Hacked SDMB

Did they get only usernames and passwords?

Edit - just seen the announcement.

If I had to guess, I’d assume they got


There’s nothing else really to get except anything you might have in your profile and, of course, your posts.

edit: Link to relevant announcement.

I thought they tortured my Mama’s PIN from me when I registered.

So the passwords were hashed, but were they salted and hashed? And were they hashed with a cryptographically strong hash algorithm? Given the age of vBulletin in use here it wouldn’t be surprising to find out they were hashed without a salt and using md5. :rolleyes:

Changed my password, as suggested in the announcement. Otherwise, doesn’t really appear to be much to be worried about. The email address associated with my account here has a different password.

Same here. But, why would someone want to hack this message board, if there is not any financial or personal info stored here?

Nice, turns out I had an ancient Earthlink email address associated with my account. Maybe I’ll just leave it that way.

But is it the same as your Amazon email address/password or any other accounts across the internet?

Something nice about Amazon, though, is that anytime you change the shipping address you have to reenter your credit card number. It was annoying at first, but it makes sense.

Some people hack just for the fun of it. Just the challenge of beating someone’s security. Or to practise their skills before attacking some other site.

…or to grab a username/pswd combo and try it elsewhere.


Lots of people use the exact same username and password on pretty much every site they need a login for. The SDMB isn’t such a big deal, but their Gmail or eBay or Apple accounts might be.

So, any recent posts I made here that are factually incorrect, in poor taste, or contain embarrassing grammatical errors, I get to blame on the hackers, right?

I pity any other Amateur Barbarian out there who used my password. (My username is unique to this board, and the email is a disposable one.)

I would also like to know more details about exactly how the passwords were stored.

I too am interested in how the passwords were stored… are the admins looking to switch forum software instead? vBulletin is aging, and there are lots of new solutions out there.

My favourite by far is NodeBB (http://nodebb.org)

VB passwords are md5, but have been hashed and salted since at least 2006. The version SDMB uses was released at some point after April 2008.

On a tangent, how does the engine generate a new password when you request one? E.g. if you’ve forgotten your password, you can opt to have it reset, in which case Straight Dope emails you a new one. I assume it’s randomly-generated but could hackers “turn” the engine and make it send out passwords they choose?

Relevant thread: http://www.vbulletin.org/forum/showthread.php?t=178091

I see no reason why TPTB should divulge such info though. I trust that such discussion could go on for pages. Thanks to the admins for giving us a heads up.

I just got an email from the SDMB essentially saying the same thing as Ed’s post.
It has a phone number!
Does it ring in the Moderators’ Dungeon, or Fortress of Solitude or dungeon?