Have you seen the post in off topic containing member email addresses and passwords?
FAO webmaster
-
The list only contains e-mail and an encrypted password (which is useless). However, not good though.
www.maestroturbo.org.uk - The Tickford Maestro Turbo Register
www.rover200.org.uk - The Rover 200/400 (R8) Owners Club
www.roverdiesel.co.uk - My Rover Diesel Site
-
Originally posted by MaestroTD:
Have you seen the post in off topic containing member email addresses and passwords?
1958 Ford Consul Convertible. I love this car
1965 Ford Zodiac Executive. Fab cruiser being restored
1997 Jaguar Xk8 Convertible. Such a fab car
2003 MGZT V8. BRG and new project
2004 MGZT cdti. Great workhorse
2004 MGZT V8. Black I love this car
-
Who is the webmaster?
It is a serious data protection leak.
If needs be I can do it - I would rather not but I have the know-how to do so.
Upgrade licence for vBulletin is £136.71 if you decide to stick with it. My understanding is it is not the best on offer nowadays though.
Last edited by Beaker; 2nd September 2015, 12:05.
Rover 200 and 400 Owners Club (for wedge shape rovers, including coupe, tourer and cabriolet). - www.rover200.org.uk
-
What is the news on this?
Rover 200 and 400 Owners Club (for wedge shape rovers, including coupe, tourer and cabriolet). - www.rover200.org.uk
-
Originally posted by E_T_V:
The list only contains e-mail and an encrypted password (which is useless). However not good though.
Mandatory password reset should be in order once the hole is closed.
PS I notice this forum uses the Tapatalk plugin, which increases the attack surface.
-
"Hashed and salted"....Hmmm..you know your stuff?? URL please.
>>Mandatory password reset should be in order once the hole is closed.<<
Yes.
1989 MG Maestro Turbo #413
1986 MG Maestro EFi - Dead but still here
1985 Austin Maestro 1.3 L - Dead and in heaven
2001 Rover 75 CDT (Daily Runner)
-
Originally posted by Mat_C:
"Hashed and salted"....Hmmm..you know your stuff?? URL please.
>>Mandatory password reset should be in order once the hole is closed.<<
Yes.
For example cbf25a5dfcd27656b9da96bf523bf09e:supertedaPu
It's a simple matter to then cross reference the hash with the original dump to get the email address.
After the colon you can see the exposed password and you will also notice the format includes 3 random letters at the end of the password, that's the 3 character random salt which vBulletin uses.
edit - excellent link if you're interested in knowing more about hashes/salts etc. It does mention there that 3 characters is a bit short for a good salt.
https://crackstation.net/hashing-security.htm#attacks
Last edited by Uhtred; 7th September 2015, 09:22.
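An added example, not code from the thread or from vBulletin: the short-salt scheme Uhtred describes, written out beside a hardened replacement and a login routine that verifies a legacy record, re-hashes it under the new scheme and flags the account for the mandatory reset the thread asks for. The thread shows only a 32-hex hash and the 3-character salt; the double-MD5 construction (md5 of md5(password) with the salt appended) is my reading of how vBulletin 3.x stores passwords, so treat it as an assumption. PBKDF2-HMAC-SHA256 with a 16-byte random salt, the `pbkdf2_sha256$...` storage string and the "correct horse" sample user are all constructed for this example.

```python
"""Legacy 3-character-salt hashing beside a hardened scheme (added example)."""
import hashlib
import hmac
import os
import string

# Assumed legacy scheme: vBulletin 3.x stores md5(md5(password) + salt) with a
# 3-character salt. The thread only shows the hash and the 3-char salt; the
# double-MD5 construction is my reading of vBulletin 3, not the thread's.
LEGACY_SALT_ALPHABET = string.ascii_letters + string.digits
LEGACY_SALT_LEN = 3

# Hardened replacement (constructed for this example): PBKDF2-HMAC-SHA256,
# 16-byte random salt, stored as "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def legacy_verify(password: str, salt: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password, salt), stored.lower())


def salt_keyspace(length: int, alphabet: str = LEGACY_SALT_ALPHABET) -> int:
    """Number of distinct salts. With 3 alphanumeric characters that is 238,328,
    so a large user table repeats salts and one precomputation covers many users;
    a 16-byte random salt (2**128 values) never realistically repeats."""
    return len(alphabet) ** length


def strong_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password, stored):
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(record: dict, password: str) -> tuple:
    """Check a password against whichever scheme the record uses.

    Returns (ok, record, must_reset). A correct login against a legacy record
    yields a replacement record under the strong scheme and must_reset=True:
    once the legacy table has leaked, re-hashing alone does not help, because
    the old password itself is what has to be retired."""
    scheme = record.get("scheme")
    if scheme == "legacy_vb3":
        if not legacy_verify(password, record["salt"], record["hash"]):
            return False, record, False
        return True, {"scheme": "pbkdf2_sha256", "hash": strong_hash(password)}, True
    if scheme == "pbkdf2_sha256":
        return strong_verify(password, record["hash"]), record, False
    return False, record, False


if __name__ == "__main__":
    # Constructed sample user; the salt has the same shape as the one in the thread.
    rec = {"scheme": "legacy_vb3", "salt": "aPu",
           "hash": legacy_hash("correct horse", "aPu")}
    print("legacy salts possible:", salt_keyspace(LEGACY_SALT_LEN))
    print("16-byte salts possible:", 256 ** 16)
    ok, rec, must_reset = login(rec, "correct horse")
    print("login ok:", ok, "| forced reset:", must_reset, "| new record:", rec["hash"][:40], "...")
```

The migration path is the usual one for a site in this position: verify against the old record on login, write back a strong record, and still force the reset, because the attacker who holds the dump can verify guesses offline against the legacy hash regardless of what the server stores afterwards.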
-
Thanks. Looks like people have been busy with their GPUs / BitCoin ASICs.
We've already gone through googling hashes and pswd resets on the other thread
P.S: I'm OK with the hashing/salting etc. SHA3
1989 MG Maestro Turbo #413
1986 MG Maestro EFi - Dead but still here
1985 Austin Maestro 1.3 L - Dead and in heaven
2001 Rover 75 CDT (Daily Runner)
-
Seems people even use facebook to post hashes!?
https://www.facebook.com/aymankhalfa...16000458584972
As previously mentioned, in the highly unlikely event that you've re-used your forum password for FB, PayPal etc I would get changing quickly!
EDIT: To clarify, the above only applies if FB/PayPal accounts use the same e-mail as well.
Last edited by Mat_C; 7th September 2015, 12:48.
1989 MG Maestro Turbo #413
1986 MG Maestro EFi - Dead but still here
1985 Austin Maestro 1.3 L - Dead and in heaven
2001 Rover 75 CDT (Daily Runner)
-
There needs to be an 'official' mass email via the forum software to notify everyone!
Rover 200 and 400 Owners Club (for wedge shape rovers, including coupe, tourer and cabriolet). - www.rover200.org.uk
-
Here's what I've done so far:
Updated to vB 3.8.9 latest version - clean install of /forums directory.
Changed MySQL password
Deactivated the blog (unable to update it)
Got rid of photopost_gallery and photopost_classifieds - both vulnerable to attacks and out of date / not forwards compatible.
In particular, I found an exploit / backdoor script within photopost_gallery, from 10th July 2015.
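As an added example (not the webmaster's own procedure and not part of vBulletin or PhotoPost), the checks that back up the findings above: diff a live web root against a clean install of the same version by file hash, list server-side scripts sitting in directories that should only ever hold uploads, and list files touched on or after a cutoff date. The directory layout (`forums/`, `photopost_gallery/data/uploads/`), file contents, the `REVIEW_FROM` cutoff and the timestamps are all constructed for the demo; the real webmaster's paths are not on the page beyond the two plugin names.

```python
"""Baseline hash diff and upload-directory script scan for a web root (added example)."""
import hashlib
import os
import pathlib
import tempfile
from datetime import datetime, timezone

SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")
# Constructed cutoff for the demo: start of the window the thread worries about.
REVIEW_FROM = datetime(2015, 7, 1, tzinfo=timezone.utc)


def sha256_file(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's relative POSIX path to its SHA-256."""
    root_path = pathlib.Path(root)
    return {p.relative_to(root_path).as_posix(): sha256_file(p)
            for p in root_path.rglob("*") if p.is_file()}


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Files in the live tree that a clean install of the same version does not explain."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def suspicious_scripts(root: str, upload_dirs, exts=SCRIPT_EXTS) -> list:
    """Server-side script files inside directories that should hold only uploads."""
    root_path = pathlib.Path(root)
    hits = []
    for d in upload_dirs:
        base = root_path / d
        if base.is_dir():
            hits += [p.relative_to(root_path).as_posix() for p in base.rglob("*")
                     if p.is_file() and p.suffix.lower() in exts]
    return sorted(hits)


def modified_since(root: str, cutoff: datetime) -> list:
    """Files whose mtime is at or after cutoff. mtimes can be forged, so this is a
    lead rather than proof; the hash diff above does not depend on them."""
    root_path = pathlib.Path(root)
    ts = cutoff.timestamp()
    return sorted(p.relative_to(root_path).as_posix() for p in root_path.rglob("*")
                  if p.is_file() and p.stat().st_mtime >= ts)


def build_demo_trees() -> tuple:
    """Constructed sample: a clean install and a live copy with one changed file
    and two added files. Paths, contents and dates are made up for the example."""
    tmp = tempfile.mkdtemp()
    clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
    base_files = {
        "forums/index.php": "<?php // forum front controller\n",
        "forums/includes/config.php": "<?php $config['db_pass'] = 'old';\n",
        "photopost_gallery/index.php": "<?php // gallery entry point\n",
    }
    old = datetime(2015, 6, 1, tzinfo=timezone.utc).timestamp()
    for root in (clean, live):
        for rel, body in base_files.items():
            p = pathlib.Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
            os.utime(p, (old, old))
    live_path = pathlib.Path(live)
    changed = live_path / "forums/includes/config.php"
    changed.write_text("<?php $config['db_pass'] = 'rotated';\n")
    os.utime(changed, (old, old))  # hash diff still catches it although the mtime looks old
    uploads = live_path / "photopost_gallery/data/uploads"
    uploads.mkdir(parents=True)
    (uploads / "image01.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
    script = uploads / "thumb.php"
    script.write_text("<?php // placeholder: a script has no business in an upload directory\n")
    recent = datetime(2015, 7, 10, tzinfo=timezone.utc).timestamp()
    for p in (uploads / "image01.jpg", script):
        os.utime(p, (recent, recent))
    return clean, live


if __name__ == "__main__":
    clean_root, live_root = build_demo_trees()
    print("diff vs clean install:",
          compare_manifests(build_manifest(clean_root), build_manifest(live_root)))
    print("scripts in upload dirs:", suspicious_scripts(live_root, ["photopost_gallery/data"]))
    print("touched since cutoff:", modified_since(live_root, REVIEW_FROM))
```

The hash diff is the check to trust: it flags the modified config file even though its timestamp was left looking untouched, while the mtime listing only narrows down where to look first. Running the same three checks against the new clean install after the rebuild gives a baseline manifest to re-check against later.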
-
Update:
I've also got rid of Tapatalk, just in case it was the attack vector.
Password expiry has been enabled, which means anyone logging on now will be asked to change their password.
And everyone's registered email has been sent a notification of the compromised database.
To answer the question above - vBulletin doesn't provide a way for a user to delete their account so if anyone wants to be removed just reply here or send me a PM and I will delete them (no undo facility!).