This Site Has Been Hacked

[JD_Racer_Dad]

My Identity Protection service just notified me that my exact password and email address from this site has been published.
I've changed mine. So this is not a question, just information for you.

Edit from staff: We have found this report to be simply new alerts from a 4 year old breach. More info, here.

 

[Mikestony]

Hello and thanks for the heads up!
What identity protection service are you using, Verizon's?

I'll ping @Phases also, but I'm sure he'll run across this

 

[Phases]

I'd be curious to hear more, I expect this is from the breach we had several years ago. People are still being notified about that to this day.

http://androidforums.com/threads/important-notice-security-breach.580371/

 

[JD_Racer_Dad]

I'm using several. Some because all my personal information has been taken to include SS, birth date, mother's maiden name, home town, ......
CSID and myIDcare are two of them.
Don't know that I would ever use Verizon for anything beyond their cell service, painful to deal with. Did I say that? Girn
OPM, OSD, UofMD are just three place my personal data has been known to have been taken from.
Then Target, Home Depot, Micheal's, and several others where my cards have been replace because they were taken. Just lucky I guess.
Because of those above, several of mine are provided free for 2 to 5 years. So I use all of them.
The Yahoo thing was 2014 and just announced. But seemed to be just passwords.

Anyway, I'm assuming not much damage to me here because I don't use this password anywhere else. Just thought I'd post a note when I got the notice that my information here had been published.

 

[JD_Racer_Dad]

I'd be curious to hear more, I expect this is from the breach we had several years ago. People are still being notified about that to this day.

http://androidforums.com/threads/important-notice-security-breach.580371/

I read some of that thread. Did you notify users by email or only the announcement by Forum?

 

[Phases]

I'd have to blow the dust off the whole thing to be sure.. but I believe announcements were on AF and Phandroid without a mass email. I believe that's addressed in the thread somewere from our owner (as to why he chose not to email) - and all passwords were forced to be changed. But I'd have to read through it all to be sure. That was a long time ago.. 3 or 4 years.. and I'm mobile at the moment.

 

[Unforgiven]

...I believe that's addressed in the thread somewere from our owner (as to why he chose not to email)...

Here it is...

Not sending a mass e-mail to the 1,000,000+ members was my decision. Contrary to many of the assumptions made in this thread, the decision was NOT made because we don't care about our members and don't want to create more support related questions/work. The entire decision was based on technical challenges.

Android Forums previously leveraged E-Mail in many ways, including registration verification and instant e-mail notifications. As the site grew exponentially, AF was sending out thousands and thousands of E-Mails every hour, and mail servers began to assume our site was sending out spam. After 6 months of dealing with mail serving blacklists that created humongous problems, we de-prioritized E-Mail so the site could function more smoothly.

A one-off E-Mail to 1,000,000+ users could have an incredibly negative impact on the site, instantly sucking us back into a hole that took quite awhile to climb out of. We've been researching solutions for our E-Mail woes but I can assure you, it's much easier said than done. It's much more complicated than writing an E-Mail, uploading the E-Mail addresses, and pushing a button. The potential consequences are numerous and far reaching.

Again, I want to reiterate that this was my personal decision. Please don't point the fingers at our staff of Admins, Mods, and Guides- they've brought these matters to my attention swiftly and have the interest of AF members at the absolute top of their priority list. In fact, they deserve a huge round of a applause at the amazing job they've done and continue to do.

If you'd prefer to boo, then those boos should be directed at me, but hopefully I've alleviated at least some of your concerns as to the reason we can't currently fulfill your requests. We'll continue to look for opportunities to improve AF and this E-Mail deficiency is certainly a sore spot for us. As always, you're criticisms and suggestions are welcomed and appreciated- they help us improve which is our everlasting goal.

Thanks to everyone for sticking with us through thick and thin!

