So is the problem only for people who have used the mobile version of RR?
Possible Security Breach of email addresses and passwords
- Thread starter RadioMan0520
- Start date
- Status
No, the mobile version of RR was the attack vector... they used a vulnerability there to walk through the user database and pull email addresses and encrypted passwords because of a bug. It was fixed in July, but they had enough time to pull about 25% of the user accounts on the site.
Interesting, thanks. If you know how many were affected is there a way to know who is affected?
It's best to assume your account has been affected and change your password ASAP.
Can you elaborate on this? How did you make the determination this was the method used by the attacker to decrypt the passwords?
belvdr
No longer interested in living
- Joined
- Aug 2, 2013
- Messages
- 2,567
Usually the salt is something the admin provides, not the developer, so I'm confused. Unless, of course a default salt was used.
In reviewing the logs we believe we had rolled out a fix in July which closed the vulnerability right around when the attacker was at about 25% mark for user accounts, but we're going to assume that anyone's account could have been compromised. That's all I can really say at this point as to affected accounts.
Those who had passwords decrypted probably had easy to decrypt passwords or weak passwords, but we don't know what the watermark was for complexity. For instance, I have a number of user accounts in the system that I believe would have been taken by the attacker, however I use complex passwords, and none of my passwords were decrypted - and therefore I never received any of the emails from the hackers for ANY of the accounts that I own.
We were using an older hashing protocol with a single salt.
Those who had passwords decrypted probably had easy to decrypt passwords or weak passwords, but we don't know what the watermark was for complexity. For instance, I have a number of user accounts in the system that I believe would have been taken by the attacker, however I use complex passwords, and none of my passwords were decrypted - and therefore I never received any of the emails from the hackers for ANY of the accounts that I own.
We were using an older hashing protocol with a single salt.
For what it is worth, since 2005 I used a simple and common password and I have not received an email from an attacker, or from whomever they probably sold it to if mine was harvested. I use a Gmail email account and I rarely check it, so I had stuff in there from May 2019. Nothing found in the inbox or spam folder asking for payment/ransom etc...again for whatever that is worth. (I am now using a complex password)
ion_op
Member
Where were the emails sent, here on RR or the email address in your account? I have received no spam mentioning RR. PW changed.
Last edited:
- Joined
- Feb 20, 2003
- Messages
- 1,214
Should we go ahead and change our password or wait for the force password change?
I've rolled out the new password management functions, so you can go ahead and change your password now.
If you change your password now, we won't reset your password when we do the mass password change that's going to happen here shortly.
If you change your password now, we won't reset your password when we do the mass password change that's going to happen here shortly.
Hopefully a one-way hash with a large salt.........
I don't think anyone has mentioned that if by chance you used the same email address and password for other sites you should change those as well
Thanks Lindsay!
Thanks Changed and Updated
eorange
♦RF Enabled Member♦
My compromised PW was long, complex, and almost zero chance it would be vulnerable to a dictionary attack. FYI.
nd5y
Member
What is the maximum password length allowed and what characters allowed/not allowed for the new system?
There aren't any restrictions that I am aware of.
- Status
