Hacienda Heights, CA
Re: site user password intrusion info
I can only hope that the other sites I'm a member of are as forthcoming, since it appears that a ton are being hacked. I wonder about arstechnicaforums.
I changed the password here (I must have caught your email before the forced-new), and changed the password in the associated gmail account (how can I be mad at you when I've been lax enough to cross-use the same password?).
I looked at past login attempts (available at the bottom of the gmail page when you're logged in) and didn't see anything out of the ordinary, though gmailmanager checks often enough that another IP could have already been obliterated from the logs (reminds me - google should change that log so that it's not the last 20 login attempts, but the last 20 different IPs).
I also checked my gmail recovery settings - you can't see the answers to the personalized questions, so those are probably secure (depending on cross-referencing other hacked sites, or some gmail hack), and the recovery email address for my gmail account (the one you can use to recover your password to the gmail account) has a password different from the old dslreports password AND the associated gmail account, so my gmail recovery settings appear to be completely secure from this hack.
If there is anything I would add to your warning email, Justin, it is that a user who has cross-used their dslr password for the associated email account should double-check their recovery settings for the associated email account to make sure: 1) that the cross-used password isn't also the password for the associated email account's recovery email address (there has got to be a less confusing way to write that); 2) that the recovery settings for the associated email account haven't otherwise been changed.
Question 1: is there any reason to also turn off POP access to the associated email account if you've already changed its password? Like: do we have to worry about timely password propagation across google's gmail server farm?
Question 2: how secure are the new passwords? Are you reasonably sure that the intruders are now blocked from accessing things they shouldn't have access to? Once you encrypt/hash the email accounts and passwords for dslr, will you update us, and should we go ahead and plan on changing our passwords again then?
Edit - whoops, actually I changed my password before the forced-new was enforced, so I had to redo it again this morning. Hopefully we'll learn when the passwords are encrypted, and then I'll change it to something more permanent.
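Question 2 above asks what "hashing the passwords" would mean for the site. The following is an added illustration, not dslreports' own code, of the difference between a plaintext password table and a salted, slow-hashed one: each password gets a random salt, so two users who chose the same password (or one user who reused a password elsewhere) no longer produce identical records, and a leaked table cannot simply be read back as passwords. It uses only the Python standard library (`hashlib.scrypt`); the record format `scrypt$N$r$p$salt$hash` and the cost parameters are assumptions chosen for the example, and the sample user rows are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Cost parameters are an assumption for this example; tune for your hardware.
# Memory used per hash is 128 * N * r bytes (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per record
DK_LEN = 32     # bytes of derived hash stored per record


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt b64>$<hash b64>.

    A fresh random salt is drawn unless one is supplied (supplying one is
    only useful for tests); the parameters travel with the record so they
    can be raised later without breaking old rows.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the record's own salt/parameters and compare.

    Malformed or non-scrypt records (e.g. a leftover plaintext row) fail
    closed. The comparison is constant-time so a timing side channel does
    not leak how many leading bytes matched.
    """
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4])
        expected = base64.b64decode(parts[5])
    except ValueError:
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def migrate_plaintext_rows(rows: List[Tuple[str, str]]) -> Dict[str, str]:
    """Turn (username, plaintext password) rows into (username -> record).

    This is the one-off step a site would run once; afterwards the plaintext
    column is dropped and only the records remain.
    """
    return {user: hash_password(pw) for user, pw in rows}


def records_reveal_shared_passwords(table: Dict[str, str]) -> bool:
    """True if any two stored records are byte-identical.

    With per-user salts this is False even when users share a password,
    which is exactly what a plaintext (or unsalted) table would give away.
    """
    seen = set(table.values())
    return len(seen) != len(table)


if __name__ == "__main__":
    # Constructed sample rows: two users happen to share a password.
    plaintext_rows = [
        ("alice", "correct horse battery staple"),
        ("bob", "correct horse battery staple"),
        ("carol", "hunter2"),
    ]
    table = migrate_plaintext_rows(plaintext_rows)
    for user, record in table.items():
        print(user, record)
    print("login ok for alice:", verify_password("correct horse battery staple", table["alice"]))
    print("login ok with wrong password:", verify_password("hunter3", table["carol"]))
    print("shared passwords visible in dump:", records_reveal_shared_passwords(table))
```

If the site keeps the plaintext column around "until the migration finishes", the leaked value is still the password; the protection only exists once the plaintext is gone and every login goes through `verify_password`.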