Security and Privacy Issue : May-2014

[SeijiSensei]

Quote:

Originally Posted by Hiss13

Is there anything the hacker can probably do with the IP Addresses of the users? That's the one thing I'm worried about here...

Not really. First, if you're connected to the Internet via a router, it's the router's address that appears in the logs. If you're concerned, you can visit http://whatsmyip.net to see what your address is now. Then disconnect your router and leave it off for a day. You should get a new address. You can probably also call your ISP and ask them to reset your address.

But I wouldn't worry much about this. I have thousands of IP addresses in my logs, so does anyone else who runs a web server. If you have a computer connected to the Internet for any length of time, the chances are good that it will be scanned by some automated hacking process out there. My logs are full of these events, too. So just because someone has your IP doesn't mean there's much benefit there.

[Guardian Enzo]

Damn, it's midnight here, I have to be out early tomorrow and I'm wracking my brain trying to figure out every place that I could possibly have used a similar password. What a royal pain in the ass.

[MeoTwister5]

Somewhat ironic that I changed the common password I used for most sites except animesuki. Meaning if they got my password here, it's a password I no longer use.

Derp.

[Peanutbutter]

Whoa, this is pretty big.

But I have always separate my "real" online persona (of which there is almost none because I am such a loner), and my "for fun" various accounts and stuff.

Good effort in carrying the mitigation effort. Hope the damage is minimised.

[HasuMasu]

Quote:

Originally Posted by MeoTwister5

Curiously, is this mod a account a new mod or an old mod?

A very old one from 2003.

[DragoMuseveni]

Yeah but except from that announce he didn`t post from 2006 . That is pretty weird

[HasuMasu]

He logged in and sent messages fairly recently though.

[hinakatbklyn]

While I've been reading up on news and anime here once in a while, my actual active time has been very minimal at best. Haven't noticed anything concerning private messages when I am on.

Most of my passwords related to real world or important matters were different from here so I shouldn't worry too much.

Don't know if my limited activity would be enough to be considered an old or dormant account given the situation however.

[NightWish]

Quote:

Originally Posted by Hiss13

Is there anything the hacker can probably do with the IP Addresses of the users?

Unlikely. The IP revealed is less and less meaningful over time. If concerned, see SeijiSensei's post about switching off your router to get a new address.

TL;DR…

more detail

Sorry; dynamic content not loaded. Reload?

Quote:

Originally Posted by Frailty

Does this mean that our passwords and other related stuff that uses the same e-mail we use here, might be compromised?

will changing our current e-mail used help?

The user data risk is mostly around the MD5 hash of the password and the salt being released. The leak of the email is very troubling and might result in you getting more spam, but provided you follow normal precautions and do not reuse passwords, it shouldn't in itself be a problem. If you use the same password on your email as you did on your account here you MUST chance them as soon as possible. That would be a significant risk. If changing email is an option for you then, yes, burning the one you used on the forum previously will reduce your exposure. Not an option for everyone unfortunately.

TL;DR…

password hash information

Sorry; dynamic content not loaded. Reload?

Quote:

Originally Posted by SeijiSensei

Accounts with anything other than ordinary user access should be closed once a person has retired from administrative duties; at most allow a one or two month grace period. The fact that an admin account was used for this exploit is its most troubling aspect, as I'm sure you all know.

That is normally the case and has been so for more recent absentees.

In this case it isn't clean how long ago the account was used; that is still under investigation. I must admit I don't know the level of activity due to being busy off-site myself.

In the interests of accuracy, the account did not have administrator privileges, but a moderator privileges. The issues was less the level of privilege and more the fact that any privilege was still there, when maybe we should have removed them a long while ago. The account actually dates back before this forum before forked (split into two different forums).

[Kirito]

Whoa. This is a messy issue. When I couldn't log on I thought I did something that got me banned, but that's thankfully not the case.

"Takes sighs of relief"

I made sure to check my profile and PMs and so far nothing alarming on my end, and I had sure other info regarding my user name wasn't shared. It's nice to that measures are taken shape and I can't wait to see what they'll be. It's a worrying issue but I think it'll be okay for the time being.

[DragoMuseveni]

Is good i`m paranoic and my passwords are 35 characters long . The IP if may add , can be find out very fast if you talk with someone on facebook or messenger . The most important problem here was the md5 hash but if you`re not using the same password on every site you log in you don`t have a problem

[abc0716]

Luckily I don't use the same password on here with other important sites (with few characters different only, perhaps not-so safe). But I still change the password for my accounts on most sites anyway.

Since I planned to change password (on almost all sites I often use) on long time ago, but I always felt too lazy to do it. Perhaps now is the 'best' time to settle this 'case' ?

[itisjustme]

Realistically a lot of people use the same passwords for multiple sites, and a lot of people probably forgot about this website while still having an account and they got their information stolen, that's a real problem. IP addresses also aren't nessarily dynamic depending on your country/ISP afaik.

Is it even necessary for moderators to know private info such as passwords and IP address and such?

[DragoMuseveni]

or for your ip you can use vpn to be sure your ip isn`t find out

[npal]

So... eh... Why did this take 6 whole days to announce?

[D-KLAC]

well this is bit unexpected give go fresh over to start in to enter on this place.

really find this wonder can online area get safety for all users?

[Krono]

Quote:

Originally Posted by itisjustme

Is it even necessary for moderators to know private info such as passwords and IP address and such?

The moderators do not know passwords. The forum itself however needs to know what your password looks like after it's encrypted so you can log in. The hacker got the database containing those encrypted passwords. That they got the database of encrypted passwords and details about the encryption used makes it fairly easy to figure out the passwords.

As for IP addresses, yes that's something that moderators generally need to know. It's the chief means of spotting someone using an alt to evade a ban, or serve as a sock-puppet.

Quote:

Originally Posted by npal

So... eh... Why did this take 6 whole days to announce?

That was the time required to realize there was a problem, determine the extent of the problem, and fix the problem. Telling everyone to change passwords while security is still broken can lead to more passwords being compromised. Leaving users with two passwords it's no longer safe to use, instead of just one.

[milan kyuubi]

Question: With the info that the hacker collected. What can he/she do with it?

Few months ago I had my Twitter account hacked. And person was using my account for spamming. But I deleted all the spam messages, and changed the password. And that took care of it.

[Krono]

Quote:

Originally Posted by milan kyuubi

Question: With the info that the hacker collected. What can he/she do with it?

Few months ago I had my Twitter account hacked. And person was using my account for spamming. But I deleted all the spam messages, and changed the password. And that took care of it.

From what they described, the main thing is the hacker likely got people's username/email address/password combinations. They can use that to attempt to log in as you on other services where the same username/password combination is used. How problematic that would be depends on the services they succeed in logging in to.

Same name/password for other anime forums? Not that big a deal. Same name/password for Amazon/Apple? Big problem.

[MrTerrorist]

Damm. That was scary.
No wonder i couldn't login.