Our User Accounts Have Been Hacked

Moderators: DarthSkeptical, Fnord Serious, Chris, spid, Skyhawke, Darth Kramer, mikebo

Chris
Cosmic Donor
Posts: 1089
Joined: Sun Nov 13, 2005 4:48 am
Location: Toronto

Our User Accounts Have Been Hacked

Postby Chris » Mon Sep 08, 2014 6:22 pm


EarthFurst
Posts: 392
Joined: Mon Dec 04, 2006 7:25 am

Re: Our User Accounts Have Been Hacked

Postby EarthFurst » Mon Sep 08, 2014 9:21 pm

Should we change our forum passwords as well?
Still trying to learn the ways of the ComicBookDB. http://en.wikifur.com/wiki/List_of_upcoming_comics

Chris
Cosmic Donor
Posts: 1089
Joined: Sun Nov 13, 2005 4:48 am
Location: Toronto

Re: Our User Accounts Have Been Hacked

Postby Chris » Mon Sep 08, 2014 11:16 pm

Those are in a separate database, completely unconnected to the site's user database. That said, if your forum password is the same as your site password was, I recommend changing it.

GreatAtBoats
Posts: 1
Joined: Tue Sep 09, 2014 5:18 am

Re: Our User Accounts Have Been Hacked

Postby GreatAtBoats » Tue Sep 09, 2014 5:28 am

A little more information on how this came to your attention and what's being done about it would be nice.

I am also a little bit confused. How did the hacker obtain all users' passwords? The message on the main website says:

we eventually switched to encrypting those passwords in the database but, much to my chagrin, I neglected to eliminate the plain text passwords from the database.


Why would the passwords of users who registered after the switch to encryption be in the database as plaintext?

Chris
Cosmic Donor
Posts: 1089
Joined: Sun Nov 13, 2005 4:48 am
Location: Toronto

Re: Our User Accounts Have Been Hacked

Postby Chris » Tue Sep 09, 2014 11:54 am

It came to my attention because I was told by the hacker. I'm addressing it by a) notifying everyone immediately, b) eliminating the plaintext passwords and c) our web host is investigating to determine how the server was breached and will move forward from there.

All users' passwords were still in the database as plaintext because there was a section of code in the registration that I missed that saved the passwords in plaintext even though we had switched to using encrypted passwords.
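
The failure mode described in the post above (a registration path that kept writing the plaintext after hashed storage was introduced), as an added example that is not part of the thread and not the site's code. The table and column names, the sample accounts and the PBKDF2 parameters are assumptions; the thread says "encrypted" without naming a scheme.

```python
import hashlib, hmac, os, sqlite3

# Constructed schema: "password_plain" stands in for the legacy plaintext
# column. The thread does not name the site's real tables or columns.
SCHEMA = """CREATE TABLE users (
    email TEXT PRIMARY KEY, password_plain TEXT, salt BLOB, pw_hash BLOB)"""

def kdf(password, salt):
    # Salted one-way hash; the iteration count is an illustrative assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register_legacy(db, email, password):
    # The bug: the hash is stored, but the missed code path still
    # writes the plaintext right next to it.
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?,?,?,?)",
               (email, password, salt, kdf(password, salt)))

def register_fixed(db, email, password):
    # Only the salt and the hash are ever written.
    salt = os.urandom(16)
    db.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?,?,?)",
               (email, salt, kdf(password, salt)))

def verify(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email=?",
                     (email,)).fetchone()
    return bool(row) and hmac.compare_digest(row[1], kdf(password, row[0]))

def plaintext_residue(db):
    # Audit: count rows that still carry a recoverable password.
    return db.execute("SELECT COUNT(*) FROM users WHERE password_plain "
                      "IS NOT NULL AND password_plain <> ''").fetchone()[0]

def purge_plaintext(db):
    # Remediation: clear the legacy column, then re-run the audit.
    db.execute("UPDATE users SET password_plain = NULL")
    db.commit()
    return plaintext_residue(db)

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    register_legacy(db, "a@example.test", "constructed-pw-1")  # constructed
    register_fixed(db, "b@example.test", "constructed-pw-2")   # constructed
    before = plaintext_residue(db)
    after = purge_plaintext(db)
    # Login still works after the purge because it only uses salt + hash.
    return before, after, verify(db, "a@example.test", "constructed-pw-1")
```

Clearing the column does not touch copies held in backups or database dumps, which need the same treatment.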

aaronmoish
Posts: 66
Joined: Sun Mar 14, 2010 7:45 pm

Re: Our User Accounts Have Been Hacked

Postby aaronmoish » Fri Sep 12, 2014 10:12 am

Just an FYI for everyone, I received a notification from Amazon letting me know that they "As part of [...their...] routine monitoring, [...they...] discovered a list of email address and password sets posted online", of which my info was apparently on. As such, they automatically reset my password. So, if you used passwords on other sites similar to what you used here, remember to change those, too!

Chris
Cosmic Donor
Posts: 1089
Joined: Sun Nov 13, 2005 4:48 am
Location: Toronto

Re: Our User Accounts Have Been Hacked

Postby Chris » Fri Sep 12, 2014 12:25 pm

There was a massive Gmail e-mail/password list released two days ago by Russian hackers, something like 5 million accounts, though how accurate they are is under some question. If you have a Gmail account, it may be a good idea to change your password. You can read more about it here.

Uthor
Posts: 194
Joined: Fri Jun 03, 2011 1:15 am

Re: Our User Accounts Have Been Hacked

Postby Uthor » Fri Sep 12, 2014 1:54 pm

aaronmoish wrote: Just an FYI for everyone, I received a notification from Amazon letting me know that they "As part of [...their...] routine monitoring, [...they...] discovered a list of email address and password sets posted online", of which my info was apparently on. As such, they automatically reset my password. So, if you used passwords on other sites similar to what you used here, remember to change those, too!


I got the same email, but my password still worked. That made me super paranoid.

I changed it anyway, but after logging into a private browser and typing in the URL manually.

Supposedly my email wasn't part of that "Gmail" leak, so I don't know.

It's probably a good idea to set up two-step verification on at least your important sites (email, anything to do with money, etc).
https://www.google.com/landing/2step/

