 | reply to justin
Re: site user password intrusion info
So where's the other topic in which we can beat you up over this, Justin?
A SQL injection vulnerability *and* clear text passwords? Piss-poor, bro. Actually kind of shocking, given the reputation of dslr.
But thank you for the heads up - definitely appreciated. |
|
 | reply to justin Justin, thanks for getting this done quickly. Now if banks that get hacked can do the same, we'll be in a better place. |
|
 | reply to justin I got the email, but my password had not been scrambled. I created a new password anyway. I'm glad I hadn't used the original password anywhere else. |
|
 RenHoek (You Eeeediot) Premium join:2000-10-02 Peyton, CO | reply to justin Yeah, just an FYI, I got the email also, but when I went to the dslreports.com website, I was already logged in and able to post just fine without changing anything. -- Don't touch that, it's the history eraser button you fool! |
|
 justin (Australian) join:1999-05-28 New York, NY kudos:7
| said by RenHoek:Yeah, just an FYI, I got the email also, but when I went to the dslreports.com website, I was already logged in and able to post just fine without changing anything. Yes, password changes don't log you out. There didn't seem any point in doing that. So your password has actually changed, and you should recover it, and change it to something you want. Thanks. |
|
 | reply to justin I'm glad I used my alias email address versus my actual email address and my password here is nothing like any of my other passwords on any other forums/accounts.
Judging by the other messages, I think they were grabbing any web based email accounts and hoping the passwords matched up. Then fire off password reminders to grab other stuff.
Just goes to show you, make your passwords unique for all services you use. |
|
 MxxCon join:1999-11-19 Brooklyn, NY | reply to justin Justin, what about logins with rpxnow, was that info compromised in some way? Could they somehow use the fact that I'm authenticated using that system to access other sites that implemented rpxnow?
Justin, I really hope you'll update your system to support long secure passwords. Not just 12 lower case chars long.
Folks, this is another wake up call to start using some password management system. Don't use the same (or a few of the same) passwords everywhere. Please make sure that each login has a unique strong password. Use apps like LastPass or KeePass. They have a proven track record of keeping your passwords secure and will allow you to have unique logins everywhere without having to remember each one. -- Check out my awesome city of MxxTopia »mxxtopia.myminicity.com/ind or »mxxtopia.myminicity.com (the more people visit, the bigger it is) |
|
 trparky (Apple... YUM) Premium,MVM join:2000-05-24 Cleveland, OH kudos:1
| reply to psx_defector Yeah, I had about a few dozen web sites that used the same password as this site and a few others that used a variation of the same password. Including my Battle.NET account.
Needless to say, those sites now use random passwords that have been generated with random characters. -- Tom |
|
 Dersgniw (Disco Crunchin) Premium,MVM join:2001-08-10 behind you kudos:4 | reply to Steimes said by Steimes:Justin, can we please get our passwords and emails encrypted in your database? I assumed passwords were. Guess I was wrong. -- I Smell Cures! -- Our Hope |
|
 Jethroz (Stuck in Stone Age) join:2000-07-11 Frederick, MD | reply to justin said by justin:If you are logged in, I've got a solution, the newly assigned password (will shortly) appear on the /forgot page for you. Thanks for the update on showing the new password. Just had to run around to a bunch of machines to find one that was still logged in so I could reset it.
Working great now - thanks! |
|
 B52GUNR (KM 7D love and D3 Nirvana) Premium,MVM join:2001-03-06 Vallejo, CA | reply to justin I've been a member of this for $DEITY knows how long, and this is the first time this has ever happened.
I do use this password on a lot of sites, but none of my financial sites. Ehn, I've been needing an impetus to change my password anyway.
Thanks for the quick heads up, Justin.
To the other members who got hacked, before beating up on Justin realize that this has never happened before and I know for a fact he will make it so it can't happen again. -- Some assembly required, your mileage may vary, no pixels were harmed in the writing of this post. Brain cells, though, are a different matter. You want fries with that? |
|
 gateguy Premium join:2001-02-12 Reisterstown, MD
| reply to MxxCon said by MxxCon:Folks, this is another wake up call to start using some password management system. Don't use the same (or a few of the same) passwords everywhere. Please make sure that each login has a unique strong password. Use apps like LastPass or KeePass. They have a proven track record of keeping your passwords secure and will allow you to have unique logins everywhere without having to remember each one. I second your approach.
I am a Mac user (at home) and use the built in Keychain application. Every site has a unique password.
I use the built in complexity gauge during password generation. -- Without data, it is just an opinion |
|
 sremick (FreeBSD on the desktop) join:2001-11-11 Bristol, VT | reply to justin I have to join the others and express my shock/disappointment/irritation that any website in 2011... especially a technically-savvy one such as this one... would be storing passwords in cleartext in the database. There are no excuses for such irresponsible handling of user data.
I mean, come on... the concept of 1-way password hashes has been the standard in Unix-style OSes for decades now. This isn't rocket science.
And although in a utopian world I'd have 100 or so unique passwords for each and every site I have an account at, this is just not practical. Nor is remembering every site I have a login at that uses my email address. -- »www.ninstation.com/ |
|
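The one-way password hashing sremick describes, together with the parameterised lookup that closes the SQL injection route mentioned at the top of the thread, as an added example that is not part of this thread or of the dslreports code. The member table, the user "alice", her password and the PBKDF2 work factor are all constructed for the demo; only a salted hash record is ever stored, so a dump of the table reveals no cleartext password.

```python
import hashlib
import hmac
import os
import sqlite3

# PBKDF2 work factor; an assumed value for this demo, tune it to your hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest'.

    Only this string is stored; the cleartext password never is.
    """
    salt = salt or os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_members_db() -> sqlite3.Connection:
    """Constructed in-memory member table standing in for a forum database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO members VALUES (?, ?)",
        ("alice", hash_password("correct horse battery")),
    )
    return conn


def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised lookup: the username is bound, never spliced into SQL."""
    row = conn.execute("SELECT pw FROM members WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(password, row[0])
```

A quoted or otherwise crafted username is compared literally against the column, so it simply matches no member; it never changes the shape of the query.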
 Rick Premium,MVM join:2001-02-06 Waterbury, CT | reply to justin Just a few thoughts and comments.
First..Justin, as far as I'm concerned if you spend one single minute beating yourself up over this on my or many people I'm sure who frequent this site, then you spent one minute too long.
If out of TEN years..(or is it 11 now, I can't even recall now or see the date to be sure)..of frequenting this site on a VERY regular basis I can only say you have run a first class operation.
And so, let's be more than clear here. It is the LOW LIFES who did this who are at fault. And who are to blame. And one can only hope for THEM that they're first on the list of Sony customers to have every account they ever had stolen and hijacked and used by someone just like them.
What you and everyone who runs a website is up against is you can build Fort Knox here, spending years in the process 24 hours a day..7 days a week which you have here...only to have some low life losers come along and try to find and exploit one weakness in it.
What is AMAZING to me is that in all these years, this is ALL that's ever happened given that huge disadvantage you and others are under. And while it's certainly not good..you are doing exactly what you can and should be.
Another testament to your abilities is how FAST you caught it...how FAST you identified who was affected and how FAST you warned us.
Justin..there is NOTHING to be ashamed about with your actions here.
With that said, having been a long time member the site has had my oldest and primary email address, and the password I've used here, while it hasn't been the same as elsewhere, was a variation of others that although it would have taken some time to figure out..I'm sure would have eventually. And so, I've spent the last 3 hours revisiting all my sites and redoing many of my passwords. What was DEFINITELY helpful was that I've used RoboForm for several years and so it was just a matter of going down the list and revisiting all the sites. I'm glad I had that or many of these sites would have been obscure names by now I barely even recall visiting. What comes out of this for me is again a reminder to make sure that passwords vary from site to site. And that they're different enough to not even make a connection. I also think that a program like RoboForm is worth its weight in gold just to maintain a listing and to help manage the many passwords and user names we all deal with out there on the net.
Like many, I was very anxious after having received the email I did, which also got to the point of being very angry as well. But not an ounce of that was directed at this site or the many efforts Justin and others have always put forth on our behalf, and I am GLAD it's happening on someone like Justin's watch where I KNOW it will be fixed.
And lastly, I would like to suggest that if it hasn't been done already..that you call the FBI. Something of this size and scope should be reported to them right away IMO.
Best of luck Justin and all at resolving this and moving on from it.
~Rick |
|
 | thanks |
|
 nklb Premium join:2000-11-17 Ann Arbor, MI kudos:2 | reply to justin Is there any correlation between the user accounts affected? (Similar member numbers or join date? frequent posters? seemingly completely random?)
I also am not happy that the passwords were stored in plaintext, but at least they won't be able to use mine elsewhere. |
|
 | reply to Dersgniw Password reset is not working for me, it is not emailing me a reset |
|
 fatness (subtle) Janitor join:2000-11-17 fishing kudos:13 | I just had the system generate another random password and send it to the email address on your account. -- ain't gonna pee pee the bed tonight |
|
 | reply to justin How do I change my password? |
|
 Zupe Premium,MVM join:2001-11-29 New York, NY | said by butchie:How do I change my password? »/prof/passwd -- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"? |
|