Important Notice - Security Breach

[dibba]

I recently started using LastPass to generate long random passwords for each account, and this account was one of them. I'm changing it again, but for me, not worried about anything else.

I had been using LastPass to simply keep and login to accounts, but having it keep the crazy passwords was one step better I took earlier.

And thanks so much for being upfront and having the tips for everyone, that's great!

 

[dibba]

One more thing you could have done better, IMO:

1. Emailed users about this, I don't post frequently, and just happened to come here and see this. It'd been nice to know ASAP to change my password earlier.

2. Even better: Reset everyone's password, and when they visit the site have them reset it. Or have a reset password link in the email from my suggestion above.

 

[EarlyMon]

I am trying to imagine the ensuing chaos or anger from emailing over one million people being much different than what we have seen already.

Personally, I have yet to have any new spam on the email account I use here or other intrusion attempts on it.

And we have had zero reports saying, I never posted that, or, that post doesnt sound like so-and-so.

I trust the Admin's play in this case.

 

[palmickey]

Does this site use one way encryption for passwords?

I wonder if any of this standard bulletin board software uses one way password encryption.

 

[veccster]

I received 37 login attempt failure notices this morning.

I had changed my password as soon as I saw this notice so I wonder...

 

[Unforgiven]

I received 37 login attempt failure notices this morning.

I had changed my password as soon as I saw this notice so I wonder...

Have you checked that you have updated your credentials in any apps you use to connect to the forums (Official AF app, Tapatalk, or Forum Runner). I had this happen to me.

 

[Slug]

I only registered on these forums because of your "greed" policies - hiding info and download links from unregistered users.

Sorry bud, you're not getting away with that!

You may be confusing AF with some other site you frequent - there is NO restriction on viewing imposed on unregistered guests. Posting yes, but guests can freely read.

You registered almost two years ago, and before yesterday your last contribution to the site was shortly after that. So excuse me if I find people suddenly coming back here whining about "amateur security" and making false claims about a site they've taken little interest in somewhat suspicious.

 

[jspidey]

UPDATE: I forgot to mention. If you are using an Android Application to access the forums (Tapatalk, Phandroid App) - they will not register the password change and may flood your email with "someone has tried to access your account" emails. Unfortunately the only advice I have for that is to uninstall/re-install the app, if you cannot change your password from within.

Just wanted to point this out if anyone missed it. I was wondering why I kept getting the emails as they state here with my IP address when I wasn't (knowingly) trying to login. It all makes sense now...lol.


Also, to the admins - thanks for the notification. I do agree with some others that an email might have been a better option, especially for those who do not log in frequently but other than that, nice job handling the situation.

 

[WPWoodJr]

Ah yes, the Phandroid app... silly me :stupid:

P.S. Does this forum support Tapatalk now?

Yes it does support Tapatalk

 

[Unforgiven]

Yes it does support Tapatalk

Yes, both Tapatalk and Forum Runner.

 

[xxoo]

Just heard this sad news, very lucky, our staff is making every effort to patch the vulnerability, they are commendable. May our circle more secure.

 

[veccster]

Have you checked that you have updated your credentials in any apps you use to connect to the forums (Official AF app, Tapatalk, or Forum Runner). I had this happen to me.

Yup...thats it! I use the AF app on my nexus and xoom. I'll go change them both. Thanks for the heads up!


That said...why are these apps logging in when I haven't used either in the past few days? I don't have any notifications set...they are just quiet apps until I open them and start using.

 

[EarlyMon]

Yup...thats it! I use the AF app on my nexus and xoom. I'll go change them both. Thanks for the heads up!


That said...why are these apps logging in when I haven't used either in the past few days? I don't have any notifications set...they are just quiet apps until I open them and start using.

Bet you dollars to donuts that it tries to login before seeing that you don't want notifications. Maybe got an intent to wake up and run during installation or initialization or something that isn't removed when no notifications are selected.

My browser lights up GPS and then decides I've blocked location data.

Some things in Android are just coded backwards from the user point of view.

Could be wrong about the site apps, but I'll bet that's it until a dev says otherwise.

 

[dautley]

Is anyone else getting the feeling this thread may be reaching the end of being productive? I know the AF staff is in between a rock and a hard place as far as locking it goes, but maybe look into replacing it with a FAQ soon?

 

[trparky]

How did they get in? SQL injection? Remote code injection?

 

[mkanet]

No, these things don't just "happen". Admins put up with it because they know they are ultimately the ones who failed.

This is negligence on androidforums part; and, are the real people to blame. Can you imagine if large bank websites were also this insecure; and, asking all their online customers go change their passwords? Then.. customers just saying... oh well, these things just happen.

There's the argument that user passwords should be complex enough for the hash not to be brute forced hacked; but, really, it should never get to that point.

I've lost complete respect for the person/people responsible for maintaining this website. Hopefully, they know better than to list androidforums.com on their resumes.

