
La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

La Luna to justin

Premium Member

to justin

Re: site user password intrusion info

I didn't get the email and my pw was not altered here. Does that mean my info is safe?

Phil
Rojo Sol
Premium Member
join:2001-06-11
Downers Grove, IL

Phil

Premium Member

I didn't get the email either, but changed it anyways. Fortunately, the password I use here is only used here.
tsigo
join:2001-10-11
Mclean, VA

tsigo to justin

Member

to justin
It's good you could cut it off before they got the entire database, but man, plaintext passwords? What are you doing?

tmpchaos
Requiescat in pace
Numquam oblitus
join:2000-04-28
Hoboken, NJ

tmpchaos to zeusage

Numquam oblitus

to zeusage
said by zeusage:

Justin,

Will you please answer the question that several people have now asked.

Have the usernames also been compromised?

From what Justin posted, it was the email address and the associated site password.

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

La Luna to Phil

Premium Member

to Phil
said by Phil:

I didn't get the email either, but changed it anyways. Fortunately, the password I use here is only used here.

Yep, I was advised to change my pw and did so, just to be sure.

Phil
Rojo Sol
Premium Member
join:2001-06-11
Downers Grove, IL

Phil to tmpchaos

Premium Member

to tmpchaos
said by tmpchaos:

said by zeusage:

Justin,

Will you please answer the question that several people have now asked.

Have the usernames also been compromised?

From what Justin posted, it was the email address and the associated site password.

In Justin's original post he says, "original site password". Is it the original or the current one? I'd have to imagine it's the current password, but just want to get clarification.
said by justin:

If your email/password was revealed (you received the alert email, or have discovered your login password has been changed by us already), all you need to do is think of what OTHER sites you use allow logins using your registered email address here, and your original site password.


Weirdal
Premium Member
join:2003-06-28
Grand Island, NE

Weirdal

Premium Member

said by Phil:

said by tmpchaos:

said by zeusage:

Justin,

Will you please answer the question that several people have now asked.

Have the usernames also been compromised?

From what Justin posted, it was the email address and the associated site password.

In Justin's original post he says, "original site password". Is it the original or the current one? I'd have to imagine it's the current password, but just want to get clarification.
said by justin:

If your email/password was revealed (you received the alert email, or have discovered your login password has been changed by us already), all you need to do is think of what OTHER sites you use allow logins using your registered email address here, and your original site password.

I'm fairly sure he said that because those whose passwords were compromised had them automatically changed. The "original" password means your password as of yesterday.

Phil
Rojo Sol
Premium Member
join:2001-06-11
Downers Grove, IL

Phil

Premium Member

said by Weirdal:

I'm fairly sure he said that because those whose passwords were compromised had them automatically changed. The "original" password means your password as of yesterday.

You're probably right.
rexxh
join:2002-03-16
Davis, CA

rexxh to justin

Member

to justin
thank you for alerting me to this. fortunately, the password they got is no longer a password i use but it is good to know that you guys are on top of it

fatness
subtle

join:2000-11-17
fishing

fatness to zeusage

to zeusage
said by zeusage:

Justin,

Will you please answer the question that several people have now asked.

Have the usernames also been compromised?

"email / password pairs"
That is what was stolen, not usernames.
But change your password if your account was affected since it's possible to log in by email address.

tmpchaos
Requiescat in pace
Numquam oblitus
join:2000-04-28
Hoboken, NJ

1 recommendation

tmpchaos to Phil

Numquam oblitus

to Phil
said by Phil:

said by tmpchaos:

said by zeusage:

Justin,

Will you please answer the question that several people have now asked.

Have the usernames also been compromised?

From what Justin posted, it was the email address and the associated site password.

In Justin's original post he says, "original site password". Is it the original or the current one? I'd have to imagine it's the current password, but just want to get clarification.
said by justin:

If your email/password was revealed (you received the alert email, or have discovered your login password has been changed by us already), all you need to do is think of what OTHER sites you use allow logins using your registered email address here, and your original site password.

It would be the password existing just before the system reset of the password- unless you happened to change it between about 3 and 9 pm yesterday.

SRF26
join:2000-04-03
Jamaica, NY

SRF26 to Phil

Member

to Phil
Justin,
I received your e-mail regarding the intrusion, but the system didn't change my password. I was able to access this site this morning and manually change my password. I've been a member since 20000 and my user name and password are unique to this site so there is limited exposure. As a precaution, I did change passwords on several other sites.

Regards...JL
zeusage
join:2002-06-04
Los Angeles, CA

zeusage to fatness

Member

to fatness
Thanks for the quick replies, and I appreciate your input; but I (and I imagine others) would like to hear it from the horse's mouth.

No usernames? Justin?

fatness
subtle

join:2000-11-17
fishing

fatness to La Luna

to La Luna
said by La Luna:

I didn't get the email and my pw was not altered here. Does that mean my info is safe?

Yes. The accounts that got the email were the affected accounts that had logged in within the last 12 months. But there's certainly no harm in a password change.
quote:
I identified the newest accounts, those that were obtained and have logged in over the last 12 months, and have alerted those by email. This amounts to some 9000 accounts.

dandelion
MVM
join:2003-04-29
Germantown, TN

dandelion to justin

MVM

to justin
I never received an email but changed password just in case, thanks for the quick action Justin.

Logan Five
join:2001-09-06
Ohio

Logan Five to justin

Member

to justin
Justin,

Thanks for the quick heads up. Only use this user name here and this password here so limited damage as I see it. Why anyone would use the same name and password combo on different sites is beyond me.

Logan
microcomp
join:2001-01-30
Santa Rosa, CA

microcomp to justin

Member

to justin
Thanks for the heads up and warning about the email address and password. I had an old password on this site but checked my log-ins through Roboform and found several important sites that still had the same combination of email address and password. Thanks to you I was able to change these and feel much more secure about avoiding problems. As one of the 8% whose information was compromised I appreciate the effort you made to inform us quickly about the problem. I hope you are protected now and good luck in the future with these unmentionables.
Thanks for informing us quickly.

Zorack
join:2001-12-14
Fayetteville, WV

Zorack to justin

Member

to justin
The email I got prompted me to change passwords on several sites much earlier than I had anticipated doing, I procrastinate too much on stuff like this (I changed email addresses as well)

Phil
Rojo Sol
Premium Member
join:2001-06-11
Downers Grove, IL

Phil to Logan Five

Premium Member

to Logan Five
said by Logan Five:

Why anyone would use the same name and password combo on different sites is beyond me.

Simple. It's easy to remember and I would wager the vast majority of Internet users today use the same email/password combo across multiple accounts.

Alcohol
Premium Member
join:2003-05-26
Climax, MI

Alcohol to Logan Five

Premium Member

to Logan Five
said by Logan Five:

Justin,

Thanks for the quick heads up. Only use this user name here and this password here so limited damage as I see it. Why anyone would use the same name and password combo on different sites is beyond me.

Logan

Because most people expect the sites to keep their information safe.

Although using the same password for your online banking and internet forums is not a good idea. I don't see the problem with using a common password for your forums/useless accounts.

bfloeagle
join:2001-02-09
Depew, NY

bfloeagle to justin

Member

to justin
Sucks to have "won" but I appreciate the openness and quick response to the issue.
Bobcat79
Premium Member
join:2001-02-04

Bobcat79 to justin

Premium Member

to justin
said by justin:

So your password has actually changed, and you should recover it, and change it to something you want.

But it's still being stored as clear text, so we should not expect the new password to be safe.

Words can't express the extent of my disappointment about what I thought was one of the more competently-programmed sites. I could see doing this in the beginning, but you had over 11 years to fix this instead of making numerous cosmetic changes.

Logan Five
join:2001-09-06
Ohio
Actiontec F2250

Logan Five to Alcohol

Member

to Alcohol
I agree most people would but nonetheless seems foolish and not very security conscious to use the same name and password for more than one site.

Well to each his own, you don't see a problem with it and I do, but I am not one of the ones worrying about it.

Logan

cbcalhoun
Premium Member
join:2000-09-04
Newark, OH

cbcalhoun to justin

Premium Member

to justin
Changed, Thanks!
cberardelli
join:2000-12-01
Italy

cberardelli to justin

Member

to justin
did anybody notice any suspect activity after the attack? I mean people trying to access your accounts with the email/pw stolen. Unfortunately my email/pw combo was used on a bunch of other sites so I spent a substantial amount of time changing it.

Gbcue
Premium Member
join:2001-09-30
Santa Rosa, CA

Gbcue

Premium Member

8% = 135,000 members!

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

1 recommendation

justin to zeusage

Mod

to zeusage
No usernames. No uids.

they extracted email, password pairs only.

hence the advice to consider mainly and a priority what sites that may unlock that are high value.

Nobody who did this will care that they can now login as you at "horse fanciers socal" or whatever community.

They may want to test their data against facebook and twitter (spam opportunities) or access to yahoo/gmail accounts (again, spam opportunities) or paypal/amazon (fraud opportunities). Those would be the first places to change if necessary.
zeusage
join:2002-06-04
Los Angeles, CA

zeusage

Member

Thank you.

bky
Premium Member
join:2002-07-05
Austin, TX

1 recommendation

bky to Bobcat79

Premium Member

to Bobcat79
said by Bobcat79:

said by justin:

So your password has actually changed, and you should recover it, and change it to something you want.

But it's still being stored as clear text, so we should not expect the new password to be safe.

Words can't express the extent of my disappointment about what I thought was one of the more competently-programmed sites. I could see doing this in the beginning, but you had over 11 years to fix this instead of making numerous cosmetic changes.

This.
Until Justin/the site confirms that passwords are now being stored properly (not just hashed, but also per-user salted) I would recommend using a completely different, even weaker, password than used anywhere else.

The fact that I even have to point out security policies to a site like this makes me think seriously about how often this occurs.
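
Added example, not part of the thread and not the site's code: the difference between plaintext, "just hashed", and per-user salted storage raised in the post above, shown as a migration of a plaintext email/password table. The table contents, the record format and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

# Constructed sample of a plaintext credential table (not data from the site).
SAMPLE_PLAINTEXT = {
    "a@example.test": "hunter2",
    "b@example.test": "hunter2",   # same password as the first user
    "c@example.test": "correct horse",
}

def unsalted_sha256(password: str) -> str:
    """'Just hashed': identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user salted record: scheme$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def migrate_plaintext(table: dict, iterations: int = ITERATIONS) -> dict:
    """Replace each stored plaintext password with a salted record."""
    return {email: make_record(pw, iterations) for email, pw in table.items()}

if __name__ == "__main__":
    migrated = migrate_plaintext(SAMPLE_PLAINTEXT)
    for email, record in migrated.items():
        print(email, record)
```

With an unsalted hash the first two sample users would share one digest, so a single guess covers both; with per-user salts their records differ and each must be attacked separately.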