Notice: AnandTech Forums User Data Compromised


Elixer

Lifer
May 7, 2002
10,371
762
126
Who is in charge of security anyway?

Perhaps Ryan doesn't realize that after a db dump, using hashcat and a few high-end GPUs, they can basically crack all the passwords in a few days or sooner?

https://www.troyhunt.com/data-breaches-vbulletin-and-weak/ talks about how easy it is to get all the passwords out of vBulletin (hence the need to reset all passwords automatically).
 

Phynaz

Lifer
Mar 13, 2006
10,140
819
126
No update at all, no notification to users, no software fix.

Purch just sticking their fingers in their ears.
 

Platypus

Lifer
Apr 26, 2001
31,046
321
136
Elixer said:
Who is in charge of security anyway?

Perhaps Ryan doesn't realize that after a db dump, using hashcat and a few high-end GPUs, they can basically crack all the passwords in a few days or sooner?

https://www.troyhunt.com/data-breaches-vbulletin-and-weak/ talks about how easy it is to get all the passwords out of vBulletin (hence the need to reset all passwords automatically).

Nobody. The last time I brought this up with the Purch people, I basically got what amounts to "that's a nice idea *head pat* we'll keep it in mind", when anyone could have owned this site so badly. I guess someone finally did.

They need to replace all this garbage software and find someone who knows what the fuck they're doing. vB isn't the only problem they need to take care of...
 
T

Tim

In light of all of this, I'm just going to ask for my account to be deleted. It's obvious from reading this thread that our personal information is not safe here, nor have any recent attempts been made to keep it safe by applying readily available updates.

I'm sure they'll reject my request for account deletion, just like they did the last time a few months back. I'll be changing my personal information to invalid information (in violation of their TOS) to keep my personal information safe regardless of what they decide to do or not do with my account.
 

John Connor

Lifer
Nov 30, 2012
22,757
619
121
Elixer said:
Who is in charge of security anyway?

Perhaps Ryan doesn't realize that after a db dump, using hashcat and a few high-end GPUs, they can basically crack all the passwords in a few days or sooner?

https://www.troyhunt.com/data-breaches-vbulletin-and-weak/ talks about how easy it is to get all the passwords out of vBulletin (hence the need to reset all passwords automatically).

And what's so comical is I bet vB has the Authy extension that can be deployed. Even IF the salt is weak and uses MD5 hashes, the hacker wouldn't be able to abuse someone's account. I deploy Authy on a crap WordPress site FFS. I then deployed a plugin that upgraded the password hashes to bcrypt.
 
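The two posts above make a concrete claim: a dumped vBulletin table of md5(md5(password) + salt) hashes is cracked in days with hashcat, and a site can move users to a slow hash (bcrypt in John Connor's case) without a flag day. The block below is an added example, not code from AnandTech, Purch or vBulletin, showing both halves: a dictionary attack against a constructed dump, and a login routine that verifies the legacy hash and rewrites the row with a slow KDF on the first successful login. Assumptions not taken from the thread: the vBulletin 3/4 hash layout md5(md5(pw) + salt) with a short per-user salt (the scheme Troy Hunt's article describes; hashcat modes 2611/2711), scrypt from the Python standard library as a stand-in for bcrypt, and every sample username, password and salt.

```python
"""Added example: offline cracking of leaked vBulletin-style hashes versus
transparent migration to a slow KDF. Not AnandTech/Purch/vBulletin code."""
import hashlib
import hmac
import secrets
import time


def vb_hash(password: str, salt: str) -> str:
    """Assumed vBulletin 3/4 scheme: md5(md5(password) + salt), hex-encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


# Constructed sample of leaked `user` rows (usernames, passwords, salts are made up).
DUMPED_ROWS = [
    {"username": "alice", "salt": "k9F", "password": vb_hash("correct horse", "k9F")},
    {"username": "bob", "salt": "Qz2", "password": vb_hash("Summer2016!", "Qz2")},
]

# Constructed tiny wordlist; a real run uses rockyou-style lists plus rules.
WORDLIST = ["password", "123456", "Summer2016!", "letmein", "correct horse"]


def crack(rows, wordlist):
    """Offline dictionary attack. The inner md5 of each candidate is computed
    once and reused for every salt, which is why a short per-user salt adds
    almost nothing to the attacker's cost."""
    inner = {w: hashlib.md5(w.encode()).hexdigest() for w in wordlist}
    found = {}
    for row in rows:
        for word, h in inner.items():
            if hashlib.md5((h + row["salt"]).encode()).hexdigest() == row["password"]:
                found[row["username"]] = word
                break
    return found


# Slow, memory-hard replacement (stand-in for the bcrypt plugin mentioned above).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def verify_and_upgrade(row, password):
    """Login check accepting either scheme. A legacy row that verifies is
    returned rewritten under scrypt with a fresh 16-byte salt, so the md5
    form disappears as users log in. Returns (ok, row_to_store)."""
    if row.get("scheme") == "scrypt":
        return hmac.compare_digest(slow_hash(password, row["salt"]), row["password"]), row
    if not hmac.compare_digest(vb_hash(password, row["salt"]), row["password"]):
        return False, row
    salt = secrets.token_bytes(16)
    return True, {"username": row["username"], "scheme": "scrypt",
                  "salt": salt, "password": slow_hash(password, salt)}


def cost_ratio(trials=200):
    """Rough wall-clock ratio: one scrypt guess versus one legacy guess."""
    t0 = time.perf_counter()
    for _ in range(trials):
        vb_hash("guess", "abc")
    legacy = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    slow_hash("guess", b"\x00" * 16)
    return (time.perf_counter() - t0) / legacy


if __name__ == "__main__":
    print("cracked:", crack(DUMPED_ROWS, WORDLIST))
    ok, migrated = verify_and_upgrade(DUMPED_ROWS[0], "correct horse")
    print("login ok:", ok, "stored scheme:", migrated["scheme"])
    print("scrypt guess costs about %.0fx a legacy guess" % cost_ratio())
```

The migration only helps accounts that log in before the dump is cracked; for everyone else the forced reset Ryan's later update announces is the only fix, which is the point the thread keeps making.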

John Connor

Lifer
Nov 30, 2012
22,757
619
121
Now I have heard the database for this site is rather large. I gotta wonder if the hacker actually grabbed the whole thing. :hmm:
 

jlee

Lifer
Sep 12, 2001
48,518
223
106
Several other forums I'm on have issued site-wide password resets already. I'm rather astonished that it hasn't happened here yet.
 

jeffrey

Golden Member
Jun 7, 2000
1,790
0
0
Ryan Smith said:
Hi gang,

We are investigating a potential data incident in the AnandTech Forum database. Based on the initial analysis, we believe that some (but not all) of our user names and other information may have been accessed. Our passwords in the database are encrypted and we currently do not have any reason to believe the incident resulted in those being revealed.

While we undertake the investigation and try to identify the scope and source of the incident, we would like to ask that our users change their passwords and to the extent that you use the same user name or email and password combination on any other sites, you should change your passwords for those sites too.

Purch, AnandTech, and the people who work here value your privacy and appreciate your loyalty to the site over the years. We want to say that we take this very seriously and are working hard to investigate and remedy any issues. We apologize for any inconvenience. If you have any questions or information, please leave a note in this thread or PM me. As we have updates on this, we will post them here.

-Thanks
Ryan Smith

Ryan, I'm really pretty disappointed in the forum announcement. Most of the mods received emails yesterday with their passwords included in clear text. How can the board management state that they have no indication passwords were revealed? Getting a dozen of them in email is a pretty clear indication. Further, unless you have customized vBulletin, the passwords are not encrypted; they are hashed using the very weak md5 algorithm.

Bottom line: you have to consider the entire password database has been revealed and you should have forced a site-wide reset. The weak advice in the announcement does your users a disservice. As I reported to you yesterday an old PayPal account of mine that used the same creds as my account here was intruded into from China Tuesday evening, before I proactively changed the creds. I didn't even realize AT was the source until I received my own copy of the warning email with my own email address and forum password included.

This is not the right way to handle something like this, at all.


Ryan, is it true that you are lying to us?
 

Elixer

Lifer
May 7, 2002
10,371
762
126
John Connor said:
Now I have heard the database for this site is rather large. I gotta wonder if the hacker actually grabbed the whole thing. :hmm:

While it might be big, so can the pipes used to get the data. This could have been ongoing for days as well--we just don't know anything.
Depending on how badly the site was owned, they could have had root access to do anything.

Seems they are running Apache/2.2.15 (CentOS), using Amazon's data center
Website: forums.anandtech.com
Status: Outdated Software detected. Immediate Action is Recommended.

Seems Ryan only responds in twitter messages, anyone care to ask him what they found out so far, and why there isn't a need to reset all accounts?
 

Ryan Smith

The New Boss
Staff member
Oct 22, 2005
537
117
116
www.anandtech.com
Elixer said:
Seems Ryan only responds in twitter messages, anyone care to ask him what they found out so far, and why there isn't a need to reset all accounts?
Oh I see you guys.:) I am not the only person at Purch working on this, so any statement I make has to be signed off by the appropriate parties first.
 

Carson Dyle

Diamond Member
Jul 2, 2012
8,173
524
126
Ryan Smith said:
Oh I see you guys.:) I am not the only person at Purch working on this, so any statement I make has to be signed off by the appropriate parties first.

Sounds like quite the responsive organization. Another year or two of conference calls and contractor discussions and maybe you guys will manage to upgrade your infrastructure. I won't be holding my breath.

I'm wondering at what point Purch decides these forums are no longer profitable and unceremoniously shuts them down. Given the total lack of resources that have been given to their maintenance, I'd have to think that day is getting close.
 

John Connor

Lifer
Nov 30, 2012
22,757
619
121
Should be a no brainer to anyone reading this that you should have changed your password already. I did and it's a PITA now that I have to enter a new one as I keep forgetting I changed it.
 

Crono

Lifer
Aug 8, 2001
23,720
1,502
136
Carson Dyle said:
Sounds like quite the responsive organization. Another year or two of conference calls and contractor discussions and maybe you guys will manage to upgrade your infrastructure. I won't be holding my breath.

I'm wondering at what point Purch decides these forums are no longer profitable and unceremoniously shuts them down. Given the total lack of resources that have been given to their maintenance, I'd have to think that day is getting close.

I'm sure things would go quicker if we had Axl Rose's lawyers threatening them.:D
 

Markbnj

Elite Member / Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
Ryan, is it true that you are lying to us?

There's no reason to accuse anyone of lying. He's one guy doing a job, and I'm sure he has to go with what his internal people tell him.

They're wrong, of course, but that's probably not Ryan's fault.
 

norseamd

Lifer
Dec 13, 2013
13,990
180
106
Markbnj said:
There's no reason to accuse anyone of lying. He's one guy doing a job, and I'm sure he has to go with what his internal people tell him.

They're wrong, of course, but that's probably not Ryan's fault.

But considering that they are wrong, and if stuff does get worse, will Ryan be the one who gets scapegoated?
 

Dude111

Golden Member
Jan 19, 2010
1,497
7
81
Platypus said:
They need to replace all this garbage software and find someone who knows what the fuck they're doing. vB isn't the only problem they need to take care of...


I don't want this beautiful s/w replaced with garbage!!!! -- To be quite blunt about it......

avsforum.com/forum is having the same issues.......


I love anandtech!!
 

jlee

Lifer
Sep 12, 2001
48,518
223
106
Dude111 said:
I don't want this beautiful s/w replaced with garbage!!!! -- To be quite blunt about it......

avsforum.com/forum is having the same issues.......


I love anandtech!!

AVS Forum also issued password resets, as did TundraSolutions, SubaruForester.org, KawasakiMotorcycle.org, and a handful of others.
 

Elixer

Lifer
May 7, 2002
10,371
762
126
John Connor said:
Should be a no brainer to anyone reading this that you should have changed your password already. I did and it's a PITA now that I have to enter a new one as I keep forgetting I changed it.

Well, yeah, that is a given I assume, but that doesn't guarantee anything if the back door is still open, so to speak.

Thinking some more on this: until the breach has been fixed and there are no other presents left on the server (which basically means a clean install of CentOS again, plus an updated version of the forum software), then, and only then, can they be sure that nothing more can happen.
I would even nuke all admin/moderator accounts, in case they added records to the db and could still download it, and then do a mass reset of all passwords.

Which translates to I expect downtime for AT while they reinstall everything from scratch.
 

Ryan Smith

The New Boss
Staff member
Oct 22, 2005
537
117
116
www.anandtech.com
Update: 06/24:

We are investigating a data incident with respect to the AnandTech Forums database. We believe that some of our user names and other information may have been accessed. Although our passwords in the database are encrypted, we believe that it is advisable to expire all the passwords in use prior to June 24th, 2016. Consequently, the first time that you go to log in to the AnandTech forums after June 24th, 2016, you will be asked to set a new password.

We also suggest that, to the extent that you use the same user name or email and password combination on any other sites, you should change your passwords for those sites too. Generally, it is advisable to not use the same username or email and password combination for multiple sites. We also encourage users to use strong passwords – that is, long passwords with a mix of upper-case and lower-case letters, digits, and punctuation marks. There are a number of excellent password managers out there that make it easy to generate and store these kinds of passwords.
Should you have any problems accessing your AnandTech Forums account (and since you wouldn't be able to post here), please email forumhelp@anandtech.com.

Best regards,
AnandTech Forums
 
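Elixer's post a few replies up lists what a rebuild after a database compromise has to include (mass password reset, distrust of admin/moderator rows the attacker may have inserted), and the update above implements one part of it by expiring every password in use before June 24th, 2016. The script below is an added example, not Purch's or vBulletin's code, that carries the whole procedure out against a constructed in-memory copy of the relevant tables: expire pre-cutoff passwords, revoke every live session (a reset is pointless if stolen session cookies keep working), and list privileged accounts created inside the suspected intrusion window for manual review. Assumptions not taken from the thread: the simplified `user`/`session` schema, the usergroup ids 5/6/7 for super moderators/administrators/moderators (a default vBulletin convention), the incident-start date, and all sample accounts and sessions.

```python
"""Added example: post-breach credential and session reset over a constructed
stand-in for vBulletin's user/session tables. Not Purch/AnandTech/vBulletin code."""
import sqlite3

CUTOFF = "2016-06-24"            # from the update: passwords set before this date expire
INCIDENT_START = "2016-06-01"    # assumed start of the intrusion window, not from the thread
PRIVILEGED_GROUPS = (5, 6, 7)    # assumed: super moderators, administrators, moderators


def build_sample_db():
    """Constructed data: four accounts (two privileged) and three live sessions.
    Column names approximate vBulletin's schema but are an assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user(userid INTEGER PRIMARY KEY, username TEXT, usergroupid INTEGER,
                          passworddate TEXT, joindate TEXT, reset_required INTEGER DEFAULT 0);
        CREATE TABLE session(sessionhash TEXT PRIMARY KEY, userid INTEGER, lastactivity TEXT);
        INSERT INTO user VALUES (1, 'jeffrey', 7, '2014-01-10', '2000-06-07', 0),
                                (2, 'ryan',    6, '2016-06-25', '2005-10-22', 0),
                                (3, 'newmod',  7, '2016-06-20', '2016-06-20', 0),
                                (4, 'elixer',  2, '2013-11-02', '2002-05-07', 0);
        INSERT INTO session VALUES ('a1', 1, '2016-06-23'), ('b2', 2, '2016-06-25'),
                                   ('c3', 4, '2016-06-22');
    """)
    return db


def expire_passwords_before(db, cutoff):
    """Flag every account whose current password predates the cutoff.
    ISO dates compare correctly as strings, so no date parsing is needed."""
    return db.execute("UPDATE user SET reset_required = 1 WHERE passworddate < ?",
                      (cutoff,)).rowcount


def revoke_all_sessions(db):
    """Drop every session; anyone holding a copied cookie is logged out too."""
    return db.execute("DELETE FROM session").rowcount


def suspicious_privileged_accounts(db, incident_start):
    """Privileged rows created on or after the suspected intrusion start:
    an attacker with write access to the db can simply insert an admin."""
    rows = db.execute(
        "SELECT username FROM user WHERE usergroupid IN (?, ?, ?) AND joindate >= ? "
        "ORDER BY username", (*PRIVILEGED_GROUPS, incident_start)).fetchall()
    return [r[0] for r in rows]


def login_gate(db, username):
    """What the login handler returns on the next visit."""
    row = db.execute("SELECT reset_required FROM user WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return "unknown"
    return "reset_required" if row[0] else "ok"


def run_incident_reset(db, cutoff=CUTOFF, incident_start=INCIDENT_START):
    """Run the three steps and return a summary for the incident log."""
    summary = {
        "expired": expire_passwords_before(db, cutoff),
        "sessions_revoked": revoke_all_sessions(db),
        "review_admins": suspicious_privileged_accounts(db, incident_start),
    }
    db.commit()
    return summary


def reset_and_gate(usernames):
    """Convenience: fresh sample db, run the reset, report each user's login state."""
    db = build_sample_db()
    run_incident_reset(db)
    return {u: login_gate(db, u) for u in usernames}


if __name__ == "__main__":
    print(run_incident_reset(build_sample_db()))
    print(reset_and_gate(["jeffrey", "ryan", "newmod", "nobody"]))
```

On a real vBulletin install the same effect comes from its password-expiry setting compared against each row's password date, which is why a user who changed their password before the cutoff was still told at login that it had to be changed again.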
Nov 25, 2013
32,083
11,718
136
1) just happen to notice the message at the top of forum several days after the stuff hits the fan.

2) immediately change password.

3) several days later am told at login that my password is over 900 days old and it *has* to be changed.

4) <sigh>

Edit: 5) and just now received my first official email notification of issues.

6) <double sigh>
 