Thank you for the notification and quick response. Unfortunately these things happen. There is no such thing as a hacker proof site. I'm sorry there are so many lazy people on this site though. This thread would be only half as long if it weren't for the people who couldn't be bothered to read through the thread or search and asked "are passwords salted and/or hashed" over and over and who reported the "x amount of attempts to log in to my account what gives?" OVER and OVER. You admins must have the patience of saints to put up with it.

 

[carmendiva]

Just now hearing about this.
Sorry to hear about this but good to see a lot of effort being taken to rectify this situation.

I had to also change the password on my formspring. So many people being hacked these days.

 

[dautley]

Can you imagine if large bank websites were also this insecure; and, asking all their online customers go change their passwords?

Give me a break!!
Bank websites are hacked into all the time, just do a Google search Let me google that for you and see what you get, lol!

The big difference here is that at least AF told us in a timely manner.

If people are experiencing problems because of what happened or have questions about it then fine, but I have to wonder when AF is going to put their foot down on unfounded, uneducated, blanket statements such as this.

 

[EarlyMon]

No, these things don't just "happen". Admins put up with it because they know they are ultimately the ones who failed.

This is negligence on androidforums part; and, are the real people to blame. Can you imagine if large bank websites were also this insecure; and, asking all their online customers go change their passwords? Then.. customers just saying... oh well, these things just happen.

There's the argument that user passwords should be complex enough for the hash not to be brute forced hacked; but, really, it should never get to that point.

I've lost complete respect for the person/people responsible for maintaining this website. Hopefully, they know better than to list androidforums.com on their resumes.

How much money do people have on deposit with us?

Have you ever accessed any forum via secure http?

Where is the funding for this uncrackable forum software?

I respect your opinion but to compare an online friendly forum to a financial institution just seems a little over the top to me.

I do agree that this is all Phases fault though.

If he hadn't crafted and maintained such a mellow, fun, and informative hangout, this joint would have never grown to over a million members, and if the site had remained tiny, it probably wouldn't have been a target.

So, that part is Admin's fault.

I will agree that AndroidForums.com isn't up to the standards of the NSA or CIA, but neither are they so asleep at the switch upstairs, either.

In any case, I have advised that we get help from this security expert -

http://www.youtube.com/watch?v=RCUBxgdKZ_Y

But I don't think that the boss is going to go for it.

 

[jikhead]

I received 37 login attempt failure notices this morning.

I had changed my password as soon as I saw this notice so I wonder...

Me too, about a dozen attempts today.

 

[EarlyMon]

Me too, about a dozen attempts today.

Do you use an app to access the forums?

 

[jikhead]

Do you use an app to access the forums?

No, I just use the news app on my phone.

 

[Rachel A]

This is negligence on androidforums part; and, are the real people to blame. Can you imagine if large bank websites were also this insecure; and, asking all their online customers go change their passwords? Then.. customers just saying... oh well, these things just happen.

There's the argument that user passwords should be complex enough for the hash not to be brute forced hacked; but, really, it should never get to that point.

I've lost complete respect for the person/people responsible for maintaining this website. Hopefully, they know better than to list androidforums.com on their resumes.

There are bank sites out there that limit your password to only 8 characters and with letters and numbers only. Nothing else.

I can atest with personal knowledge that yes, there are bank sites configured that contain multiple potential attack vectors just waiting a good simple exoit.

I've had cell phone companies want to read my password to the first person who says they're me whoever I call. All they would need would be my name and my cell number. From that the CSR would volunteer them my account password which would allow them to log in as me, view my account and change anything.

I've worked on systems when our security has been extremely hampered by the need to interface to a mainframe. My heart crashes when I hear that we have to match a set of password parameters that the main frame.

All these things and more we had. We had two factor auththentication, multiple domains separating each tier and long passwords changed on a 42 day basis. Hell, it would take me a day to update all my passwords on all the systems when I had to change.

You can have it more and more besides. But unless you're willing to pony up the huge amount of dollars a ring fenced trip wired, glass breaking system, the bad guys are going to get in.

It's called life. You take a trip to work and use a car everyday because it makes fiscal sense to you. Sure you could go the whole hog and buy a swadding chieften tank and probably be even more secure but it would make any sense to do that.

Running a Web Site like AF requires a lot of decisions as to what should be utilized and where does its p&l stand. If the ROI on the tank is high enough then I guess you're gonna be having fun every day grinding over those other schmucks who kept their car... Same with these guys - at what point to they say the cost of security is greater than the advantages having it.

For what is essentially a fan Site with little to no PID I'd imagine the budget ain't gonna stretch for no tank...

 

[jikhead]

Is this the IP address everyone else is seeing trying to access your account?

[Redacted]

 

[Xyro]

Is this the IP address everyone else is seeing trying to access your account?

[Redacted]

That is the exact same IP that you just made that post from. A device on your network is responsible.