Data compromised - please change your password

vbimport

#1

PLEASE CHANGE YOUR PASSWORD!

A user contacted me that our site showed up on leakedsource.com. It seems the recent hacks, which we countered seemingly without any negative effect, had the intention to compromise user data.

This means we join the ranks of many large sites (LinkedIn, Twitter, Hotmail, Gmail etc.) to which the same happened and I will take action immediately informing our users.

Information that they obtained is the following:

[ul]
[li]username,[/li]
[li]hashed password,[/li]
[li]email,[/li]
[li]register_date,[/li]
[li]last_login,[/li]
[li]birthday,[/li]
[li]ipaddress[/li]
[li]salt (used to enhance password protection)[/li]
[/ul]

Passwords are properly encrypted and criminals should normally not be able to obtain them. However, if they have a lot of computing power, no password will ever be safe, so it’s recommended to change it if you read this.

In general, don’t use the same password for multiple sites and change your password frequently!

Obviously, I’m very, very sorry that this happened, I will also take immediate action. I will ask our hosting company to make it impossible to write files in our forum directory (which we have before) so it’s no longer possible to upload the scripts we’ve seen during the hacks before. This is a temporary solution.

I will also ask them what additional measures we can take.

I will also speed up the migration to Discourse, this means that we’ll have to work with an unpolished version that will slowly be polished. vBulletin is simply too wide open to continue to use it (leaked source reports 939 vBulletin forums to be compromised). Unfortunately this can’t be done in a couple of days, and I will go on holidays next week.

Regarding the data that is stolen, the data has ended up in a billion user data file that is unfortunately sold by cybercriminals. More information can be found at: https://www.leakedsource.com. On this website you can also find whether your email address is listed because it was obtained by other hacks.

As other leaks have taught us, the hackers hope you use the same password on multiple services. Therefore it’s essential that you CHANGE YOUR (MYCE) PASSWORDS IMMEDIATELY and use different ones for different services.

Other possible consequences might be that you might receive additional spam messages to your email address and because they have your birthday this could be personalized to your birthday. So be aware.

Obviously we don’t take this lightly. It’s our responsibility to keep your data safe and we failed. I’m very upset about it and ashamed, but my feelings are the least important here, please make sure you change your password so you’ll be safe!

FAQ

Q: Why do I need to change my password if they are properly encrypted?
A: People often reuse passwords across sites. If the criminals that stole our data, or that from any other site, have sufficient computing power, they will be able to crack any password, however heavily encrypted it might be. Therefore, to be sure, please change it.

It is good behavior and recommended to use different passwords for different sites and to change passwords frequently.

Q: How can I delete my account?
A: Due to the nature of how forums work, we don’t delete accounts. To make sure you never hear from us again and to make sure your email can’t be compromised again, please log in and then change your email address to a non-existing one here: http://club.myce.com/profile.php?do=editpassword

Q: How can I check whether my e-mail was also compromised in other hacks?
A: Please visit Leakedsource.com and enter your mail address. They currently have a record of more than 1 billion stolen mail addresses.

Q: How could this happen?
A: Hackers use automated tools to scan for vulnerabilities. We use vBulletin which is pretty old. We already had additional patches in place to prevent hacks, which proved to be working for a long time. But apparently hackers found a new method.

Quickly after we were hacked, we detected it and removed all traces the hackers left. Unfortunately our data was already compromised back then. We didn’t know until we found out 2 days ago, when a user reported it to us as it appeared on leakedsource.com.


#2

Done, I’d rather not see anyone starting to troll around here impersonating me. I suggest you take the advice and change it, better sooner than later :flower:

And no worries JW, this is not your fault. You operate online and online sucks security-wise. You can only apply as much security as the server/software allows. A drag with the email of course, but since I am in charge of my own domains, hardly a loss - How old I am, well happy birthday… I never kept that hidden anyway :slight_smile:


#3

Done and completed…man when will this never end… lol :sad:


#4

VBulletin is like Swiss cheese…full of holes! :bigsmile:
IMHO, it all went downhill from v 4.0 and up…


#5

Nobody could ever impersonate me, I’m too perfect.


#6

After 13 years on the site…probably time for me to change password anyways…


#7

Thank you everyone for your (kind!!) responses. BTW, as I wrote before, we did detect a hack before (but we didn’t know they stole our data) and we decided to serve them an infinite download if they wanted to access the page they previously used to get in. As they probably use robots, we hope that brings some damage to their system :wink:


#8

Thanks, been using an old simple password here for years so time to change to something a bit harder to power through anyways. Haven’t detected any issues here so far.


#9

[QUOTE=CDan;2776018]Nobody could ever impersonate me, I’m too perfect.[/QUOTE]

I think the staff here would know and block the account if some regular suddenly starts to act strangely out of their context :bigsmile:


#10

[QUOTE=Xercus;2776024]I think the staff here would know and block the account if some regular suddenly starts to act strangely out of their context :bigsmile:[/QUOTE]

You mean as opposed to acting strangely [I]within[/I] context, as per usual? :smiley:


#11

If it weren’t for your sideways look at life DrageMester, this place would lack some features


#12

No one can impersonate me! I’m too kooky for anyone to even have the courage to try! I’m also mysterious and spooky. Did I mention I’m ooky?:eek::eek::cop::eek::flower::eek::confused::sad::eek::a:bigsmile::eek::eek::eek::eek::eek::eek:

Well, this breach certainly sucks. I’m going to need to smoke, now.

Why are you looking at me like that? You mean you need cigarettes to smoke? I thought everyone could smoke with their bodies! I suppose now you’re going to tell me you [I]don’t[/I] have an uncle who can produce electricity from his/her ears!:bigsmile::smiley:

BTW, you should put a news post on the website’s front page, so that everyone knows to update their passwords. At the moment, only people who visit the forum know about this unfortunate breach.


#13

done and complete. hope this would not happen again :frowning:


#14

Done, thank you Dom for the alert. :slight_smile:


#15

they’re going to have a hard time compromising mine lol. Random combo of Letters, digits and symbols rather long. Now it’s even longer ^^

Perhaps it’s time for you guys to look into a 2-factor authentication plugin, so even if they happened to know the exact password they’d still not get in.


#16

Done… thank goodness for Windows Credentials manager :wink:


#17

Changed.

The perils of being online.

:sad:


#18

After consulting with our web hosting company, we’ve sent out an email to our members that logged in within the last two years. Users that logged in yesterday will not receive an email (to prevent mixups), as they have seen the notification that brought the users posting here.

We’ve decided not to email everyone, because some accounts date from 1999 and/or are simply so old that people might consider our mails more spam than a warning.

I will also update the start post accordingly. Together with our web hosting company we’ve put up even more additional measures to strengthen security.


#19

I wanted to change my password anyway :iagree:


#20

[QUOTE=~KIPPER~;2776020]After 13 years on the site…probably time for me to change password anyways…[/QUOTE]

Exactly what I was thinking . . . not that I post a ton on here anyway, but still. :cool: