Notice: AnandTech Forums User Data Compromised

[Ryan Smith]

Hi gang,

We are investigating a potential data incident in the AnandTech Forum database. Based on the initial analysis, we believe that some (but not all) of our user names and other information may have been accessed. Our passwords in the database are encrypted and we currently do not have any reason to believe the incident resulted in those being revealed.

While we undertake the investigation and try to identify the scope and source of the incident, we would like to ask that our users change their passwords and to the extent that you use the same user name or email and password combination on any other sites, you should change your passwords for those sites too.

Purch, AnandTech, and the people who work here value your privacy and appreciate your loyalty to the site over the years. We want to say that we take this very seriously and are working hard to investigate and remedy any issues. We apologize for any inconvenience. If you have any questions or information, please leave a note in this thread or PM me. As we have updates on this, we will post them here.

-Thanks
Ryan Smith

Update: 06/24:

We are investigating a data incident with respect to the AnandTech Forums database. We believe that some of our user names and other information may have been accessed. Although our passwords in the database are encrypted, we believe that it is advisable to expire all the passwords in use prior to June 24th, 2016. Consequently, the first time that you go to log in to the AnandTech forums after June 24th, 2016, you will be asked to set a new password.

We also suggest that, to the extent that you use the same user name or email and password combination on any other sites, you should change your passwords for those sites too. Generally, it is advisable to not use the same username or email and password combination for multiple sites. We also encourage users to use strong passwords – that is, long passwords with a mix of upper-case and lower-case letters, digits, and punctuation marks. There are a number of excellent password managers out there that make it easy to generate and store these kinds of passwords.
Should you have any problems accessing your AnandTech Forums account (and since you wouldn't be able to post here), please email forumhelp@anandtech.com.

Best regards,
AnandTech Forums

 

[Ryan Smith]

And on a personal note, please, please, please use different passwords for different sites. There are a number of excellent password managers out there that make it easy to generate and store passwords. The rate at which sites get compromised continues to increase, and it is not safe to share passwords with multiple sites, least one gets attacked and used as a springboard to get into your account at others.

 

[brianmanahan]

dang, that sucks

good thing i use a separate password for ATOT

 

[Ryan Smith]

good thing i use a separate password for ATOT

And if you do use a separate password like that, then the silver lining here is that the impact is minimal. That only takes a single password change, and your AT Forums account is unlikely to be of value to anyone besides you.

 

[Platypus]

Please implement TLS, it's 2016.

 

[Krazy4Real]

Please upgrade the forum software.

vBulletin® Version 3.8.8 Alpha 1

 

[Subyman]

A few other message boards I'm a part of were breached recently. Seems to be going around. Thanks for letting us know.

 

[Jodell88]

I changed my extremely long password to an even better extremely long password.

 

[TwiceOver]

Any password manager suggestions? Chrome/Android. LastPass at $12/yr isn't bad, trying that now.

 

[Viper GTS]

http://www.howtogeek.com/240255/pas...lastpass-vs-keepass-vs-dashlane-vs-1password/

Lastpass has worked great for me for the last 5 years. Random 20+ characters for every site, no duplicates. I have no idea what any of my passwords are and stuff like this is essentially a non-event.

Viper GTS

 

[JEDI]

dang, that sucks

good thing i use a separate password for ATOT

I don't remember my password on ATOT.
its been years since I bought a new computer

 

[Markbnj]

Ryan, I'm really pretty disappointed in the forum announcement. Most of the mods received emails yesterday with their passwords included in clear text. How can the board management state that they have no indication passwords were revealed? Getting a dozen of them in email is a pretty clear indication. Further, unless you have customized vbulletin the passwords are not encrypted, they are hashed using the very weak md5 algorithm.

Bottom line: you have to consider the entire password database has been revealed and you should have forced a site-wide reset. The weak advice in the announcement does your users a disservice. As I reported to you yesterday an old PayPal account of mine that used the same creds as my account here was intruded into from China Tuesday evening, before I proactively changed the creds. I didn't even realize AT was the source until I received my own copy of the warning email with my own email address and forum password included.

This is not the right way to handle something like this, at all.

 

[Platypus]

I've been bitching about the horrible security this site has for forever and have been constantly ignored. Why isn't anyone listening?

 

[pcslookout]

dang, that sucks

good thing i use a separate password for ATOT

Same here.

 

[clamum]

Thankfully about five years back I finally got a password manager (KeePass) and use that in conjunction with Dropbox (previously a USB thumb drive) to manage my passwords and access them from anywhere, including my phone. So I've had separate, strong passwords for all sites which gives me a little more comfort in situations like this.

I just shake my head when I'll be signing up for an account at some site and the password requirement limits me to like 8 characters, some even disallowing special characters. In 2016, no less. Ridiculous.

 

[Ken g6]

I wonder if an old vBulletin site like this could be upgraded to use SHA256 instead of MD5? My password apparently wasn't cracked - it was too random for most crackers - but it probably could be with a little work. And I rather expect the site to be hacked again if no major upgrades happen.

 

[Markbnj]

I wonder if an old vBulletin site like this could be upgraded to use SHA256 instead of MD5? My password apparently wasn't cracked - it was too random for most crackers - but it probably could be with a little work. And I rather expect the site to be hacked again if no major upgrades happen.

This applies to vbulletin 4, but the site is running on 3.8.8 (alpha!).

https://blog.technidev.com/changing-vbulletin-4-its-password-hashing-to-use-bcrypt/

SHA256 is in the fast hash category, so although it has a long-ish key it's still relatively easy to brute force using modern GPUs. Any large site today really needs to be running pbkdf2 or bcrypt.

But since the owners here did not want to force a site-wide reset for an actual breach I suspect they would be even less motivated to do it in order to upgrade the hash algorithm.

Edit: here is a good overview for anyone that is interested.

https://crackstation.net/hashing-security.htm

 

[CuriousMike]

Has the hole been patched?

If I change my password, will the intruder simply come back and pull the new passwords?

I want to change my password, but only when it makes sense.

 

[CuriousMike]

https://crackstation.net/hashing-security.htm

Great article.

 

[Viper GTS]

Has the hole been patched?

If I change my password, will the intruder simply come back and pull the new passwords?

I want to change my password, but only when it makes sense.

Whether it has or hasn't you should change now to invalidate the (extremely public, readily accessible, no technical barriers whatsoever to access) data that is already out there.

Let me be blunt here:

You're an idiot if you don't change now unless you are extremely confident in your password. As in 20+ characters, randomly generated, and never, ever used anywhere else. If you don't meet every single one of those characteristics change your password.

Viper GTS

 

[Markbnj]

You're an idiot if you don't change now unless you are extremely confident in your password. As in 20+ characters, randomly generated, and never, ever used anywhere else. If you don't meet every single one of those characteristics change your password.

100% agreed, and almost nobody meets those criteria for feeling secure.

 

[pcslookout]

I already saw some of the mods usernames and passwords out there.

 

[CuriousMike]

My point is: If there is a hole that got my password... and I change my password with the hole still open... then they'll have another password.

 

[Crono]

Maybe the main site should think about hiring an IT security expert to both write for the site and also maybe fix and harden the forums against future attacks while they are here. I'm sure covering computer/network security would be useful going forward, anyway. With IoT, the increasing number of connected devices, and more powerful cracking/hacking tools, things will only get worse not better.

 

[Viper GTS]

My point is: If there is a hole that got my password... and I change my password with the hole still open... then they'll have another password.

Better that one guy have your new password than the entire world having your current one.

Viper GTS