Notice: AnandTech Forums User Data Compromised

Ryan Smith

The New Boss
Staff member
Hi gang,

We are investigating a potential data incident in the AnandTech Forum database. Based on the initial analysis, we believe that some (but not all) of our user names and other information may have been accessed. Our passwords in the database are encrypted and we currently do not have any reason to believe the incident resulted in those being revealed.

While we undertake the investigation and try to identify the scope and source of the incident, we would like to ask that our users change their passwords and to the extent that you use the same user name or email and password combination on any other sites, you should change your passwords for those sites too.

Purch, AnandTech, and the people who work here value your privacy and appreciate your loyalty to the site over the years. We want to say that we take this very seriously and are working hard to investigate and remedy any issues. We apologize for any inconvenience. If you have any questions or information, please leave a note in this thread or PM me. As we have updates on this, we will post them here.

-Thanks
Ryan Smith

Update: 06/24:

We are investigating a data incident with respect to the AnandTech Forums database. We believe that some of our user names and other information may have been accessed. Although our passwords in the database are encrypted, we believe that it is advisable to expire all the passwords in use prior to June 24th, 2016. Consequently, the first time that you go to log in to the AnandTech forums after June 24th, 2016, you will be asked to set a new password.

We also suggest that, to the extent that you use the same user name or email and password combination on any other sites, you should change your passwords for those sites too. Generally, it is advisable to not use the same username or email and password combination for multiple sites. We also encourage users to use strong passwords – that is, long passwords with a mix of upper-case and lower-case letters, digits, and punctuation marks. There are a number of excellent password managers out there that make it easy to generate and store these kinds of passwords.
Should you have any problems accessing your AnandTech Forums account (and since you wouldn't be able to post here), please email forumhelp@anandtech.com.

Best regards,
AnandTech Forums

Ryan Smith

The New Boss
Staff member
And on a personal note, please, please, please use different passwords for different sites. There are a number of excellent password managers out there that make it easy to generate and store passwords. The rate at which sites get compromised continues to increase, and it is not safe to share passwords with multiple sites, lest one gets attacked and used as a springboard to get into your account at others.

Subyman

Moderator, VC&G Forum
A few other message boards I'm a part of were breached recently. Seems to be going around. Thanks for letting us know.

Jodell88

Diamond Member
I changed my extremely long password to an even better extremely long password.

TwiceOver

Lifer
Any password manager suggestions? Chrome/Android. LastPass at $12/yr isn't bad, trying that now.

Markbnj

Elite Member, Moderator Emeritus
Moderator
Ryan, I'm really pretty disappointed in the forum announcement. Most of the mods received emails yesterday with their passwords included in clear text. How can the board management state that they have no indication passwords were revealed? Getting a dozen of them in email is a pretty clear indication. Further, unless you have customized vbulletin the passwords are not encrypted, they are hashed using the very weak md5 algorithm.

Bottom line: you have to consider the entire password database has been revealed and you should have forced a site-wide reset. The weak advice in the announcement does your users a disservice. As I reported to you yesterday an old PayPal account of mine that used the same creds as my account here was intruded into from China Tuesday evening, before I proactively changed the creds. I didn't even realize AT was the source until I received my own copy of the warning email with my own email address and forum password included.

This is not the right way to handle something like this, at all.

Platypus

Lifer
I've been bitching about the horrible security this site has for forever and have been constantly ignored. Why isn't anyone listening?

clamum

Lifer
Thankfully about five years back I finally got a password manager (KeePass) and use that in conjunction with Dropbox (previously a USB thumb drive) to manage my passwords and access them from anywhere, including my phone. So I've had separate, strong passwords for all sites which gives me a little more comfort in situations like this.

I just shake my head when I'll be signing up for an account at some site and the password requirement limits me to like 8 characters, some even disallowing special characters. In 2016, no less. Ridiculous.

Ken g6

Programming Moderator, Elite Member
Moderator
I wonder if an old vBulletin site like this could be upgraded to use SHA256 instead of MD5? My password apparently wasn't cracked - it was too random for most crackers - but it probably could be with a little work. And I rather expect the site to be hacked again if no major upgrades happen.

Markbnj

Elite Member, Moderator Emeritus
Moderator
> I wonder if an old vBulletin site like this could be upgraded to use SHA256 instead of MD5? My password apparently wasn't cracked - it was too random for most crackers - but it probably could be with a little work. And I rather expect the site to be hacked again if no major upgrades happen.

This applies to vbulletin 4, but the site is running on 3.8.8 (alpha!).

https://blog.technidev.com/changing-vbulletin-4-its-password-hashing-to-use-bcrypt/

SHA256 is in the fast hash category, so although it has a long-ish key it's still relatively easy to brute force using modern GPUs. Any large site today really needs to be running pbkdf2 or bcrypt.

But since the owners here did not want to force a site-wide reset for an actual breach I suspect they would be even less motivated to do it in order to upgrade the hash algorithm.

Edit: here is a good overview for anyone that is interested.

https://crackstation.net/hashing-security.htm
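The MD5-versus-slow-hash point above, and Ken g6's question about moving an old vBulletin install off MD5, as an added worked example. This is my code, not AnandTech's, vBulletin's, or the linked blog's. Assumptions: the legacy scheme is modelled as md5(md5(password) . salt) with a 3-character salt, which is my recollection of vBulletin 3.x and is not checked against the 3.8.8 source; PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships in Python's standard library; the record field names (`scheme`, `salt`, `hash`, `legacy_salt`), the wordlist and the password `hunter2` are all constructed for the demo. It shows three things: how quickly a legacy row falls to a plain wordlist, how the whole table can be wrapped in PBKDF2 offline without anyone resetting a password, and how each row is then rewritten to plain PBKDF2 on the user's next successful login.

```python
import hashlib
import hmac
import secrets
import string
import time
from typing import Callable, Optional, Tuple

# --- Legacy scheme -------------------------------------------------------
# ASSUMPTION: vBulletin 3.x stores md5(md5(password) . salt) with a short
# per-user salt. That is my recollection, not verified against the 3.8.8 code.
SALT_ALPHABET = string.ascii_letters + string.digits


def legacy_vb3_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def make_legacy_record(password: str) -> dict:
    """Build a row the way the legacy site would have stored it (3-char salt assumed)."""
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(3))
    return {"scheme": "vb3", "salt": salt, "hash": legacy_vb3_hash(password, salt)}


# --- Slow scheme (stdlib stand-in for bcrypt) ----------------------------
PBKDF2_ITERATIONS = 600_000  # the OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256


def pbkdf2_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


# --- Migration without a forced reset ------------------------------------
def wrap_legacy_record(rec: dict) -> dict:
    """Run offline over the whole table, no plaintext needed: the MD5 digest becomes
    the *input* to PBKDF2, so a fresh dump of the table is no longer fast-crackable."""
    if rec["scheme"] != "vb3":
        raise ValueError("only vb3 rows can be wrapped")
    return {"scheme": "vb3+pbkdf2", "legacy_salt": rec["salt"],
            "hash": pbkdf2_hash(rec["hash"])}


def verify_and_upgrade(rec: dict, password: str) -> Tuple[bool, dict]:
    """Check a login; on success return a replacement row using plain PBKDF2,
    so the MD5 layer disappears the next time each user signs in."""
    scheme = rec["scheme"]
    if scheme == "pbkdf2":
        return pbkdf2_verify(password, rec["hash"]), rec
    if scheme == "vb3+pbkdf2":
        ok = pbkdf2_verify(legacy_vb3_hash(password, rec["legacy_salt"]), rec["hash"])
    elif scheme == "vb3":
        ok = hmac.compare_digest(legacy_vb3_hash(password, rec["salt"]), rec["hash"])
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    if not ok:
        return False, rec
    return True, {"scheme": "pbkdf2", "hash": pbkdf2_hash(password)}


# --- Why it matters: guess rate ------------------------------------------
WORDLIST = ["123456", "password", "letmein", "qwerty", "anandtech", "hunter2"]  # constructed


def crack_legacy(salt: str, stored: str, wordlist) -> Optional[str]:
    """Plain wordlist attack on a legacy row; a GPU does this millions of times faster."""
    for guess in wordlist:
        if legacy_vb3_hash(guess, salt) == stored:
            return guess
    return None


def guesses_per_second(hash_fn: Callable[[str], str], budget: float = 0.2) -> float:
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        hash_fn(f"guess{n}")
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    row = make_legacy_record("hunter2")
    print("legacy row cracked:", crack_legacy(row["salt"], row["hash"], WORDLIST))
    row = wrap_legacy_record(row)           # offline, table-wide, no reset
    ok, row = verify_and_upgrade(row, "hunter2")
    print("login ok:", ok, "-> scheme now", row["scheme"])
    print("legacy guesses/s (one CPU core): %.0f"
          % guesses_per_second(lambda p: legacy_vb3_hash(p, "abc")))
    print("pbkdf2 guesses/s: %.1f" % guesses_per_second(pbkdf2_hash))
```

The wrap step is the part that removes the "we would have to force a reset" objection: it is a one-off batch job over stored digests, and from that moment a stolen table costs an attacker a full PBKDF2 run per guess instead of a single MD5. The upgrade-on-login step then retires the MD5 layer row by row as people sign in.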

CuriousMike

Diamond Member
Has the hole been patched?

If I change my password, will the intruder simply come back and pull the new passwords?

I want to change my password, but only when it makes sense.

Viper GTS

Lifer
> Has the hole been patched?
>
> If I change my password, will the intruder simply come back and pull the new passwords?
>
> I want to change my password, but only when it makes sense.

Whether it has or hasn't, you should change now to invalidate the (extremely public, readily accessible, no technical barriers whatsoever to access) data that is already out there.

Let me be blunt here:

You're an idiot if you don't change now unless you are extremely confident in your password. As in 20+ characters, randomly generated, and never, ever used anywhere else. If you don't meet every single one of those characteristics change your password.

Viper GTS

Markbnj

Elite Member <br>Moderator Emeritus
> You're an idiot if you don't change now unless you are extremely confident in your password. As in 20+ characters, randomly generated, and never, ever used anywhere else. If you don't meet every single one of those characteristics change your password.

100% agreed, and almost nobody meets those criteria for feeling secure.

CuriousMike

Diamond Member
My point is: If there is a hole that got my password... and I change my password with the hole still open... then they'll have another password.

Crono

Lifer
Maybe the main site should think about hiring an IT security expert to both write for the site and also maybe fix and harden the forums against future attacks while they are here. I'm sure covering computer/network security would be useful going forward, anyway. With IoT, the increasing number of connected devices, and more powerful cracking/hacking tools, things will only get worse not better.

Viper GTS

Lifer
> My point is: If there is a hole that got my password... and I change my password with the hole still open... then they'll have another password.

Better that one guy have your new password than the entire world having your current one.

Viper GTS