Page 2 of 2 FirstFirst 12
Results 16 to 26 of 26

Thread: possible data breach?

  1. #16
    Join Date
    May 2019
    Location
    Key Largo, Florida
    Posts
    223
    Thanks
    27
    Thanked 26 Times in 21 Posts
    EP Points
    2500

    Default

    Users(especially admins) changing passwords regularly is standard 'best practices' to thwart unknown breaches(which I'm sure the admins here are aware of since password changes for everyone regularly is standard practice), data breaches in message boards are inevitable; not just in vBulletin. There is no cause for alarm, it's better to know about a breach to be on the lookout for future ones than to assume there has never been a breach with a false sense of security.

  2. #17
    Join Date
    Feb 2011
    Posts
    239
    Thanks
    74
    Thanked 93 Times in 36 Posts
    EP Points
    450

    Default

    One thing I suggest is to make it unable for people to reuse their old passwords during these forced yearly/bi-yearly changes, iirc you can just enter your old one and it gets accepted as new.

  3. #18
    Join Date
    Jan 2011
    Posts
    1
    Thanks
    2
    Thanked 1 Time in 1 Post
    EP Points
    5

    Default

    Just checked my password, It was in KeePass and 30 characters long.


    Quote Originally Posted by Return of Dill View Post
    Users(especially admins) changing passwords regularly is standard 'best practices' to thwart unknown breaches(which I'm sure the admins here are aware of since password changes for everyone regularly is standard practice)
    The industry is slowly changing their viewpoint on this.
    It's much better to just have one difficult-to-crack password, instead of constantly changing it.
    The reason is because of people simply tacking a '1' to their old password, or forgetting them altogether.
    And if one's using a password manager with sufficiently strong password generator, any chance of getting a password cracked is close to 0. And even if an adversary does manages to crack it, it's only useful for one site.

    Otherwise a valid alternative is two factor authentication.

    Source
    http://people.scs.carleton.ca/~paulv...authorcopy.pdf
    Last edited by Jazzmarazz; 10th-June-2019 at 18:58. Reason: merged posts

  4. The Following User Says Thank You to ecko For This Useful Post:


  5. #19
    Join Date
    May 2019
    Location
    Key Largo, Florida
    Posts
    223
    Thanks
    27
    Thanked 26 Times in 21 Posts
    EP Points
    2500

    Default

    Quote Originally Posted by ecko View Post
    The industry is slowly changing their viewpoint on this.
    It's much better to just have one difficult-to-crack password, instead of constantly changing it.
    The reason is because of people simply tacking a '1' to their old password, or forgetting them altogether.
    And if one's using a password manager with sufficiently strong password generator, any chance of getting a password cracked is close to 0. And even if an adversary does manages to crack it, it's only useful for one site.

    Otherwise a valid alternative is two factor authentication.

    Source
    http://people.scs.carleton.ca/~paulv...authorcopy.pdf
    I meant to change hard to crack passwords in case there is an existing unknown breach. An ounce of prevention is worth a pound of cure.

  6. #20
    Join Date
    Mar 2017
    Posts
    22
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by WorkNoFun View Post
    One thing I suggest is to make it unable for people to reuse their old passwords during these forced yearly/bi-yearly changes, iirc you can just enter your old one and it gets accepted as new.
    That would require holding onto hashes of old passwords. Probably not the brightest idea in the event of a data breach.

  7. #21
    Join Date
    Mar 2001
    Location
    India
    Posts
    7,476
    Thanks
    32
    Thanked 281 Times in 122 Posts
    EP Points
    770

    Default

    There was a public announcement on the forums that was visible for several months. This is what it said in general:

    Recently our forum suffered a data breach. Our preliminary investigation reveals that user data may have been compromised. This includes email addresses, encrypted passwords, and profile information. We have taken immediate security measures to prevent such breaches in the future.

    In addition, we have reset all user passwords because of this incident. Please note that if you used the same password on EPForums and on another site in combination with your username or email address, we strongly recommend that you change your passwords on the other websites immediately.
    The announcement expired after a few months that's why it's no longer visible. We had taken action back then and it seems like the news reports are trying to make it look like we hid it from our users or something. We had a full security audit back then.

