Notice: AnandTech Forums User Data Compromised

Page 2

CuriousMike

Diamond Member
Feb 22, 2001
3,044
544
136
I get what you're saying for this singular incident;

But if the code hasn't been patched, what's stopping the entire world from continuously pulling passwords ?
 

boomerang

Lifer
Jun 19, 2000
18,883
641
126
Ryan, I'm really pretty disappointed in the forum announcement. Most of the mods received emails yesterday with their passwords included in clear text. How can the board management state that they have no indication passwords were revealed? Getting a dozen of them in email is a pretty clear indication. Further, unless you have customized vbulletin the passwords are not encrypted, they are hashed using the very weak md5 algorithm.
This is disturbing to say the least. I'm pretty disgusted to hear this. Thanks for laying it out there for us.
 

boomerang

Lifer
Jun 19, 2000
18,883
641
126
Thankfully about five years back I finally got a password manager (KeePass) and use that in conjunction with Dropbox (previously a USB thumb drive) to manage my passwords and access them from anywhere, including my phone. So I've had separate, strong passwords for all sites which gives me a little more comfort in situations like this.
Same here but for much longer than five years. IMO, this is the way to do it. If someone doesn't like Dropbox, use your favorite.
 

SparkyJJO

Lifer
May 16, 2002
13,357
7
81
<sigh>

My password was crap but I didn't worry about it too much. I hate password managers for a few reasons. It's going to be hard to break the muscle memory of the last 14 years lol (yes it has been the same darn password this whole time!)
 

Markbnj

Elite Member / Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
<sigh>

My password was crap but I didn't worry about it too much. I hate password managers for a few reasons. It's going to be hard to break the muscle memory of the last 14 years lol (yes it has been the same darn password this whole time!)

Heh, yeah mine was the same since 2005. Just laziness I guess.
 

ultimatebob

Lifer
Jul 1, 2001
25,134
2,450
126
I changed my extremely long password to an even better extremely long password.

I changed my crummy password to another crummy password. If Purch can't secure their shit properly, what's the point in giving the hackers another good password to add to their bruteforce lists?

Save the good passwords for online retailers and banks which take their security seriously.
 

Spacehead

Lifer
Jun 2, 2002
13,067
9,858
136
Please implement TLS, it's 2016.

I've been bitching about the horrible security this site has for forever and have been constantly ignored. Why isn't anyone listening?
I admit I know nothing about making it happen, but it seems easy enough to have a secure login.



I get what you're saying for this singular incident;

But if the code hasn't been patched, what's stopping the entire world from continuously pulling passwords ?
Good question.
I assume that people that do change their password because of this are going to create a brand new one. So that would mean that we'll have to keep aware of when the hole gets fixed & then change passwords again.
 

Jodell88

Diamond Member
Jan 29, 2007
8,762
30
91
I changed my crummy password to another crummy password. If Purch can't secure their shit properly, what's the point in giving the hackers another good password to add to their bruteforce lists?

Save the good passwords for online retailers and banks which take their security seriously.
Good luck brute forcing my passwords.
 

Ferzerp

Diamond Member
Oct 12, 1999
6,438
107
106
On the one hand, thank you for finally driving me to using a password manager.

On the other hand, shame on you for failing to secure the data we have entrusted to you. Sadly, until there are stiff prescribed civil and criminal penalties for these security failures, I can see nothing changing.
 

Phynaz

Lifer
Mar 13, 2006
10,140
819
126
Ryan, I'm really pretty disappointed in the forum announcement. Most of the mods received emails yesterday with their passwords included in clear text. How can the board management state that they have no indication passwords were revealed? Getting a dozen of them in email is a pretty clear indication. Further, unless you have customized vbulletin the passwords are not encrypted, they are hashed using the very weak md5 algorithm.

Bottom line: you have to consider the entire password database has been revealed and you should have forced a site-wide reset. The weak advice in the announcement does your users a disservice. As I reported to you yesterday an old PayPal account of mine that used the same creds as my account here was intruded into from China Tuesday evening, before I proactively changed the creds. I didn't even realize AT was the source until I received my own copy of the warning email with my own email address and forum password included.

This is not the right way to handle something like this, at all.

This.

Plaintext passwords are out. The way this is being handled is ridiculous.
 

