#141 | 23.01.2019, 16:56 | nigelr
Re: Englishforum security breach?

Quote:
I got an email from the admin team. Have you not received one?

No, and nothing when I logged in, but I may not be part of the breach even though my email address is on the list when I check the links that people have put up (but it isn't unique to the EF).

#142 | 23.01.2019, 17:13 | Ato

I found the email, in my junk folder. Sounds like something is being done, I'm no expert on these things though.

EDIT: Is it possible to have a prompt when signing in to change your password? It'd make it easier for those who don't check their junk folder.

#143 | 23.01.2019, 17:14 | Guest

Quote:
I got an email from the admin team. Have you not received one?

Nope (also nothing in spam folders)

Though if they are certain that this happened for example in 2009 (just an example) and they also are certain that after that initial breach no info has been leaking out due to this breach, there is no need to inform since I joined afterwards. However admins should know that a lot of people will not receive such an email, or will simply not read it, which is why a message should have appeared on the homepage.

Now don't get me wrong, I know this sucks majorly for EF. I've had my own sites, and just something simple like resetting all passwords will cost a significant part of all accounts to simply become void due to many reasons, but info received from them is simply too little and actions taken seem also too little. I once got a breach (noticed the same day), and we immediately put out a msg on the homepage with all we knew, we shut down the thing, and realising that our software was no longer safe enough for today's standards we shut down for two weeks to do a full transition to new software where members only could log in again after retrieving a new password in their mail, and I deleted all accounts that had not been active during the last 6 months. Also, after 3 months we deleted all account info we had on those accounts that never applied for a new password, losing almost another 3rd of all accounts (mind, those had all been active in the last 6 months before the breach). So: fresh start, new software, up to date security, and all fully open towards the members to see how we handled all.

Getting a breach is nothing to be ashamed of and can never be 100% prevented, but there is a certain level of safety to be expected by members, and it should also be dealt with in certain ways.

#144 | 23.01.2019, 17:16 | TypeR

I didn't get any notification from EF...

#145 | 23.01.2019, 17:16 | Guest

Quote:
I got an email from the admin team. Have you not received one?

Not sure how much it may have changed from what was posted here earlier, but for those who may not have seen it, here's the email text:

Quote:
DETAILS

On 13th and 15th January 2019 two members of English Forum reported receiving extortionist emails. These emails revealed their forum passwords written in clear text. The emails went on to threaten these users with blackmail and demanded payment via cryptocurrency.

In both cases the revealed passwords were old. This leads us to believe that a years-old copy of the membership database is circulating in the wild. Although passwords are stored in encrypted format (salted double-MD5 hash) it is possible that some weaker passwords from that leaked version of the database have recently been deciphered.

If you receive such an extortion email, DO NOT pay the ransom.

Instead, change your password. And if you used the same password on any other site, change it there too. It is best practice to use a unique password for each site.

All members are being emailed this security alert and urged to change their passwords. Accounts with unchanged passwords will be locked. Furthermore, all dormant accounts are being permanently deleted. A dormant account is defined as one which has not logged in for over a year and has never made a public post to the forum.

We have also submitted a "cross-border data breach notification" to the relevant GDPR authority, which in our case is "Datainspektion" in Sweden. We are currently working on upgrading our vBulletin forum software to the latest version. Although we do not know of any security hole in our server, the upgraded vBulletin version should close any unknown holes.

If you prefer to delete your account, please send a brief request by replying to this email. Your account and all personal data will be permanently deleted. Public posts of deleted accounts will remain online, but labelled as authored by "Guest". For other enquiries relating to data privacy and security on English Forum Switzerland, feel free to reply.

The timing of this incident suggests it might be related to the "breach of breaches" that was recently in the news. The headline from Wired was: "An astonishing 773 million records exposed in monster breach". From that article: "The breach claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked. It looks like a completely random collection of sites purely to maximize the number of credentials available to hackers. There are no obvious patterns, just maximum exposure."

To our knowledge no other websites from The Local have been affected.

#146 | 23.01.2019, 17:18 | Guest

Quote:
EDIT: Is it possible to have a prompt when signing in to change your password?

If you don't change it the account will be locked, so you'll be prompted to reset it the next time you try to log in.
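
The password handling that the alert email and the reply above describe (prompt for a change, then lock accounts whose password predates the alert), shown as an added example that is not the forum's or vBulletin's own code. The md5(md5(password) + salt) layout for "salted double-MD5", the lock cutoff date, the PBKDF2 work factor and the account values are assumptions or constructed.

```python
import hashlib, hmac, os
from datetime import datetime

ALERT_SENT = datetime(2019, 1, 23)  # day the alert email was posted in the thread
LOCK_FROM = datetime(2019, 2, 23)   # constructed cutoff; the thread gives no date
ROUNDS = 600_000                    # assumed PBKDF2-HMAC-SHA256 work factor

def legacy_hash(password, salt):
    """Assumed 'salted double-MD5' layout: md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def set_password(user, password, now):
    """Store a new password under a slow, salted KDF; this also ends the lock."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    user.update(scheme="pbkdf2", salt=salt.hex(), hash=digest.hex(), pw_changed=now)

def check(user, password):
    """Verify against whichever scheme the stored record uses."""
    if user["scheme"] == "md5x2":
        candidate = legacy_hash(password, user["salt"])
    else:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(user["salt"]), ROUNDS).hex()
    return hmac.compare_digest(candidate, user["hash"])

def login(user, password, now):
    """Return 'ok', 'denied', 'change_required' or 'locked'."""
    stale = user["pw_changed"] < ALERT_SENT
    if stale and now >= LOCK_FROM:
        return "locked"  # a pre-alert password no longer opens the account
    if not check(user, password):
        return "denied"
    return "change_required" if stale else "ok"

def demo():
    # Constructed account whose password predates the alert.
    user = {"scheme": "md5x2", "salt": "a1B", "pw_changed": datetime(2012, 5, 1),
            "hash": legacy_hash("old-password", "a1B")}
    before = login(user, "old-password", datetime(2019, 1, 24))
    after = login(user, "old-password", datetime(2019, 3, 1))
    # Reset (in practice via an emailed token) replaces the legacy record.
    set_password(user, "new unique passphrase", datetime(2019, 3, 2))
    fresh = login(user, "new unique passphrase", datetime(2019, 3, 2))
    reused = login(user, "old-password", datetime(2019, 3, 2))
    return before, after, fresh, reused
```

Because the lock is checked before the password, a correct but pre-alert password is refused after the cutoff, and the reset path is the only place a new hash is written.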

#147 | 23.01.2019, 17:21 | Treverus

I got the email this afternoon. The most obvious part:

Quote:
If you prefer to delete your account, please send a brief request by replying to this email. Your account and all personal data will be permanently deleted. Public posts of deleted accounts will remain online, but labelled as authored by "Guest". For other enquiries relating to data privacy and security on English Forum Switzerland, feel free to reply.

So if several users decide to get their accounts deleted will we lose the entire logic in 15 years of conversations?

This seems to be an extremely half-baked idea… and I don't think that's how GDPR works.

#148 | 23.01.2019, 17:24 | Guest

NVM, received the email 2 minutes ago.

And I am pleased by what I read.

Some things to the devs/admins though, at what date will accounts be locked when passwords are not to be changed? And will eventually locked accounts be simply deleted? And if so, up to what date can members approach staff to have their account unlocked (if possible)?

#149 | 23.01.2019, 17:29 | Village Idiot

Password changed. Please be careful with it.

#150 | 23.01.2019, 17:32 | Guest

Quote:
I got the email this afternoon. The most obvious part:

So if several users decide to get their accounts deleted will we lose the entire logic in 15 years of conversations?

This seems to be an extremely half-baked idea… and I don't think that's how GDPR works.

Thing is to comply they would else have to review how personal the username is and if info in postings should be seen as something that could help identifying who is behind that specific username.

Could be much work that nobody wants to do, what would be a better solution is if instead of guest the account would be stripped of all personal data and would be assigned a random greyed username or start numbering the guest accounts.

#151 | 23.01.2019, 17:35 | Tom1234

Quote:
I got the email this afternoon. The most obvious part:

So if several users decide to get their accounts deleted will we lose the entire logic in 15 years of conversations?

This seems to be an extremely half-baked idea… and I don't think that's how GDPR works.

It's already happened in some cases. A post from this afternoon

#152 | 23.01.2019, 17:40 | Guest

Quote:
It's already happened in some cases. A post from this afternoon

That must be an error somehow. (or due to unrelated issues)

#153 | 23.01.2019, 17:42 | Tom1234

Quote:
That must be an error somehow. (or due to unrelated issues)

What part of E-Bob's email did you not understand?

#154 | 23.01.2019, 17:49 | Guest

Quote:
What part of E-Bob's email did you not understand?

What part of Bob's email makes it logical that this happened?

Inactive accounts have been deleted, but this was not about an inactive account, and blocking accounts does not give them guest status. Besides that, why would they start blocking before a lot of us have not even gotten an email yet?

#155 | 23.01.2019, 18:00 | Belgianmum

Quote:
I got the email this afternoon. The most obvious part:

So if several users decide to get their accounts deleted will we lose the entire logic in 15 years of conversations?

This seems to be an extremely half-baked idea… and I don't think that's how GDPR works.

Quote:
What part of Bob's email makes it logical that this happened?

Inactive accounts have been deleted, but this was not about an inactive account, and blocking accounts does not give them guest status. Besides that, why would they start blocking before a lot of us have not even gotten an email yet?

The way I understand it is that the user in question (Meister) chose to use the option of deleting their account that was offered in the email we all received.

Last edited by Belgianmum; 23.01.2019 at 18:14.

#156 | 23.01.2019, 18:20 | Guest

Quote:
The way I understand it is that the user in question (Meister) chose to use the option of deleting their account that was offered in the email we all received.

An option I quickly overlooked.

Hint: Don't read/type in between cleaning, cooking and having the kid.

#157 | 23.01.2019, 18:29 | Tom1234

Quote:
The way I understand it is that the user in question (Meister) chose to use the option of deleting their account that was offered in the email we all received.

How did you work out it was Meister?

#158 | 23.01.2019, 18:30 | roegner

Quote:
Nope (also nothing in spam folders)

Nothing, and my email address is still valid.

#159 | 23.01.2019, 18:38 | Ouchboy

Quote:
It's already happened in some cases. A post from this afternoon

Someone got summerained??

#160 | 23.01.2019, 18:43 | nigelr

Quote:
The way I understand it is that the user in question (Meister) chose to use the option of deleting their account that was offered in the email we all received.

When you say "the email we all received" did only people active before a certain date get an email? I saw a post on this thread but no email....

All times are GMT +2.
Powered by vBulletin® Version 3.8.4