
B52GUNR
KM 7D love and D3 Nirvana
Premium,MVM
join:2001-03-06
Vallejo, CA

1 recommendation

reply to justin

Re: site user password intrusion info

I've been a member of this for $DEITY knows how long, and this is the first time this has ever happened.

I do use this password on a lot of sites, but none of my financial sites. Ehn, I've been needing an impetus to change my password anyway.

Thanks for the quick heads up, Justin.

To the other members who got hacked, before beating up on Justin realize that this has never happened before and I know for a fact he will make it so it can't happen again.
--
Some assembly required, your mileage may vary, no pixels were harmed in the writing of this post. Brain cells, though, are a different matter. You want fries with that?


gateguy
Premium
join:2001-02-12
Reisterstown, MD
reply to MxxCon

said by MxxCon:

Folks, this is another wake up call to start using some password management system. Don't use the same (or a few of the same) passwords everywhere. Please make sure that each login has a unique strong password. Use apps like LastPass or KeePass. They have a proven track record of keeping your passwords secure and will allow you to have unique logins everywhere without having to remember each one.

I second your approach.

I am a Mac user (at home) and use the built-in Keychain application. Every site has a unique password.

I use the built-in complexity gauge during password generation.
--
Without data, it is just an opinion


sremick
FreeBSD on the desktop

join:2001-11-11
Bristol, VT

3 recommendations

reply to justin

I have to join the others and express my shock/disappointment/irritation that any website in 2011... especially a technically-savvy one such as this one... would be storing passwords in cleartext in the database. There are no excuses for such irresponsible handling of user data.

I mean, come on... the concept of one-way password hashes has been the standard in Unix-style OSes for decades now. This isn't rocket science.

And although in a utopian world I'd have 100 or so unique passwords for each and every site I have an account at, this is just not practical. Nor is remembering every site I have a login at that uses my email address.
--
»www.ninstation.com/
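The one-way hashing the post above refers to, as an added example that is not code from dslreports or from the poster: each password is stored as a salted PBKDF2-HMAC-SHA256 hash, so a leaked table reveals hashes rather than passwords, and login only recomputes and compares. The iteration count, the storage format and the sample users are constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune to the server's budget.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    if not salt:
        salt = os.urandom(16)  # random per-user salt defeats shared rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never fall back to a plaintext compare
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def demo() -> dict:
    """Constructed user table: two users who chose the same password."""
    table = {
        "alice": hash_password("correct horse"),
        "bob": hash_password("correct horse"),
    }
    # A record whose hash field was replaced by zeros, as a tampered row.
    bogus = table["alice"].rsplit("$", 1)[0] + "$" + "00" * 32
    return {
        "distinct_hashes": table["alice"] != table["bob"],  # salt differs per user
        "alice_ok": verify_password("correct horse", table["alice"]),
        "wrong_pw": verify_password("Correct horse", table["alice"]),
        "tampered": verify_password("correct horse", bogus),
        "stores_plaintext": "correct horse" in table["alice"],
    }


if __name__ == "__main__":
    print(demo())
```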



Rick
Premium,MVM
join:2001-02-06
Waterbury, CT

5 recommendations

reply to justin

Just a few thoughts and comments.

First..Justin, as far as I'm concerned if you spend one single minute beating yourself up over this on my or many people I'm sure who frequent this site, then you spent one minute too long.

If out of TEN years..(or is it 11 now, I can't even recall now or see the date to be sure)..of frequenting this site on a VERY regular basis I can only say you have run a first class operation.

And so, let's be more than clear here. It is the LOW LIFES who did this who are at fault. And who are to blame. And one can only hope for THEM that they're first on the list of Sony customers to have every account they ever had stolen and hijacked and used by someone just like them.

What you and everyone who runs a website is up against is you can build Fort Knox here, spending years in the process 24 hours a day..7 days a week which you have here...only to have some low life losers come along and try to find and exploit one weakness in it.

What is AMAZING to me is that in all these years, this is ALL that's ever happened given that huge disadvantage you and others are under. And while it's certainly not good..you are doing exactly what you can and should be.

Another testament to your abilities is how FAST you caught it...how FAST you identified who was affected and how FAST you warned us.

Justin..there is NOTHING to be ashamed about with your actions here.

With that said, having been a long time member the site has had my oldest and primary email address and the password I've used here while it hasn't been the same as elsewhere was a variation of others that although it would have taken some time to figure out..I'm sure would have eventually. And so, I've spent the last 3 hours revisiting all my sites and redoing many of my passwords.

What was DEFINITELY helpful was that I've used Roboform for several years and so it was just a matter of going down the list and revisiting all the sites. I'm glad I had that or many of these sites would have been obscure names by now I barely even recall visiting. What comes out of this for me is again a reminder to make sure that passwords vary from site to site. And that they're different enough to not even make a connection. I also think that a program like Roboform is worth its weight in gold just to maintain a listing and to help manage the many passwords and user names we all deal with out there on the net.

Like many, I was very anxious after having received the email I did which also got to the point of being very angry as well.

But not an ounce of that was directed at this site or the many efforts Justin and others have always put forth on our behalf and I am GLAD it's happening on someone like Justin's watch where I KNOW it will be fixed.

And lastly, I would like to suggest that if it hasn't been done already..that you call the FBI. Something of this size and scope should be reported to them right away IMO.

Best of luck Justin and all at resolving this and moving on from it.

~Rick



Squirrelly

join:2000-10-24
Harrisburg, PA

thanks



nklb
Premium
join:2000-11-17
Ann Arbor, MI
kudos:2
reply to justin

Is there any correlation between the user accounts affected? (Similar member numbers or join date? frequent posters? seemingly completely random?)

I also am not happy that the passwords were stored in plaintext, but at least they won't be able to use mine elsewhere.



subhunter1

@click-network.com
reply to Dersgniw

Password reset is not working for me, it is not emailing me a reset



fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14

I just had the system generate another random password and send it to the email address on your account.
--
ain't gonna pee pee the bed tonight


butchie

join:2000-12-29
Phoenix, AZ
reply to justin

How do I change my password?



Zupe
Premium,MVM
join:2001-11-29
New York, NY

1 recommendation

said by butchie:

How do I change my password?

»/prof/passwd
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?

psx_defector

join:2001-06-09
Allen, TX
kudos:1
reply to nklb

said by nklb:

Is there any correlation between the user accounts affected? (Similar member numbers or join date? frequent posters? seemingly completely random?)

Judging by the posters on this thread, it sounds as though they got the first part of the table. Oldest join date is 2002. So if they were slurping the table down, it would start from the first account and go forward.

It definitely isn't by amount of posts, I've been lurking in the background for a bit. Just never felt like posting anything.


slash
Premium,MVM
join:2001-03-01
Boston
reply to justin

I am disappointed that this happened, but I appreciate you getting ahead of this Justin. Your notification and honesty is much appreciated.
--
Why not?



need help

@gs.com
reply to fatness

*help*

I guess I was one of the lucky ones to have their password changed. Problem is, I now can't even get the password info sent to me via email. I haven't changed it in ages but it was registered under one of 3 addys that I have...all of which do not work.

What do I do now?

Thank you.

User name = nynjspeed



fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14

It is registered under a yahoo address


Robert Morrisson

join:2000-03-31
Silver Spring, MD

1 recommendation

reply to justin

Many thanks for being up front with the information rather than trying to hide the bad news, as some major companies have done.

It is truly amazing what evils lurk in the hearts of men. DSL Reports has just discovered some of them. Crackers like this should be found out, arrested, and tried. If convicted they should be treated with mercy.

My definition of "mercy" includes water boarding, burning splinters under the nails, iron maidens, racks, a cat-o-nine-tails, and third rails. It would also include a team of encyclopedia salesmen from a religious cult who will not take "no" for an answer.

Additional mercy includes being forced to listen to 37 hours of commercials in a foreign accent explaining how GEICO will save them money on car insurance.


pandora
Premium
join:2001-06-01
Outland
kudos:2
reply to justin

I'm tempted to get a gmail account for every place I go. However, on reflection, eventually google will get hacked, and life as we know it will come to an end. We may have to live offline, and use green paper bills for commerce. Ohh the pain.
--
"People demand freedom of speech as a compensation for the freedom of thought which they seldom use."



donkeypunch

@ptd.net
reply to butchie

Same here. I reset pw twice and am not receiving a reset email.



tonycpsu

join:2000-11-30
Pittsburgh, PA

2 recommendations

reply to justin

Justin,

I come at this from the perspective of someone who develops security monitoring tools for a living. My first comment is that you are to be commended for your fast, responsible disclosure of the problem, and for fixing the SQL injection bug. Obviously, we're all hoping you spend a good amount of time combing the rest of the site's source for further exploitable vulnerabilities over the coming days, but your initial turnaround on this is worthy of praise.

In terms of being beaten up about this, I'd hate it if my skills as a programmer were judged based on only my worst bugs. I think that the more time we waste beating you up on this is time we're not spending learning how to avoid these mistakes ourselves in the future.

With that in mind, could you tell us all a bit about how you were first alerted of this attack in progress? What was your first indication, and how did you follow up to determine the scope of the attack? Were you just operating off of server logs on the web server, RDBMS, etc. or do you run an IDS/IPS that helped you figure out what was happening?

Finally, are you absolutely, 100% certain that the 8% of accounts you've already emailed are the only ones who are compromised, and what makes you sure that others were not? I bring up this last point because oftentimes attackers will have a way of covering up their tracks. At a minimum, I think a front page post on this is in order to let everyone else on the site who isn't following this forum know that there's a remote chance their credentials were also exposed.

Thanks again for your quick response, and I hope you'll share some more details of how you detected and responded to this attack with us soon so that we can all learn from your mistakes.
--
TV: Dish Network
Internet: FiOS 15/5



cowboyro
Premium
join:2000-10-11
Shelton, CT

1 recommendation

reply to justin

It is year 2011. SQL injection should be a thing of the past. It puzzles me why so many still don't use stored procedures (of course without dynamic SQL inside) - besides poor programming skills or sheer laziness. Not a hit at Justin, just a thought...

That being said, my passwords are fairly unique for each site.
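The class of bug the post above is talking about, as an added example that is not code from dslreports or from the poster: the same account lookup written by splicing input into the SQL text and written with a bound parameter, run against a constructed in-memory SQLite table. The table, the users and the probe input are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed table with two users; nothing here is dslreports data.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    con.commit()
    return con


def lookup_unsafe(con: sqlite3.Connection, name: str) -> list:
    """Vulnerable: untrusted input becomes part of the SQL statement itself."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    """Fixed: the value is bound as a parameter and can never alter the query."""
    return con.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Compare both lookups on a normal name and on input containing a quote."""
    con = make_db()
    # Input that closes the string literal and appends an always-true clause.
    probe = "x' OR '1'='1"
    return {
        "unsafe_rows": len(lookup_unsafe(con, probe)),  # returns the whole table
        "safe_rows": len(lookup_safe(con, probe)),      # no user has that name
        "safe_alice": len(lookup_safe(con, "alice")),
        "safe_quote_in_name": len(lookup_safe(con, "o'brien")),  # quotes are data
    }


if __name__ == "__main__":
    print(demo())
```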



SteelersFan

join:2001-02-12
Rockwall, TX
reply to tonycpsu

Wow! Two zingers in one week (PSN and DSLR). Thanks for the quick notice Justin. I do appreciate it and fortunately had a unique password for this site. For those recommending lastpass type software, isn't that putting yourself in the same type of boat. You're basically utilizing one password to access all of your passwords. There was something a little unsettling about that for me. I typically store all my passwords in a password protected Excel password file on my laptop. Probably not the best place in the world, but at least it's local and I don't take my laptop around that much. I am open to other suggestions or thoughts.



fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14
reply to donkeypunch

I don't know what account is yours?



Donkaroo

join:2000-07-02
Hawley, PA

I finally got the reset email. Thanks anyway fatness.



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13
reply to justin

Honesty, transparency and courage to admit and own up to a mistake. Well done for having it all.

Cudni



jfgnet
12 Step Program
Premium,MVM
join:2001-02-14
Limbo
reply to justin

Thanks for the heads up, changed passwords on all systems just to be safe, since email addy was found also.



yock
TFTC
Premium
join:2000-11-21
Miamisburg, OH
kudos:3
reply to justin

Thanks for the swift notification, Justin. I don't imagine there is much, if anything, your userbase can do to help, but do say so if there is.
--
Have more fun with your GPS.
Geocaching.com



fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14

1 recommendation

Send lawyers, guns, and money.


mhochman1

join:2001-01-06
Bar Harbor, ME

How was I to know she was with the Russians too?



yock
TFTC
Premium
join:2000-11-21
Miamisburg, OH
kudos:3
reply to fatness

I have no money to send, which means I've had no need of lawyers or guns to have them to send either. =)
--
Have more fun with your GPS.
Geocaching.com



jengersnap

join:2000-09-14
Ridgeway, ON
reply to justin

Bummer. Not a lottery I wanted to win, for sure. Durn email account is my primary of over 10 years, with a password that cannot be changed by me. I'm at the mercy of a company I no longer have any affiliation with, hoping someone there can change the pw.



Shorty
Premium
join:2001-01-19
Vermont, USA

2 edits
reply to justin

The sh** has hit the fan...

Edit: Just to be clear, I didn't intend to reply directly to Justin. I'm not smart enough to figure out how to reply "blankly" like others do.