Englishforum security breach?

[3Wishes]

I don't know for sure, but I have a feeling that the message is still being tweaked before it is sent out.

Now that it appears the breach is from many years ago, to me there's less of a sense of urgency. I'd guess that the admins want to get the information right, determine how many accounts to deactivate vs notify, etc. before sending out a blanket email.

You lot have all changed your passwords by now and weren't waiting on the email, right??

[Clocker]

	Quote:	Editor Bob
	Furthermore, all dormant accounts, those which have not logged in since 01.01.17, will be permanently deleted. The posts from deleted accounts will remain published but labelled as authored by "Guest".

That will still leave a lot of 'dormant' accounts fully active and open to abuse. Surely this should be 'since 1.1.18' ??? ...

[robBob]

	Quote:	Editor Bob
	The following security notice is being distributed. In an abundance of caution, we will force a reset of all user passwords sometime during 16th/17th January 2019. All users will be emailed this security notice. Furthermore, all dormant accounts, those which have not logged in since 01.01.17, will be permanently deleted. The posts from deleted accounts will remain published but labelled as authored by "Guest". A small handful of dormant accounts will be preserved for historical community reasons.

Does this imply that I am doomed to end up someday being a guest and not a ghost?


And are all legends doomed to be guested away?

[me.anon]

	Quote:	Clocker
	That will still leave a lot of 'dormant' accounts fully active and open to abuse. Surely this should be 'since 1.1.18' ??? ...

In any case Mr Sean Connery has had a narrow escape. Since May 2016 his only posts have been on this thread. Or maybe this is an example of an account which has been hacked, and already in use by an imposter

But I guess it would be enough simply to clear the passwords of all 'dormant' accounts and to carefully scrutinize any request from the person claiming to be the owner for a new password, especially if the the "owner" also claims no longer to have access to the Email address associated with the a account (the latter not being a foolproof test though).

[Village Idiot]

	Quote:	robBob
	And are all legends doomed to be guested away?

Yes, that is my fear as well. Old conversations would lose so much of their richness if it was simply "guest" talking to "guest".

Slight tweak of the plans there.

Only accounts which have never posted, and have not logged in since 01.01.18 will be deleted. This is approximately 58,000 accounts.

Users who have one or more posts to their name will not be deleted, no matter how inactive they have since become.

The pruning should happen early this week.

[bigblue2]

very curious,

So how does deleting old accounts solve / sort / explain / help etc etc a security breach ??

sorry but it seems like EF are totally burying their heads and trying to deflect, given the mother company is based in the EU I think editor bob you should be taking things a tad more seriously.

It doesn't fix past breaches, but it reduces exposure going forward - both to the server and to the users. Your account can't be hacked if you don't have an account.

[bigblue2]

	Quote:	Editor Bob
	It doesn't prevent past breach. But it reduces exposure going forward - both to the server and to the users. Your account can't be hacked if you don't have an account.

please read back what you just posted out loud.

I often type a reply quickly then go back and fix the grammar and spelling moments after. Apologies for that.

Do you have anything helpful to add to the discussion?

	Quote:	bigblue2
	please read back what you just posted out loud.

....slowly

[bigblue2]

	Quote:	Editor Bob
	I often type a reply quickly then go back and fix the grammar and spelling moments after. Apologies for that. Do you have anything helpful to add to the discussion?

??? wow


OK, as soon as you where made aware of a potential breach a cpuple of things should have happened

1. EF taken off line while you installed the latest patches of everything
2. ALL accounts should be locked and emails sent with instruction on how to change your password to unlock your account.

these are fairly standard breach actions.

deleting old accounts??? seriously, whats the point? if they have the database and decrypted it then the horse has already bolted, they have your email, your (old*) password and your EF account details so the scam can still work.

stop pretending to do something and do something, or hire someone who can.

* maybe

And what is the plan besides deleting old unused accounts?

Has a notification even gone out in any way, or do only those that stumble upon these topics have awareness?

[k_and_e]

	Quote:	Editor Bob
	Slight tweak of the plans there. Only accounts which have never posted, and have not logged in since 01.01.18 will be deleted. This is approximately 58,000 accounts. Users who have one or more posts to their name will not be deleted, no matter how inactive they have since become. The pruning should happen early this week.

Would those be the accounts of spammers, of which all posts have been deleted?

[bigblue2]

How does this work?

[bigblue2]

check out some of these fines, just sayin


https://www.google.com/search?q=fine...hrome&ie=UTF-8

20,000 euro for a german forum
https://www.welivesecurity.com/2018/...ces-fine-gdpr/

got your attention yet?

[krlock3]

	Quote:	bigblue2
	OK, as soon as you where made aware of a potential breach a cpuple of things should have happened

As you say, please read what you posted out loud. I do like this new word cpuple!

[bigblue2]

	Quote:	krlock3
	As you say, please read what you posted out loud. I do like this new word cpuple!

it wasn't due to any typo or grammar issues of bob's post, more that it was just total b0ll0cks

[krlock3]

How many b0ll0cks?

A cpuple?

[Clocker]

	Quote:	Editor Bob
	Only accounts which have never posted, and have not logged in since 01.01.18 will be deleted. This is approximately 58,000 accounts. Users who have one or more posts to their name will not be deleted, no matter how inactive they have since become.

There are really 58'000 accounts with no posts? The forum can be read without even having an account. Why would 58'000 people create accounts but never post?

How many accounts are there with at least one post?!