Notice: AnandTech Forums User Data Compromised

[John Connor]

Mod_security?

You people seem to think TLS will solve the issue, HELLO! It was a database breach! TLS won't stop that. This was a hack. LMAO!

This is why I use an E-mail for forums ONLY and a very complicated password. God knows if this site even hashes the passwords with Bcrypt. Could be MD5. LOL!

 

[waggy]

This.

Plaintext passwords are out. The way this is being handled is ridiculous.

frankly you surprised? after the ******** with who was it..loke? that took over the moderator account. EVEN TOLD them it was ******.

now we find out that the users passwords were in plain text? they are hacked and don't force a reset?

**** wow.


edit: i will say the only reason i found out about this is from another site where the mods take this **** seriously and another member mentioned to change the password HERE'

Profanity is not allowed outside the social forums and you know it.
admin allisolm

 

[John Connor]

Uh oh! I see London I see France I see profanity from your pants...

 

[John Connor]

And VB doesn't use plain text passwords. It's either MD5 or Bcrypt hashed.

 

[Markbnj]

now we find out that the users passwords were in plain text? they are hacked and don't force a reset?

I don't remember anyone saying the passwords are stored in plain text. I have no inside knowledge but just judging from what I've seen over the last couple of days they were stored with the standard vbulletin md5 hash, and were broken using some combination of a dictionary and/or rainbow table attack. The md5 algorithm is exceedingly weak by current standards.

 

[waggy]

I don't remember anyone saying the passwords are stored in plain text. I have no inside knowledge but just judging from what I've seen over the last couple of days they were stored with the standard vbulletin md5 hash, and were broken using some combination of a dictionary and/or rainbow table attack. The md5 algorithm is exceedingly weak by current standards.

still amateurish to NOT have a forced reset. That's what shocks me the most. not that they were hacked. not that they have lackluster standards.

It's not like they pay for each password reset.

 

[Greenman]

still amateurish to NOT have a forced reset. That's what shocks me the most. not that they were hacked. not that they have lackluster standards.

It's not like they pay for each password reset.

I would assume the decision was made to avoid drawing excess attention to the issue, low profile and all that. This is after all a tech forum, none of us have credit card or personal information stored here. At worst someone comes along and has some fun posting porn and what not, then having a laugh as account after account gets banned.

 

[Red Squirrel]

Mod_security?

You people seem to think TLS will solve the issue, HELLO! It was a database breach! TLS won't stop that. This was a hack. LMAO!

This is why I use an E-mail for forums ONLY and a very complicated password. God knows if this site even hashes the passwords with Bcrypt. Could be MD5. LOL!

I think people are just suggesting that while we are on the topic of security. But yeah that would not stop the fact that there is a security hole in the software allowing someone to access the DB. And until they fix it, anything you change your password to, it's still vulnerable.

 

[Ichinisan]

Mod_security?

You people seem to think TLS will solve the issue, HELLO! It was a database breach! TLS won't stop that. This was a hack. LMAO!

This is why I use an E-mail for forums ONLY and a very complicated password. God knows if this site even hashes the passwords with Bcrypt. Could be MD5. LOL!

Is it conceivable that someone gained access to the database by capturing unencrypted traffic from an administrator, and the admin had used the same password for other things?

 

[Dude111]

Please upgrade the forum software.

vBulletin® Version 3.8.8 Alpha 1

This is the LAST good version of VBB!!!! (Version 4 and 5 are ugly and bloated garbage!!)

 

[Elixer]

I agree, sending pw in plain text is Not Good! Also, I don't know why they didn't force resets for everyone automatically.

I wondered this as well... I knew there was some talk about some kind of breach, but, didn't know for sure.

Mod_security?

You people seem to think TLS will solve the issue, HELLO! It was a database breach! TLS won't stop that. This was a hack. LMAO!

This is why I use an E-mail for forums ONLY and a very complicated password. God knows if this site even hashes the passwords with Bcrypt. Could be MD5. LOL!

I am not sure we know that.
For all we know, it could have been an admin's password that was used, and then they dumped the database, and not a attack on the database itself.

