Notice: AnandTech Forums User Data Compromised

Page 6

ultimatebob

Lifer
Jul 1, 2001
:biggrin:

> Yeah, I probably would not log on here on an untrusted network like a public wifi or something. I'm not sure why they don't go to https.
>
> But right now the priority should probably be to figure out how the db was leaked. Unless it's someone crooked at the data centre that sniffed traffic, but that would only really get a handful of passwords. I think this was an actual db leak. I guess if you happen to get an admin password... then you have the keys to everything.

From what I've heard, it's a security hole in these older versions of vBulletin. There are a bunch of other forums that got hacked in the same way.
 

Ichinisan

Lifer
Oct 9, 2002
> 1) just happen to notice the message at the top of the forum several days after the stuff hits the fan.
>
> 2) immediately change password.
>
> 3) several days later am told at login that my password is over 900 days old and it *has* to be changed.
>
> 4) <sigh>
>
> Edit: 5) and just now received my first official email notification of issues.
>
> 6) <double sigh>

I went through the same thing (already changed my password and now I'm being prompted to change again). I expected it though. I wouldn't expect the password I set several days ago to be secure if the actual vulnerability used to exploit the site hadn't been identified and closed.

My problem with the forced reset is that it said the email update was "optional". I cleared the stuff my browser auto-completed there (it put my username in the "new email" field and my email address in the "confirm email" field), but then the site complained and said email was required. I had to get Safari to generate new password suggestions 3-4 times and I'm not sure which one I ended up with.
 

Ichinisan

Lifer
Oct 9, 2002
> And why did I have to change a brand new password that the system claimed was 905 days old?
>
> And seriously, to be notified this long after the suspected breach *really* isn't good practice.

I expected another change. You and I changed our passwords before any vulnerability was identified or closed.
 

JEDI

Lifer
Sep 25, 2001
> 1) just happen to notice the message at the top of the forum several days after the stuff hits the fan.
>
> 2) immediately change password.
>
> 3) several days later am told at login that my password is over 900 days old and it *has* to be changed.
>
> 4) <sigh>
>
> Edit: 5) and just now received my first official email notification of issues.
>
> 6) <double sigh>

Also, the forced password change tells you your current email addr.

Didn't realize the email addr I had on file for this forum was from an email site that stopped existing 10yrs ago. :eek:
 

Spacehead

Lifer
Jun 2, 2002
IIRC, they got rid of the more frequent scheduled maintenance as well. Knowing Anand and co were techies, whatever that maintenance was could have been for a very good reason, i.e. data backups or something, given that they did it every week.
And a lot of members bitched about the downtime. I don't think any amount of maintenance is going to help much if the underlying software is out of date.
While it's always good to have backups, unless they were installing super secret security fixes every week, then a problem/breach like this is bound to happen in this day and age.
 

fshagan

Junior Member
Apr 17, 2008
> U do realize that this announcement could have been made 4 days ago when the breach was discovered, right?

You are complaining about four days?

The other site I mention took months to force password resets, and then only forced the password reset without any other information. One of the users discovered the list of forums hacked, which included them. I believe they finally admitted it, but only in an oblique "don't blame us" way.

Four days is fast. White hat hackers typically give companies 30 days to implement new security before they advertise vulnerabilities they find. Microsoft does updates every Tuesday, even for security holes in our operating systems that have much more sensitive information on most of us than this forum does.
 

Bubbleawsome

Diamond Member
Apr 14, 2013
Had the same issue as Victorian gray. I'd already changed my password and was told it was 900 something days old and had to be changed. Oh well.
 

Elixer

Lifer
May 7, 2002
> As a security precaution we expired all passwords, as that was the safest thing to do. "905 days" is just an artifact of how we went about it.

Not sure why anyone cares why it says 9xx days, that is a very minor issue that had to do with setting the db fields the way it was done.

The bigger issue still at large is, was the breach actually found?
Was it the outdated forum software, or something else?
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Yeah there could be a known exploit. Definitely would be worth upgrading, and it's not like there's any mods or anything so it would be a pretty easy upgrade.
 

Carson Dyle

Diamond Member
Jul 2, 2012
> Didn't these guys also buy up Tom's Hardware and some other cheap tech sites that were fading? I look over there and those forums look to be fairly up to date and competently run. I guess this site didn't come with any employees, just the dimwits who continue to volunteer to moderate.

Not quite sure why a data breach makes you think you have license to start calling out the mods. Take some time to reconsider the wisdom of that course.
admin allsiolm
 
Last edited by a moderator:

Elixer

Lifer
May 7, 2002
Hmm, isn't Joe Pishgar the Senior Community Manager from Purch still around?
I would think this would be his team fixing things as his team fixed the other forum issues. (I think?)
 

Dualist

Platinum Member
Dec 5, 2005
Good thing I used LastPass to generate a password for AT before the breach. Just generated a new one today and all is good.
 

JimKiler

Diamond Member
Oct 10, 2002
> I expected another change. You and I changed our passwords before any vulnerability was identified or closed.

Agreed, this "change your password notice" is weak until we also hear the vulnerability is plugged.
 

JimKiler

Diamond Member
Oct 10, 2002
> Hi gang,
>
> We are investigating a potential data incident in the AnandTech Forum database. Based on the initial analysis, we believe that some (but not all) of our user names and other information may have been accessed. Our passwords in the database are encrypted and we currently do not have any reason to believe the incident resulted in those being revealed.
>
> While we undertake the investigation and try to identify the scope and source of the incident, we would like to ask that our users change their passwords and to the extent that you use the same user name or email and password combination on any other sites, you should change your passwords for those sites too.
>
> Purch, AnandTech, and the people who work here value your privacy and appreciate your loyalty to the site over the years. We want to say that we take this very seriously and are working hard to investigate and remedy any issues. We apologize for any inconvenience. If you have any questions or information, please leave a note in this thread or PM me. As we have updates on this, we will post them here.
>
> -Thanks
> Ryan Smith
>
> Update: 06/24:
>
> We are investigating a data incident with respect to the AnandTech Forums database. We believe that some of our user names and other information may have been accessed. Although our passwords in the database are encrypted, we believe that it is advisable to expire all the passwords in use prior to June 24th, 2016. Consequently, the first time that you go to log in to the AnandTech forums after June 24th, 2016, you will be asked to set a new password.
>
> We also suggest that, to the extent that you use the same user name or email and password combination on any other sites, you should change your passwords for those sites too. Generally, it is advisable to not use the same username or email and password combination for multiple sites. We also encourage users to use strong passwords – that is, long passwords with a mix of upper-case and lower-case letters, digits, and punctuation marks. There are a number of excellent password managers out there that make it easy to generate and store these kinds of passwords.
> Should you have any problems accessing your AnandTech Forums account (and since you wouldn't be able to post here), please email forumhelp@anandtech.com.
>
> Best regards,
> AnandTech Forums

Ryan, since someone was able to send me my password via email when will your statement be corrected?

Also since you have not indicated the vulnerability has been patched my new password is incredibly weak. Let us know so we can use strong passwords.
 
Tim

> Any update? Has the vulnerability been patched?

^This

I'm providing false e-mail (in violation of the TOS) and a weak password until we are updated. Even then I may never trust them with my personal information again.

Would actually prefer my account here to be deleted, but they're too hardcore to allow that to happen...