ZacharyS wrote:Seems to me that they (nfo) did everything they could and as has been said in other posts - it's refreshing to be kept informed, not something that the majority of other companies would do I'm sure
Keep up the good work!
Zac.
Yeah, I'm pretty sure most other GSPs would not have even mentioned a security breach, and just played it off like nothing happened. I'm impressed with how professionally NFO handled the situation.
Very nice counter, glad to know even more security will be provided in the future. I've heard of phpBB being a relatively common target as of the last decade or so, either because of its somewhat common vulnerabilities or widespread use. I hope phpBB security is improved upon. xP
When they spoke about third-party websites, did they mean all websites that use cookies? Because to me, I don't understand how they would have my login info for those websites. If I am wrong then correct me please; if I am right then tell me why this service needs those cookies?
Regarding the plain text passwords in the panel. Surely you could use symmetric key encryption using a hash of the user's password to encrypt them, then require the user to input their password to either decrypt them in the browser using JavaScript, or decrypt them on the web server as a fallback for older browsers, but never storing the key.
eckospider wrote:When they spoke about third-party websites, did they mean all websites that use cookies? Because to me, I don't understand how they would have my login info for those websites. If I am wrong then correct me please; if I am right then tell me why this service needs those cookies?
What we mean here is that any passwords used on third-party sites (Facebook/Gmail, etc.) that were also used here should be changed immediately.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
eckospider wrote:When they spoke about third-party websites, did they mean all websites that use cookies? Because to me, I don't understand how they would have my login info for those websites. If I am wrong then correct me please; if I am right then tell me why this service needs those cookies?
What we mean here is that any passwords used on third-party sites (Facebook/Gmail, etc.) that were also used here should be changed immediately.
If admins that are getting hosting here are using universal passwords, you deserve to be hijacked. Just to be taught a lesson on what NOT to do.
eckospider wrote:When they spoke about third-party websites, did they mean all websites that use cookies? Because to me, I don't understand how they would have my login info for those websites. If I am wrong then correct me please; if I am right then tell me why this service needs those cookies?
What we mean here is that any passwords used on third-party sites (Facebook/Gmail, etc.) that were also used here should be changed immediately.
Oh OK, I was thinking of something else. Thank you for the reassurance; I was simply misunderstanding it from a different point. Thank you.
I think I probably don't have sufficient posts to use the pm system on here - but I know of a very good password program, but I'm not sure if I'm allowed to post the link? maybe someone could tell me if I'm allowed to do that as I can't pm anyone to ask them
I use the program so that I don't repeat any passwords on ANY site.
ZacharyS wrote:I think I probably don't have sufficient posts to use the pm system on here - but I know of a very good password program, but I'm not sure if I'm allowed to post the link? maybe someone could tell me if I'm allowed to do that as I can't pm anyone to ask them
I use the program so that I don't repeat any passwords on ANY site.
Thanks.
Zac.
I don't believe there's any problem with mentioning a name or link. I personally use KeePass to keep track of my passwords.
I believe the PM system is disabled to avoid users PMing people privately for help, since that kind of takes away what the community forums are for.
rymax99 wrote:I don't believe there's any problem with mentioning a name or link. I personally use KeePass to keep track of my passwords.
I believe the PM system is disabled to avoid users PMing people privately for help, since that kind of takes away what the community forums are for.
Yup, that's the program I use. I've been using it for about 2 years now. And that's totally understandable about the PM stuff. Thanks for the reply.
Security issues and attacks can happen to any company, no matter how big or small. Many of us can sit here and tell them what they did wrong and bitch about it, but it's not what you let happen that controls how people feel about it, it's what you do about it AFTER it happens. You guys have shown an amazing amount of transparency with this issue as well as taking control of your actions and admitting that you could have done things to prevent this from happening as well as detailing, as much as you could, what information was or could have been leaked.
This is why we do, and always will, use NFO when we can. Thanks for all the details guys! Very well handled.
ZacharyS wrote:Seems to me that they (nfo) did everything they could and as has been said in other posts - it's refreshing to be kept informed, not something that the majority of other companies would do I'm sure
Small companies like NFO are more susceptible to attacks like these. They often have less money to spend on R&D for things like security audits.
I can think of one bad exploit off the top of my head that can compromise the security of your NFO account. The email address for coffer services matches your login email. If you pass this out to receive donations, a hacker will have this info. It may be easier to request a password reset, after they've successfully compromised your email.