What you need to know about the recent compromise here

theRadAleks
This is my homepage
Posts: 198
Joined: Wed Feb 19, 2014 6:07 pm
Location: Dallas, TX

Re: What you need to know about the recent compromise here

Post by theRadAleks » Sat Aug 01, 2015 1:32 pm

ZacharyS wrote:Seems to me that they (nfo) did everything they could and as has been said in other posts - it's refreshing to be kept informed, not something that the majority of other companies would do I'm sure :wink:

Keep up the good work!

Zac. :D
Yeah I'm pretty sure most other GSPs would not have even mentioned a security breach, and just played it off like nothing happened. I'm impressed with how professionally NFO handled the situation :)

QOOOOOOOOQ
A regular
Posts: 35
Joined: Wed Nov 20, 2013 11:50 pm

Re: What you need to know about the recent compromise here

Post by QOOOOOOOOQ » Sat Aug 01, 2015 3:10 pm

Very nice counter, glad to know even more security will be provided in the future. :) I've heard of phpBB being a relatively common target as of the last decade or so, either because of its somewhat common vulnerabilities or widespread use. I hope phpBB security is improved upon. xP

Rone
A regular
Posts: 40
Joined: Fri Oct 10, 2014 12:28 pm

Re: What you need to know about the recent compromise here

Post by Rone » Sat Aug 01, 2015 3:35 pm

A 'scramble all passwords' button would be a pretty neat feature.

eckospider
New to forums
Posts: 3
Joined: Sat Aug 01, 2015 7:08 am

Re: What you need to know about the recent compromise here

Post by eckospider » Sat Aug 01, 2015 4:43 pm

When they spoke about third-party websites, did they mean all websites that use cookies? Because to me, I don't understand how they would have my login info for those websites. If I am wrong then correct me please; if I am right then tell me why this service needs those cookies?

Mattwalton122
New to forums
Posts: 1
Joined: Sat Aug 01, 2015 5:21 pm

Re: What you need to know about the recent compromise here

Post by Mattwalton122 » Sat Aug 01, 2015 5:24 pm

Regarding the plain text passwords in the panel. Surely you could use symmetric key encryption using a hash of the user's password to encrypt them, then require the user to input their password to either decrypt them in the browser using JavaScript, or decrypting them on the web server as a fallback for older browsers but never storing the key.
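
An added example (not part of the original post, and not NFO's code) of the scheme described above: each stored secret is encrypted with AES-256-GCM under a key derived from the user's login password, and only the salt, IV, ciphertext and tag are kept. It uses scrypt rather than a plain hash for key derivation; the function names, the field label and the scrypt parameters are assumptions.

```javascript
const crypto = require('crypto');

const SCRYPT = { N: 16384, r: 8, p: 1 }; // assumed cost parameters
const b64 = (buf) => buf.toString('base64');
const raw = (s) => Buffer.from(s, 'base64');

// Derive a 256-bit key from the login password; the key is never stored.
function deriveKey(loginPassword, salt) {
  return crypto.scryptSync(loginPassword, salt, 32, SCRYPT);
}

// Encrypt one stored secret. `label` (e.g. a field name) is bound as AAD
// so a ciphertext cannot be moved to a different field unnoticed.
function sealSecret(loginPassword, label, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(loginPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(label, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { label, salt: b64(salt), iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Decrypt with the password the user just typed. Returns null when the
// password is wrong or the record was altered (the GCM tag check fails).
function openSecret(loginPassword, record) {
  const key = deriveKey(loginPassword, raw(record.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw(record.iv));
  decipher.setAAD(Buffer.from(record.label, 'utf8'));
  decipher.setAuthTag(raw(record.tag));
  try {
    return Buffer.concat([decipher.update(raw(record.ct)), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample values, not real credentials.
const record = sealSecret('correct horse battery', 'rcon_password', 's3cret-rcon');
console.log(openSecret('correct horse battery', record)); // s3cret-rcon
console.log(openSecret('wrong guess', record));           // null
```

Because the key exists only while the user's password is in hand, a password change has to re-encrypt every record, and a password reset without the old password leaves the records unrecoverable.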

kraze
Staff
Posts: 4359
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: What you need to know about the recent compromise here

Post by kraze » Sat Aug 01, 2015 5:27 pm

eckospider wrote:When they spoke about third-party websites, did they mean all websites that use cookies? Because to me, I don't understand how they would have my login info for those websites. If I am wrong then correct me please; if I am right then tell me why this service needs those cookies?
What we mean here is that any passwords used on third-party sites (Facebook/Gmail, etc.) that were also used here should be changed immediately.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!

Joykiller
New to forums
Posts: 4
Joined: Wed Jul 29, 2015 9:43 pm

Re: What you need to know about the recent compromise here

Post by Joykiller » Sat Aug 01, 2015 6:33 pm

kraze wrote:
eckospider wrote:When they spoke about third-party websites, did they mean all websites that use cookies? Because to me, I don't understand how they would have my login info for those websites. If I am wrong then correct me please; if I am right then tell me why this service needs those cookies?
What we mean here is that any passwords used on third-party sites (Facebook/Gmail, etc.) that were also used here should be changed immediately.
If admins that are getting hosting here are using universal passwords, you deserve to be hijacked. Just to be taught a lesson on what NOT to do.

Thanks for the update Kraze.

eckospider
New to forums
Posts: 3
Joined: Sat Aug 01, 2015 7:08 am

Re: What you need to know about the recent compromise here

Post by eckospider » Sat Aug 01, 2015 7:21 pm

kraze wrote:
eckospider wrote:When they spoke about third-party websites, did they mean all websites that use cookies? Because to me, I don't understand how they would have my login info for those websites. If I am wrong then correct me please; if I am right then tell me why this service needs those cookies?
What we mean here is that any passwords used on third-party sites (Facebook/Gmail, etc.) that were also used here should be changed immediately.
Oh OK, I was thinking of something else. Thank you for the reassurance; I was simply misunderstanding it from a different point. Thank you.

ZacharyS
A semi-regular
Posts: 26
Joined: Fri Oct 10, 2014 6:32 pm
Location: Somewhere off the South Coast - UK

Re: What you need to know about the recent compromise here

Post by ZacharyS » Sun Aug 02, 2015 7:00 am

I think I probably don't have sufficient posts to use the pm system on here - but I know of a very good password program, but I'm not sure if I'm allowed to post the link? maybe someone could tell me if I'm allowed to do that as I can't pm anyone to ask them :wink:

I use the program so that I don't repeat any passwords on ANY site.

Thanks.

Zac. :D

rustydusty1717
This is my homepage
Posts: 629
Joined: Sun Sep 20, 2009 6:15 pm

Re: What you need to know about the recent compromise here

Post by rustydusty1717 » Sun Aug 02, 2015 8:07 am

Lots of password generators to be found on Google.

rymax99
This is my homepage
Posts: 142
Joined: Sun Feb 02, 2014 2:08 pm
Location: Florida

Re: What you need to know about the recent compromise here

Post by rymax99 » Sun Aug 02, 2015 11:41 am

ZacharyS wrote:I think I probably don't have sufficient posts to use the pm system on here - but I know of a very good password program, but I'm not sure if I'm allowed to post the link? maybe someone could tell me if I'm allowed to do that as I can't pm anyone to ask them :wink:

I use the program so that I don't repeat any passwords on ANY site.

Thanks.

Zac. :D
I don't believe there's any problem with mentioning a name or link. I personally use KeePass to keep track of my passwords.
I believe the PM system is disabled to avoid users PMing people privately for help, since that kind of takes away what the community forums are for.

ZacharyS
A semi-regular
Posts: 26
Joined: Fri Oct 10, 2014 6:32 pm
Location: Somewhere off the South Coast - UK

Re: What you need to know about the recent compromise here

Post by ZacharyS » Mon Aug 03, 2015 1:35 am

rymax99 wrote:I don't believe there's any problem with mentioning a name or link. I personally use KeePass to keep track of my passwords.
I believe the PM system is disabled to avoid users PMing people private for help, since that kind of takes away what the community forums are for.
Yup that's the program I use 8) I've been using it for about 2 years now. And that's totally understandable about the pm stuff. Thanks for the reply.

Zac. :D

Paronity
A semi-regular
Posts: 23
Joined: Sat Mar 03, 2012 9:46 pm
Location: WV, USA

Re: What you need to know about the recent compromise here

Post by Paronity » Mon Aug 03, 2015 9:56 am

Security issues and attacks can happen to any company, no matter how big or small. Many of us can sit here and tell them what they did wrong and bitch about it, but it's not what you let happen that controls how people feel about it, it's what you do about it AFTER it happens. You guys have shown an amazing amount of transparency with this issue as well as taking control of your actions and admitting that you could have done things to prevent this from happening as well as detailing, as much as you could, what information was or could have been leaked.

This is why we do, and always will, use NFO when we can. Thanks for all the details guys! Very well handled.
Creator of Paronicon and ARMAcon

jazz albert
New to forums
Posts: 2
Joined: Tue Oct 25, 2016 3:07 pm

Re: What you need to know about the recent compromise here

Post by jazz albert » Tue Oct 25, 2016 3:11 pm

ZacharyS wrote:Seems to me that they (nfo) did everything they could and as has been said in other posts - it's refreshing to be kept informed, not something that the majority of other companies would do I'm sure :wink:

Keep up the good work!

Zac. :D
Indeed it is!

stickz
This is my homepage
Posts: 173
Joined: Tue Apr 30, 2013 11:06 am

Re: What you need to know about the recent compromise here

Post by stickz » Fri Oct 28, 2016 4:40 pm

Small companies like NFO are more susceptible to attacks like these. They often have less money to spend on R&D for things like security audits.

I can think of one bad exploit off the top of my head that can compromise the security of your NFO account. The email address for coffer services matches your login email. If you pass this out to receive donations, a hacker will have this info. It may be easier to request a password reset after they've successfully compromised your email.
