
Thread: Hacked?


  1. #21
    The original Skolor and Gentileman. gugi's Avatar
    Join Date
    Aug 2007
    Posts
    17,410
    Thanked: 3906
    Blog Entries
    1


    Quote: Originally posted by DarthLord
    On a side note; this may actually be part of something more serious than many of you realize. Sure, we're just a straight razor discussion forum. Small fries, right?
    Thing is, most people (even we IT folk that supposedly know better) reuse passwords.

    The passwords are stored encrypted with salts, so they are not accessible by hacking into an account. The database where the encrypted values are stored is also not accessible through the exploit they used to replace the homepage.

    The passwords and the salts were accessible on any forum that used Tapatalk last year for several months. I patched it on SRP within hours of that buggy version and verified nobody had tried to access the leaked data, but Tapatalk didn't fix it for a long time, so many other forums were exposed without ever realizing it. Still, unencrypting passwords isn't that easy and takes resources.

    The login attempts that have increased in the past few months are completely different - they are probing for weak passwords by brute force. We block these after 5 unsuccessful attempts and send notification. It happens on every forum where the login names are publicly visible from the posts, except that most forums chose not to send notification to their members, and if they do the block, they do it silently.
    We send the email notification because it's an enhancement of the security - few people have emailed us back that they have updated their password as a result, which is a good thing.
    Phrank likes this.

  2. The Following 2 Users Say Thank You to gugi For This Useful Post:

    Henrico (04-30-2015), outback (05-11-2015)
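
The block-after-5-failures-and-notify behaviour described in the post above, as an added example that is not part of the thread or of the forum's software. Only the threshold of 5 comes from the post; the 15-minute counting window, the 15-minute block duration, and every name in the code are assumptions.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5           # threshold stated in the post
WINDOW_SECONDS = 15 * 60   # assumption: failures older than this are not counted
LOCK_SECONDS = 15 * 60     # assumption: the post gives no block duration


class LoginThrottle:
    """Per-account failed-login counter with a temporary block and one notice."""

    def __init__(self, notify, clock=time.time):
        self._failures = defaultdict(list)   # account -> failure timestamps
        self._locked_until = {}              # account -> unblock time
        self._notify = notify                # callable(account, source_ip, count)
        self._clock = clock                  # injectable so tests can fake time

    def is_blocked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Block expired: clear state so the account starts from zero.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, source_ip):
        """Register a bad password; return True if the account is now blocked."""
        if self.is_blocked(account):
            return True                      # already blocked: no second notice
        now = self._clock()
        recent = [t for t in self._failures[account] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCK_SECONDS
            # Tell the account owner once, at the moment the block starts.
            self._notify(account, source_ip, len(recent))
            return True
        return False

    def record_success(self, account):
        # A correct login resets the counter for that account.
        self._failures.pop(account, None)
```

Because the counter only looks at a sliding window, guesses spaced further apart than the window never trigger the block, so this control complements strong passwords rather than replacing them.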
