Capitalization is the difference between helping your Uncle Jack
off a horse and helping your uncle jack off a horse.
Sorry we didn't make this clear enough; we did email people to say we need them to change their passwords. We didn't feel it was right to email people and state "please change your password"; we felt it was right to force the change. We do appreciate all feedback and hope we don't need to do things differently if it happens again, but if it does we will
It's good of you to highlight this, my only concern lies with other vB (or similar) forums I signed up to years ago and used a generic password and haven't changed them in ages - is the hash / salt ok to presume these other forums are still reasonably secure?
Be Careful on the Internet! I ran and tackled a drive by mining attack today. It's not designed to do anything than provide fake texts (say!)
My advice is no, you cannot assume that. It's a bad idea to use the same password in multiple places, because although each hash will be different due to salt, if just one of them gets successfully cracked (say, weak password or simply enough time/effort put in), then a hacker can just try that extracted username/password combo in an array of other locations.
I think presuming anything is secure is a dangerous approach. It's a ballache but it does make sense to use different passwords for each site.
Consider that vB being so popular (historically, less so now) and the reluctance of many sites to update the code that has been heavily modified to suit their needs make it an attractive target for attackers.
Some exploits I have seen in the past have been absolute clangers and given pretty much full server access. Stealing the database is one thing, but grabbing encryption keys from config files, or even modifying code to grab credentials at the point of login make your salted hashed passwords that little bit less reliable, if they were even used in the first place. I've run a couple of large vB boards in the past and I seem to recall password hashing being optional in earlier versions.
Having said that, I actually do a similar thing to you: I have a "standard" password (and throwaway email aliases) that I'll use for most sites that don't hold any personal information. I have more secure (and unique) passwords for important stuff like email, PayPal, Hexus etc.
I'd say so long as you can guarantee your email, banking and anything that has personal or financial details on it is safe, then you should be fine - that's what these people are ultimately trying to get at. They have very little interest in logging in to your old forum accounts and posting videos of Rick Astley, and if they do it's not much effort to fix.
Good job Hexus on the way this was handled, it's always a bit gutting having to tell your users the bad news, but we all know the score. It happens and the worst thing you can do is try and cover it up.
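As an added illustration of the reuse point raised above (this is example code written for this thread, not anything from Hexus or vBulletin; the hashing scheme, salt sizes, password and wordlist are all constructed assumptions), the following shows why a per-site salt does not protect a password that is reused elsewhere: the two sites store different hashes, but cracking one leaked record recovers the plaintext, which then verifies against the other site.

```python
import hashlib
import secrets

# Assumed generic scheme for both sites: PBKDF2-HMAC-SHA256 with a random
# per-user salt. Iteration count kept low only so the demo runs quickly.
ITERATIONS = 1000
WORDLIST = ["password", "letmein", "hexus2016", "qwerty", "dragon"]  # constructed

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store(password):
    """What one site keeps in its users table: salt and hash, never the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify(record, candidate):
    """Constant-time comparison of a login attempt against a stored record."""
    return secrets.compare_digest(record["hash"], hash_password(candidate, record["salt"]))

def crack(record, wordlist):
    """Offline dictionary check against a single leaked record (returns plaintext or None)."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None

def demo(reused=True):
    """Compare a user who reuses one weak password with one who uses a unique one elsewhere."""
    pw_breached_site = "hexus2016"                      # constructed weak password, in the wordlist
    pw_other_site = pw_breached_site if reused else "correct-horse-battery-staple-42"
    site_a = store(pw_breached_site)                    # the breached forum
    site_b = store(pw_other_site)                       # an unrelated forum
    recovered = crack(site_a, WORDLIST)                 # plaintext recovered from site A's leak
    return {
        # Salting does its job: the two stored hashes are different...
        "hashes_differ": site_a["hash"] != site_b["hash"],
        "recovered": recovered,
        # ...but the recovered plaintext still logs in at site B if it was reused there.
        "works_on_other_site": recovered is not None and verify(site_b, recovered),
    }

if __name__ == "__main__":
    print("reused password:", demo(reused=True))
    print("unique password:", demo(reused=False))
```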
Must say I'm a bit shocked that even in 2016, the password reset process involves sending me an email with both my username and new password in plain text.
It's really disappointing that vB has so many security vulnerabilities. Hopefully HEXUS can switch to more secure software at some point.
XtremeSystems recently had a massive breach and lost years' worth of posts. Hexus do at least keep offline backups, right?
Obligatory XKCD moment:
http://www.xkcd.com/792/
Hmm, am I the only one who doesn't remember the email address used to register on Hexus?
Hi
Since receiving the email regarding the possible data breach a few days ago I have not been able to log into my account (Username: Kanoe) using my previous password and trying to trigger a password reset either via the link in the email I received or by the password reset from the FAQ section has not worked and I don't receive an email to enable me to reset the password.
Would an admin be able to help me get back into my account?
Kind regards
Kanoe