Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
I assure you this most certainly isn't the first time this has happened since the BBS days, it happens all the time. Most places never tell the users about intrusions.
In fact, I'd bet most mid-moderately successful sites don't even know it happens to them. The hackers/spiders don't leave thank you notes behind (most the time ). You have to have some pretty keen eyes and/or software to spot the clues sometimes.
Deleting your account won't make any difference at this point. Even so, no one can do anything (at least here) with a regular user account that can't be reversed. However, if you would like your account deleted, let me know.
salted
Yay... I feel safe now. :|
Why not read what I posted you reply is meaningless I said " It's the FIRST time it's happened to ME since the BBS days!"
I am fully aware this happens on other websites and forums, but none of the forums I use because security is priority number 1 As I see it not poxy banners and crap most of us will block anyway, it's either admin or the hosting company to blame, if it's the later why trust em again??
I mean come on Vbull is as good as it gets......
Also deleting my account via the DB would work if this was to happen again, as when we you leave a forum the account still lays there not deleted from the tables....
Int
I know what you wrote - I am implying that of all the forums you apparently frequent over all these years, I'm more than willing to bet more than one of them has had a breach whether or not you or they know.
I understand how databases work and when people leave.
I also understand you're upset. Our guys found the holes, and patched them. It wasn't through vBulletin. This was unfortunately, but it happened. I think it's more common than you think. That's not to minimize the situation at all - just being realistic.
We could have done like some and NOT detected it at all, or turned the other cheek and chose not to let anyone know on the chance that nothing will come of it from here. Or waited till trouble arouse and "then" found the evidence.
We've done the best we could. I'm sorry you're unforgiving. I will be happy to remove your account if you wish. But please don't litter the thread with rash or nonconstructive replies, especially to other users who aren't addressing you at all.
Thanks for understanding.
Generally username aren't but the passwords are. I think (if they were able to grab the DB) they may be able to gain access using the encrypted password to other site where you used the same one. It is very tricky as they would need to know your username as well as well as gain file access to that site. They shouldn't be able to decrypt the password either as that is damn near impossible assuming the site software uses a reasonable encryption methodology and the key isn't ridiculously simple.
They are one way hashed. They are not clear text passwords, like the only way i could see what a users password was is if i got there one way hashed password and then tried every combination of characters i could think of run it through the same hasing algorithm and if the two match then i know your password. Its actually quite secure if you can throttle how fast you can try combinations of characters like we do with only allowing 5 attempts and then waiting 15 minutes, but if they have just the hash they can try many combinations very fast with a program. If you password is very random then it probably won't be found.
For instance lets say you had a password of just lower case letters and it was 8 letters long. that would be 23^8 == 78310985281 different possible passwords, that in the hackers "worse case" have to be tried and hashed, not impossible, but not trivial either. If you had upper case letters as well as lower case then 46^8 == 20047612231936 so even harder. This assumes that your password is just random letters, if you have some word or combination of words you can find in the dictionary, or a birthday, or something else common, then they could try these first and make the attack easier.
Do you salt the password to prevent dictionary attacks?
I wanted to say thanks for updating the banner up top. I saw it yesterday, but honestly thought it was some sort of lame ad for me to be a sucker and click on. Today, knowing that it says all those things, made me actually take it seriously and click on it.
Glad someone does and what your basing that on god only knows.....
Int
I think thats one vote (the first vote) for TVictory as lead designer!
Tell that to the FBI, they're currently trying to imprison a British Citizen for the crime of finding out if he could hack into their servers by actually doing it. If they're fallible, then there's no hope for anyone.
Responsibility for security ALWAYS lies with the user AND the provider.
Personally I was forced to set up a more clever password system after my "usual" password got hacked on eBay (no real harm done) and I still used that password for all web forums up until yesterday (since there's little real damage anyone can do by posting as me). Thankfully, I have LastPass, so I have a handy list of which forums I haven't changed the password yet. There's no way I could remember hundreds of passwords,so a system is the only possibility.
In my case I use passW0rd%X where X is the first letter of the site I'm on. It's hardly uncrackable, unlike my Wifi password which is a 52-character string, but it'll stop casual hackers.
Sometimes that's an error generated by our app trying to log in or other web confusion.
To see if it's that or something worse, please google: my ip
And compare to that found in that sort of email.
To Phases and the Neverstill Team - thanks for being never still on our protection!
It wasn't me, I swear!