AT should have forced password resets for all, and a e-mail about what is known so far.

 

[Element115]

Seeing that it happened months before you joined, this doesn't affect you.

Unless, wwybywb?

Oh, I think I missed where it was said that it was before I joined. If that it is of course not related. First time I joined up.

You used the same password both places?

No I did not. But it seems somebody tried to access my email account repeatedly (and unsuccessfully) and they locked it. If I was one of the last to join right when they hacked the forum maybe they thought my password would be current???

 

[mikeymikec]

Do we know what date this compromise occurred on? I'm asking because I changed my password on the 16th of June and I'm wondering if I have to change it again.

 

[John Connor]

I am not sure we know that.
For all we know, it could have been an admin's password that was used, and then they dumped the database, and not a attack on the database itself.

Not sure if you can dump the database in the forum its self or not. I know it can be done in the phpBB forum software. If not it would be a SQL injection or something. It seems though, given the last breach someone was able to write a script to the site that grabbed passwords. Which makes me wonder if mod_security is even used. Fail2ban could help... Take it up a notch and add a htaccess firewall, a PHP scripted firewall and block dedicated hosts. That's what I do. LOL!

TLS can be done for free though with LetsEncrypt. Just set the command to auto renew every three months as that is when the LetsEncrypt Cert expires. It's FREE!

 

[Red Squirrel]

Should be able to dump from the admin panel I think.

 

[ViviTheMage]

another huge vBulletin hack n grab, I am guessing AT isn't in this one though:

http://www.zdnet.com/article/hacker...reds-of-verticalscope-car-tech-sports-forums/

 

[John Connor]

another huge vBulletin hack n grab, I am guessing AT isn't in this one though:

http://www.zdnet.com/article/hacker...reds-of-verticalscope-car-tech-sports-forums/

And then I read this linked article from there. http://www.zdnet.com/article/twitter-32-million-credentials-accounts-selling-online/

Time for Authy! Authy everywhere! I use it in WordPress!

 

[Krazy4Real]

This is the LAST good version of VBB!!!! (Version 4 and 5 are ugly and bloated garbage!!)

It's not a good version anymore when it's not supported and full of security vulnerabilities.

 

[Platypus]

Mod_security?

You people seem to think TLS will solve the issue, HELLO! It was a database breach! TLS won't stop that. This was a hack. LMAO!

This is why I use an E-mail for forums ONLY and a very complicated password. God knows if this site even hashes the passwords with Bcrypt. Could be MD5. LOL!

No, TLS wont solve the issue that happened, it's just another example of how shitty the security on this site is and has been for a long time. And like another user said, who knows, it could have been the fact that PLAINTEXT passwords are floating around every time you log in here on a network you don't control. I've been posting this request for a long time in various places, I had hoped someone would actually read it if I posted it in this giant site compromise thread.

And yes, it *was* md5...

 

[John Connor]

I don't understand. You say plain text and then you say MD5. Doesn't sound right.

It is MD5 with a weak salt.

 

[JimKiler]

I use my AT forum password for 50 other websites were i do not store sensitive information. Until this site notifies me I will not change my password since i do not use a password manager. But I am not stupid enough to use this password on my email or banking/shopping websites.

 

[Subyman]

I don't understand. You say plain text and then you say MD5. Doesn't sound right.

It is MD5 with a weak salt.

I believe he means since the site doesn't use HTTPS, when you type your password in, it gets sent to their server as plaintext.

 

[John Connor]

Oh, that makes sense.

 

[Spacehead]

Do we know what date this compromise occurred on? I'm asking because I changed my password on the 16th of June and I'm wondering if I have to change it again.

Looks like March 15 of this year if you believe the leakedsource info in this thread-
http://forums.anandtech.com/showthread.php?t=2476731


I think that we'll all have to change our passwords again after whatever the problem is/was is fixed. At this point i'm not sure if this is an AnandTech, vBullitin or some other problem. Looks like a bunch of other forums have been breached lately though.

 

[Spacehead]

I really hope this works & catches on:
SQRL (Secure Quick Reliable Login)

No more worrying if some website/company has their security up to date because there is no more username & passwords to store.