Thread: Sunday Killin'
-
01-24-09, 09:31 PM #51
I un-approved the thread for now, as I think we are safe.
It seems the hacker was employing some sort of a script to brute force accounts with easy email passwords. The thing is, he is only targeting pre-2004 forum accounts. That makes sense, as old Steam accounts often used the email as the login username. The hacker could then match the forum account email address to Steam accounts with the forum account password - if both match up, bingo.
Since these forums are relatively new, that should not be an issue as the Steam login username is not the email address anymore.
I just took the thread out of public viewing for the moment; we don't want to give the impression that accounts here may be vulnerable. Alan may choose to post up some announcement tomorrow.
For now, I think our best bet is to just monitor things and keep an eye out for any suspicious activity.
Just some further information, the script that was used targeted the vB Member's List - and when it was disabled they instantly ended the attack.
It makes sense, as the list displays join dates.
-
-
01-25-09, 01:29 AM #53
Hmmmm, let me get this straight (and bear in mind it's 7.30am and I've not slept yet), so they were brute forcing passwords on the forum, and then, having gained access to the forum account, they use the email address that account is registered to as the login name, and the forum password as the Steam password?
If that's the case, then the problem here is that the Steam username is often proudly on display here anyway, so it doesn't need the email address, and anyone stupid enough to have the same password for the forum as their Steam account would be royally fucked.
-
01-25-09, 04:27 AM #54
No, because passwords are not stored anywhere on the forums in a readable format. They are stored in the MySQL database using a complex encryption system. I can't see what your password is by viewing the database. As long as you keep it pretty random you're safe.
-
01-25-09, 08:03 AM #55
-
01-25-09, 08:11 AM #56
The latest version of vB (the one we're using) has a nifty password strength feature. I run it once a month. It searches the database and generates an email to anyone who uses something like 'password' or their user name as their password. The email tells them they have a new password and it is a random sequence of numbers.
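Editor's added example, not part of post #56 and not vBulletin's own code: a sketch of how a weak-password audit like the one described can work when only salted hashes are stored, by hashing a short list of guesses per account and comparing. The hash scheme (PBKDF2-HMAC-SHA256), the field names, the word list and the sample accounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # assumption: the thread never states the forum's real hash scheme or cost


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; PBKDF2 stands in for whatever the forum software uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def candidates(username: str, email: str, common: list[str]) -> list[str]:
    """Guesses to try per account: common words first, then values derived from the account."""
    local = email.split("@", 1)[0]
    derived = [username, username.lower(), username[::-1], local,
               username + "1", username + "123"]
    seen, out = set(), []
    for guess in common + derived:
        if guess and guess not in seen:
            seen.add(guess)
            out.append(guess)
    return out


def audit(users: list[dict], common: list[str]) -> list[tuple[str, str]]:
    """Return (username, reason) per weak account; the matching guess is never reported."""
    flagged = []
    for u in users:
        for guess in candidates(u["username"], u["email"], common):
            if hmac.compare_digest(hash_password(guess, u["salt"]), u["hash"]):
                reason = "common password" if guess in common else "derived from account name"
                flagged.append((u["username"], reason))
                break  # one hit is enough to force a reset
    return flagged


def make_user(username: str, email: str, password: str) -> dict:
    """Build a constructed database row holding only the salt and the hash."""
    salt = os.urandom(16)
    return {"username": username, "email": email, "salt": salt,
            "hash": hash_password(password, salt)}


COMMON = ["password", "123456", "qwerty", "letmein"]  # constructed word list
SAMPLE_USERS = [  # constructed accounts, not real forum data
    make_user("alice", "alice@example.com", "password"),
    make_user("bob", "robert@example.com", "bob"),
    make_user("carol", "carol@example.com", "T7#mq-constructed-strong-Lx9"),
    make_user("dave", "dave.k@example.com", "dave.k"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_USERS, COMMON):
        print(f"{name}: force reset ({reason})")
```

Because every guess has to be re-hashed with each account's own salt, the cost of the audit grows with accounts times guesses, which is why it only covers a short list of obvious choices.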
-
01-25-09, 08:24 AM #57
-
-
01-25-09, 08:35 AM #59
-
01-25-09, 08:41 AM #60
Happy to help.
In reality, they should probably just hand the forums over to me.