
Notice: AnandTech Forums User Data Compromised

Page 2
I get what you're saying for this singular incident;

But if the code hasn't been patched, what's stopping the entire world from continuously pulling passwords?
 
Ryan, I'm really pretty disappointed in the forum announcement. Most of the mods received emails yesterday with their passwords included in clear text. How can the board management state that they have no indication passwords were revealed? Getting a dozen of them in email is a pretty clear indication. Further, unless you have customized vBulletin the passwords are not encrypted, they are hashed using the very weak md5 algorithm.
This is disturbing to say the least. I'm pretty disgusted to hear this. Thanks for laying it out there for us.
 
Thankfully about five years back I finally got a password manager (KeePass) and use that in conjunction with Dropbox (previously a USB thumb drive) to manage my passwords and access them from anywhere, including my phone. So I've had separate, strong passwords for all sites which gives me a little more comfort in situations like this.
Same here but for much longer than five years. IMO, this is the way to do it. If someone doesn't like Dropbox, use your favorite.
 
<sigh>

My password was crap but I didn't worry about it too much. I hate password managers for a few reasons. It's going to be hard to break the muscle memory of the last 14 years lol (yes it has been the same darn password this whole time!)
 
<sigh>

My password was crap but I didn't worry about it too much. I hate password managers for a few reasons. It's going to be hard to break the muscle memory of the last 14 years lol (yes it has been the same darn password this whole time!)

Heh, yeah mine was the same since 2005. Just laziness I guess.
 
I changed my extremely long password to an even better extremely long password.

I changed my crummy password to another crummy password. If Purch can't secure their shit properly, what's the point in giving the hackers another good password to add to their bruteforce lists?

Save the good passwords for online retailers and banks which take their security seriously.
 
Please implement TLS, it's 2016.

I've been bitching about the horrible security this site has for forever and have been constantly ignored. Why isn't anyone listening?
I admit I know nothing about making it happen, but it seems easy enough to have a secure login.



I get what you're saying for this singular incident;

But if the code hasn't been patched, what's stopping the entire world from continuously pulling passwords?
Good question.
I assume that people that do change their password because of this are going to create a brand new one. So that would mean that we'll have to keep aware of when the hole gets fixed & then change passwords again.
 
I changed my crummy password to another crummy password. If Purch can't secure their shit properly, what's the point in giving the hackers another good password to add to their bruteforce lists?

Save the good passwords for online retailers and banks which take their security seriously.
Good luck brute forcing my passwords.
 
On the one hand, thank you for finally driving me to using a password manager.

On the other hand, shame on you for failing to secure the data we have entrusted with you. Sadly, until there are stiff prescribed civil and criminal penalties for these security failures, I can see nothing changing.
 
Ryan, I'm really pretty disappointed in the forum announcement. Most of the mods received emails yesterday with their passwords included in clear text. How can the board management state that they have no indication passwords were revealed? Getting a dozen of them in email is a pretty clear indication. Further, unless you have customized vBulletin the passwords are not encrypted, they are hashed using the very weak md5 algorithm.

Bottom line: you have to consider the entire password database has been revealed and you should have forced a site-wide reset. The weak advice in the announcement does your users a disservice. As I reported to you yesterday an old PayPal account of mine that used the same creds as my account here was intruded into from China Tuesday evening, before I proactively changed the creds. I didn't even realize AT was the source until I received my own copy of the warning email with my own email address and forum password included.

This is not the right way to handle something like this, at all.

This.

Plaintext passwords are out. The way this is being handled is ridiculous.
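A defender-side illustration of the two points raised above (weak md5 storage, and forcing a site-wide reset once the table must be assumed leaked), added here and not code from the forum or from vBulletin. It assumes a legacy store of bare md5 hex digests as a simplification of the scheme the post describes (vBulletin's real format is not modelled), lists the accounts that still need a reset, refuses a reset that re-uses the leaked password, and stores the replacement with salted PBKDF2.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (tune for your hardware)

# Constructed sample user table. Legacy rows hold a bare md5 hex digest, an
# assumed simplification of the weak scheme the post describes, not vBulletin's
# real format. Upgraded rows use "pbkdf2$<iters>$<salt-hex>$<digest-hex>".
USERS: Dict[str, str] = {
    "alice": hashlib.md5(b"hunter2").hexdigest(),
    "bob": hashlib.md5(b"correct horse").hexdigest(),
}

def is_legacy_md5(stored: str) -> bool:
    """Treat any 32-character lowercase hex string as a legacy md5 digest."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash: a leaked table no longer yields passwords cheaply."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, password: str) -> bool:
    """Constant-time check against either storage format."""
    if is_legacy_md5(stored):
        return hmac.compare_digest(stored, hashlib.md5(password.encode()).hexdigest())
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def users_needing_reset(users: Dict[str, str]) -> List[str]:
    """After the table leaks, every account still on the legacy hash must reset."""
    return sorted(name for name, stored in users.items() if is_legacy_md5(stored))

def reset_password(users: Dict[str, str], username: str, new_password: str) -> bool:
    """Forced reset: refuse to keep the leaked password, then store a PBKDF2 hash."""
    stored = users.get(username)
    if stored is None:
        return False
    if is_legacy_md5(stored) and verify_password(stored, new_password):
        return False  # same password as the leaked one; nothing is gained
    users[username] = hash_password(new_password)
    return True
```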
 
I'm a little vague on why this is such a big deal. As far as I know there is no secret information being passed through the AT forums, there is no credit card or banking info attached to our accounts. Does it really matter if the accounts get hacked? At worst it would be inconvenient.
Is there something I don't understand or have missed entirely?
 
On the one hand, thank you for finally driving me to using a password manager.

On the other hand, shame on you for failing to secure the data we have entrusted with you. Sadly, until there are stiff prescribed civil and criminal penalties for these security failures, I can see nothing changing.

Haha, same here. I finally chose one to start using. I memorized some 12 character, special character, capital, etc passwords that I used but I'm getting tired of remembering them with all the breaches recently. I've got too many passwords swirling in my head and they inevitably get used over again, so I've been changing to swapping everything to its own password.

Kind of a PITA, but shouldn't be too bad once I get the system in place.
 
I'm a little vague on why this is such a big deal. As far as I know there is no secret information being passed through the AT forums, there is no credit card or banking info attached to our accounts. Does it really matter if the accounts get hacked? At worst it would be inconvenient.
Is there something I don't understand or have missed entirely?

Because many people foolishly use the same password for other services. Now, that password is in a hacker dictionary.
 
Ryan, I'm really pretty disappointed in the forum announcement. Most of the mods received emails yesterday with their passwords included in clear text. How can the board management state that they have no indication passwords were revealed? Getting a dozen of them in email is a pretty clear indication. Further, unless you have customized vBulletin the passwords are not encrypted, they are hashed using the very weak md5 algorithm.

Bottom line: you have to consider the entire password database has been revealed and you should have forced a site-wide reset. The weak advice in the announcement does your users a disservice. As I reported to you yesterday an old PayPal account of mine that used the same creds as my account here was intruded into from China Tuesday evening, before I proactively changed the creds. I didn't even realize AT was the source until I received my own copy of the warning email with my own email address and forum password included.

This is not the right way to handle something like this, at all.

Thank you.
 
My point is: If there is a hole that got my password... and I change my password with the hole still open... then they'll have another password.

My passwords are random by KeePass and it's so easy to change it, why not do both?

btw I do meet that criteria that vipergts posted. This is just another ho-hum moment. Another forum hack? Whatever..

edit: btw the only surprises were that it was here and that AnandTech are idiots for having such a crap system. Some WordPress site sure, but here?? AnandTech just went WAY down as a responsible tech site.
 
My passwords are random by KeePass and it's so easy to change it, why not do both?

btw I do meet that criteria that vipergts posted. This is just another ho-hum moment. Another forum hack? Whatever..

edit: btw the only surprises were that it was here and that AnandTech are idiots for having such a crap system. Some WordPress site sure, but here?? AnandTech just went WAY down as a responsible tech site.

That's insulting to WordPress. They actually have a good auto update feature. 😀
 
I got a notice from my email service provider that something fishy was going on and they locked my account. First time that happened in ~18y using the internet. Quite a shitshow you guys!
 
I got a notice from my email service provider that something fishy was going on and they locked my account. First time that happened in ~18y using the internet. Quite a shitshow you guys!
Seeing that it happened months before you joined, this doesn't affect you.

Unless, wwybywb?
 
Question is, has the exploit been found and fixed? As a side note, is there a reason we don't use HTTPS for the forum? SSL certs have gotten pretty cheap.
 
I agree, sending pw in plain text is Not Good! Also, I don't know why they didn't force resets for everyone automatically.
 