
Bloom County
reply to baloosh

Re: site user password intrusion info

7/6/2000 actually


Brooklyn, NY
reply to baloosh
Actually my account got hit as well, so 1999-11-19.

Texas Gooner
San Benito, TX
·Time Warner Cable
reply to justin
Thanks for the quick response Justin. I got your email last night and quickly changed my password. Luckily the username and password were unique and almost original to this forum so I didn't lose anything that I can tell. Also, I've been using lastpass for the last few months so I've got different ids for all the sites I frequent.
An appeaser is one who feeds a crocodile, hoping it will eat him last. - Sir Winston Churchill


Seattle, WA
reply to justin
After not logging on to DSLR in a really long time, I logged on just the day before (4/26) to change my password because I shared it with PSN.

So I'm glad I did that when I did, otherwise the hacker would have gotten a password that I had previously shared among a lot of sites.

But now it's changed again! Thanks for letting us know, Justin!

Germantown, OH
reply to CylonRed
Beat both of you...


Regarding the password here, for good or bad, it was a "simple" one. Over time, other sites or new sites I've joined (banking, Paypal, etc) started requiring more complex ones ... I HOPE, at least !!


Philadelphia, PA
reply to justin
Wow, didn't know my account was that old. Lucky me. Time to change some passwords.


Bedford, TX

1 recommendation

reply to sremick
I totally agree with this. I couldn't believe that passwords were not encrypted with one-way encryption. This is a case of not "could have, should have": encryption should have been done since day 1.

The email I got said my account was compromised. The good thing is that I never use the password I use for less secure websites (those that don't contain my credit card info and such) for banking, credit cards or any website that has my credit cards; for those I use a much stronger password, and they all have different passwords.

Climax, MI
reply to justin
I'm guessing some parts of the site are down?


I don't know why that would be, but I'm unable to change the order of my ff.
I found the key to success but somebody changed the lock.

Valencia, CA
·Time Warner Cable

1 recommendation

reply to pintnight
I have to say I'm shocked too. BBR runs stories about sites getting hacked all the time. The Gawker and PSN events should have been a cue to think about your users' safety and beef up your security.

This site was born during a more innocent age, I suppose, but .... c'mon. You have active security forums, that alone makes you a juicy target. Disappointing.

AT&T U-Hearse - RIP Unlimited Internet 1995-2011
Rethink Billable.


Randallstown, MD

1 recommendation

reply to justin
Every day in security, we're apprised of the very same things that have happened here.


Chicago, IL
reply to Hall
didn't beat many here: 8/17/2000...bad days back then for Ameritech DSL!

Well, it just shows it's a good thing I've been squishing out other passwords recently, but now I have to run through KeePass (at least I've had that backup!) and figure out what needs changing.

I appreciate the tutorial a few pages back on generating strong site-specific passwords...I could never figure out how to do that in a way that wouldn't overtax this ancient mind.

Off to change a few more sites...


Ottawa, ON
·Rogers Hi-Speed

1 recommendation

reply to justin
Password notification received, and password changed. I would like to see just what format of passwords DSLR accepts. I use a password store that lets me use very long and very secure passwords that I do not have to commit to memory. Will the DSLR system accept passwords that are 64 characters long comprised of mixed case/digits/special characters? Or is there a limit of, say, 8 characters with no special characters? I've seen sites that will seemingly accept a long password via paste, but quietly truncate the entry at the text box.

I want to create as ugly a password as possible.
"I reject your reality and substitute my own."


Saint Peters, MO
reply to justin


I haven't participated here in ages. I was one of the "lucky" ones who had their email/password compromised; I initially panicked but quickly figured out it was unique to this site, so no harm no foul.

Thanks for letting us know in a timely fashion, hopefully the hackers didn't have enough time to screw anyone over.

Syracuse, NY
·Verizon FiOS
reply to fatness
said by fatness:

I just had the system generate another random password and send it to the email address on your account.

Could you do the same for me? I still haven't seen the email after two attempts and I just checked the antispam system and it's not in there.

Andrew J
Lancaster, PA
reply to justin
Got the message and don't see any other problems.


Hacienda Heights, CA

1 edit
reply to justin
I can only hope that the other sites I'm a member of are as forthcoming, since it appears that a ton are being hacked. I wonder about arstechnicaforums.

I changed the password here (I must have caught your email before the forced-new), and changed the password in the associated gmail account (how can I be mad at you when I've been lax enough to cross-use the same password?).

I looked at past login attempts (available at the bottom of the gmail page when you're logged in) and didn't see anything out of the ordinary, though gmailmanager checks often enough that another IP could have already been obliterated from the logs (reminds me: google should change that log so that it's not the last 20 login attempts, but the last 20 different IPs).

I also checked my gmail recovery settings: you can't see the answers to the personalized questions, so those are probably secure (depending on cross-referencing other hacked sites, or some gmail hack), and the recovery email address for my gmail account (the one you can use to recover your password to the gmail account) has a password different from the old dslreports password AND the associated gmail account, so my gmail recovery settings appear to be completely secure from this hack.

If there is anything I would add to your warning email, Justin, it is that a user who has cross-used their dslr password for the associated email account should double-check their recovery settings for the associated email account to make sure: 1) that the cross-used password isn't also the password for the associated email account's recovery email address (there has got to be a less confusing way to write that); 2) that the recovery settings for the associated email account haven't otherwise been changed.

Question 1: is there any reason to also turn off POP access to the associated email account if you've already changed its password? Like: do we have to worry about timely password propagation across google's gmail server farm?

Question 2: how secure are the new passwords? Are you reasonably sure that the intruders are now blocked from accessing things they shouldn't have access to? Once you encrypt/hash the email accounts and passwords for dslr, will you update us, and should we go ahead and plan on changing our passwords again then?

Edit: whoops, actually I changed my password before the forced-new was enforced, so I had to redo it again this morning. Hopefully we'll learn when the passwords are encrypted, and then I'll change it to something more permanent.

We Want... A Shrubbery
Hamilton, OH
reply to hurleyp
said by hurleyp:

Password notification received, and password changed. I would like to see just what format of passwords DSLR accepts. I use a password store that lets me use very long and very secure passwords that I do not have to commit to memory. Will the DSLR system accept passwords that are 64 characters long comprised of mixed case/digits/special characters? Or is there a limit of, say, 8 characters with no special characters? I've seen sites that will seemly accept a long password via paste, but quietly truncate the entry at the text box.

I want to create as ugly a password as possible.

I'd be curious about this, too. I got the e-mail from Justin this morning and quickly changed my password, though it's in the same general format I use with a lot of sites. I recently started using Lastpass (www.lastpass.com) to manage my passwords. Since it can generate long, complex, passwords and then auto fill them, I'm thinking of changing all my online passwords to something unique for every site.
Golf is a relatively simple game, played by reasonably intelligent people, stupidly.

Tag?, What Tag? TAG You're it.

Anna, TX
·Grayson County T..
reply to justin
Changed Password. Join date is 2002-03-10
(10th year!) so I'm on the early side of the history of the website. I have groups of passwords I use on other sites. On most other sites the usernames are different, but the password is the same. That is now changed. I use the base password and then different passwords on the end of that. I would recommend a rotation password. At work my password is changed every 90 days. The only thing I worry about is that it is 8 characters long. I will now be researching SQL injection to see what SQL/SQL injection is.

humor\ Best firewall is the 3 inch air gap from the network cable being unplugged. \humor


Chico, CA

1 edit
reply to psx_defector
said by psx_defector:

said by nklb:

Is there any correlation between the user accounts affected? (Similar member numbers or join date? frequent posters? seemingly completely random?)

Judging by the posters on this thread, it sounds as though they got the first part of the table. Oldest join date is 2002. So if they were slurping the table down, it would start from the first account and go forward.

It definitely isn't by amount of posts, I've been lurking in the background for a bit. Just never felt like posting anything.

Actually my join date is older than stated above.


There was one site that used the password in question: this one. I had actually used it as the password on a couple of routers but I changed those as well after receiving the notification mail.
Madness takes its toll. Please have exact change.

Grand Island, NE

1 edit
reply to Rick
said by Rick:

First..Justin, as far as I'm concerned if you spend one single minute beating yourself up over this on my or many people i'm sure who frequent this site, then you spent one minute too long.

Actually this was a pretty huge security mistake that should never have happened. 135,000+ users now have their passwords in someone's hands. Your post belongs in a topic like this, not this one. He absolutely should beat himself up about this.

I am glad I woke up to find this thread though.
»[Info] The DSLR Orangeface extension 2.0!


Grandville, MI
reply to justin
I can say this wreaked havoc with me. (As a very old account it was from the days that I used a coordinated email and password for most accounts.) I spent most of the morning hours (12 AM - 1:30 AM) auditing my accounts and vulnerability. Although I wasn't pleased to get the email, I am happy with the rapidity of your communication and the openness of it as well. I trust that this will mean an update to security (as mentioned) as well.

Bloom County
reply to Weirdal
Not all of the accounts were compromised - last number I read was 9K.

Germantown, OH
said by CylonRed:

Not all of the accounts were compromised - last number I read was 9K.

Isn't that what they always say ?

Per Ardua Ad Astra
ExMod 2002-04
reply to justin
Dear Justin,

First of all, I must admit that I'm somewhat surprised by the storage of passwords in plain text. Then again, just like tonycpsu, I do develop software as well and I too would hate it if all my skills would be judged against a single bug or moment of failure. Software will basically never be perfect*, and in all the years that I'm a member here (quite a while) you and the rest of the team have done an awesome job to keep things running while growing in both size and functionality.

But sometimes things just happen, sadly this attack has hit your website.

Having a compromised/affected user account, I appreciate it very, very much that you are honest and clear in your e-mail. Many companies/people would not have the guts to do this.

And please consider switching to a hashed (+salt) password when you've got the time for it/all of this behind you!

* Unless one takes extreme measures, e.g. the process/team behind the software for the Space Shuttle.
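Two practical points come up in this thread: hurleyp asks whether a site silently truncates long pasted passwords, and the post above asks for salted hashes instead of plaintext storage. The following is an added example written for this page, not DSLR's code. It models a user table that stores only salted PBKDF2-HMAC-SHA256 records, and includes a probe that detects silent truncation by registering a long password and then logging in with one that differs only in its last character. The `PasswordStore`, `max_len` and the iteration count are illustrative choices; a `max_len` of 8 models the old-style truncating site hurleyp describes, and `None` models a site that uses the whole password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size chosen for this example; raise iterations in production.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a stolen table cannot be attacked with one lookup.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown password scheme")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class PasswordStore:
    """In-memory user table that keeps only salted hashes (hypothetical, for the example).

    max_len=None uses the full password; an integer models a site that quietly
    truncates what the user typed before hashing it.
    """

    def __init__(self, max_len: Optional[int] = None):
        self._records = {}
        self._max_len = max_len

    def _normalize(self, password: str) -> str:
        return password if self._max_len is None else password[: self._max_len]

    def register(self, user: str, password: str) -> None:
        self._records[user] = hash_password(self._normalize(password))

    def login(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        return record is not None and verify_password(self._normalize(password), record)


def detect_truncation(store: PasswordStore, user: str, length: int = 64) -> bool:
    """Return True if the store accepts a password that differs only in its last character.

    The probe password is constructed inline: printable ASCII including specials,
    so it also exercises whether special characters survive.
    """
    probe = "".join(chr(33 + i % 94) for i in range(length))
    store.register(user, probe)
    altered = probe[:-1] + ("x" if probe[-1] != "x" else "y")
    # A correct site rejects the altered password; a truncating site accepts it.
    return store.login(user, altered)


if __name__ == "__main__":
    print("truncating site (8 chars):", detect_truncation(PasswordStore(max_len=8), "alice"))
    print("full-length site:", detect_truncation(PasswordStore(), "bob"))
```

The probe is the same check a user can run by hand against a real site: register or change to a 64-character password, then try to log in with the last character changed. If that login succeeds, the site is not using the whole password. The storage side shows what "hashed (+salt)" means concretely: the record carries its own salt and work factor, so records can be upgraded later, and verification never needs the plaintext back.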

Proud Union THUG
Fort Worth, TX
reply to justin
I would appreciate a reply to my E-Mail.

Android, There's a hack for that

Cape Coral, FL
reply to justin
Thanks Justin, I am keeping a close eye on my email account, got to love Google for their two step verification.
Just a quick note: I've been a member for over 10 years and this is the first time something like this has happened.
It says a lot about your commitment to your members, thanks again.

Pasadena, MD
reply to justin
no problems here, never used same password twice. thx for keeping informed.

Cum Grano Salis
Lasalle, QC
reply to justin
Just to clarify:
- They got the Email we used to register at DSLR
- They got our DSLR password
So this could be bad only if we used our DSLR password somewhere else.

Did they also get our DSLR user name or user ID?
Did they get any other information that can help those idiots to identify us (location, Zip code, etc.) ?
Festina Lente

Metal Head
Escondido, CA
reply to justin
Got the email this morning and promptly changed my password, luckily this is the only site with that password so hopefully I should be all good.

Thanks Justin for the quick response.