 

[copland007]

I just got a notification also...

http://screencast.com/t/MTZefW1sBi8

 

[geost]

I got this notification from my OPM myIDCare as well. I was shocked and couldn't believe that this forum was breached and nothing was done about it. I immediately came to this forum right now and changed my password. Thanks for notifying us by EMAIL (yes I read the quote above but STILL). Even then, you guys should have taken precautions to invalidate our current passwords and require new ones to log into the site. Did you? Nope, apparently not because I just logged in with my hacked password. Thank a lot fellas.

 

[JD_Racer_Dad]

Here it is...

Thanks for the repost. If I'm reading it correctly emails were not sent which may be fine by it's self but a required password change would have been good. My old password still worked from before that hack referenced.
I have a bunch of site passwords which I'm sure you do as well and many I don't go back to for long periods of time. I use a different one for each. Many like this site don't have a lot of personal information so not as damaging if lost. All the same several over time have been hacked and have required a new password if nothing else when logging on after an event. Again my old password continued to work here.

In the hack world, some are just to cause damage here and now with little thought to long term. The ones of most concern are the ones with a long term focus, say 5 years or more. Steal and do not use for years, collect personal information from several sites (emails in common) and then after time has passed and an individual's guard is down use the information for personal damage or financial gain/damage. I know this from what has been taken of mine (not here).

Some sites require a password change periodically. Maybe a good idea here.

 

[wacktool]

Same here. Just woke up to this alert from my credit monitoring as well.

 

[Phases]

So the alert actually gives you the plain text password?

That would be an interesting and unfortunate turn of events, seeing how passwords were hashed and salted and rehashed.. quite the rainbow table would be needed..

Do let me know.

 

[JD_Racer_Dad]

So the alert actually gives you the plain text password?

No the alert is not secure. They have it and you can see it via a secure link process.

 

[Phases]

But you can actually see one way or another what the password is/was?

If we did not force password changes at the time.. I know we did for staff, we'd need to do it now.

Though, what would be gained by credentials on this site should take a back seat to what else could be done with them elsewhere. ESPECIALLY if one's email account on file uses the same password as the login here.

If passwords have been released..you would want to move fast to change passwords on all accounts out there that use the same, email and banking acounts first.

 

[Phases]

If you can indeed see the password itself either in the alert or via the secure link process please let me know. This would escalate the problem exponentially.

It'd be an quick action item for us, for AF itself, to expire all old passwords.. but the danger for users outside of AF would be increased so I'd want to talk to Rob about notifying old account holders that hadn't changed passwords since.. about this development.

Also bear with me please I'm in a low coverage area working on my phone.

Thanks,

 

[JD_Racer_Dad]

But you can actually see one way or another what the password is/was?

If we did not force password changes at the time.. I know we did for staff, we'd need to do it now.

Though, what would be gained by credentials on this site should take a back seat to what else could be done with them elsewhere. ESPECIALLY if one's email account on file uses the same password as the login here.

If passwords have been released..you would want to move fast to change passwords on all accounts out there that use the same, email and banking acounts first.

You did not force a password changes. Mine still worked.
The password is not in the alert. It's covered by ***. But they have/found it. I called previously to find out what the alert meant and what they recovered/found.
Yes a person should change all accounts that use the same email and password. I personally use a different password for all accounts.

 

[Phases]

I'm inclined to believe it's either the hashed passwords published OR plain text of easy or dictionary based passwords able to be found using rainbow tables that considered the vb hashing process. Which neither case is good, but we did know at the start that the hashes were accessed and could be published.

If they're being released as the plain text version I'd definitely like to know.

Sounds like we're not 100% sure. I wonder if Rob can inquire through the monitoring agency to find out.

 

[AZgl1500]

I am a moderator on a motorcycle forum. the host of that forum also hosts 1,198 other forums.

their host database was hacked and passwords stolen like a year or two ago????
then along comes a security alert from xyz security service, and OMG the IT folks go into a Super Panic Mode!!!

What ever will we do to be safe????? Let's close it all down, right now, yeah, that is the thing to do....

So, instead of putting up a notice on the forums for all of us to change our passwords while we could still access the forums, they decided instead to do two things:
1. they deleted every password on the entire host database..... several million users were instantly shut down....
okay, lots of folks have not updated their email addresses in years, even if they could remember what their password was.....

