Problems accessing forums?

[DR]

Dear All,


Firstly, this is one of those posts you never plan to do, but we feel it ss important to update everyone and protect as best we can.

We have sent notifications to all members who have been active in the last 6 months to notify them that they need to change their password because of a security leak due to a series of vulnerabilities in vB, some of which have been of a high severity over the past few months. We have been patching these, but as a high-traffic site there’s always an increased risk, and we want to protect all users and admins the best we can.

Whilst the vB passwords are salted and hashed, and are safely stored, we recommend users choose strong passwords, as these security methods are weakened by common, short, or simple passwords.

Please be vigilant against fake/phishing emails going forwards; we rarely email people on the forums and we would never ask for your username or password. If you are not sure if the email is genuine, please, of course, double check.

We wanted to be transparent with you - the only information which we believe the latest attack could have taken is email, IP, and salted/hashed password.

We want to apologise for any inconvenience caused, and we wanted to notify you as soon as information has come to light in order to protect you.

The forums are fully patched and secure per vBulletin’s guidelines, and we are keeping an eye on things.

Thanks

David

[Nifl]

Yeah, I noticed that my login data seems to have appeared on some internet database for hacked data and that I got targeted by port scans a lot a while ago <_<
Getting hacked at some point is unavoidable for bigger websites. Making sure people are aware of that reality and telling them if something happens is what's important.

[Rob_B]

So to be clear, there HAS been a data breach or there *might* have been and if so you *think* they could only access email/ip/salted PW ?

[DR]

So to be clear, there HAS been a data breach or there *might* have been and if so you *think* they could only access email/ip/salted PW ?

We have seen reports of some data having been taking, and that said data is the later, but we are not prepared to try and only reset those we can confirm have had information lifted, so we have taken action across all logins.

[Guy]

Thanks for the transparency David.

Having worked trying to keep a VBB forum running a few years ago I know what it can be like.
No arguments from me on acting first and asking for forgiveness after!

[watercooled]

Phew that's a relief - I thought it was just my account, so thanks for the sticky!

It also reminded me that I still have my account tied to an old ISP email address, which I can thankfully still access but thought I'd finished migrating from. Good job this reminded me then!

[maddocks2379]

Thanks for the Email, is this all Vb forums or selected ones? just wondering if i should change my password on other Vb and warn users there


EDIT: my first post after joining 4 years ago.... lol, i've been lurking all this time and i was sure i'd posted

[DR]

Thanks for the Email, is this all Vb forums or selected ones? just wondering if i should change my password on other Vb and warn users there


EDIT: my first post after joining 4 years ago.... lol, i've been lurking all this time and i was sure i'd posted

We don't know who else has had the same issue, obviously thats forum specific

[watercooled]

It seems I've lost my picture and my posts are waiting for moderation on other threads - are just playing it safe to guard against account hijacks or have I broken something?

[chinf]

I didn't receive any notification (and I still don't see any), so the first I knew was when my login state was cleared and my subsequent login attempts were rejected. As I use a password manager, I knew my password was correct, so was worried about my account being compromised and password changed by malicious act. Glad it turns out it wasn't, but still I wonder if anyone else failed to receive notice?

[edit: Sod's Law - within one minute after posting I receive the notification via email...]

[peterb]

Phew that's a relief - I thought it was just my account, so thanks for the sticky!

It also reminded me that I still have my account tied to an old ISP email address, which I can thankfully still access but thought I'd finished migrating from. Good job this reminded me then!

It seems I've lost my picture and my posts are waiting for moderation on other threads - are just playing it safe to guard against account hijacks or have I broken something?

I have reset your account to its correct status; it was showing as moderated.

If you haven't already done so, reset your password.

All your posts should now be visible.

[The Hand]

Thanks for the heads up DR, I've had the same password since 2004, so it's about time I changed it. lol

[aramil]

Thanks for the heads up

~password reset

[TheAnimus]

Obviously the right choice, hopefully the hashing function is a good one!

One little thing, the reset email gives you a new password, not a one time token. So it's really important that users should change it, but it doesn't force that.

[peterb]

Thanks for the Email, is this all Vb forums or selected ones? just wondering if i should change my password on other Vb and warn users there


EDIT: my first post after joining 4 years ago.... lol, i've been lurking all this time and i was sure i'd posted

Given the quality and vigilance of the HEXUS team, it's probably safe to say that if there are vulnerabilities that HEXUS hasn't caught, they are likely to exist in other VB installations, so it would be prudent to change the passwords on those too.

[DR]

Obviously the right choice, hopefully the hashing function is a good one!

One little thing, the reset email gives you a new password, not a one time token. So it's really important that users should change it, but it doesn't force that.

Yep it's a standard vB trigger, we didn't want to get involved with Tokents as it could create more headaches