Greenman

Lifer
Oct 15, 1999
22,295
6,463
136
I'm a little vague on why this is such a big deal. As far as I know there is no secret information being passed through the AT forums, there is no credit card or banking info attached to our accounts. Does it really matter if the accounts get hacked? At worst it would be inconvenient.
Is there something I don't understand or have missed entirely?
 

Subyman

Moderator / VC&G Forum
Mar 18, 2005
7,876
32
86
On the one hand, thank you for finally driving me to using a password manager.

On the other hand, shame on you for failing to secure the data we have entrusted to you. Sadly, until there are stiff prescribed civil and criminal penalties for these security failures, I can see nothing changing.

Haha, same here. I finally chose one to start using. I memorized some 12 character, special character, capital, etc passwords that I used but I'm getting tired of remembering them with all the breaches recently. I've got too many passwords swirling in my head and they inevitably get used over again, so I've been changing to swapping everything to its own password.

Kind of a PITA, but shouldn't be too bad once I get the system in place.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
I'm a little vague on why this is such a big deal. As far as I know there is no secret information being passed through the AT forums, there is no credit card or banking info attached to our accounts. Does it really matter if the accounts get hacked? At worst it would be inconvenient.
Is there something I don't understand or have missed entirely?

Because many people foolishly use the same password for other services. Now, that password is in a hacker dictionary.
 

norseamd

Lifer
Dec 13, 2013
13,990
180
106
Ryan, I'm really pretty disappointed in the forum announcement. Most of the mods received emails yesterday with their passwords included in clear text. How can the board management state that they have no indication passwords were revealed? Getting a dozen of them in email is a pretty clear indication. Further, unless you have customized vbulletin the passwords are not encrypted, they are hashed using the very weak md5 algorithm.

Bottom line: you have to consider the entire password database has been revealed and you should have forced a site-wide reset. The weak advice in the announcement does your users a disservice. As I reported to you yesterday an old PayPal account of mine that used the same creds as my account here was intruded into from China Tuesday evening, before I proactively changed the creds. I didn't even realize AT was the source until I received my own copy of the warning email with my own email address and forum password included.

This is not the right way to handle something like this, at all.

Thank you.
 

VeryCharBroiled

Senior member
Oct 6, 2008
387
25
101
My point is: If there is a hole that got my password... and I change my password with the hole still open... then they'll have another password.

My passwords are random, generated by KeePass, and it's so easy to change one, so why not do both?

BTW, I do meet those criteria that vipergts posted. This is just another ho-hum moment. Another forum hack? Whatever.

Edit: BTW, the only surprises were that it was here, and that AnandTech are idiots for having such a crap system. Some WordPress site, sure, but here?? AnandTech just went WAY down as a responsible tech site.
 

Rebel44

Senior member
Jun 19, 2006
742
1
76
Why didn't everyone get some notification? I just learned about this - on Hardforum !!!
 

Crono

Lifer
Aug 8, 2001
23,720
1,502
136
My passwords are random, generated by KeePass, and it's so easy to change one, so why not do both?

BTW, I do meet those criteria that vipergts posted. This is just another ho-hum moment. Another forum hack? Whatever.

Edit: BTW, the only surprises were that it was here, and that AnandTech are idiots for having such a crap system. Some WordPress site, sure, but here?? AnandTech just went WAY down as a responsible tech site.

That's insulting to WordPress. They actually have a good auto update feature. :D
 

Element115

Junior Member
Jun 1, 2016
15
0
0
I got a notice from my email service provider that something fishy was going on and they locked my account. First time that happened in ~18y using the internet. Quite a shitshow you guys!
 

Jodell88

Diamond Member
Jan 29, 2007
8,762
30
91
I got a notice from my email service provider that something fishy was going on and they locked my account. First time that happened in ~18y using the internet. Quite a shitshow you guys!
Seeing that it happened months before you joined, this doesn't affect you.

Unless, wwybywb?
 

Red Squirrel

No Lifer
May 24, 2003
70,667
13,835
126
www.anyf.ca
Question is, has the exploit been found and fixed? As a side note, is there a reason we don't use HTTPS for the forum? SSL certs have gotten pretty cheap.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,056
199
116
I agree, sending pw in plain text is Not Good! Also, I don't know why they didn't force resets for everyone automatically.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
I got a notice from my email service provider that something fishy was going on and they locked my account. First time that happened in ~18y using the internet. Quite a shitshow you guys!

You used the same password both places?