Security Incident - Please Change Your Password

Status
Not open for further replies.

K7MFC

WRAA720
Premium Subscriber
Joined
Nov 18, 2017
Messages
863
Location
Phx, AZ
What a bunch of armchair quarterbacks. Interesting how everyone professes to be a cybersecurity expert -- using Google Search doesn't make ya one.

I'm not professing to be an expert, nor do I have any knowledge of the incident beyond what has been communicated to users here, but a decade of software development experience makes me a bit more than an armchair quarterback who did a couple of Google searches. The fact that code review was described as "cursory" and that the review was performed after the code was already in production is a bit surprising. I do appreciate the quick response and resolution, and I hope the RadioReference team learned from the incident.
 

buddrousa

Member
Premium Subscriber
Joined
Jan 5, 2003
Messages
11,958
Location
Retired 40 Year Firefighter NW Tenn
This site has been open from day 1. In the original post from Thursday or Friday of this week, when a member posted we may have been hacked, it was looked at, fixed, and we were told what happened. I have seen on the news that banks have been hacked and they knew but did not tell the members for almost a year. Put a sock in it.
 

Ant9270

The Green Weenie
Joined
Aug 31, 2018
Messages
493
Accidents happen, folks. It’s the internet, it’s bound to happen. On another note, I know you said that it is believed that no premium membership info/CC info was leaked. However, I just had a bunch of unauthorized purchases on my card that was linked to my membership. I’m sure it’s probably completely unrelated, but figured I’d just give you guys a heads up. Keep up the good work.
 

ecps92

Member
Joined
Jul 8, 2002
Messages
14,832
Location
Taxachusetts
Access my what? Oh, the camera that was never plugged in?
I received one of those extortion attempts. It is titled "Save yourself". It says they have your password and your accounts and have been accessing your camera. I changed my password immediately. Hard to believe people can be so disgusting.
 

AK9R

Lead Wiki Manager and almost an Awesome Moderator
Super Moderator
Joined
Jul 18, 2004
Messages
9,907
Location
Central Indiana
...nor do I have any knowledge of the incident beyond what has been communicated to users here...
Folks, the purpose of this thread was to alert users to a problem, what the staff has done to address the problem, and what the staff believes users should do to help protect yourselves from the problem.

If you want to be an armchair quarterback, the NFL regular season starts in a couple of weeks.
 

visegrip72

Member
Joined
Dec 19, 2002
Messages
152
Location
Lake Worth, Fl
I am one who's been receiving these emails also, and based on the email address & password, I assumed it was this site (or a computer/network I used to access the site). I sent something into the support team only a day or two before this announcement. I received a reply stating how the passwords were stored, and that they were still going to investigate and be sure. I then later received another message pointing me to this thread. That was FAST, and responsive!

I've received a ton of these style emails using other email addresses and passwords I use on other sites as well. Some I recently received include passwords I have not used in years. This stuff does happen, sadly. There's only so much everyone can do. You can have the best anti-virus software ever dreamed of, and if you are the (un)lucky one to catch it first, your anti-virus will have no clue about it and you'll be infected, dealing with whatever damage it does.

I do think RadioReference handled this issue quite well. As mentioned in an earlier post, how long do banks or other major businesses take to tell you of breaches? The data in those instances is a TON more sensitive than what is here. Think about bank, health, etc. records. Also, I don't know about most of you, but I get to use this forum for FREE and so can everyone else, even without creating an account! Those banks and others you pay for and expect security. This is just a simple site.

Furthermore, of any of you who did receive similar emails, how many even reported it? How can they fix a problem they don't know exists? Same thing with the virus example: how can the anti-virus block the virus unless it knows the signature?

It was a vulnerability. There are people out there trying to find these all day long everywhere. You can do everything you can, but there may still be something out there out of your control that has the issue. Maybe the hosting service, maybe the db system, could be some other thing.

Again, I believe RadioReference did a great, speedy job of taking care of this. I've appreciated this site before, and I do even more now. It sucks it happened, but it did, and they did what they can to prevent the same exact thing from happening again.
 

K7MFC

WRAA720
Premium Subscriber
Joined
Nov 18, 2017
Messages
863
Location
Phx, AZ
Folks, the purpose of this thread was to alert users to a problem, what the staff has done to address the problem, and what the staff believes users should do to help protect yourselves from the problem.

Will there be any email or direct message announcement to all users? This thread could potentially not be seen by all users.
 

dallascowboys

Member
Joined
Feb 23, 2009
Messages
683
Location
Dothan Alabama
Updated my password, the only thing is I did not get an E-mail from RR stating that my password was reset. Also thanks to all for the heads up on this matter, JOB WELL DONE.
 

ad8g

Member
Feed Provider
Joined
Jun 20, 2011
Messages
72
Location
Cleveland, Ohio
All - this is the reason you use a different password for everything. Use a password manager like 1Password, Keepass, LastPass, etc.

It’s a pain in the rear, but it’s about the only way to protect yourself from sites that store your credentials using weak hashes (or worse, two-way encryption) and get compromised.

Also, if you want to be fancy, use a different email address. If you have gmail, you can put a +(whatever) after your username. For example: example+radioreference.com@gmail.com will still go to example@gmail.com. That way, when you are eventually compromised, you’ll know where it came from.
 

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,248
Location
San Antonio, Whitefish, New Orleans
The armchair quarterbacking isn't helpful right now. Just because you are a software developer or work in the information security field doesn't make you an expert on our development practices, code review and release processes, and how we are addressing this specific issue.

We're working through a process right now, and our objective first and foremost was to communicate honestly and quickly in public what happened and what we are doing, and then to take steps to mitigate the issue.

Bugs and security incidents happen. CISOs and software developers have incidents happen on their watch occasionally, even at the highest level of proficiency... so please let us work through our playbook and plans on our end to further address it. The greatest technologists can easily be humbled at times, so don't ever forget that.

Thanks for your patience.
 

MTS2000des

5B2_BEE00 Czar
Joined
Jul 12, 2008
Messages
5,629
Location
Cobb County, GA Stadium Crime Zone
All,

IT happens. Sites get hacked. The leadership here acted within hours. Better response than many municipal governments and mega-corporations. None of us know their back end better than those who built it, so let's give them credit due for catching it FAST and responding FAST.
No small animals were harmed. Seriously.
I am sure some have had a rough few days with no sleep.
 

ad8g

Member
Feed Provider
Joined
Jun 20, 2011
Messages
72
Location
Cleveland, Ohio
Please don’t blow this off as “it happens,” that doesn’t exactly instill confidence that you guys will work hard to protect our privacy in the future.

You used a hashing algorithm that has been recommended against since the mid-2000s because of how badly insecure it is.

Security is hard. I get it, I work in the industry and change is difficult. But this really should have been caught sooner, because the weaknesses in MD5 have been known for years and years.

Interestingly, it is still (unfortunately) very widely used in popular CMSs.

All that said, thanks for being transparent and keeping us up-to-date, hopefully you’ve learned from this and can improve going forward.
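To make the point about weak hashes concrete, here is an added example (not RadioReference's code; the page says only that MD5 was used, and the PBKDF2 iteration count, record format and function names below are assumptions). It puts the unsalted MD5 scheme the thread criticises beside a salted, deliberately slow password hash from the Python standard library, shows why the former lets a leak reveal which users share a password, and includes the usual "upgrade on login" migration so a site can move legacy records to the stronger scheme as users sign in:

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Legacy scheme (the kind the thread objects to): fast, unsalted MD5. ---
# Two users with the same password get identical records, so a leaked table
# immediately reveals password reuse, and the digest is cheap to brute-force.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_legacy_record(stored: str) -> bool:
    """A bare 32-hex-character string is a raw MD5 digest (assumed legacy format)."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


# --- Hardened scheme: per-user random salt + slow key derivation. ---
# PBKDF2-HMAC-SHA256 is chosen because it ships with the standard library;
# the iteration count is an assumption and should be tuned to the server.
ITERATIONS = 600_000
RECORD_PREFIX = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{RECORD_PREFIX}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != RECORD_PREFIX:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking where the comparison failed.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def upgrade_on_login(stored: str, password: str) -> Optional[str]:
    """Migration step run at login time.

    If the stored record is a legacy MD5 digest and the supplied password
    matches it, return a new hardened record to write back; otherwise None.
    The legacy digest is compared in constant time as well.
    """
    if not is_legacy_record(stored):
        return None
    if not hmac.compare_digest(legacy_md5(password), stored.lower()):
        return None
    return hash_password(password)


def reuse_visible(scheme, password: str) -> bool:
    """True if hashing the same password twice yields identical records,
    i.e. a leaked table would expose which accounts share a password."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    # Constructed sample credential; not a real account.
    pw = "correct horse battery"
    print("MD5 exposes reuse:     ", reuse_visible(legacy_md5, pw))      # True
    print("PBKDF2 exposes reuse:  ", reuse_visible(hash_password, pw))   # False
    record = hash_password(pw)
    print("verify ok:             ", verify_password(pw, record))
    print("verify wrong password: ", verify_password("not it", record))
    migrated = upgrade_on_login(legacy_md5(pw), pw)
    print("migrated record valid: ", migrated is not None and verify_password(pw, migrated))
```

The salt is what removes the "same password, same hash" property; the iteration count is what makes each guess expensive. The record format carries both so the site can raise the iteration count later without breaking verification of older records.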
 

UnixOp

Guest
Yes, security incidents happen. What is concerning me is the responses from the administration staff to the user base about armchair quarterbacks; if anyone in my corp made a public comment like this to a user (or users) they would be fired in a heartbeat for breaching the corp standards of business practices and ethics (they make us review and sign a new ethics doc every year). Perhaps you should only have your PR dept sending out responses to these types of messages, or have a boilerplate that you can paste once into the forum and then walk away from that forum post. I can imagine you are all very tired and overworked from addressing this issue lately, but please don't take it out on the user base for asking questions or offering their 2 cents in the midst of a fairly serious security breach. The responses from staff to users have me concerned about professional responsibilities. I had the RR forum admins enable 2FA on my forum account months ago; perhaps you can turn on 2FA for the rest of the site now?
 

R8000

Very Low Battery
Premium Subscriber
Joined
Dec 19, 2002
Messages
1,017
Lindsey, thanks for keeping us informed of what has happened. Thankfully, I haven't had any problems, maybe I was one of the users not affected. I am not a website expert, software coder nor a security expert. I just build and maintain large public safety radio systems. I leave all the web stuff to the experts. Thanks again for the hard work and dedication.
 

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,248
Location
San Antonio, Whitefish, New Orleans
Yes, security incidents happen. What is concerning me is the responses from the administration staff to the user base about armchair quarterbacks; if anyone in my corp made a public comment like this to a user (or users) they would be fired in a heartbeat for breaching the corp standards of business practices and ethics (they make us review and sign a new ethics doc every year). Perhaps you should only have your PR dept sending out responses to these types of messages, or have a boilerplate that you can paste once into the forum and then walk away from that forum post. I can imagine you are all very tired and overworked from addressing this issue lately, but please don't take it out on the user base for asking questions or offering their 2 cents in the midst of a fairly serious security breach. The responses from staff to users have me concerned about professional responsibilities. I had the RR forum admins enable 2FA on my forum account months ago; perhaps you can turn on 2FA for the rest of the site now?

We're not taking anything out on the user base or anyone. We're asking you politely to let us handle the situation as we deem necessary. I definitely don't need anyone lecturing me on how to handle this issue. Our team is responding appropriately. We're not making excuses. So please, pretty please, let us address the issue.

Additionally, I stand by my comments and how we've handled this issue. Period.
 

BOBRR

Member
Joined
Dec 15, 2004
Messages
1,502
Location
Boston, MA
Hello,

In my 80s now, so bear with me with a dumb question please:

Where exactly, and how, do I find the place to enter a new password? Link to it?

And, I'm a Premium Subscriber.
Does this "carry over" automatically?

Thanks,
Bob
 

riccom

Active Member
Premium Subscriber
Joined
Jul 2, 2004
Messages
1,325
Location
K A N S A S C I T Y
Under the account dashboard, when you click your name at the top of the screen, you will see the option to change the password on the lower left.
 