
Important Notice - Security Breach

Thank you for being open, honest and straightforward with all the members. And for watching our backs. :)

I applaud you all. :congrats:


On a side note, if anyone wants to steal my identity you're welcome to it. :D
 
Thanks for your prompt action and advice. I changed my password immediately and had no problem in changing my Tapatalk password.
 
Am I the only one upset at having to (again) change all my forum and email passwords? We hear about hacking attempts all the time. The time to harden the servers was when you heard of other servers being compromised.... waaay before last week.

I'm seriously hoping this was a wake-up call and you'll be more pro-active going forward.

Also, this little message at the top of the forum is not enough. I was on this forum for 3 hours before noticing the message at the top. I believe the standard is to EMAIL all users. Not everyone checks in daily. Not everyone is active.

Congrats for keeping the server up and checking for malware, but IMO, there's room for improvement.
 
I will let my friends over at android.net know about these attacks. They use the same software, and I'll tell them to be on the lookout for these kinds of attacks. This is serious stuff.
 
The team on this site is amazing, they jumped right on it in a split second. Had all staff aware of pending password changes. It's because of the incredible team here that makes me feel happy to be a guide!
 
Would the username/passwords not be encrypted in the database?
 
Now I don't want to point fingers, but if anyone happens to see this guy, I would really like to bring him in for questioning:


AC13 is on double secret probation LOL!! :p

All kidding aside, thanks for the quick action, and a special thanks to Steven for helping me out yesterday. :)
 
Would the username/passwords not be encrypted in the database?

Generally usernames aren't but the passwords are. I think (if they were able to grab the DB) they may be able to gain access using the encrypted password to other sites where you used the same one. It is very tricky as they would need to know your username as well as gain file access to that site. They shouldn't be able to decrypt the password either as that is damn near impossible assuming the site software uses a reasonable encryption methodology and the key isn't ridiculously simple.
 
I am also very surprised at how quick a solution was offered to everyone, it didn't take any time, and the matter got resolved very quickly. I am also glad to know that this community will gladly inform people of situations that arise, and want you to protect yourself in every way possible.

I say thank you to everyone involved, you guys/gals are what makes this place the best place to come to.

A "solution" shouldn't have been needed. This type of thing should not have happened in the first place.
 
After changing my password, I just received this email:


Dear wetbiker7,

Someone has tried to log into your account on Android Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: [Redacted]

I have been getting this same message all day since I changed my password and finally realized it's my Phandroid that is trying to log in with my old password. I updated my password on the app on my phone and it is all fixed now.
 
Would the username/passwords not be encrypted in the database?


They are one-way hashed. They are not clear text passwords. The only way I could see what a user's password was is if I got their one-way hashed password and then tried every combination of characters I could think of, ran it through the same hashing algorithm, and if the two match then I know your password. It's actually quite secure if you can throttle how fast you can try combinations of characters, like we do with only allowing 5 attempts and then waiting 15 minutes, but if they have just the hash they can try many combinations very fast with a program. If your password is very random then it probably won't be found.

For instance, let's say you had a password of just lower case letters and it was 8 letters long. That would be 23^8 == 78310985281 different possible passwords that in the hacker's "worst case" have to be tried and hashed, not impossible, but not trivial either. If you had upper case letters as well as lower case then 46^8 == 20047612231936, so even harder. This assumes that your password is just random letters; if you have some word or combination of words you can find in the dictionary, or a birthday, or something else common, then they could try these first and make the attack easier.
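An added example (not code from this thread or from the forum software) putting the two mechanisms described above into working form: the online throttle from the lockout e-mail quoted earlier (5 wrong passwords, then 15 minutes blocked) and the one-way salted hash plus worst-case search space from this post. PBKDF2 is an assumed stand-in for whatever hashing the forum actually uses; keyspace() is parameterized by alphabet size and length, and the throttle's injectable clock is only there so the lockout can be tested without waiting.

```python
import hashlib
import hmac
import os
import time

# Brute-force search space: alphabet_size ** length candidates an offline
# guesser would have to hash in the worst case (the post's 23^8 / 46^8 figures).
def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length

# One-way, salted, deliberately slow hash (PBKDF2-HMAC-SHA256). Only the salt
# and digest are stored; the plaintext never is. PBKDF2 is an assumption here,
# not the forum's actual algorithm.
ROUNDS = 100_000

def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)  # fresh random salt per user
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

class LoginThrottle:
    """Online rate limit like the forum's: after max_failures wrong passwords,
    refuse all attempts for lockout_seconds. `clock` is injectable for tests."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 15 * 60,
                 clock=time.monotonic):
        self.max_failures, self.lockout_seconds, self.clock = max_failures, lockout_seconds, clock
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> clock value when the lock expires

    def attempt(self, user: str, password: str, salt: bytes, digest: bytes) -> str:
        now = self.clock()
        if now < self.locked_until.get(user, 0.0):
            return "locked"  # refuse without even checking the password
        if verify_password(password, salt, digest):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.failures[user] = 0
            self.locked_until[user] = now + self.lockout_seconds  # the e-mail's 15 minutes
        return "bad_password"
```

The throttle only slows an attacker who must go through the login form; someone holding a copy of the hashes is limited only by the hash's cost and the size of keyspace(), which is why the slow KDF and a random password matter.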
 
A "solution" shouldn't have been needed. This type of thing should not have happened in the first place.

As someone who spent 10+ years as a Web Master for a $26 billion a year manufacturing company managing 50+ web domains (with a 40+ person IT team in charge of security), I can say that as admins and staff get smarter so do hackers. The CIA, FBI, credit card companies and processors, etc. get hacked every day.
 
Also, this little message at the top of the forum is not enough. I was on this forum for 3 hours before noticing the message at the top.

I actually agree with this as well. It's 4 tiny words in red. Most users ignore the bold letters that say "sticky".

It would probably be better to have a bigger banner notification at the top of the forum. It too took me an hour or so before I saw it today once I got logged in.
 
I'm not saying other sites would not do this, but I'm glad that AF admins chose to disclose this information. I think it was not only the right thing to do, but also responsible and shows that they have our best interests at heart.

And anyone who reuses email/password/username might want to change those other ones as well.... never hurts right ;)
 
I'm not saying other sites would not do this, but I'm glad that AF admins chose to disclose this information. I think it was not only the right thing to do, but also responsible and shows that they have our best interests at heart.

And anyone who reuses email/password/username might want to change those other ones as well.... never hurts right ;)

I agree with you entirely on this. I changed my password immediately, and I also changed my email password, though they are different. Could not hurt to be safe anyway.
 
I just spent 2 hours changing forum and email passwords for work and home and still have a tablet left.
 
I know who the culprit is!!!

:mad:

Gasp!

The "Butler" done it!

 