Heartbleed fun at AATG
HairyArse
Kalel - I can't tell you what your password is as they're encrypted in the database. I can change it for you but you can do that yourself.
#31 at 17:44:10 - 11/07/2014
dirtbox
kalel said: We can have an inquisition later, but for now can you just clarify if my password to this site is posted on a Russian forum? And if so, can you tell me what password it is Hairy? I've changed it in the last two years so have no way of knowing, and I can't work out how to see what my password is on the site.


It's hashed and salted, but it's out there for anyone with a will to use. However, it's really up to you to keep track of what you've used where and when. Sucky as that answer is.
#32 at 17:45:13 - 11/07/2014
nekotcha
Cheers for flagging this up, fortunately in my case it was an old password that I haven't used anywhere else for several years (I'm trying to move towards having different passwords for everything but my ageing brain isn't taking well to it).
#33 at 17:52:11 - 11/07/2014
kalel
Fair enough.
#34 at 18:04:44 - 11/07/2014
HairyArse
I'm sure I already did this when it first came to my attention but I've done it again just in case - Emails sent to all users in my database.

Obviously I take this extremely seriously and am doing all I can in my power to address it. If anyone has any advice on how best to deal with this then I'd prefer to hear that than any recriminations and finger-pointing.

I can only apologise for this compromise and just hope that no-one has suffered any adverse effects as a result.
#35 at 18:21:44 - 11/07/2014
Micro_Explosion
HairyArse said: I'm saying I caught wind of this ages ago and immediately changed internet hosts, database servers, usernames and passwords and I'm pretty certain I sent an email to all email addresses in the AATG database advising people to change their passwords.


For future reference, if you're concerned enough to make those sorts of changes then you should let people know they need to change their passwords on other sites if they use the same one. Bit late for that 2 years later really but that's not going to change.

No sign of any email in the past so you might have forgotten to do that. Not much more you can do now.
#36 at 18:31:33 - 11/07/2014
dirtbox
HairyArse said: If anyone has any advice on how best to deal with this then I'd prefer to hear that than any recriminations and finger-pointing.


There's nothing left to be done, as far as I know everyone's data is at least a little more secure than it was previously on this site and now you've finally let everyone know it shouldn't be an issue.

If this ever happens again, don't wait until someone stumbles across the extent of it years later by chance. That is seriously not cool.

Anyway, that aside, I still love the site, so don't give it up.
#37 at 18:40:08 - 11/07/2014
dirtbox
kentmonkey wrote:
Can someone who is logged in to AATG advise Rich that the password reminder function is not working, so I can't actually log in to change my password at all as I can't remember it.

#38 at 19:04:10 - 11/07/2014
Gremmi
To be wholly fair to Hairy, I do vaguely remember some sort of "database may have been compromised" email from a few years ago, though I didn't pay much attention to it as I rarely visited here and use unique passwords.
#39 at 19:06:54 - 11/07/2014
dirtbox
I don't remember that, nor have that email and I'm not in the habit of deleting anything; I still have 419 scams and spam from the beginning of time.
#40 at 19:34:48 - 11/07/2014
DMorgan
Just as well I use a unique password on here.

Still, it's a shame. I certainly don't think for one moment that Rich wilfully neglected to mention this exploit.
#41 at 20:15:45 - 11/07/2014
HairyArse
Gremmi said: To be wholly fair to Hairy, I do vaguely remember some sort of "database may have been compromised" email from a few years ago, though I didn't pay much attention to it as I rarely visited here and use unique passwords.


I'm 99% sure I did it because I remember having to sort through the cluster-fuck of invalid email addresses, but I can't find any evidence of it. Though that could be because I recently had to delete thousands of emails because my Gmail inbox was full.

Again, I feel terrible about it, but honestly don't know what else I can do.
#42 at 20:24:18 - 11/07/2014
HairyArse
dirtbox said:
kentmonkey wrote:
Can someone who is logged in to AATG advise Rich that the password reminder function is not working, so I can't actually log in to change my password at all as I can't remember it.



I'm confused by this. In what way is it not working? I just reset my password and it worked just fine. Can anyone else confirm the same?
#43 at 20:36:25 - 11/07/2014
dirtbox
I don't have a problem with the password reset either.

As for the email bounces, sounds like your mailing list was broken in some way, especially as only one person out of however many recalls seeing it.
#44 at 21:32:03 - 11/07/2014
HairyArse
Well it wasn't so much a mailing list as it was a column of email addresses from Excel pasted into the BCC field. :)
#45 at 21:34:27 - 11/07/2014
Kay
Haven't popped in for days and just saw this. I'm not sure if I can remember what my password is, and in any case I'm 99% sure I haven't used the same password anywhere else.

Don't remember ever receiving an email from Hairy either...
#46 at 10:17:17 - 14/07/2014
Lutzie
In yesteryear I used to have 1 password for all internet accounts/forums etc.

About 18 months ago I changed them all, so that each internet site login has its own password. That is, all of the important ones (i.e., related to money).

There's a fair chance some obscure forums that I've used still have the same password. No bother really.

Yesterday I changed my AATG password from the old "used everywhere" one to another, new unique password.

However Mike Hunt has just texted me saying my email account has been sending out spam. Now, AFAIK, my gmail account isn't. It has a different password too and always has (completely different, not even close). However it is the account that I registered here at AATG.

Related?

I can't see any evidence to suggest that my gmail account has been hacked; how could I tell? I still have full access to my email, drive etc and everything looks normal.

Ideas?

Edit: Ignore the Mike thing. Case of wrong user! :D

#47 at 14:14:06 - 15/07/2014
Bremenacht
Could AATG be used as a source for spoofing? I don't know if spoofing is used the same way these days.
#48 at 17:33:52 - 16/07/2014
mal
Email spoofing is still the same old - just change the value in the From field and send it using a server which doesn't check that (and not many do that I know of). Useful if you're mass-mailing since then the bounces don't fill your mailbox, and I guess spammers also want to look as much like legit emailers as possible, so they use a real email address.

No hacking required, basically.
#49 at 01:39:27 - 18/07/2014
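A defender-side check for the spoofing mal describes above, added here as an example and not part of the thread: it reads a message's From header and its Return-Path (the envelope sender, which is where bounces go and which the spammer keeps separate from the forged From) and flags messages where the two domains do not align, which is the same alignment test DMARC relies on. Both messages are constructed samples; the check is strict (exact domain match) and does not apply DMARC's relaxed organisational-domain rule.

```python
import email
from email.utils import parseaddr

# Constructed sample: a legitimate message, From and Return-Path share a domain.
SAMPLE_LEGIT = b"""Return-Path: <news@example.org>
From: AATG News <news@example.org>
To: member@example.net
Subject: constructed sample (aligned)

Hello.
"""

# Constructed sample: the From header carries a real member's address while the
# envelope sender points at an unrelated bulk mailer, so bounces never reach
# the person being impersonated.
SAMPLE_SPOOFED = b"""Return-Path: <bounce-7f3@bulkmailer.example>
From: "Kay" <kay@example.net>
To: member@example.net
Subject: constructed sample (misaligned)

Click here.
"""


def addr_domain(header_value):
    """Return the lower-cased domain of an RFC 5322 address header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def check_from_alignment(raw_message):
    """Compare the From domain with the Return-Path domain of one raw message.

    Returns a dict with both domains and an 'aligned' flag; a missing or
    malformed Return-Path counts as misaligned, since the envelope sender
    cannot be tied back to the displayed From address.
    """
    msg = email.message_from_bytes(raw_message)
    from_domain = addr_domain(msg.get("From"))
    envelope_domain = addr_domain(msg.get("Return-Path"))
    aligned = from_domain is not None and from_domain == envelope_domain
    return {"from": from_domain, "return_path": envelope_domain, "aligned": aligned}
```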
Rodpad
Seeing that the site was hacked from a Russian source, and 5 million gmail accounts with passwords were leaked by a Russian website today, you might want to see if your account was on the leaked list here - https://isleaked.com/en
#50 at 12:10:48 - 11/09/2014