Possible Security Breach at Mu-43.com

Discussion in 'Help and Feedback' started by Amin Sabet, Sep 11, 2013.

  1. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    As some of you know, our sister site SeriousCompacts.com was hacked yesterday due to a vBulletin forum software exploit. That security hole has been addressed, this site does not appear to have been hacked, and I am not aware of any breach of our database, member emails, or passwords.

    However, the fact that they hacked another forum on the same server means that it is possible that they somehow accessed secure information for this forum as well. Anyone who has set up an account here is encouraged to change their password both on this site and also on any other website that uses an identical or similar password.

    I apologize for this breach of security and will continue to do my best to prevent things like this from happening.
     
    • Like x 4
  2. Narnian

    Narnian Nobody in particular ...

    Aug 6, 2010
    Midlothian, VA
    Richard Elliott
    Thank you for being up front about it - knowledge is the best security. I don't blame you, just the bad guys.

    I finally got around to changing all of my passwords to be different and encourage others to do the same. It is less convenient but definitely more secure as I only have one password to change now instead of 60.

    One way to manage it is to use password management tools such as LastPass.
     
  3. Lawrence A.

    Lawrence A. Mu-43 All-Pro

    Mar 14, 2012
    New Mexico
    Larry
    How do you change your password? Maybe because I'm on a new tablet, I cannot see how to do it.
     
  4. Narnian

    Narnian Nobody in particular ...

    Aug 6, 2010
    Midlothian, VA
    Richard Elliott
    Click on the User Control Panel link, "User CP" above in the second toolbar.

    You will then see menu options on the left side of the screen, including "Edit Email and Password". It works on my iPad.
     
    • Like x 1
  5. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    • Like x 1
  6. Amin Sabet

    Amin Sabet Administrator

    Apr 10, 2009
    Boston, MA (USA)
    Unfortunately I had to uninstall vBSEO to improve site security, which means that our new Thanks button is gone and along with it all the thanks that were given since the switch :(.
     
    • Like x 3
  7. RobWatson

    RobWatson Mu-43 Hall of Famer

    Good! I was turning into a thanks whore ...
     
    • Like x 6
  8. hazwing

    hazwing Mu-43 All-Pro

    Nov 25, 2012
    Australia
    oh no! Lost all my thanks :)
     
  9. digitalandfilm

    digitalandfilm Mu-43 All-Pro

    Jul 18, 2011
    It's a "thankless" job- but someone has to do it.
     
    • Like x 4
  10. Just Jim

    Just Jim Mu-43 Top Veteran

    941
    Oct 20, 2011
    ...nice one!
     
    • Like x 1
  11. koehntopp

    koehntopp New to Mu-43

    5
    Jan 7, 2013
    This is a good time to remind people to use a password manager like http://lastpass.com or 1Password, which helps in so many ways:

    - it makes a change like this a 10 second exercise, including generating a new strong password and distributing it to all your browsers

    - it helps you picking the same password as on other sites because it's so hard to remember separate ones.

    Frank.
     
    • Like x 1
  12. Lawrence A.

    Lawrence A. Mu-43 All-Pro

    Mar 14, 2012
    New Mexico
    Larry
    Boooooo!
    Good job!
     
  13. Lawrence A.

    Lawrence A. Mu-43 All-Pro

    Mar 14, 2012
    New Mexico
    Larry
    Thanks. Once on a real computer it was easier. I'm new to the tablet world, although the Surface is very handy. (It's been trashed, but I returned both an Android machine and an iPad, and like the Surface much better. A very personal preference.)
     
  14. zpierce

    zpierce Super Moderator

    661
    Sep 26, 2010
    Minneapolis, MN
    Zach
    What hash algorithm do the sites use for the passwords?
     
  15. Promit

    Promit Mu-43 All-Pro

    Jun 6, 2011
    Baltimore, MD
    Promit Roy
    I am not a security professional, but I have friends who are. Do this. Do this, and use distinct randomized passwords for everything across the web. Security breaches are common, but this will dramatically limit the damage. Sites will be compromised, all the time. Just takes one idiot running a web server with unhashed or poorly hashed passwords to expose your entire digital life when you share passwords.
     
  16. BrittonPatrick

    BrittonPatrick  

    9
    Sep 2, 2013
    new york city
    this is really a bad happening and thinking upon the security and hacking as both are trying to be best from each other and both remains short at times
     
  17. beanedsprout

    beanedsprout Mu-43 Veteran

    429
    Apr 13, 2013
    north central Ohio
    Oh brother
     
  18. caimi

    caimi Mu-43 All-Pro

    Apr 13, 2012
    middle US
    Caimi caimiphotography.com
    Why can't I post pictures?

    Since your security breach I cannot post pictures from my gallery to a forum. May be a coincidence but I never had this problem before. How do I fix it?
     
  19. luiztakei

    luiztakei Mu-43 Regular

    106
    Dec 13, 2012
    Luiz
    That's a good question. Does anyone know what algorithm is used?

     
  20. Promit

    Promit Mu-43 All-Pro

    Jun 6, 2011
    Baltimore, MD
    Promit Roy
    The forum software is vBAdvanced, which apparently uses two rounds of md5 with a salt, specifically $hash=MD5(MD5($password)+$salt). So that's fairly poor, not quite as bad as a single step MD5 but highly vulnerable all the same.
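
Added example, not part of the thread and not the forum software's own code: the scheme quoted in the post above, next to one way an administrator could harden already-stored hashes without waiting for every member to log in, by wrapping each stored value in a slow key-derivation function. It goes slightly beyond the post by showing that migration; the hex encoding of the inner digest, string concatenation for "+", the row field names, and the PBKDF2 parameters are all assumptions made for this sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def legacy_hash(password: str, salt: str) -> str:
    """MD5(MD5(password) + salt) as quoted in the post (hex inner digest assumed)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def wrap_legacy(legacy_hex: str, wrap_salt: bytes) -> bytes:
    """Stretch an existing legacy hash with PBKDF2; the password is not needed."""
    return hashlib.pbkdf2_hmac(
        "sha256", legacy_hex.encode(), wrap_salt, PBKDF2_ITERATIONS
    )


def migrate_row(row: dict) -> dict:
    """Replace the stored fast hash with its slow wrapper; the bare MD5 is dropped."""
    wrap_salt = os.urandom(16)
    return {
        "user": row["user"],
        "legacy_salt": row["salt"],  # still needed to recompute the inner hash
        "wrap_salt": wrap_salt,
        "wrapped": wrap_legacy(row["hash"], wrap_salt),
    }


def verify(password: str, row: dict) -> bool:
    """Recompute legacy hash, wrap it, and compare in constant time."""
    candidate = wrap_legacy(
        legacy_hash(password, row["legacy_salt"]), row["wrap_salt"]
    )
    return hmac.compare_digest(candidate, row["wrapped"])


# Constructed sample row standing in for one record of a user table.
OLD_ROW = {
    "user": "example_user",
    "salt": "a1B",
    "hash": legacy_hash("correct horse", "a1B"),
}

if __name__ == "__main__":
    new_row = migrate_row(OLD_ROW)
    print(verify("correct horse", new_row), verify("wrong guess", new_row))
```

After migration a stolen table no longer contains a value that can be tested at MD5 speed; each guess costs the full PBKDF2 work factor.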