2. they set the forums up, yes, all 1, 199 forums to send out emails to all of the members "right now".....

This caused a huge flood of emails to email servers and they all decided that a DNS block was in effect, so they just shut down all email messages from the forums.... period!
​

step #1 blocked me and all other moderators from being able to get on the forums and start Damage Control. I was locked out for 5 days.....

step #1 has a backup plan to send you a new Password if you requested the forum to do so. Well, all of the email servers had put a block on our forum emails.... so, none of us ever received that new password email update, and that is assuming that your current email is the same that the forum has.

Step #2 was also a disaster, as most of our members could not even remember what email address they had used, much less what the password was that their browsers were "remembering" for them...

that nightmare is still having bad side effects, and it happened 5 months ago, maybe 6??
I have posted up my personal phone number in the "Bad Password" message, and I still get 3 to 5 calls a day to help folks repair their passwords.... that was the only way I could fix the mess created by a very bad decision.


IMO, just blanking out all passwords is the worst thing that can happen to a healthy forum. My forum has not recovered the activity that it enjoyed just 7 or 8 months ago... it is just a thin shell of its' former self.

.once you piss folks off that badly, they never come back.

Much better to just post up a notice: "Please change your password"

 

[geost]

But you can actually see one way or another what the password is/was?

If we did not force password changes at the time.. I know we did for staff, we'd need to do it now.

Though, what would be gained by credentials on this site should take a back seat to what else could be done with them elsewhere. ESPECIALLY if one's email account on file uses the same password as the login here.

If passwords have been released..you would want to move fast to change passwords on all accounts out there that use the same, email and banking acounts first.

Am I reading this correct that you force changed passwords for admins but NOT everyone else? If this is true then all I can say is wow. Clearly security is not important to androidforums, never mind the security of others who potentially use the same user/pw on other sites/forums. Regardless, this is the very first thing that should have been done when this breach occurred. Not just for admins... if that's the case.

As for the password, it is shown with asterisks. However, the username and email is visible. Asterisks or not, a breach is a breach. Our information is out there for hackers and script kiddies to play with it because of this site. Just because you don't believe our credentials will cause damage to AF doesn't mean it can't happen at all or anywhere else from your breach.

 

[watsonword]

My Identity Protection service just notified me that my exact password and email address from this site has been published.
I've changed mine. So this is not a question, just information for you.

Mine as well!!!

 

[Phases]

We do know the damages it can have outside AF. The entire point in hacker interest in sites like this is to get clues needed to get into accounts of more consequence. Email etc.

Do have a look at the announcments on AF and Phan a few years back when this happened.

I'm most curious if this is new or residual.

 

[Phases]

I've passed this info up to our owner and technical staff.

We need to determine if this is new info or this particular monitoring service is a bit behind on finding what has been out there a long time. (The haveibeenpawned website has been notifying people regularly for a long while now.)

Appreciate the heads up!

 

[tsh332]

Same notifications from MyID Care and CSID Identity Protection Services, my username and password from this site are being sold online. Would be nice for folks to have been notified the site was compromised as many users probably use a common username and password for multiple websites. Fortunately, I don't but many people do. It is irresponsible for any website not to notify registered users when this info is compromised.

 

[JD_Racer_Dad]

I am a moderator on a motorcycle forum. the host of that forum also hosts 1,198 other forums.

"

AZgl1500, sorry to hear about your situation. Two extremes are do nothing and over react as I think you might agree.
I just think a middle ground that some of the sites I frequent use is a reset when you attempt to log on periodically if you haven't changed yours on your own. Many sites of interest to users are not frequented regularly. Only when they have a question or problem. Like this one for many, when you first get your new phone or have a problem.
Me and my Sportster 880 use a couple bike sites as well. Hope you have a great day.

 

[KSmithInNY]

Checking in to say i too was notified (kroll - web watcher) last night that my email address and password from this website are available online. This doesn't seem like an old hack. Multiple people suddenly getting notified from different services at the same time is an indicator this isn't residual damage.