Wolfie Posted November 23, 2012

During the last few years, I haven't been that active in my community, though I have been keeping the site updated and made a few changes here and there and have some changes that are planned and may eventually get done. However, that's not the reason for this message. There are two brief sections to this email. The first is some details about the situation that happened and the other is a summary of what site members need to do.

Summary... Account information may have been downloaded, so if you are using the same or similar password on other sites that you have used here, then PLEASE go change those passwords IMMEDIATELY. My apologies for any inconvenience this may cause. Steps have been taken to strengthen the security and integrity of the server this site is hosted on as well as this site itself. This site has also been tested to ensure it is clean and as I learn new information, I am using it to check for any other security holes to ensure that nothing has been overlooked. While it is not certain if any information was actually downloaded, the fact remains that it could have happened and I felt it important to make all members aware of the situation. Also, if you have any friends who are members of this site, please make sure that they are also aware of the situation in case they did not see this message.

More detailed description... Recently, many sites were affected by a vulnerability that allowed hackers to compromise the integrity of their files and data. This unfortunately includes the sites that I run as well, thus the reason for this message. The database was found to have a couple of lines of extra code added to it and while that code has been removed, the fact that the database was compromised means that members' account information may have also been accessed.
The software that I have been using does not store the passwords in plaintext, meaning that the password itself is not stored. Instead, it is run through a one-way mathematical algorithm to generate what is known as a password 'hash'. What this means, in plain wording, is that the password is replaced with a value that will only be reached when that same password is used again, but there is no way to reverse the process. This is why anyone who has ever forgotten their password cannot have their password sent to them and must instead reset their password completely. In short, the company making the software I use takes security very seriously.

Unfortunately, with access to the database and therefore the possibility that members' data has been downloaded, it is possible for hackers to use 'brute force' methods to attempt to determine what passwords were being used. What this means is that with the hash values, they can run a program that will go through every possible password from one character long to 20 or more characters in length and eventually come across the correct combination. As such and as a precaution, I am encouraging EVERYONE to please change their passwords on other sites if they happened to be using the same or similar password on this site.

I have already forced a reset on everyone's password here, so the next time anyone attempts to sign into this community, they will need to reset their password first. While this may seem like a pointless effort now, it's actually a smart idea. Assuming that a hacker did indeed grab the data necessary to find out people's passwords, they will not be able to gain access to any accounts here. It also forces everyone to change their password, so anyone who hasn't forgotten their password will end up being forced to change it anyway.

In closing... As I said before, it is not known for certain if any information was actually downloaded. That doesn't mean that this warning to change your account password should be ignored.
Only that even if it hasn't been downloaded, it's still a good idea to go ahead and update your information so you know that YOU are the one accessing your account and not someone else. If you are a member of other communities that have forums, they too may have been compromised and you should consider changing your password on those other sites as well. If you are friends with an admin of another community that has forums and they have any questions, they may contact me for more details.