Have no idea if it has to do with the hacking, but I ran both my anti-virus & my two malware softwares (HitmanPro & Malwarebytes) and they found a ton of crap all over my main computer…the one I use 80% of the time on the SDMB.
I run them something like twice a week – one is on a schedule – and normally they find nothing, or one or two intrusions.
Good thing I actually checked my mail yesterday. It was probably best that I change my p/w anyway, since 12345 wasn’t very secure. (Now it’s 12345678.)
You don’t think they have all of our personal info already?
It is as though you have the ability to read my mind! Clearly the renown in which your name is held for great wisdom is well deserved, and there can be no doubt that you possess vigorous sexual prowess as well.
The board has 155,983 members of whom 6,826 are active. The point being that posters you see are probably not representative of the wider database. Figure 5% have bad security practices (conservative estimate, I would say) and 5% of those can be breached by a lazy hacker. 155983*.05*.05 = 390 vics. Score an average of $2000 from each and that’s $780,000 gross. If the hacker can skim 20% of that (for much of the hacking might be done by subcontractors or clients), that’s $156,000. So the incentives are there, especially in countries that turn a blind eye towards such conduct.
After first, second and third cuts on the data, the hacker’s clients could attempt reputational attacks, but only if the humor gods are willing.
To put all this in perspective though, Cupid Media once had 42 million passwords stolen.
You know, with something like this, you might want to send out PMs and/or emails. There may be a lot of people who only come around every once in a while, which means their accounts will be vulnerable longer.
An ideal situation would be to lock out all the accounts but send emails with links/codes that will unlock them. But I doubt vBulletin is set up to handle that out of the box.
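The lock-everyone-out-and-mail-an-unlock-link scheme suggested above, as an added worked example in Python (this is not code from the thread and not vBulletin code). The store is an in-memory dictionary, the 24-hour link lifetime, the 12-character minimum for the replacement password and the e-mail addresses are all assumptions; the points it demonstrates are that only a hash of the unlock token is stored, the token is compared in constant time, it is single-use and it expires:

```python
"""Forced lockout with single-use, expiring unlock tokens sent out of band."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600      # assumption: unlock links are valid for one day
PBKDF2_ITERATIONS = 200_000        # assumption: cost factor for the new password hash
MIN_PASSWORD_LENGTH = 12           # assumption: reject "12345678"-class replacements


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a second leak of the database does not hand out live links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AccountStore:
    def __init__(self, clock=time.time):
        self._clock = clock              # injectable so expiry can be exercised in tests
        self.users = {}                  # username -> record (constructed in-memory store)

    def add_user(self, username: str, email: str) -> None:
        self.users[username] = {
            "email": email, "locked": False,
            "token_hash": None, "token_expires": 0.0,
            "salt": None, "password_hash": None,
        }

    def lock_all_and_issue_tokens(self) -> dict:
        """Lock every account; return {username: (email, token)} for the mailer.

        The plaintext token exists only in this return value; the store keeps its hash."""
        outbox = {}
        for name, rec in self.users.items():
            token = secrets.token_urlsafe(32)          # 256 bits of randomness
            rec["locked"] = True
            rec["token_hash"] = _hash_token(token)
            rec["token_expires"] = self._clock() + TOKEN_TTL_SECONDS
            outbox[name] = (rec["email"], token)
        return outbox

    def can_log_in(self, username: str) -> bool:
        rec = self.users.get(username)
        return rec is not None and not rec["locked"]

    def unlock(self, username: str, token: str, new_password: str) -> bool:
        rec = self.users.get(username)
        if rec is None or rec["token_hash"] is None:
            return False
        if self._clock() > rec["token_expires"]:
            return False
        if not hmac.compare_digest(_hash_token(token), rec["token_hash"]):
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False                 # token not consumed; user may retry with a better one
        rec["token_hash"] = None         # single use
        rec["token_expires"] = 0.0
        rec["salt"] = secrets.token_bytes(16)
        rec["password_hash"] = _hash_password(new_password, rec["salt"])
        rec["locked"] = False
        return True

    def verify_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None or rec["locked"] or rec["password_hash"] is None:
            return False
        return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["password_hash"])
```

A 256-bit token cannot be guessed online, but the unlock endpoint should still be rate-limited, and the link must only ever go to the address already on file, never to one supplied in the reset request.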
Password cracking is better than ever. Each time a site with unencrypted passwords gets cracked, password crackers not only have more possible passwords to try, but also learn various ways people generate passwords. Biblical quotes, pithy sayings, musical verses, Wikipedia articles, etc. The hackers know all the tricks. It’s like those who hide their jewel safe behind the big picture in the bedroom. “No one will ever look there!” Right.
Hackers know people repeat account names and passwords. Your account here may also be similar to your email account (Google or Yahoo maybe?) with the same password. Maybe they’ll try Amazon and Facebook. Maybe some big bank. Wonder if you have an account at Bank of America or CapitalOne.
That’s why passwords should be long, random, and unique for each and every site. If the hackers crack one, they don’t have access to your other accounts. Of course, I have 200+ accounts stored in my password manager. You think I can remember 200+ account names and passwords. I can barely remember my name before I have coffee.
I have a lot of complicated and hard to guess passwords for financial accounts, email accounts, etc. and use a password manager. There was a time I would log in with the same account and password, but throughout the last few years, I’ve been modifying those accounts with new and tougher passwords.
However, I really haven’t done that with forums like this. It never seemed to be worth the effort. The account and password here may be the same account and password I used for the Nickleback Fan Forum page. I just checked my password manager and see that I have a dozen or so duplicates. I changed the password of this forum (should have done it earlier), but what about the other forums?
Is it worth the time and effort to change those passwords? What would be the damage if someone took over an account to one of these forums?
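As an added illustration of the cracking and reuse points made above (this is not code from the thread), here is a toy offline attack in Python against a constructed dump of unsalted SHA-1 hashes. The usernames, hashes, wordlist and mangling rules are all constructed for the example; the "learned from earlier leaks" rules are the usual ones (capitalisation, leetspeak, a year or "123" on the end). Three patterned passwords fall in a few hundred guesses; the one long random password from a manager does not:

```python
"""Why reused, patterned passwords fall in one pass over a leaked dump."""
import hashlib
import math
import secrets
import string


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


def random_password(length: int = 20) -> str:
    """Uniformly random password over the 94 printable ASCII non-space characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Size of the search space for a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


# Constructed "leaked" dump: unsalted SHA-1, a realistically bad storage scheme.
# dave used a random password from a manager; the other three used patterns.
LEAKED_DUMP = {
    "alice": sha1_hex("Password2014"),
    "bob": sha1_hex("n1ck3lb4ck!"),
    "carol": sha1_hex("dragon123"),
    "dave": sha1_hex(random_password(20)),
}

# Tiny constructed wordlist plus mangling rules of the kind learned from earlier dumps.
BASE_WORDS = ["password", "nickelback", "summer", "dragon", "letmein"]
SUFFIXES = ["", "!", "1", "123"] + [str(y) for y in range(2005, 2015)]
LEET = str.maketrans("aeios", "4310$")


def candidates(words):
    """Yield every word in four casings/spellings combined with every suffix."""
    for w in words:
        for form in (w, w.capitalize(), w.upper(), w.translate(LEET)):
            for suf in SUFFIXES:
                yield form + suf


def crack(dump: dict, words) -> tuple:
    """Offline attack: hash each candidate once and look it up against the whole dump.

    With unsalted hashes one guess is tested against every account at the same time.
    Returns ({username: recovered_password}, number_of_guesses)."""
    by_hash = {}
    for user, digest in dump.items():
        by_hash.setdefault(digest, []).append(user)
    found, guesses = {}, 0
    for cand in candidates(words):
        guesses += 1
        for user in by_hash.get(sha1_hex(cand), []):
            found[user] = cand
        if len(found) == len(dump):
            break
    return found, guesses


if __name__ == "__main__":
    found, guesses = crack(LEAKED_DUMP, BASE_WORDS)
    print(f"{len(found)}/{len(LEAKED_DUMP)} recovered in {guesses} guesses: {found}")
    print(f"dave's 20-char random password: ~{entropy_bits(94, 20):.0f} bits of search space")
```

Two things to take from it: every recovered password here is a candidate for the same person's e-mail, shopping and bank logins, which is the reuse risk described above; and a per-user salt would not have saved alice, bob or carol, it would only have forced the attacker to hash each guess once per account instead of once per dump.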
Judging by your use of the phrase “The script got corrupted somehow” in the post you linked to above, sounds like it may not have been a hack so much as just a corrupted (somehow) bit of programming.
I know, I’m just wondering what is their next step now, which sites will they try first. There’s the possibility that this hacking was just “for show”, but the Walmart transactions and malware above may reflect their true intent.
Do American banks NOT use 2 factor authentication yet? I thought all banks had it.
I, for one, believe that discussing our personal password strategies in a highly visible thread on a website that’s just been hacked is a wonderful idea. :rolleyes:
As long as those forums cannot link to any personal info beyond your username and whatever it is you talk about there, the worst that can happen is somebody can troll as you. If it’s possible they can link to stuff like financial info, absolutely change them asap. Otherwise, don’t worry too much about it.
In a properly designed security system, secrecy rests entirely in the keys, not in the methodology. Educating more people about good password management (how to generate ones that are easy to remember but hard for attackers to guess or brute-force, avoiding bad practices such as reuse of passwords on multiple sites) provides a herd-immunity effect by making cybercrime more difficult.
The way I’m interpreting buddha_david’s point is that all this discussion about password-generation strategies does bring our keys closer to public knowledge. All it takes is an outline of the logic behind someone’s password choice, and a few hours investigating that poster’s background, to discover the means of generating keys to his or her other accounts.
Perhaps your comment was directed only at the discussion of password vaults like LastPass and KeePass. As long as both themes are running side-by-side in the same thread, and some people are determined to rely on their memories of handcrafted passwords rather than the flash drives where password vaults are saved, it’s helpful to expand on the distinction.
I didn’t make the connection until right now, but on the day the email about the hack came out, I also found myself mysteriously subscribed to 40-50 unfamiliar Twitter feeds, most of which were in languages I don’t read (Turkish, Arabic, Japanese). Of the ones I could understand, some were from Illinois (mostly groundkeepers, for some reason).
Naturally, when I poked around having re-read the hack mail, I discovered that my Twitter account and my SDMB account… had the same password, and pointed to my usual email address. :smack: Both passwords have since been changed.
I don’t know if the two are connected, but lordy it do seem suspicious… It doesn’t sound like too many people have been adversely affected by this, yay yay, but later today I’m going through my various accounts and updating passwords, I guess.