  8. #22
    Join Date
    Mar 2017
    Posts
    22
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by MasJ View Post
    There was a public announcement on the forums that was visible for several months.
    You're telling me there is no surviving copy of this public announcement on the internet?

    https://www.google.com/search?q="Rec...+compromised."

  9. #23
    Join Date
    Jun 2009
    Posts
    17,696
    Thanks
    608
    Thanked 1,205 Times in 741 Posts
    EP Points
    7710

    Default

    Google

    Spoiler warning:

  10. #24
    Join Date
    Jun 2002
    Location
    Wall Sconce
    Posts
    18,775
    Thanks
    352
    Thanked 12,453 Times in 1,097 Posts
    EP Points
    45060

    Default

    Quote Originally Posted by iambreakingthelaw View Post
    You're telling me there is no surviving copy of this public announcement on the internet?

    https://www.google.com/search?q="Rec...+compromised."
    I'm sure you can find something with some internet cache. But vBulletin announcements expire. That's why you don't see anything here.
    *PSA* Wii Redump collector's can now unscrub ISO files. So scrubbed games can now be verified. You can find the program to do this here

  11. #25
    Join Date
    Mar 2001
    Location
    India
    Posts
    7,476
    Thanks
    32
    Thanked 281 Times in 122 Posts
    EP Points
    770

    Default

    Quote Originally Posted by iambreakingthelaw View Post
    You're telling me there is no surviving copy of this public announcement on the internet?

    https://www.google.com/search?q="Rec...+compromised."
    It's not our responsibility to ensure that announcements are cached by 3rd party services. If you look at this archive.org cache from July 2018, you'll see the message at the top talks about a data breach and links to an announcement:

    https://web.archive.org/web/20180708....epforums.org/

    vBulletin expires announcements automatically and maybe has settings to prevent caching by services, I really don't know.

  12. #26
    Join Date
    May 2002
    Location
    Sesame Street. In your cookies jar ^_^
    Posts
    36,075
    Thanks
    1,331
    Thanked 1,154 Times in 540 Posts
    EP Points
    2280

    Default

    Quote Originally Posted by MasJ View Post
    There was a public announcement on the forums that was visible for several months. This is what it said in general:



    The announcement expired after a few months that's why it's no longer visible. We had taken action back then and it seems like the news reports are trying to make it look like we hid it from our users or something. We had a full security audit back then.
    I stand corrected, I went to our internal discussion on the matter and I've checked the panel to find out the original announcement, available from April 28th to July 1st 2018, is still there. It read as follows:

    Recently our forum suffered a data breach. Our preliminary investigation reveals that user data may have been compromised. This includes email addresses, encrypted passwords, and profile information. We have taken immediate security measures to prevent such breaches in the future.

    In addition, we have reset all user passwords because of this incident. Please note that if you used the same password on EPForums and on another site in combination with your username or email address, we strongly recommend that you change your passwords on the other websites immediately.

    To re-gain access to your account you will have to go through the Reset Password procedure. The instructions to reset your password are below:


    Navigate to the password reset page
    Enter your email address, this is the email address you signed up with for your EPForums/EmuParadise account
    You will receive an email with a password reset link
    Once you click the link you will receive an email with your new password
    Login to EPForums with your new password
    You should then update your password. Please choose a strong and unique password to safeguard your account.


    If you have trouble with any of the steps outlined above, please email [email protected]. We will be happy to assist you.
    As I already said, old news.

Similar Threads

  1. Replies: 0
    Last Post: 25th-February-2018, 21:21
  2. Replies: 5
    Last Post: 25th-July-2014, 21:37
  3. Program needed to make a data base for ringtones
    By Eagle_Eye16 in forum Free 4 All
    Replies: 18
    Last Post: 19th-April-2002, 18:38
  4. Is this possible?
    By MetroNime in forum ROM & ISO Requests
    Replies: 2
    Last Post: 10th-March-2002, 19:53
  5. Is it possible to emulate majoras mask?
    By daveangel in forum ROM & ISO Requests
    Replies: 3
    Last Post: 14th-July-2001, 16:11

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
About Us

We are the oldest retro gaming forum on the internet. The goal of our community is the complete preservation of all retro video games. Started in 2001 as EmuParadise Forums, our community has grown over the past 18 years into one of the biggest gaming platforms on the internet.

Social