Important Notice - Security Breach

Discussion in 'Site Updates & Announcements' started by Phases, Jul 10, 2012.

  1. TVictory

    TVictory Well-Known Member

    Each user has his/her own unique salt.

  2. Unforgiven

    Unforgiven ...eschew obfuscation...

    They are salted as well. This was mentioned by the forum admin earlier in the thread so I am just repeating what he said as I really don't know what that means. ;)

    Seems like peanuts to me. :D
  3. Xyro

    Xyro 4 8 15 16 23 42

    They were salted, yes.
  4. TVictory

    TVictory Well-Known Member

    Thanks for hitting up the reddit thread in /r/android.
  5. Xyro

    Xyro 4 8 15 16 23 42

    No problem :)

    I probably should have thought to post it there when I found /r/android a few days ago.
  6. Blacklight82

    Blacklight82 Well-Known Member

    Changed my password but someone tried 50 times (got 10 emails) to get into my account. Pathetic punk.
  7. Unforgiven

    Unforgiven ...eschew obfuscation...

    Check your phone for any apps that connect to the forum (Tapatalk, Forum Runner, or the official AF app) as they will keep polling the site under your old credentials. Log out of those apps and log back in with your new password.
  8. Xyro

    Xyro 4 8 15 16 23 42

    If you want to send us the IP from the emails, we'll be able to compare them to the IPs you've used to visit the site previously.

    Please send it via PM or by reporting your post though - it's highly likely that it's your own IP as Unforgiven explained.
  9. Blacklight82

    Blacklight82 Well-Known Member

    Done and done.
  10. wly

    wly Newbie

    If you guys really cared about security of your users, you would send out a mass email to every user with the information you provided in this post.

    I don't log in often and found out about this from Slashdot.
  11. droidsix

    droidsix Lurker

    Whoa! Take it easy...

    You obviously have no clue just how challenging it is to recover from a breach like this.

    They did an excellent job of getting this under control.
  12. Rootmepls

    Rootmepls Android Enthusiast

    Saw the news on Slashdot and came right over. Gave me time to change my sig on this site. Luckily I'm one of those people that uses a different password on every site so no worries.

    Keep up the good work!
  13. djb28

    djb28 Android Enthusiast

    Thanks for the warning and the info. The time spent to help us understand the threat and the possibilities is terrific. On the other hand, although I have changed my password, I am still getting an email box full of attempt emails, even still at 1 AM Friday. Someone is still trying to access.
  14. djb28

    djb28 Android Enthusiast

    I don't know if it helps, but the person who attempted to log in to my account has tried 18 times so far tonight. Each and every email says the same IP address from them. [Hidden]
  15. Xyro

    Xyro 4 8 15 16 23 42

    That IP comes within a range of myvzw (Verizon, I believe) addresses that you have regularly used to post here.

    Please check and update your outdated password on all of your forum-related apps, even if you don't think they're the culprit, and let us know if they stop.
  16. DenverRalphy

    DenverRalphy Android Enthusiast

    QFT. If I hadn't been reading Slashdot, it would have been a while before I learned about it. A mass email takes only a few moments to send out.
  17. DMC-12

    DMC-12 Newbie

    ^^This! Agreed. :-/
  18. xploited

    xploited Newbie

    Oh damn how much I hate you guys now.

    I only registered on these forums because of your "greed" policies - hiding info and download links from unregistered users.

    Not only do you lock up information posted on your forums (kudos to the android openness spirit), you also don't bother patching the forums against known exploits.

    But hey, thank you for leaking my info to spammers / thieves. Luckily I use separate passwords for public forums and my main sensitive accounts.

    And I find out about this from major news sites? I guess you didn't bother sending a mass email to your user list either.

    Lesson of the day - don't make people register if you are amateurs in security.
  19. El Presidente

    El Presidente Beware The Milky Pirate!
    VIP Member

    I'm sorry you feel that way, it obviously wasn't intentional and the admin and devs have done all they can to be as transparent as possible about what went on and what they've done to resolve.

    Fwiw, we're not the only site (Android or otherwise) that requires registration to view download links, it's not that uncommon. Likewise, we're not the only high profile site/organisation to be a victim of something like this and we most certainly won't be the last. As above, Phases and the rest of the team have done all they can to ensure everyone is fully informed of what went on and what they're doing to ensure something like this doesn't happen again.
  20. Crashumbc

    Crashumbc Android Expert

    Personally, I think you should ban the idiots posting stupid crap, like the few above me.


    A. HAVE NO UNDERSTANDING of computer security. It's like saying anyone that's ever had their car broken into is at fault. You can lock your car, use a security system, park in "safe" areas. It CAN still happen.

    B. Probably have been violated on a dozen forums, they just never knew because most admins don't have the balls to do the responsible thing and notify their user base (much less offer a detailed explanation).

    Again, Phases and others, you have my heartfelt thanks for doing the right thing. I feel bad for the crap you're getting.
  21. jbenham

    jbenham Android Enthusiast

    And done. :) Had 12 attempts on my account last night.
  22. jbenham

    jbenham Android Enthusiast

    I do not have Verizon or any other cell phone service.
  23. Xyro

    Xyro 4 8 15 16 23 42

    That post was directed at djb28, as he posted his IP too (although I edited it out).

    Did you PM the IP from your email to one of the other moderators to check? I didn't get it and don't see any reports from you.
  24. Pitamakan

    Pitamakan Android Enthusiast

    I have to agree that AF's public response to this was woefully inadequate. In order for people to hear about the breach -- and the need to change their password -- they've either needed to be regular visitors to the site, or regular readers of some of the tech sites. People who aren't in one of those categories are still unaware that they have a possibly-hacked password.

    AF has roughly a million registered user accounts at this point, and I think it's very safe to say that the strong majority of those accounts are currently inactive. That means that there are almost certainly several hundred thousand people out there who need to change their online passwords, but still haven't been notified of that yet.

    A mass e-mail is the only responsible action when something like this happens.
  25. mamawm

    mamawm Well-Known Member

    To those who are still receiving the emails about someone trying to access your account, PLEASE, PLEASE, go to Google Play and download the free app Network Info II. Once you launch it, touch IP at the top of the screen and it will obtain your external IP address. This is the IP address used by your internet service provider. You will most likely find that this is the same IP address trying to access your account.
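
The check described in this thread (comparing the IP in the failed-login emails against the address ranges an account has previously posted from) can be sketched as follows; this is an added example, not part of the original thread or the site's own tooling. The addresses are constructed from documentation ranges, and grouping by /24 is an assumption, chosen because mobile carriers hand out changing addresses within a range.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation ranges, not addresses from the thread).
KNOWN_LOGIN_IPS = ["198.51.100.23", "198.51.100.87", "203.0.113.5"]
FAILED_ATTEMPT_IPS = ["198.51.100.140"] * 3 + ["192.0.2.77"]

OWN_RANGE = "own-range"    # likely an app still polling with the old password
UNFAMILIAR = "unfamiliar"  # worth sending to the moderators by PM


def known_networks(ips, prefix=24):
    """Collapse previously used IPs into the /prefix networks containing them."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}


def triage(failed_ips, history_ips, prefix=24):
    """Count failed attempts per source IP and label each source.

    An exact-match comparison would miss a phone whose carrier address
    changed between sessions, so the source is matched against the
    networks the account has used before.
    """
    nets = known_networks(history_ips, prefix)
    report = {}
    for ip, attempts in Counter(failed_ips).items():
        addr = ipaddress.ip_address(ip)
        familiar = any(addr in net for net in nets)
        report[ip] = (attempts, OWN_RANGE if familiar else UNFAMILIAR)
    return report


if __name__ == "__main__":
    for ip, (attempts, verdict) in triage(FAILED_ATTEMPT_IPS, KNOWN_LOGIN_IPS).items():
        print(f"{ip}: {attempts} failed attempt(s), {verdict}")
```
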
