PLEASE CHANGE YOUR PASSWORD!
A user contacted me to say that our site showed up on leakedsource.com. It seems the recent hacks, which we countered seemingly without any negative effect, were intended to compromise user data.
This means we join the ranks of many large sites (LinkedIn, Twitter, Hotmail, Gmail etc.) to which the same happened, and I will immediately take action by informing our users.
The information that they obtained is the following:
- hashed password,
- salt (used to enhance password protection)
Passwords are properly encrypted and criminals should normally not be able to obtain them. However, if they have a lot of computing power, no password will ever be safe, so it's recommended to change it if you read this.
In general, don't use the same password for multiple sites and change your password frequently!
Obviously, I'm very, very sorry that this happened, and I will also take immediate action. I will ask our hosting company to make it impossible to write files in our forum directory (which we had before) so it's no longer possible to upload the scripts we've seen during the hacks before. This is a temporary solution.
I will also ask them what additional measures we can take.
I will also speed up the migration to Discourse. This means that we'll have to work with an unpolished version that will slowly be polished. vBulletin is simply too wide open to continue to use it (LeakedSource reports 939 vBulletin forums as compromised). Unfortunately this can't be done in a couple of days, and I will go on holiday next week.
Regarding the stolen data: it has ended up in a billion-user data file that is unfortunately being sold by cybercriminals. More information can be found at: https://www.leakedsource.com. On this website you can also check whether your email address is listed because it was obtained in other hacks.
As other leaks have taught us, the hackers hope you use the same password on multiple services. Therefore it's essential that you CHANGE YOUR (MYCE) PASSWORDS IMMEDIATELY and use different ones for different services.
Other possible consequences are that you might receive additional spam messages at your email address, and because they have your birthday, these could be personalized to your birthday. So be aware.
Obviously we don't take this lightly. It's our responsibility to keep your data safe and we failed. I'm very upset about it and ashamed, but my feelings are the least important here. Please make sure you change your password so you'll be safe!
Q: Why do I need to change my password if passwords are properly encrypted?
A: People often reuse passwords across sites. If the criminals that stole our data, or that of any other site, have sufficient computing power, they will be able to crack any password, however heavily encrypted it might be. Therefore, to be sure, please change it.
It is good behavior and recommended to use different passwords for different sites and to change passwords frequently.
Q: How can I delete my account?
A: Due to the nature of how forums work, we don't delete accounts. To make sure you never hear from us again and to make sure your email can't be compromised again, please log in and then change your email address to a non-existing one here: http://club.myce.com/profile.php?do=editpassword
Q: How can I check whether my e-mail was also compromised in other hacks?
A: Please visit Leakedsource.com and enter your email address. They currently have a record of more than 1 billion stolen email addresses.
Q: How could this happen?
A: Hackers use automated tools to scan for vulnerabilities. We use vBulletin, which is pretty old. We already had additional patches in place to prevent hacks, which proved to be working for a long time. But apparently hackers found a new method.
Quickly after we were hacked, we detected it and removed all traces the hackers left. Unfortunately our data was already compromised back then. We didn't know until we found out 2 days ago, when a user reported it to us as it appeared on leakedsource.com.