MacRumors Forums: Security Leak

[S.B.G]

Can anyone link password reset page please

https://forums.macrumors.com/profile.php?do=editpassword

 

[asleep]

Can anyone link password reset page please

https://forums.macrumors.com/profile.php?do=editpassword

 

[jlgolson]

Sounds like you might want to improve your team communication then. Imagine if the hackers brute-forced editor account passwords and started posting fake articles which linked to malware sites?

Entirely separate systems. We do not write MacRumors articles on the forums.

 

[iSee]

Dang, MR and Amazon are the last two sites where I use my old, simple password. Gotta go change both now to good (and different) ones.

 

[andiwm2003]

Does that mean I can post now any stupid **** and claim it wasn't me?

 

[HiRez]

Someone in an earlier thread posted a work around that will make iCloud Keychain or just Keychain standalone save the password on MR.

Enter your username and password on MR then DO NOT enter the site yet. Now refresh the Safari page with a command-r. You will then get the pop asking if you want to save the PW to Keychain. Go ahead and approve the PW save to Keychain then after that enter the site. Your username and PW are now saved in Keychain.

Wow, I can't believe that worked but it totally did! Doesn't make any sense, but thank you!

 

[Doctor Q]

Can anyone link password reset page please

To recover a lost or changed password: https://forums.macrumors.com/login.php?do=lostpw

To change your password once you can log in: https://forums.macrumors.com/profile.php?do=editpassword

 

[wackymacky]

vBulletin uses an MD5 hash with a salt to store passwords, so they're not being stored plain text, but who's to say they won't be brute forced? With breaches like this, you always assume the worst.

Am I not the only one who isn't worried about this?

What's the hacker going to do with my Mac Rumors account? Write troll-ish pro Android/windows post under my name?

Hopefully no-one is foolish to use the same a password with a webforum and another site (bank/email etc.?

 

[IGregory]

how ironic we just talked about this in ECommerce class today.

"should a company announce a security leak right away before the media gets wind of it or wait til they know what happened exactly and how to fix it?"

And the answer is?

 

[flyingspur]

Thank You 1Password, another password change

Wut he said!

 

[brdeveloper]

My password is pretty simple, but try to guess my usernames in other sites.

 

[Earendil]

It took me quite a while to figure out how to see it. And it doesn't appear to be visible publicly? And lastly, it's my old yahoo account that I haven't used as my primary account since... 2005?

Uh, gee MacRumors. If you were hacked, why not email your members to change their passwords, instead of posting it on your front page. Not everyone checks your site on a daily basis.

Not everyone has access to or checks the email they registered to the sight with. While that might have been a good idea (if possible, and not against the the site TOS) posting it to the front page was certainly a great idea.

You're the doof that blames the victim while ignoring the real issue? I think we deserve to know stuff like this right away.

Who says we didn't know it right away? Seriously, go find the quote that proves they waited a significant period of time without cause and come back to me, or even PM me personally so I'm sure not to miss it. All I see for times stamps around here are when it was reported to us, and when the attack happened. No where can I find when MacRumors Staff found out it happened.

If you used that password on another website, say your bank account, they can just brute force the username and have full access... unless there's a 2nd form of security, such as an authenticator.

But that's an indaviduals security flaw, not Macrumors. MacRumors can not be expected to have the same security as a bank. They HAVE to rely on users being smart enough not to use the same password. MacRumors has security equal to what they are protecting, which is your identity on this forum, nothing more.

This is like giving a babysitter the key to your house and when she gets mugged and robbed blaming her for the city getting broken into because, duh, the house key was ALSO the key to the city doncha know.

 

[DPazdanISU]

sadly this happens too often, good thing i use random passwords for everything

 

[V.K.]

Did anyone get an email alerting them to this...?

I don't think there was an email alert and I find that unacceptable. Posting info about the breach on the website is not enough. Not all users visit macrumors every day. I'm sure there are many that haven't been here in months. in case of a breach like this all users should be notified by email immediately.

 

[marco114]

funny passwords

I always thought it would be funny to have the password ********

then if some hacker got it, they would think they didn't.

 

[gnasher729]

What do I care if someone knows my password? What's the worst they can do? Spam the forums using my name? Say something mean to the mods?

If they know your macrumors password, that's all that can happen.
If your macrumors password is also your iTunes password, and the email address you gave to macrumors is also your Apple ID, they can do a lot more.

 

[IGregory]

Well, I'm not concerned because I don't have a repeat password on any of the sites I visit.

 

[gnasher729]

What's the hacker going to do with my Mac Rumors account? Write troll-ish pro Android/windows post under my name?

As we all know, that has happened to hundreds of account holders

 

[arn]

I don't think there was an email alert and I find that unacceptable. Posting info about the breach on the website is not enough. Not all users visit macrumors every day. I'm sure there are many that haven't been here in months. in case of a breach like this all users should be notified by email immediately.

it's coming

arn

 

[cwwilson]

The scariest day in MacRumors history.

 

[darkplanets]

I frequent here less and less given the changing nature and content of the site, but it would have been nice if you sent out a mass email.

It just so happens that I visited today and saw this article -- otherwise I would have zero clue my account details were compromised.

Fortunately, this is precisely why I use spam email addresses and other erroneous personal details on sites like these.

 

[Hoo03]

I don't think there was an email alert and I find that unacceptable. Posting info about the breach on the website is not enough. Not all users visit macrumors every day. I'm sure there are many that haven't been here in months. in case of a breach like this all users should be notified by email immediately.

Agreed, that would have been really helpful. I haven't been here in years so it was a pure coincidence that I was able to find this article and just now change my password.

 

[imwoblin]

Anyone having problems resetting password and email address? The new password blanks out as I try to save it. Wonky

 

[WhackyNinja]

I do (or did because I changed both of them to different things now)

Well thats good...pay close attention to any weird activity on your account

 

[djtech42]

Did anyone else have the iMessage/FaceTime message or the Yahoo break-in attempt? I want to know if this was an active attack across accounts. Not good if you used the same password for everything before the attack.