Security Incident - Please Change Your Password

Status
Not open for further replies.

K7MFC

WRAA720
Joined
Nov 18, 2017
Messages
863
Location
Phx, AZ
What a bunch of armchair quarterbacks. Interesting how everyone professes to be a cybersecurity expert -- using Google Search doesn't make ya one.

I'm not professing to be an expert, nor do I have any knowledge of the incident beyond what has been communicated to users here, but a decade of software development experience makes me a bit more than an armchair quarterback who did a couple Google searches. The fact that code review was described as "cursory" and that the review was performed after the code was already in production is a bit surprising. I do apriciate the quick resposne and resolution, and I hope the RadioReference team learned from the incident.
 
Last edited:

buddrousa

Member
Premium Subscriber
Joined
Jan 5, 2003
Messages
11,224
Location
Retired 40 Year Firefighter NW Tenn
This site has been open from day 1 in the original post from Thursday or Friday of this week when a member posted we may have been hacked it was looked at fixed and we were told what happen. I have seen on the news Banks have been hacked and the knew but did not tell the members for almost a year. Put a sock in it.
 

Ant9270

The Green Weenie
Joined
Aug 31, 2018
Messages
493
Accidents happen, folks. It’s the internet, it’s bound to happen. On another note, I know you said that it is believed that no premium membership info/CC info was leaked.. However, I just had a bunch of unauthorized purchases on my card that was linked to my membership. I’m sure it’s probably completely unrelated, but figured I’d just give you guys a heads up. Keep up the good work.
 

ecps92

Member
Joined
Jul 8, 2002
Messages
14,360
Location
Taxachusetts
Access my what ? O the Camera that was never plugged in ?
I received one of those extortion attempts . It is titled Save yourself . It says they have your password and and your accounts and have been accessing your camera . I changed my password immediately . Hard to believe people can be so disgusting.
 

AK9R

Lead Wiki Manager and almost an Awesome Moderator
Super Moderator
Joined
Jul 18, 2004
Messages
9,293
Location
Central Indiana
...nor do I have any knowledge of the incident beyond what has been communicated to users here...
Folks, the purpose of this thread was to alert users to a problem, what the staff has done to address the problem, and what the staff believes users should do to help protect yourselves from the problem.

If you want to be an armchair quarterback, the NFL regular season starts in a couple of weeks.
 

visegrip72

Member
Joined
Dec 19, 2002
Messages
152
Location
Lake Worth, Fl
I am one who's been receiving these emails also, and based on the email address & password, I assumed it was this site (or a computer/network I used to access the site). I sent something into the support team only a day or two before this announcement. I received a reply stating how the passwords were stored, and that they were still going to investigate and be sure. I then later received another message pointing me to this thread. That was FAST, and responsive!

I've received a ton of these style emails using other email addresses and passwords I use on other sites as well. Some I recently receive include passwords I have not used in years. This stuff does happen sadly. There's only so much everyone can do. You can have the best anti-virus software ever dreamed of, and if you are the (un)lucky one to catch it first, your anti-virus will have no clue on it and you'll be infected, dealing with whatever damage it does.

I do think RadioReference handled this issue quite well. As mentioned by an earlier post, how long do banks or other major businesses take to tell you of breaches. The data in those instances are a TON more sensitive than what is here. Think about bank, health, etc records. Also, I don't know about most of you, but I get to use this forum for FREE and so can everyone else, even without creating an account! Those banks and others you pay for and expect security. This is just a simple site.

Furthermore, of any of you who did receive similar emails, how many even reported it? How can they fix a problem they don't know exists? Same thing with the virus example, how can the anti-virus block the virus unless it knows the signature?

It was a vulnerability. There are people out there trying to find these all day long everywhere. You can do everything you can, but there may still be something out there out of your control that has the issue. Maybe the hosting service, maybe the db system, could be some other thing.

Again, I believe RadioReference did a great, speedy job of taking care of this. I've appreciated this site before, and I do even more now. It sucks it happened, but it did, they did what they can to prevent the same exact thing from happening again.
 

K7MFC

WRAA720
Joined
Nov 18, 2017
Messages
863
Location
Phx, AZ
Folks, the purpose of this thread was to alert users to a problem, what the staff has done to address the problem, and what the staff believes users should do to help protect yourselves from the problem.

Will there be any email or direct message announcement to all users? This thread could potentially not be seen by all users.
 

dallascowboys

Member
Joined
Feb 23, 2009
Messages
683
Location
Dothan Alabama
Updated my password, the only thing is I did not get an E-mail from RR stating that my password was reset. Also thanks to all for the heads up on this matter, JOB WELL DONE.
 

ad8g

Member
Feed Provider
Joined
Jun 20, 2011
Messages
71
Location
Cleveland, Ohio
All - this is the reason you use a different password for everything. Use a password manager like 1Password, Keepass, LastPass, etc.

It’s a pain in the rear, but it’s about the only way to protect yourself from sites that store your credentials using weak hashes (or worse, two-way encryption) and get compromised.

