[petsounds]

The operations side of the forums has nothing to do with the editorial side. The writers didn't know this had happened until today.

Sounds like you might want to improve your team communication then. Imagine if the hackers brute-forced editor account passwords and started posting fake articles which linked to malware sites?

 

[cntwtfrmynwmbp]

So just to be sure: there was no malware spread through this attack?

 

[B4U]

For forums, discussion board, and anything that does not affect myself personally in terms of financial info and personal info, I never use any complicated password...(It takes too much memory to remember all those)

For all others, they are all military grade password...So there is no need to worry...being active duty formerly learnt so much there...

 

[Jimbo47]

A forum I used to be an admin on had something similar happen. I assume it was done the same way. Somehow they gained access to a moderator's account, and changed it to an admin account even though mods could not edit user groups. They ended up making their way into the database and getting everybody's info (same thing that happened here). While they were at it they decided to completely destroy the entire forum by deleting stuff and all that jazz. Luckily backups were done regularly so we only had to revert back a few hours. The only thing users reported was getting random emails directing them to a phishing site. The hacker spoofed their email to look like it came from the forum's domain. The default security that vBulletin puts on passwords is weak sauce (did I really just say that?), so it shouldn't take somebody with experience to figure them out, which is why its crucial to change your passwords for other places if you use the same email address. If you use the same password, but a different email address/username, they shouldn't be able to do anything. But if you use the same email and password for everything, I would suggest changing them.

 

[MacDawg]

I for one won't be losing any sleep over this at all

 

[arn]

So just to be sure: there was no malware spread through this attack?

no evidence of malware

arn

 

[iPad Air]

Same here

I mean, will not be losing any sleep over this. Changed my pass. Thanks MacRumors for being open and honest.

 

[nwcs]

Thankfully I have been using 1Password for a while and didn't share this password with any other site. I guess I'll get more spam to my email, though. Oh well, the benefits I've had from being on this site far outweigh some spam annoyance.

 

[cntwtfrmynwmbp]

no evidence of malware

arn

Thanks!

 

[Airforcekid]

Good thing I had a LastPass randomized password before I was using the same for every site that would have been a lot worse changed it to a new random password to be safe though.

 

[Earendil]

I assumed that the passwords were hashed but, as they say, if you assume anything it will make an ASS out of U and Me.

Did you assume that because it states it RIGHT IN THE ARTICLE?!

 

[Mad Mac Maniac]

Have you considered they have your e-mail? Do you have an unique e-mail for each website?

Oh right I did think about that possibility before, but forgot to investigate it. It took me quite a while to figure out how to see it. And it doesn't appear to be visible publicly? And lastly, it's my old yahoo account that I haven't used as my primary account since... 2005? AND it has a different password than MR. So I think I'm safe

 

[ritmomundo]

Uh, gee MacRumors. If you were hacked, why not email your members to change their passwords, instead of posting it on your front page. Not everyone checks your site on a daily basis.