Important Notice - Security Breach

Status
Not open for further replies.
I assure you this most certainly isn't the first time this has happened since the BBS days, it happens all the time. Most places never tell the users about intrusions.

In fact, I'd bet most mid-moderately successful sites don't even know it happens to them. The hackers/spiders don't leave thank you notes behind (most the time :p). You have to have some pretty keen eyes and/or software to spot the clues sometimes.

Deleting your account won't make any difference at this point. Even so, no one can do anything (at least here) with a regular user account that can't be reversed. However, if you would like your account deleted, let me know.

Why not read what I posted? Your reply is meaningless. I said "It's the FIRST time it's happened to ME since the BBS days!"
I am fully aware this happens on other websites and forums, but none of the forums I use, because security is priority number 1 as I see it, not poxy banners and crap most of us will block anyway. It's either admin or the hosting company to blame; if it's the latter, why trust 'em again??
I mean come on, Vbull is as good as it gets......
Also deleting my account via the DB would work if this was to happen again, as when you leave a forum the account still lays there, not deleted from the tables....
Int
 
Upvote 0
I know what you wrote - I am implying that of all the forums you apparently frequent over all these years, I'm more than willing to bet more than one of them has had a breach whether or not you or they know.

I understand how databases work and when people leave.

I also understand you're upset. Our guys found the holes, and patched them. It wasn't through vBulletin. This was unfortunate, but it happened. I think it's more common than you think. That's not to minimize the situation at all - just being realistic.

We could have done like some and NOT detected it at all, or turned the other cheek and chose not to let anyone know on the chance that nothing will come of it from here. Or waited till trouble arose and "then" found the evidence.

We've done the best we could. I'm sorry you're unforgiving. I will be happy to remove your account if you wish. But please don't litter the thread with rash or nonconstructive replies, especially to other users who aren't addressing you at all.

Thanks for understanding.
 
Upvote 0
I am not "unforgiving" as you put it, just after a little reassurance that plans are in place to minimize this happening again...
btw 3 of the said forums I am / was either a mod or admin so fairly sure I would have known...
 
Upvote 0
Generally usernames aren't but the passwords are. I think (if they were able to grab the DB) they may be able to gain access using the encrypted password to other sites where you used the same one. It is very tricky as they would need to know your username as well as gain file access to that site. They shouldn't be able to decrypt the password either as that is damn near impossible assuming the site software uses a reasonable encryption methodology and the key isn't ridiculously simple.

With a good password dictionary they should be able to break the password in seconds, like happened on LinkedIn. Any site where you used the same username/password is at risk. I was surprised that this wasn't mentioned in the OP's post. If the password is broken, they would not need "file level access" to access your stuff on another site.
 
Upvote 0
They are one-way hashed. They are not clear text passwords; the only way I could see what a user's password was is if I got their one-way hashed password and then tried every combination of characters I could think of, ran it through the same hashing algorithm, and if the two match then I know your password. It's actually quite secure if you can throttle how fast you can try combinations of characters, like we do with only allowing 5 attempts and then waiting 15 minutes, but if they have just the hash they can try many combinations very fast with a program. If your password is very random then it probably won't be found.

For instance, let's say you had a password of just lower case letters and it was 8 letters long. That would be 23^8 == 78310985281 different possible passwords that in the hacker's "worst case" have to be tried and hashed: not impossible, but not trivial either. If you had upper case letters as well as lower case then 46^8 == 20047612231936, so even harder. This assumes that your password is just random letters; if you have some word or combination of words you can find in the dictionary, or a birthday, or something else common, then they could try these first and make the attack easier.

Do you salt the password to prevent dictionary attacks?
 
Upvote 0
Phases already mentioned above that they were hashed and salted. That is about the best one can do.

Android Forums has been proactive in warning people and completely transparent about the situation. I get that some people are irked over this, but given the circumstances, things were handled expediently and professionally.
 
Upvote 0
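The salting and throttling points raised in the posts above, as an added Python example that is not from any poster or from the forum's software. The PBKDF2 iteration count and the offline guess rate are assumptions; the keyspace figures use the alphabet sizes exactly as written in the post.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# All parameters below are assumptions for illustration, not the forum's settings.
PBKDF2_ITERATIONS = 200_000
ONLINE_RATE = 5 / (15 * 60)   # guesses/sec under the thread's "5 attempts, then wait 15 minutes"
OFFLINE_RATE = 1e9            # assumed guesses/sec against a fast, unstretched hash


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn per stored password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` random characters."""
    return alphabet_size ** length


def worst_case_seconds(space: int, guesses_per_sec: float) -> float:
    """Time to try every candidate at a given guess rate."""
    return space / guesses_per_sec


if __name__ == "__main__":
    # Same password, two users: different salts give unrelated stored values,
    # so one precomputed table cannot be reused across accounts.
    s1, d1 = hash_password("constructed-sample-pw")
    s2, d2 = hash_password("constructed-sample-pw")
    print("digests differ:", d1 != d2, "| verifies:", verify_password("constructed-sample-pw", s1, d1))

    # Keyspace figures as written in the post above (alphabet sizes 23 and 46).
    for size in (23, 46):
        space = keyspace(size, 8)
        years_online = worst_case_seconds(space, ONLINE_RATE) / (365 * 24 * 3600)
        print(f"{size}^8 = {space}: online ~{years_online:,.0f} years, "
              f"offline ~{worst_case_seconds(space, OFFLINE_RATE):,.0f} s")
```

The salt makes each stored value unique per account; the work per guess against a single stolen hash is set by the iteration count, which is why a slow key-derivation function matters once the login throttle no longer applies.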
I wanted to say thanks for updating the banner up top. I saw it yesterday, but honestly thought it was some sort of lame ad for me to be a sucker and click on. Today, knowing that it says all those things, made me actually take it seriously and click on it.


I think that's one vote (the first vote) for TVictory as lead designer!
 
  • Like
Reactions: Xyro
Upvote 0
Glad someone does, and what you're basing that on god only knows.....


Int

It was somewhat of a sarcastic response, as I never feel safe when someone has a possibility of compromising my account information. But at least I can feel good about the fact I secure my password where it matters and do not repeat passwords unless I don't care as much about my access. ;) And a forum access isn't something that I really care deeply about.
 
Upvote 0
I just wanted to say thanks to Phases and all the gang for being honest about this hey...

I think that is really noble actually you hear me guys!

I am proud of all you losers! ;)

I think you guys are just great and don't stress, I didn't have any important info about me that I will lose sleep over at night.

Except my secret hidden thread of me with Naked sexy female Roaches!

I like a the ladies...

:)

You Suck! :)
 
Upvote 0
Tell that to the FBI, they're currently trying to imprison a British Citizen for the crime of finding out if he could hack into their servers by actually doing it. If they're fallible, then there's no hope for anyone.

Responsibility for security ALWAYS lies with the user AND the provider.

Personally I was forced to set up a more clever password system after my "usual" password got hacked on eBay (no real harm done) and I still used that password for all web forums up until yesterday (since there's little real damage anyone can do by posting as me). Thankfully, I have LastPass, so I have a handy list of which forums I haven't changed the password yet. There's no way I could remember hundreds of passwords, so a system is the only possibility.

In my case I use passW0rd%X where X is the first letter of the site I'm on. It's hardly uncrackable, unlike my Wifi password which is a 52-character string, but it'll stop casual hackers.

Thanks to wikileaks fiasco & other things I took my account off paypal. Removed details from amazon & itunes. I think the internet is not such a safe place to keep money! Banking has extra security fields to fill (memorable info). You're right about the user's responsibility. It's best not to keep a two grand mountain bike in a garden shed!

Also I check old hotmail accounts' junk mail for suspicious behaviour. Old msn contacts have cropped up (been hacked) trying to sell me stuff. Obviously not them, so when you see something like that it means change your passwords.
 
Upvote 0
Sometimes that's an error generated by our app trying to log in or other web confusion.

To see if it's that or something worse, please google: my ip

And compare to that found in that sort of email.

To Phases and the Neverstill Team - thanks for being never still on our protection!

That's quite interesting considering about a week ago I contacted you about the same thing...hmm.

Glad it is resolved though, thanks guys!
 
Upvote 0