Also, if you want to be fancy, use a different email address. If you have gmail, you can put a +(whatever) after your username. For example: example+radioreference.com@gmail.com will still go to example@gmail.com. That way, when you are eventually compromised, you’ll know where it came from.
 

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,097
Location
San Antonio, Whitefish, New Orleans
The arm chair quarterbacking isn't helpful right now. Just because you are a software developer or work in the information security field doesn't make you an expert on our development practices, code review and release processes, and how we addressing this specific issue.

We're working through a process right now, and our objective first and foremost was to communicate honestly and quickly in public what happened and what we are doing, and then to take steps to mitigate the issue.

Bugs and security incidents happen. CISOs and software developers have incidents happen on their watch occasionally, even at the highest level of proficiencies... so please let us work through our playbook and plans on our end to further address. The greatest technologists can easily be humbled at times, so don't ever forget that.

Thanks for your patience.
 

MTS2000des

5B2_BEE00 Czar
Joined
Jul 12, 2008
Messages
5,173
Location
Cobb County, GA Stadium Crime Zone
All,

IT happens. Sites get hacked. The leadership here acted within hours. Better response than many municipal governments and mega-corporations. None of us know their back end better than those who built it, so let's give them credit due for catching it FAST and responding FAST.
No small animals were harmed. Seriously.
I am sure some have had a rough few days with no sleep.
 

ad8g

Member
Feed Provider
Joined
Jun 20, 2011
Messages
71
Location
Cleveland, Ohio
Please don’t blow this off as “it happens,” that doesn’t exactly instill confidence that you guys will work hard to protect our privacy in the future.

You used a hashing algorithm that has been recommended against since the mid-2000s because of how badly insecure it is.

Security is hard. I get it, I work in the industry and change is difficult. But this really should have been caught sooner, because the weaknesses in MD5 have been known for years and years.

Interestingly, it is still (unfortunately) very widely used in popular CMSs.

All that said, thanks for being transparent and keeping us up-to-date, hopefully you’ve learned from this and can improve going forward.
 
U

UnixOp

Guest
Yes, security incidents happen, what is concerning me is the responses from the administration staff to the user base about arm chair quarter backs, if anyone in my corp made a public comment like this to a user (or users) they would be fired in a heart beat for breaching the corp standards of business practices and ethics (they make us review and sign a new ethics doc every year). Perhaps you should only have your PR dept sending out responses to these types of messages, or have a boilerplate that you can paste once into the forum and then walk away from that forum post. I can imagine you are all very tired and over worked from addressing this issue lately, but please don't take it out on the user base for asking questions or offering their 2 cents in the midst of a fairly serious security breach. The responses from staff to users has me concerned about professional responsibilities. I had the RR forum admins enable 2FA on my forum account months ago, perhaps you can turn on 2FA for the rest of the site now ?
 

R8000

Low Battery
Premium Subscriber
Joined
Dec 19, 2002
Messages
1,009
Lindsey, thanks for keeping us informed of what has happened. Thankfully, I haven't had any problems, maybe I was one of the users not affected. I am not a website expert, software coder nor a security expert. I just build and maintain large public safety radio systems. I leave all the web stuff to the experts. Thanks again for the hard work and dedication.
 

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,097
Location
San Antonio, Whitefish, New Orleans
Yes, security incidents happen, what is concerning me is the responses from the administration staff to the user base about arm chair quarter backs, if anyone in my corp made a public comment like this to a user (or users) they would be fired in a heart beat for breaching the corp standards of business practices and ethics (they make us review and sign a new ethics doc every year). Perhaps you should only have your PR dept sending out responses to these types of messages, or have a boilerplate that you can paste once into the forum and then walk away from that forum post. I can imagine you are all very tired and over worked from addressing this issue lately, but please don't take it out on the user base for asking questions or offering their 2 cents in the midst of a fairly serious security breach. The responses from staff to users has me concerned about professional responsibilities. I had the RR forum admins enable 2FA on my forum account months ago, perhaps you can turn on 2FA for the rest of the site now ?

We're not taking anything out on the user base or anyone. We're asking you politely to let us handle the situation as we deem necessary. I definitely don't need anyone lecturing me on how to handle this issue. Our team is responding appropriately. We're not making excuses. So please, pretty please, let us address the issue.

Additionally, I stand by my comments and how we've handled this issue. Period.
 

BOBRR

Member
Joined
Dec 15, 2004
Messages
1,468
Location
Boston, MA
Hello,

In my 80's now, so bear with me with a dumb question please:

Where exactly, and how, do I find the place to enter a new Password ? Link to ?

And, I'm a Premium Subscriber.
Does this "carry over" automatically ?

Thanks,
Bob
 

riccom

Upstate S.C.
Premium Subscriber
Joined
Jul 2, 2004
Messages
1,318
Location
Kansas City Mo
Under the account dashboard when you click your name on the top of the screen you will see on the lower left to change the password
 
Status
Not open for further replies.
Top