Old July 14th, 2012, 06:56 AM   #201 (permalink)
~Play Nice~
 
 
Join Date: Jun 2010
Location: Douglas, MA
Gender: Male
Posts: 25,034
 
Device(s): Moto X Developer Edition, Nexus 7 (2012 & 2013), Note II, S3
Carrier: Not Provided

Thanks: 15,703
Thanked 16,983 Times in 9,348 Posts

Quote:
Originally Posted by GirlFriday View Post
Thank you for the notification and quick response. Unfortunately these things happen. There is no such thing as a hacker proof site. I'm sorry there are so many lazy people on this site though. This thread would be only half as long if it weren't for the people who couldn't be bothered to read through the thread or search and asked "are passwords salted and/or hashed" over and over and who reported the "x amount of attempts to log in to my account what gives?" OVER and OVER. You admins must have the patience of saints to put up with it.
Thank you for your kind words towards the folks that are dealing with this issue. They really have done a stand-up job. Having had my SSN stolen a few times via companies like Disney and TJX, I appreciate the level of detail, the timeliness, and the honesty about what happened and what they have implemented.

As someone who has answered questions about login attempts again and again, I can say I don't mind answering at all. This is/was a serious issue and folks are concerned not only for their own security, but for the security of AF, which is very thoughtful.

When I had the issue occur to me, it was very rapid fire (2 devices with three different forum apps all trying to connect). Reading through pages of "Good Job guys" and "your idiots" to find the solution is not as quick, or efficient, as simply asking again, as someone will point out the solution and put that member's mind at ease.


Unforgiven is offline  
The Following 2 Users Say Thank You to Unforgiven For This Useful Post:
EarlyMon (July 14th, 2012), El Presidente (July 14th, 2012)
Old July 14th, 2012, 07:44 AM   #202 (permalink)
Junior Member
 
Join Date: Mar 2010
Location: NC
Posts: 56
 
Device(s): Samsung Conquer 2.3.6
Carrier: Not Provided

Thanks: 2
Thanked 6 Times in 2 Posts

I recently started using LastPass to generate long random passwords for each account, and this account was one of them. I'm changing it again, but for me, not worried about anything else.

I had been using LastPass to simply keep and log in to accounts, but having it keep the crazy passwords was one step better I took earlier.

And thanks so much for being upfront and having the tips for everyone, that's great!
dibba is offline  
Old July 14th, 2012, 07:50 AM   #203 (permalink)
Junior Member
 
Join Date: Mar 2010
Location: NC
Posts: 56
 
Device(s): Samsung Conquer 2.3.6
Carrier: Not Provided

Thanks: 2
Thanked 6 Times in 2 Posts

One more thing you could have done better, IMO:

1. Emailed users about this. I don't post frequently, and just happened to come here and see this. It'd have been nice to know ASAP to change my password earlier.

2. Even better: Reset everyone's password, and when they visit the site have them reset it. Or have a reset password link in the email from my suggestion above.
dibba is offline  
The Following User Says Thank You to dibba For This Useful Post:
EarlyMon (July 14th, 2012)
Old July 14th, 2012, 08:16 AM   #204 (permalink)
The PearlyMon
 
 
Join Date: Jun 2010
Location: New Mexico, USA
Posts: 46,462
 
Device(s): M8, LTEvo, 3vo, and Shift - Evo retired
Carrier: Sprint

Thanks: 42,774
Thanked 57,265 Times in 23,020 Posts

I am trying to imagine the ensuing chaos or anger from emailing over one million people being much different than what we have seen already.

Personally, I have yet to have any new spam on the email account I use here or other intrusion attempts on it.

And we have had zero reports saying, I never posted that, or, that post doesn't sound like so-and-so.

I trust the Admin's play in this case.
EarlyMon is online now  
The Following 4 Users Say Thank You to EarlyMon For This Useful Post:
Crashumbc (July 16th, 2012), El Presidente (July 14th, 2012), Rachel A (July 14th, 2012), Unforgiven (July 14th, 2012)
Old July 14th, 2012, 08:44 AM   #205 (permalink)
Junior Member
 
Join Date: Jun 2012
Location: Austin
Posts: 20
 
Device(s): HP touchpad
Carrier: Not Provided

Thanks: 2
Thanked 2 Times in 2 Posts

Does this site use one way encryption for passwords?

I wonder if any of this standard bulletin board software uses one way password encryption.
palmickey is offline  
Old July 14th, 2012, 09:22 AM   #206 (permalink)
Member
 
Join Date: Apr 2010
Location: Western PA
Posts: 472
 
Device(s): GNex - LTE ........ Moto Xoom ........................ Droid Incredible ............... *no apples*
Carrier: Not Provided

Thanks: 71
Thanked 56 Times in 51 Posts

I received 37 login attempt failure notices this morning.

I had changed my password as soon as I saw this notice so I wonder...
veccster is offline  
The Following User Says Thank You to veccster For This Useful Post:
EarlyMon (July 14th, 2012)
Old July 14th, 2012, 09:25 AM   #207 (permalink)
~Play Nice~
 
 
Join Date: Jun 2010
Location: Douglas, MA
Gender: Male
Posts: 25,034
 
Device(s): Moto X Developer Edition, Nexus 7 (2012 & 2013), Note II, S3
Carrier: Not Provided

Thanks: 15,703
Thanked 16,983 Times in 9,348 Posts

Quote:
Originally Posted by veccster View Post
I received 37 login attempt failure notices this morning.

I had changed my password as soon as I saw this notice so I wonder...
Have you checked that you have updated your credentials in any apps you use to connect to the forums (Official AF app, Tapatalk, or Forum Runner)? I had this happen to me.
Unforgiven is offline  
The Following 2 Users Say Thank You to Unforgiven For This Useful Post:
EarlyMon (July 14th, 2012), veccster (July 14th, 2012)
Old July 14th, 2012, 09:44 AM   #208 (permalink)
Check six!
 
 
Join Date: Aug 2009
Location: Inverness, UK
Gender: Male
Posts: 18,083
 
Device(s): Sony Xperia Z
Carrier: EE

Thanks: 2,772
Thanked 11,511 Times in 5,850 Posts

Quote:
Originally Posted by xploited View Post
I only registered on these forums because of your "greed" policies - hiding info and download links from unregistered users.
Sorry bud, you're not getting away with that!

You may be confusing AF with some other site you frequent - there is NO restriction on viewing imposed on unregistered guests. Posting yes, but guests can freely read.

You registered almost two years ago, and before yesterday your last contribution to the site was shortly after that. So excuse me if I find people suddenly coming back here whining about "amateur security" and making false claims about a site they've taken little interest in somewhat suspicious.
Slug is online now  
The Following 10 Users Say Thank You to Slug For This Useful Post:
agentc13 (July 14th, 2012), Crashumbc (July 16th, 2012), D-U-R-X (July 15th, 2012), dautley (July 14th, 2012), EarlyMon (July 14th, 2012), El Presidente (July 14th, 2012), Rachel A (July 14th, 2012), Unforgiven (July 14th, 2012), veccster (July 14th, 2012), Xyro (July 14th, 2012)
Old July 14th, 2012, 10:33 AM   #209 (permalink)
New Member
 
Join Date: Apr 2011
Posts: 14
 
Device(s):
Carrier: Not Provided

Thanks: 0
Thanked 5 Times in 3 Posts

Quote:
Originally Posted by Phases View Post
UPDATE: I forgot to mention. If you are using an Android Application to access the forums (Tapatalk, Phandroid App) - they will not register the password change and may flood your email with "someone has tried to access your account" emails. Unfortunately the only advice I have for that is to uninstall/re-install the app, if you cannot change your password from within.
Just wanted to point this out if anyone missed it. I was wondering why I kept getting the emails as they state here with my IP address when I wasn't (knowingly) trying to login. It all makes sense now...lol.


Also, to the admins - thanks for the notification. I do agree with some others that an email might have been a better option, especially for those who do not log in frequently but other than that, nice job handling the situation.
jspidey is online now  
The Following User Says Thank You to jspidey For This Useful Post:
Unforgiven (July 14th, 2012)
Old July 14th, 2012, 11:29 AM   #210 (permalink)
Junior Member
 
Join Date: Nov 2009
Posts: 50
 
Device(s): Droid X, Bionic, RAZR Maxx
Carrier: Not Provided

Thanks: 7
Thanked 2 Times in 1 Post

Quote:
Originally Posted by CuBz View Post
Ah yes, the Phandroid app... silly me

P.S. Does this forum support Tapatalk now?
Yes it does support Tapatalk
WPWoodJr is offline  
Old July 14th, 2012, 11:32 AM   #211 (permalink)
~Play Nice~
 
 
Join Date: Jun 2010
Location: Douglas, MA
Gender: Male
Posts: 25,034
 
Device(s): Moto X Developer Edition, Nexus 7 (2012 & 2013), Note II, S3
Carrier: Not Provided

Thanks: 15,703
Thanked 16,983 Times in 9,348 Posts

Quote:
Originally Posted by WPWoodJr View Post
Yes it does support Tapatalk
Yes, both Tapatalk and Forum Runner.
Unforgiven is offline  
Old July 14th, 2012, 12:48 PM   #212 (permalink)
New Member
 
Join Date: Jun 2012
Posts: 1
 
Device(s):
Carrier: Not Provided

Thanks: 0
Thanked 1 Time in 1 Post

Just heard this sad news. Very lucky, our staff is making every effort to patch the vulnerability; they are commendable. May our circle be more secure.
xxoo is offline  
The Following User Says Thank You to xxoo For This Useful Post:
EarlyMon (July 14th, 2012)
Old July 14th, 2012, 01:51 PM   #213 (permalink)
Member
 
Join Date: Apr 2010
Location: Western PA
Posts: 472
 
Device(s): GNex - LTE ........ Moto Xoom ........................ Droid Incredible ............... *no apples*
Carrier: Not Provided

Thanks: 71
Thanked 56 Times in 51 Posts

Quote:
Originally Posted by Unforgiven View Post
Have you checked that you have updated your credentials in any apps you use to connect to the forums (Official AF app, Tapatalk, or Forum Runner)? I had this happen to me.
Yup...that's it! I use the AF app on my Nexus and Xoom. I'll go change them both. Thanks for the heads up!


That said...why are these apps logging in when I haven't used either in the past few days? I don't have any notifications set...they are just quiet apps until I open them and start using.
veccster is offline  
Old July 14th, 2012, 02:25 PM   #214 (permalink)
The PearlyMon
 
 
Join Date: Jun 2010
Location: New Mexico, USA
Posts: 46,462
 
Device(s): M8, LTEvo, 3vo, and Shift - Evo retired
Carrier: Sprint

Thanks: 42,774
Thanked 57,265 Times in 23,020 Posts

Quote:
Originally Posted by veccster View Post
Yup...that's it! I use the AF app on my Nexus and Xoom. I'll go change them both. Thanks for the heads up!


That said...why are these apps logging in when I haven't used either in the past few days? I don't have any notifications set...they are just quiet apps until I open them and start using.
Bet you dollars to donuts that it tries to login before seeing that you don't want notifications. Maybe got an intent to wake up and run during installation or initialization or something that isn't removed when no notifications are selected.

My browser lights up GPS and then decides I've blocked location data.

Some things in Android are just coded backwards from the user point of view.

Could be wrong about the site apps, but I'll bet that's it until a dev says otherwise.
EarlyMon is online now  
Old July 14th, 2012, 02:46 PM   #215 (permalink)
Premium Member
 
 
Join Date: Jul 2010
Location: Dickson, TN.
Posts: 1,776
 
Device(s): M8, LG Ally Retired, BIONIC XT875 Retired, Nexus 7, Nexus 10.
Carrier: Verizon

Thanks: 306
Thanked 481 Times in 314 Posts

Is anyone else getting the feeling this thread may be reaching the end of being productive? I know the AF staff is in between a rock and a hard place as far as locking it goes, but maybe look into replacing it with a FAQ soon?
dautley is offline  
Last edited by dautley; July 14th, 2012 at 02:52 PM.
Old July 14th, 2012, 03:29 PM   #216 (permalink)
Senior Member
 
 
Join Date: Jun 2011
Location: Cleveland, Ohio, United States
Posts: 691
 
Device(s): Galaxy Note 3 Galaxy S4
Carrier: AT&T

Thanks: 18
Thanked 136 Times in 98 Posts

How did they get in? SQL injection? Remote code injection?
trparky is offline  
Old July 14th, 2012, 03:49 PM   #217 (permalink)
Junior Member
 
Join Date: Jun 2010
Posts: 19
 
Device(s):
Carrier: Not Provided

Thanks: 0
Thanked 0 Times in 0 Posts

No, these things don't just "happen". Admins put up with it because they know they are ultimately the ones who failed.

This is negligence on androidforums' part, and they are the real people to blame. Can you imagine if large bank websites were also this insecure and asked all their online customers to go change their passwords? Then... customers just saying... oh well, these things just happen.

There's the argument that user passwords should be complex enough for the hash not to be brute-force hacked; but, really, it should never get to that point.

I've lost complete respect for the person/people responsible for maintaining this website. Hopefully, they know better than to list androidforums.com on their resumes.


Quote:
Originally Posted by GirlFriday View Post
Thank you for the notification and quick response. Unfortunately these things happen. There is no such thing as a hacker proof site. I'm sorry there are so many lazy people on this site though. This thread would be only half as long if it weren't for the people who couldn't be bothered to read through the thread or search and asked "are passwords salted and/or hashed" over and over and who reported the "x amount of attempts to log in to my account what gives?" OVER and OVER. You admins must have the patience of saints to put up with it.
mkanet is offline  
Old July 14th, 2012, 04:00 PM   #218 (permalink)
Senior Member
 
 
Join Date: Feb 2010
Location: New Yor
Gender: Female
Posts: 2,556
 
Device(s): Samsung Galaxy S3
Carrier: Not Provided

Thanks: 134
Thanked 118 Times in 96 Posts

Just now hearing about this.
Sorry to hear about this but good to see a lot of effort being taken to rectify this situation.

I had to also change the password on my formspring. So many people being hacked these days.
carmendiva is offline  
Old July 14th, 2012, 04:18 PM   #219 (permalink)
Premium Member
 
 
Join Date: Jul 2010
Location: Dickson, TN.
Posts: 1,776
 
Device(s): M8, LG Ally Retired, BIONIC XT875 Retired, Nexus 7, Nexus 10.
Carrier: Verizon

Thanks: 306
Thanked 481 Times in 314 Posts

Quote:
Originally Posted by mkanet View Post
Can you imagine if large bank websites were also this insecure and asked all their online customers to go change their passwords?
Give me a break!!
Bank websites are hacked into all the time, just do a Google search Let me google that for you and see what you get, lol!

The big difference here is that at least AF told us in a timely manner.

If people are experiencing problems because of what happened or have questions about it then fine, but I have to wonder when AF is going to put their foot down on unfounded, uneducated, blanket statements such as this.
dautley is offline  
Last edited by dautley; July 15th, 2012 at 11:58 AM.
Old July 14th, 2012, 04:23 PM   #220 (permalink)
The PearlyMon
 
 
Join Date: Jun 2010
Location: New Mexico, USA
Posts: 46,462
 
Device(s): M8, LTEvo, 3vo, and Shift - Evo retired
Carrier: Sprint

Thanks: 42,774
Thanked 57,265 Times in 23,020 Posts

Quote:
Originally Posted by mkanet View Post
No, these things don't just "happen". Admins put up with it because they know they are ultimately the ones who failed.

This is negligence on androidforums' part, and they are the real people to blame. Can you imagine if large bank websites were also this insecure and asked all their online customers to go change their passwords? Then... customers just saying... oh well, these things just happen.

There's the argument that user passwords should be complex enough for the hash not to be brute-force hacked; but, really, it should never get to that point.

I've lost complete respect for the person/people responsible for maintaining this website. Hopefully, they know better than to list androidforums.com on their resumes.
How much money do people have on deposit with us?

Have you ever accessed any forum via secure http?

Where is the funding for this uncrackable forum software?

I respect your opinion but to compare an online friendly forum to a financial institution just seems a little over the top to me.

I do agree that this is all Phases fault though.

If he hadn't crafted and maintained such a mellow, fun, and informative hangout, this joint would have never grown to over a million members, and if the site had remained tiny, it probably wouldn't have been a target.

So, that part is Admin's fault.

I will agree that AndroidForums.com isn't up to the standards of the NSA or CIA, but neither are they so asleep at the switch upstairs, either.

In any case, I have advised that we get help from this security expert -

http://www.youtube.com/watch?v=RCUBxgdKZ_Y

But I don't think that the boss is going to go for it.
EarlyMon is online now  
Last edited by EarlyMon; July 14th, 2012 at 05:02 PM.
The Following 2 Users Say Thank You to EarlyMon For This Useful Post:
Prinny (July 14th, 2012), Slug (July 15th, 2012)
Old July 14th, 2012, 09:40 PM   #221 (permalink)
Senior Member
 
 
Join Date: Apr 2010
Posts: 758
 
Device(s): Galaxy Nexus, Droid Incredible (WiFi only)
Carrier: Not Provided

Thanks: 9
Thanked 185 Times in 107 Posts

Quote:
Originally Posted by veccster View Post
I received 37 login attempt failure notices this morning.

I had changed my password as soon as I saw this notice so I wonder...
Me too, about a dozen attempts today.
jikhead is offline  
Old July 14th, 2012, 10:09 PM   #222 (permalink)
The PearlyMon
 
 
Join Date: Jun 2010
Location: New Mexico, USA
Posts: 46,462
 
Device(s): M8, LTEvo, 3vo, and Shift - Evo retired
Carrier: Sprint

Thanks: 42,774
Thanked 57,265 Times in 23,020 Posts

Quote:
Originally Posted by jikhead View Post
Me too, about a dozen attempts today.
Do you use an app to access the forums?
EarlyMon is online now  
Old July 14th, 2012, 10:11 PM   #223 (permalink)
Senior Member
 
 
Join Date: Apr 2010
Posts: 758
 
Device(s): Galaxy Nexus, Droid Incredible (WiFi only)
Carrier: Not Provided

Thanks: 9
Thanked 185 Times in 107 Posts

Quote:
Originally Posted by EarlyMon View Post
Do you use an app to access the forums?
No, I just use the news app on my phone.
jikhead is offline  
Old July 14th, 2012, 11:00 PM   #224 (permalink)
Senior Member
 
 
Join Date: Aug 2010
Location: In front of my S3
Gender: Female
Posts: 2,459
 
Device(s): VZW GS3 4.0.4 Rooted, Droid Incredible (Retired) , Motorola Xoom 4.0.4 (Unrooted)
Carrier: Not Provided

Thanks: 607
Thanked 869 Times in 637 Posts

Quote:
Originally Posted by mkanet View Post
This is negligence on androidforums' part, and they are the real people to blame. Can you imagine if large bank websites were also this insecure and asked all their online customers to go change their passwords? Then... customers just saying... oh well, these things just happen.

There's the argument that user passwords should be complex enough for the hash not to be brute-force hacked; but, really, it should never get to that point.

I've lost complete respect for the person/people responsible for maintaining this website. Hopefully, they know better than to list androidforums.com on their resumes.
There are bank sites out there that limit your password to only 8 characters, with letters and numbers only. Nothing else.

I can attest with personal knowledge that yes, there are bank sites configured that contain multiple potential attack vectors just waiting for a good simple exploit.

I've had cell phone companies want to read my password to the first person who says they're me, whoever I call. All they would need would be my name and my cell number. From that the CSR would volunteer them my account password, which would allow them to log in as me, view my account and change anything.

I've worked on systems where our security has been extremely hampered by the need to interface to a mainframe. My heart crashes when I hear that we have to match the set of password parameters that the mainframe uses.

All these things and more we had. We had two-factor authentication, multiple domains separating each tier and long passwords changed on a 42-day basis. Hell, it would take me a day to update all my passwords on all the systems when I had to change.

You can have it more and more besides. But unless you're willing to pony up the huge amount of dollars for a ring-fenced, trip-wired, glass-breaking system, the bad guys are going to get in.

It's called life. You take a trip to work and use a car every day because it makes fiscal sense to you. Sure, you could go the whole hog and buy a Chieftain tank and probably be even more secure, but it wouldn't make any sense to do that.

Running a web site like AF requires a lot of decisions as to what should be utilized and where its P&L stands. If the ROI on the tank is high enough then I guess you're gonna be having fun every day grinding over those other schmucks who kept their car... Same with these guys - at what point do they say the cost of security is greater than the advantages of having it?

For what is essentially a fan site with little to no PII, I'd imagine the budget ain't gonna stretch for no tank...
Rachel A is offline  
The Following User Says Thank You to Rachel A For This Useful Post:
Unforgiven (July 14th, 2012)
Old July 15th, 2012, 12:28 AM   #225 (permalink)
Senior Member
 
 
Join Date: Apr 2010
Posts: 758
 
Device(s): Galaxy Nexus, Droid Incredible (WiFi only)
Carrier: Not Provided

Thanks: 9
Thanked 185 Times in 107 Posts

Is this the IP address everyone else is seeing trying to access your account?

[Redacted]
jikhead is offline  
Last edited by Xyro; July 15th, 2012 at 01:50 AM.
Old July 15th, 2012, 01:52 AM   #226 (permalink)
4 8 15 16 23 42
 
 
Join Date: Dec 2009
Location: UK
Posts: 12,264
 
Device(s): SGS3, Nexus 7, HTC Desire HD, HTC Hero (GSM)
Carrier: Orange

Thanks: 3,286
Thanked 7,686 Times in 4,019 Posts

Quote:
Originally Posted by jikhead View Post
Is this the IP address everyone else is seeing trying to access your account?

[Redacted]
That is the exact same IP that you just made that post from. A device on your network is responsible.
Xyro is online now  
The Following User Says Thank You to Xyro For This Useful Post:
EarlyMon (July 15th, 2012)
Old July 15th, 2012, 03:34 AM   #227 (permalink)
Junior Member
 
Join Date: May 2011
Posts: 16
 
Device(s):
Carrier: Not Provided

Thanks: 3
Thanked 0 Times in 0 Posts

Thanks for the update, admin!
MrAsian is offline  
Old July 15th, 2012, 05:57 AM   #228 (permalink)
Member
 
Join Date: Jul 2011
Posts: 198
 
Device(s):
Carrier: Not Provided

Thanks: 28
Thanked 60 Times in 28 Posts

Quote:
Originally Posted by wetbiker7 View Post
Whoever hacked AF got my password and tried to access my account. That sux man!
I see that you got it all figured out, which is great. I did want to say being a programmer myself who has implemented user databases with salted password hashes, it is very unlikely that the hackers will be able to figure out the stored passwords. Honestly, it wouldn't even be worth their effort unless it was for a person who they specifically targeted.

Of course, this does depend on the complexity of the salt somewhat. Does anyone know if the hackers may have been able to determine what the salt was?
Kamel is offline  
Old July 15th, 2012, 06:26 AM   #229 (permalink)
Senior Member
 
 
Join Date: Jun 2011
Location: Cleveland, Ohio, United States
Posts: 691
 
Device(s): Galaxy Note 3 Galaxy S4
Carrier: AT&T

Thanks: 18
Thanked 136 Times in 98 Posts

There is something that I'm involved with on the Internet that's been known to help stop exploits like this. It's kind of like a firewall/intrusion detection system for PHP scripts. It uses a series of rules to detect common exploit techniques used by hackers and has been known to stop SQL injection, cross-site scripting exploits, and remote code injection. It has been proven very effective in stopping the bad guys.

If you guys here want to know about it, contact me. I'll be glad to get you into contact with the lead developer.

When I was developing a site that stored passwords I remember making the password hash based on SHA512, with four pieces of random data along with the username and password as part of the data that's hashed.
trparky is offline  
Last edited by trparky; July 15th, 2012 at 06:29 AM.
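The two posts above (Kamel's on salted hashes and whether the attackers could "determine what the salt was", and trparky's on a SHA512 hash over random data plus the credentials) describe per-user salted password storage. The following is an added example written for this page, not code from any poster or from the forum software: it stores a random per-user salt in plain view inside the record, stretches the hash with PBKDF2-HMAC-SHA512, and contrasts the result with an unsalted digest. The record format and the iteration count are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Iteration count is a constructed choice for this example: it makes every
# guess against a stolen record cost this many hash computations.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is random per user and is stored in the record itself. It is
    not a secret; its job is to make identical passwords hash differently
    and to force an attacker to attack each record on its own.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha512${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the salt and iteration count stored in the
    record, then compare in constant time."""
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha512":
        raise ValueError("unsupported password record")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, int(iters))
    return hmac.compare_digest(actual, expected)


def legacy_unsalted(password: str) -> str:
    """Plain unsalted SHA512, shown only as the contrast case."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Two constructed users who picked the same weak password."""
    alice_pw = "correct horse"
    bob_pw = "correct horse"
    alice_rec = hash_password(alice_pw)
    bob_rec = hash_password(bob_pw)
    return {
        # Unsalted: one digest covers every user with that password, so a
        # single precomputed table or one cracked value exposes all of them.
        "unsalted_collide": legacy_unsalted(alice_pw) == legacy_unsalted(bob_pw),
        # Salted: two different records for the same password, even though
        # the salt is readable by anyone holding the record.
        "salted_differ": alice_rec != bob_rec,
        "verify_ok": verify_password(alice_pw, alice_rec),
        "verify_wrong": verify_password("Correct Horse", alice_rec),
    }


if __name__ == "__main__":
    print(demo())
```

Knowing the salt, which the attacker in this scenario must be assumed to have, does not recover the password; what it removes is only the ability to attack all users at once, and the iteration count is what makes each remaining guess expensive.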
Old July 15th, 2012, 08:56 AM   #230 (permalink)
New Member
 
Join Date: Jul 2012
Posts: 3
 
Device(s):
Carrier: Not Provided

Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by trparky View Post
There is something that I'm involved with on the Internet that's been known to help stop exploits like this. It's kind of like a firewall/intrusion detection system for PHP scripts. It uses a series of rules to detect common exploit techniques used by hackers and has been known to stop SQL injection, cross-site scripting exploits, and remote code injection. It has been proven very effective in stopping the bad guys.

If you guys here want to know about it, contact me. I'll be glad to get you into contact with the lead developer.

When I was developing a site that stored passwords I remember making the password hash based on SHA512, with four pieces of random data along with the username and password as part of the data that's hashed.

mod_security?
Atomic rules (or the whole ASL suite).

To me it's pointless to run any website with any kind of user base without mod_security rules. I'm sure they already would have that. :P Although I don't actually run any site without it, even if it has 5 hits, lol.

But even a WAF is not perfect. There is a lot more to security than just a WAF and a firewall: a secured kernel, disabling services that are known to cause issues, and even the hardware on the data center end, and keeping software up to date as well, of course. Even with as much knowledge as someone may have in security, there are always ways to improve or learn things. If you're not critical of the knowledge you have, you can never move forward and learn more. People that have good practices and are not egotistical about being secure are better off.

I'm new here, but I run some fairly high traffic sites. Personally I think how it was handled was pretty good. I mean, what really can they do after the fact? For anyone that runs a "server" themselves and thinks that security is something that isn't an everyday job, they don't know what they are doing, and the others complaining about the breach I assume are completely clueless. (They probably have one small site that no one will hack because it's pointless.)

For a site with low traffic, say 10K pageviews a month, you might have hundreds of attacks a month. If you get a million page views a month you are now in the 100,000 or more attacks per month. The bigger the site, the more of a target the site is, and the more likely you'll get hit eventually. It's really exponential. Best thing you can do is be on top of it with as much of the knowledge you have and keep learning and improving.
srpurdy is offline  
Last edited by srpurdy; July 15th, 2012 at 09:12 AM.
Old July 15th, 2012, 09:17 AM   #231 (permalink)
Junior Member
 
 
Join Date: Jul 2010
Location: Framingham, Ma
Posts: 43
 
Device(s): Nexus 7, Droid Razr Maxx, Motorola Xoom
Carrier: Not Provided

Thanks: 0
Thanked 1 Time in 1 Post

I too have started seeing a lot of false attempts to enter the site after I changed my password.
Bigdog999 is offline  
Old July 15th, 2012, 09:44 AM   #232 (permalink)
Junior Member
 
 
Join Date: Jan 2011
Posts: 50
 
Device(s):
Carrier: Not Provided

Thanks: 12
Thanked 4 Times in 4 Posts

I just happened to log in today and see this. (Yes, an email might have gotten me here sooner, but I understand that the admin staff was a bit busy.)

Many thanks to the staff who are obviously working hard on addressing both the problem itself *and* the multiple comments here.


I did want to mention one thing, which I wouldn't bring up except for the timing. The other day I got an email from Facebook that said:
"Your Facebook account was recently logged into from a computer, mobile device or other location you've never used before. For your protection, we've temporarily locked your account until you can review this activity and make sure no one is using your account without your permission."

The reason I'm mentioning it is that the email was sent on 7/11 in the morning. Yes, same password (although not any more!). Online, FB brought up a map where it says the IP was located, and showed a map of Japan. (Which is pretty far from the mid-Atlantic where I am.) I don't understand internet security or IPs at all, so that part may not be meaningful. I'm just passing it along in case it means anything to those of you tracking this down.
V.Lee is offline  
Old July 15th, 2012, 10:27 AM   #233 (permalink)
Member
 
 
Join Date: Aug 2011
Location: Pennsylvania
Gender: Male
Posts: 214
 
Device(s): ZTE Warp (Boost), Nexus 7, Acer A200, Motorola Droid X2, iphone4
Carrier: Boost

Thanks: 70
Thanked 32 Times in 25 Posts
Tony.g.hicks
Default

Still having problems related to the Phandroid forum app. I uninstalled and reinstalled, as suggested; still can't log in that way.
Thanks for all the rest. Love the forum.
Old July 15th, 2012, 06:33 PM   #234 (permalink)
GirlFriday (Junior Member)

Wow... rude and arrogant much?

Newsflash. Yahoo was hacked. Twitter was hacked. LinkedIn was hacked. Amazon was hacked. Sony was hacked repeatedly. The largest credit card payment processor in the U.S. was hacked. It happens to the big boys too. I am a webmaster for about half a dozen sites. It's not an easy job, and fighting hackers and spammers and idiotic script kiddies is quite a battle. There is no such thing as a hacker-proof website. Period. All webmasters can do is work hard to stay one step ahead. Hackers are always creating new ways to do things and new exploits. It never ends.

Get off your high horse.

Quote: Originally Posted by mkanet
No, these things don't just "happen". Admins put up with it because they know they are ultimately the ones who failed.

This is negligence on androidforums' part, and they are the real people to blame. Can you imagine if large bank websites were also this insecure and asked all their online customers to go change their passwords? Then customers just said... oh well, these things just happen.

There's the argument that user passwords should be complex enough for the hash not to be brute-force hacked; but, really, it should never get to that point.

I've lost complete respect for the person/people responsible for maintaining this website. Hopefully, they know better than to list androidforums.com on their resumes.
Old July 16th, 2012, 12:25 PM   #235 (permalink)
OKara (Junior Member)

Thanks for the heads up re the breach, guys. I just wish you could send an email out to everybody so we can get the changes done before further damage, if any.
I never share the same password across accounts, but I know many people do, and it would be important if everyone could change their passwords before attempts are made on other forums and websites.
All the best and keep on with the work.
Old July 16th, 2012, 03:24 PM   #236 (permalink)
jcash3 (Member)

I just received this email:

Android Forums noreply@androidforums.com, 12:14 PM

Dear jcash3,

Someone has tried to log into your account on Android Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: {mod removal}

All the best,
Android Forums

Being that I haven't logged on in a while... I wonder how many times they were in my account.
Last edited by NightAngel79; July 16th, 2012 at 03:48 PM. Reason: remove IP, admin/mods can still see it
Old July 16th, 2012, 03:27 PM   #237 (permalink)
Unforgiven

jcash, chances are you have an app on your phone trying to connect to AF. Update your login credentials on anything that connects (e.g. the official AF app, Tapatalk, Forum Runner, etc.) and it should take care of it.
Old July 16th, 2012, 03:31 PM   #238 (permalink)
jcash3 (Member)

Quote: Originally Posted by Unforgiven
jcash, chances are you have an app on your phone trying to connect to AF. Update your login credentials on anything that connects (e.g. the official AF app, Tapatalk, Forum Runner, etc.) and it should take care of it.

That IP address isn't the same as what is on my phone...
Old July 16th, 2012, 03:33 PM   #239 (permalink)
jcash3 (Member)

Not to mention I just got another notification saying the same thing. The only app that I have is the Phandroid app, and I don't have any login information saved in it.
Old July 16th, 2012, 03:36 PM   #240 (permalink)
Phases (Community Manager, Thread Author)

Uninstall the Phandroid App and see what that does..
__________________
Every forum should have a Phases.
Old July 16th, 2012, 03:39 PM   #241 (permalink)
jcash3 (Member)

Quote: Originally Posted by Phases
Uninstall the Phandroid App and see what that does..

Just did that, looks like that may be the problem. I opened the app and got another notification. Didn't know that it had saved my info.
Old July 16th, 2012, 03:41 PM   #242 (permalink)
Phases (Community Manager, Thread Author)

It's notorious for that bug. I expect you'll be good now.
Old July 16th, 2012, 03:42 PM   #243 (permalink)
Xyro

Quote: Originally Posted by jcash3
I just received this email:

Android Forums noreply@androidforums.com, 12:14 PM

Dear jcash3,

Someone has tried to log into your account on Android Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: (removed)

All the best,
Android Forums

Being that I haven't logged on in a while... I wonder how many times they were in my account.

You've posted from very similar IPs from Verizon in the past, so it's most likely you were assigned that at some point recently. I'm sure that it will be the same case for you as with everyone else before, that an Android app is to blame, so please check to make sure your apps have your updated password and then see if more emails arrive.

So far all cases of these login attempts have been users' own phones attempting to log in with old passwords.
Last edited by agentc13; July 16th, 2012 at 04:42 PM.
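The two mechanisms this exchange turns on are the lockout rule in the quoted email (five bad passwords, fifteen minutes locked, the source IP reported to the account owner) and the triage the staff did by hand (compare the reported IP with addresses the member has used before, since every case so far was the member's own phone retrying an old password). The following Python is an added example, not the forum's own code, that models both sides so the alert stream can be triaged automatically. The log format, the `FAILURE_WINDOW` for counting failures, the /24 and /64 "same network" heuristic, the member names and the sample addresses are all constructed for the example.

```python
"""Failed-login lockout plus triage of the resulting alerts (added example).

Models the behaviour described in the thread: lock an account after five
incorrect passwords for fifteen minutes and report the source IP, then
classify each alert by comparing that IP with the member's known addresses.
Everything below the two constants taken from the email is an assumption.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

MAX_FAILURES = 5            # bad passwords before lockout (from the quoted email)
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (from the quoted email)
FAILURE_WINDOW = 15 * 60    # assumed: only failures this recent count toward the threshold


def ts(text: str) -> float:
    """ISO-8601 timestamp text -> POSIX seconds (helper for log lines and tests)."""
    return datetime.fromisoformat(text).timestamp()


@dataclass
class LoginGuard:
    """Tracks failed logins per account and applies a temporary lockout."""
    failures: dict = field(default_factory=lambda: defaultdict(list))  # user -> [(ts, ip)]
    locked_until: dict = field(default_factory=dict)                    # user -> ts
    alerts: list = field(default_factory=list)                          # (user, ip, ts)

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, ip: str, now: float) -> bool:
        """Record one bad password. Returns True if this attempt triggered a lockout."""
        if self.is_locked(user, now):
            return False  # attempt is rejected before any password check; no new alert
        recent = [(t, i) for t, i in self.failures[user] if now - t <= FAILURE_WINDOW]
        recent.append((now, ip))
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.alerts.append((user, ip, now))   # what the email in the thread reports
            self.failures[user] = []              # counter restarts after the lockout
            return True
        self.failures[user] = recent
        return False


def triage_alert(alert_ip: str, known_ips: list[str]) -> str:
    """Classify an alert IP against addresses the member has been seen from.

    Assumed heuristic: the same IPv4 /24 (or IPv6 /64) as a known address suggests
    the member's own device or app retrying with a stale password, which is what
    the thread found in every case so far; anything else is queued for review.
    """
    addr = ipaddress.ip_address(alert_ip)
    for seen in known_ips:
        seen_addr = ipaddress.ip_address(seen)
        if seen_addr.version != addr.version:
            continue
        prefix = 24 if addr.version == 4 else 64
        if addr in ipaddress.ip_network(f"{seen}/{prefix}", strict=False):
            return "likely own device with stale credentials"
    return "unknown source: review"


def parse_line(line: str) -> tuple[float, str, str, str]:
    """Parse one constructed log line: '<iso-time> <EVENT> user=<name> ip=<addr>'."""
    time_text, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return ts(time_text), event, fields["user"], fields["ip"]


def process_log(log_text: str, known_ips_by_user: dict) -> tuple[LoginGuard, list]:
    """Feed failures through the guard; return it and the triaged alerts in order."""
    guard = LoginGuard()
    triaged = []
    for line in log_text.strip().splitlines():
        when, event, user, ip = parse_line(line)
        if event != "LOGIN_FAIL":
            continue
        if guard.record_failure(user, ip, when):
            triaged.append((user, ip, triage_alert(ip, known_ips_by_user.get(user, []))))
    return guard, triaged


# Constructed sample data: "alice" looks like a phone app retrying an old password
# from her usual network; "bob" is hit from a network he has never used.
SAMPLE_LOG = """
2012-07-16T12:10:01 LOGIN_FAIL user=alice ip=198.51.100.23
2012-07-16T12:10:03 LOGIN_FAIL user=alice ip=198.51.100.23
2012-07-16T12:10:05 LOGIN_FAIL user=alice ip=198.51.100.23
2012-07-16T12:10:07 LOGIN_FAIL user=alice ip=198.51.100.23
2012-07-16T12:10:09 LOGIN_FAIL user=alice ip=198.51.100.23
2012-07-16T12:10:11 LOGIN_FAIL user=alice ip=198.51.100.23
2012-07-16T12:12:00 LOGIN_OK user=carol ip=192.0.2.40
2012-07-16T12:15:00 LOGIN_FAIL user=bob ip=203.0.113.77
2012-07-16T12:15:02 LOGIN_FAIL user=bob ip=203.0.113.77
2012-07-16T12:15:04 LOGIN_FAIL user=bob ip=203.0.113.77
2012-07-16T12:15:06 LOGIN_FAIL user=bob ip=203.0.113.77
2012-07-16T12:15:08 LOGIN_FAIL user=bob ip=203.0.113.77
2012-07-16T12:26:00 LOGIN_FAIL user=alice ip=198.51.100.23
"""
KNOWN_IPS = {"alice": ["198.51.100.7", "198.51.100.19"], "bob": ["192.0.2.10"]}

if __name__ == "__main__":
    _, alerts = process_log(SAMPLE_LOG, KNOWN_IPS)
    for user, ip, verdict in alerts:
        print(f"{user}: lockout triggered from {ip} -> {verdict}")
```

The sixth attempt against "alice" is rejected while the lock is in force and produces no second alert, which is what keeps a misbehaving phone app from flooding the member with emails; the attempt after the lock expires starts a fresh count. The triage label is only a hint for whoever reads the alert queue: a "same network" match is the common stale-credential case the thread describes, while anything else is worth a human look, and the member should be told to update the saved password in every forum app in either case.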
Old July 16th, 2012, 04:02 PM   #244 (permalink)
jcash3 (Member)

Seems to have resolved my problem. Thanks for the help.
Old July 16th, 2012, 04:35 PM   #245 (permalink)
Xyro

Quote: Originally Posted by jcash3
Seems to have resolved my problem. Thanks for the help.

Glad to hear it.
Old July 16th, 2012, 08:31 PM   #246 (permalink)
rootbrain (Member)

The fact you stepped up to it and admitted the problem openly gives me confidence that you have and are doing what is necessary to prevent it from happening again.

Thanks for your diligence and HONESTY.

Quite refreshing....
Old July 16th, 2012, 11:23 PM   #247 (permalink)
GirlFriday (Junior Member)

Good grief! Take the time to read the darn thread or at least search it!!

Quote: Originally Posted by jcash3
I just received this email:

Android Forums noreply@androidforums.com, 12:14 PM

Dear jcash3,

Someone has tried to log into your account on Android Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: {mod removal}

All the best,
Android Forums

Being that I haven't logged on in a while... I wonder how many times they were in my account.
Old July 16th, 2012, 11:53 PM   #248 (permalink)
EarlyMon

Quote: Originally Posted by GirlFriday
Good grief! Take the time to read the darn thread or at least search it!!

It's ok.

We don't mind folks asking whatever they need or want to get this all sorted.

For everything else, there's always the trunk monkey.
Old July 17th, 2012, 01:49 AM   #249 (permalink)
chrisluger2012 (Junior Member)

Thanks for the hard work which you have done for US.
Old July 17th, 2012, 12:09 PM   #250 (permalink)
bris1112 (New Member)

The email account associated with my androidforums account was compromised on 7/11/12. I started to receive failed delivery status emails for those spam attempts from my account to dead email addresses.

I was notified of the spam by a person in my address book. Embarrassing.

I had not logged into the forum in some time and did so today at random. I agree with some of the previous posters that an email from this site informing me of the breach would have helped.
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.