Same password, everywhere...

"If you used the same password on any other site, change it there also."

How important is this? I've used this same password EVERYWHERE, but it's nothing as important such as my bank/credit accounts or email accounts.

Also, when I try to use the iCloud Keychain, it doesn't auto-fill. And when I try to retrieve that password in the Keychain app, I can't find it. So, I end up resetting the password via MacRumors. Am I doing something wrong?
 
So does that mean I have an excuse for any bad posts from this point forward..... Ahhhh, I didn't post that...
 
A very lucrative amount of passwords that "could" bring them a lot of money and/or goods.

Besides it happened once before during a live feed of a MacWorld keynote by Jobs.
And that is why my MacRumors password is one of my unique ones. I have always recognized this place as a higher profile one. Though I had planned on getting 1Password later this month. ;)

Also wasn't that the MW2009 keynote stream? That was a fun time on /g/.
 
I'm not sure I can trust any of the previous posts.
Those posts could have been written by the hackers using your account. :rolleyes:
 
You could have ****ing told us as soon as it happened, the forum had been in maintenance mode for ages, why not tell us as soon as you put it like that?

Are you a doof who uses the same username and password for everything? That's your own fault. Otherwise, why does it matter when they told us?
 
Thanks for letting people in Pakistan and Russia read my emails and not telling us as soon as it happened so I could change my password...
Lucky I had nothing too important... but I'm sure others did.
Not a fan right now of you, MacRumors.

Do the right thing when something bad happens and let everyone know so we can protect ourselves.

July? The forum was hacked yesterday

----------

If the passwords were stored in plain text, I think I'm done with this website.

They weren't... They were hashed and salted. READ THE ARTICLE
 
A little tip that I use

Not the most secure thing in the world, but...

I use one email provider for forums, newsletters, coupons, etc. all that stuff. I use a password on that account I don't use anywhere else.

I have one email I use for my banks, etc.

My iTunes account and password are only used for my Apple ID, and nothing else

I have a dozen other passwords I use on everything else, so some protection built in.

That said? Going to start switching over to Safari generated, or maybe long phrases as that comic illustrated.
 
They are vBulletin's standard MD5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.

arn
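An added example, not part of this thread and not MacRumors' or vBulletin's code: one way a site holding fast salted-MD5 hashes like those described above can re-protect every stored hash offline by wrapping it in a slow KDF, without waiting for users to log in. The `md5(md5(password) + salt)` layout, the iteration count, the field names and the sample row are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware

# Constructed sample row (not real data): user, 3-char salt, legacy hash.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = "x7Q"


def vb_legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy layout: md5(md5(password) + salt), hex-encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


SAMPLE_ROW = {"user": "example_user", "salt": SAMPLE_SALT,
              "password": vb_legacy_hash(SAMPLE_PASSWORD, SAMPLE_SALT)}


def _slow(legacy_hex: str, kdf_salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), kdf_salt,
                               PBKDF2_ITERATIONS)


def migrate_row(row: dict) -> dict:
    """Wrap a stored fast hash offline; the plaintext is never needed."""
    kdf_salt = os.urandom(16)
    return {"user": row["user"], "scheme": "pbkdf2-sha256(md5)",
            "md5_salt": row["salt"], "kdf_salt": kdf_salt,
            "hash": _slow(row["password"], kdf_salt)}


def verify(password: str, rec: dict) -> bool:
    """Recompute legacy hash, then the slow wrapper; constant-time compare."""
    candidate = _slow(vb_legacy_hash(password, rec["md5_salt"]), rec["kdf_salt"])
    return hmac.compare_digest(candidate, rec["hash"])


if __name__ == "__main__":
    rec = migrate_row(SAMPLE_ROW)
    print(rec["scheme"], verify(SAMPLE_PASSWORD, rec), verify("wrong", rec))
```

Wrapping only raises the cost of guessing against a future copy of the database; hashes that have already been taken are still plain salted MD5, so the password change is still required.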



Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a 3rd party security researcher.

In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password are now known. What this means for you, if you have a MacRumors Forums account, is the following:

1. Change your password on our forums. If you have any problems, please contact us.

2. If you used the same password on any other site, change it there also.

There are several guides online for how to choose a good password. Also, you should generally keep separate passwords for every service, for situations just like this. To help manage distinct passwords for every website, you can use a password manager such as LastPass, 1Password or iCloud Keychain in Mavericks.

Canonical provided a post-mortem of the Ubuntu forums attack on their blog. Our case is quite similar, with a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials.

We are still working to get the forums fully functional and more secure. Again, we are very sorry for the breach.

Article Link: MacRumors Forums: Security Leak

I'm quoting the above in the vain hope that people read it and realise that their passwords were hashed and salted and not stored in plain text.
 
I decided to give iCloud Keychain a try, 3 passwords later and I've given up. Back to something I can remember.
In most cases, the passwords aren't generated to be easy to remember. Rather, they're supposed to be long and difficult for computers to crack. The point of software like 1Password and iCloud Keychain is to make it so that you don't have to remember the passwords. Because the software exists across multiple devices, the hope is that you'll just log in with the software. It isn't practical for every single account (such as accounts where you might need to log in on a work computer, and wouldn't have access to your iCloud Keychain or 1Password), but it works well for many.

What I will ask is when is the forum software going to be updated. It's still on VB 3.8.7 which is a 2011 release. I know VB costs money, however, it does make me wonder about patches on the database and Apache.
Version 4 of the forum software represented a radical change of style, which many people dislike. This is part of the reason why so many forums using the VB package are still on version 3. Any external plugins that the site uses would also need to be adapted for new versions. That's probably another reason.

What do I care if someone knows my password? What's the worst they can do? Spam the forums using my name? Say something mean to the mods?
The worst they can do? Learn your email address, your user name, and your password. If your password wasn't created with a random generator, then they'd have an idea of how you choose your passwords. If you use the same username on any other sites, they'd likely be able to gain access to them. If any of those sites have security questions, they might be able to gain access to your answers. All of this information can be compiled and then used against juicier targets than web forums, where they can gain even more details about you. At absolute worst, this could lead to identity theft, leaving you to clean up a credit mess after a criminal went on a spending or activity spree, posing as you.

Is it likely that this would actually happen? It doesn't seem like it, but these types of things are unfortunately very common and their incidence only seems to be increasing. As the saying goes, "it isn't paranoia if they really are out to get you." Your information and identity has monetary value to a lot of people, so consider that they are indeed out to get you, and operate accordingly.
 
Um, why not tell us when it happened? This is totally unacceptable. Where's the accountability here?


What does it matter? I am pretty sure you did not use the same password for a forum that you do for your bank or email account. That would be pretty stupid.
 
Back around the time of the Sony PSN hack I gave all my accounts individual passwords. The only ones that are the "same" are a handful of message boards and other unimportant sites. Guess I'll need to switch those up too now.
 
lol I know, I ****ed up, I read July and got happy to a reason why my account was hacked then. You guys are right on standby ready for people eh lol
 
MD5? That's ridiculous. They might as well just leave them as plain-text, about as much good as it'll do.

Kind of like sending them in plain text when you login without SSL? MacRumors does not use SSL so that's just as bad if not worse, but no one really made a big deal about it over the years.

Seriously, this is a computer forum, not a bank. No big deal. Change your password and move on. The only real problem here is if a person used the same password on other sites, which is said person's own fault.

I honestly can't understand the contempt I'm reading here. If companies like Adobe, LinkedIn, Facebook, Apple, etc. can be compromised (and they no doubt have entire security departments) how do you expect MacRumors to be suddenly invincible to every compromise?

Seriously, this is a computer forum. Change your password and move on.
 
What do I care if someone knows my password? What's the worst they can do? Spam the forums using my name? Say something mean to the mods?

If you used that password on another website, say your bank account, they can just brute force the username and have full access... unless there's a 2nd form of security, such as an authenticator.
 