Change your passwords on other websites | An update on the Boards.ie Data Incident.

  • 23-04-2010 8:02am
    #1
    Closed Accounts Posts: 4,241 ✭✭✭


    Hi all,

    We'd like to remind all readers and members of Boards.ie to change their passwords on their other online accounts if they haven't already.

    For those who aren't aware, in January 2010 our database was attacked by a source external to Ireland and the part that contains member details was accessed. You can read a fuller report on this here: http://www.boards.ie/vbulletin/showthread.php?t=2055806686

    We once again would like to remind you that it is very important to check your other accounts online. We have already reset the passwords on all Boards.ie member accounts.

    Please note, we do not have any access to or note of your previous password - we can't tell you what that was unfortunately!


    If you used the same email address and password on any other website - Facebook, Bebo, Paypal, Google, gambling sites or any other online service - as you did on Boards.ie, please change that password.



    We are, of course, very sorry for the inconvenience this may cause people but it's better than having your personal data in the hands of people who might want to use it for their own gain.

    It's very good practice to have different passwords for different services. We understand that this may not be easy but your data is valuable and that's why we have worked hard to prevent anything like this happening with Boards.ie in the future.

    We'd like you to know:
    • The information accessed in the attack had no bank account/credit card details nor any postal address details.
    • It included your Boards.ie member account number, username, password, email address, IP address, last activity time, last post time and, if you had filled them in your Boards.ie profile details - your birthdate, icq address, yahoo ID etc.
    • We feel it safer to advise you to change your passwords though, to ensure people cannot access any of your other accounts where personal or financial data may be stored.
    • If you have already changed your Boards.ie password since January 21, 2010, you will not need to do anything about your membership here.
    • If you need to change your Boards.ie password, you can do so at http://www.boards.ie/changepassword
    • If you no longer have access to the email address you used to register with Boards.ie, please see this thread: http://www.boards.ie/vbulletin/showthread.php?t=2055811075
    • You can post any questions or feedback below or contact us at hello@boards.ie and we will endeavour to get back to you as soon as possible.
    Thanks for your continued support - your patience, help and understanding over the last 3 months have made the job a lot easier :)

    Darragh on behalf of the Boards.ie team.
    Post edited by Shield on



Comments

  • Registered Users, Registered Users 2 Posts: 207 ✭✭hobbit stomper


    Are the Passwords saved with MD5, SHA1 or SHA1 + Salt?

    EDIT:
    Let me rephrase, back in January, what hash was used to save the password in the SQL Database? And what hash are you using now?


  • Registered Users, Registered Users 2 Posts: 68 ✭✭LINGsCARS


    Were the passwords not encrypted? Storing plain text passwords is a massive breach of security and very bad practice.

    Can someone clarify?

    Ling


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    hobbit stomper wrote: »
    Are the Passwords saved with MD5, SHA1 or SHA1 + Salt?

    The method used is the standard vBulletin one:

    MD5($salt . MD5($password));

    The salt is in the same table as the hash though.
    LINGsCARS wrote: »
    Were the passwords not encrypted? Storing plain text passwords is a massive breach of security and very bad practice

    We do not and did not store plaintext passwords.


  • Registered Users, Registered Users 2 Posts: 68 ✭✭LINGsCARS


    Thanks for the clarification.

    Think it would have been better to explain that in the original notification email.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    LINGsCARS wrote: »
    Thanks for the clarification.

    Think it would have been better to explain that in the original notification email.

    TBH, it's only really of interest (and understandable) by a very small proportion of our users. Explaining those kinds of things in a general e-mail is usually a bad idea as it introduces more confusion than is necessary.


  • Registered Users, Registered Users 2 Posts: 207 ✭✭hobbit stomper


    Conor wrote: »
    The method used is the standard vBulletin one:

    MD5($salt . MD5($password));

    The salt is in the same table as the hash though.

    Cool at least something. Even if the salt is in the same table, it's still as good as impossible to read the password via rainbow tables.

    MD5 alone is almost useless nowadays thanks to all the rainbow tables. I actually had a 12 digit alpha-numerical password and I was shocked to find the hash on one of the rainbow table websites.

    Well, unless your password is 123456 it's almost impossible for the hacker to actually get to your password. So it's not that big of a deal. :)

    Next step: SHA1($salt . SHA1($password)); + separate table for salt.


  • Closed Accounts Posts: 35 woman


    I would like to do what you suggest and change the passwords on other sites, but my problem is I don't remember what password I had on boards.ie, I was permanently logged on and didn't write it down anywhere. Is there any way you could tell me what my original password was? thanks


  • Registered Users, Registered Users 2 Posts: 207 ✭✭hobbit stomper


    woman wrote: »
    I would like to do what you suggest and change the passwords on other sites, but my problem is I don't remember what password I had on boards.ie, I was permanently logged on and didn't write it down anywhere. Is there any way you could tell me what my original password was? thanks

    There is no way to tell you the original password since everything is hashed. Just use the lost password option and enter your E-Mail address. After verifying your E-Mail address a new password will be sent to you.


  • Registered Users, Registered Users 2 Posts: 68 ✭✭LINGsCARS


    Conor,

    But what you are now doing to avoid "confusion" is putting the fear of God into people like "woman" and giving advice on what people should do with their other passwords (on dozens of other sites), that, frankly is nothing to do with boards.ie.

    You are giving advice that everyone should have different passwords on every site, yet you don't think to explain the risk of the passwords here being decoded (very tiny I think).

    Woman actually makes a good point - if she doesn't know the password that is at a tiny risk of being compromised, how does she know which ones to change? Ah, so your advice is to change EVERY password she has? That is not really practical.

    In fact, it seems from your answer that the risk of anyone finding the passwords from the stolen database is very low (if not virtually nil).

    What you have done by avoiding "confusion" and not explaining the encryption... is removed the context of the stolen passwords making it hard for anyone to make a value judgement. Everyone will probably react to your notice and presume their password is out there for the world to see. Really, that is quite unlikely given your answer.

    You are giving partial advice. Nit.

    Ling


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    LINGsCARS wrote: »
    Conor,

    But what you are now doing to avoid "confusion" is putting the fear of God into people like "woman" and giving advice on what people should do with their other passwords (on dozens of other sites), that, frankly is nothing to do with boards.ie.

    You are giving advice that everyone should have different passwords on every site, yet you don't think to explain the risk of the passwords here being decoded (very tiny I think).

    Woman actually makes a good point - if she doesn't know the password that is at a tiny risk of being compromised, how does she know which ones to change? Ah, so your advice is to change EVERY password she has? That is not really practical.

    In fact, it seems from your answer that the risk of anyone finding the passwords from the stolen database is very low (if not virtually nil).

    What you have done by avoiding "confusion" and not explaining the encryption... is removed the context of the stolen passwords making it hard for anyone to make a value judgement. Everyone will probably react to your notice and presume their password is out there for the world to see. Really, that is quite unlikely given your answer.

    You are giving partial advice. Nit.

    Ling

    Hi there

    We have been working with the Computer Crime Unit of the Gardaí continuously since the incident and it is primarily on their advice that we are suggesting members change their passwords.

    Plus it's very good practice to have different passwords for different accounts.

    Thanks

    Darragh


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    hobbit stomper wrote: »
    Cool at least something. Even if the salt is in the same table, it's still as good as impossible to read the password via rainbow tables.

    MD5 alone is almost useless nowadays thanks to all the rainbow tables. I actually had a 12 digit alpha-numerical password and I was shocked to find the hash on one of the rainbow table websites.

    Well, unless your password is 123456 it's almost impossible for the hacker to actually get to your password. So it's not that big of a deal. :)

    Next step: SHA1($salt . SHA1($password)); + separate table for salt.

    Password cracking is fast enough these days that moving to SHA-1 will not give us enough of a boost to make it worth our while moving. I would consider moving to a bcrypt-based hashing scheme if I could turn up the work factor without having negative knock-on effects in the amount of CPU required.

    Moving the salt to a different table won't really win us much, since anyone with access to the table that the password is in will have access to the one with the salt in it.

    I would not rely on the salting to protect the password. It makes it harder to crack, not impossible. If your password is very, very strong it might not be worth cracking but most people have weak passwords which will be trivially crackable.
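
An added example, not part of the original thread and not Boards.ie's or vBulletin's code: one way to put a work factor on existing `md5(md5($password) . $salt)` rows without knowing any plaintext, by wrapping the stored hash in a slow KDF and re-hashing directly at the next successful login. PBKDF2 from Python's standard library stands in for bcrypt; the record layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 (standard library) stands in for bcrypt here;
# the iteration count plays the role of the work factor and is illustrative.
ITERATIONS = 200_000


def legacy_hash(password: str, salt: str) -> str:
    """vBulletin-style md5(md5($password) . $salt), as quoted in the thread."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def slow_hash(secret: str, kdf_salt: bytes, iterations: int) -> str:
    """Deliberately expensive hash: cost per guess scales with iterations."""
    return hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), kdf_salt, iterations
    ).hex()


def wrap_legacy(record: dict, iterations: int = ITERATIONS) -> dict:
    """Offline migration step that needs no plaintext.

    The stored MD5 hex digest becomes the input to the slow hash, so the
    fast hash is no longer what sits in the table.
    """
    kdf_salt = os.urandom(16)
    return {
        "scheme": "pbkdf2(legacy)",
        "legacy_salt": record["salt"],
        "kdf_salt": kdf_salt,
        "iterations": iterations,
        "hash": slow_hash(record["hash"], kdf_salt, iterations),
    }


def fresh_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Record for a password hashed directly with the slow scheme."""
    kdf_salt = os.urandom(16)
    return {
        "scheme": "pbkdf2",
        "kdf_salt": kdf_salt,
        "iterations": iterations,
        "hash": slow_hash(password, kdf_salt, iterations),
    }


def verify(record: dict, password: str) -> bool:
    """Check a login attempt against whichever scheme the row uses."""
    if record["scheme"] == "legacy":
        candidate = legacy_hash(password, record["salt"])
    elif record["scheme"] == "pbkdf2(legacy)":
        inner = legacy_hash(password, record["legacy_salt"])
        candidate = slow_hash(inner, record["kdf_salt"], record["iterations"])
    elif record["scheme"] == "pbkdf2":
        candidate = slow_hash(password, record["kdf_salt"], record["iterations"])
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login(table: dict, user: str, password: str) -> bool:
    """Verify, then drop the MD5 layer once the plaintext is briefly available."""
    record = table.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] != "pbkdf2":
        table[user] = fresh_record(password)
    return True


def demo() -> dict:
    # Constructed sample row; user name, salt and password are made up.
    table = {
        "alice": {
            "scheme": "legacy",
            "salt": "aB3",
            "hash": legacy_hash("correct horse", "aB3"),
        }
    }
    table["alice"] = wrap_legacy(table["alice"])
    scheme_after_wrap = table["alice"]["scheme"]
    wrong = login(table, "alice", "123456")
    right = login(table, "alice", "correct horse")
    return {
        "scheme_after_wrap": scheme_after_wrap,
        "wrong_password": wrong,
        "right_password": right,
        "scheme_after_login": table["alice"]["scheme"],
        "still_verifies": verify(table["alice"], "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The wrap step can run over the whole table at once, so no row is left protected only by MD5 while waiting for its owner to log in.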


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    LINGsCARS wrote: »
    yet you don't think to explain the risk of the passwords here being decoded (very tiny I think).

    The risk of passwords being decoded is not tiny. The only safe course of action is to presume that they have been.


  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    Conor wrote: »
    The salt is in the same table as the hash though.

    Making 'special' brownies, are we?


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    Tallon wrote: »
    Making 'special' brownies, are we?

    If I was thinking about a hash, I'd be much better off with hash rather than hash. :)


  • Registered Users, Registered Users 2 Posts: 207 ✭✭hobbit stomper


    No doubt about it, I would always suggest changing the password after an incident like this. But the original message sounds like the hacker has the password, just like that. Giving the impression that the passwords were stored in plain text, which just leads to a poor reputation for boards.ie security.

    Should the hacker actually focus on getting a password of one user, it still takes him days/weeks/months to crack it... depending on the salt and the password, and that would just be one user.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    hobbit stomper wrote: »
    No doubt about it, I would always suggest changing the password after an incident like this. But the original message sounds like the hacker has the password, just like that. Giving the impression that the passwords were stored in plain text, which just leads to a poor reputation for boards.ie security.

    Should the hacker actually focus on getting a password of one user, it still takes him days/weeks/months to crack it... depending on the salt and the password, and that would just be one user.

    The time to crack is much less than "days/weeks/months" per password. MD5 is fast.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    And that's before we consider that many users will be using easy to guess passwords.


  • Registered Users, Registered Users 2 Posts: 207 ✭✭hobbit stomper


    Conor wrote: »
    The time to crack is much less than "days/weeks/months" per password. MD5 is fast.

    Well it's the salt that makes a difference.

    About a year ago I tried cracking this MD5 salted hash:

    MD5 Hash: 67440a4fc2736f883108ae1c69dab0606222e0cb

    Password: admin
    Salt: F{gR[;1txF,Q;,2qyy£0.yHP(PVT@zeg$%IR?ZKc

    As you can see it's a VERY easy Password, but very complex salt. After scanning it through the biggest rainbow tables out there with zero luck and running an MD5 hash program for almost 3 weeks on my Intel Core 2 Duo 2.8GHz and creating a database almost 4GB big, it still couldn't find it.

    Maybe now using Graphics card processors and Public Rainbow tables with the size of 130GB it's possible to crack it in a short time.


  • Closed Accounts Posts: 88,968 ✭✭✭✭mike65


    Don't use Penis as it's not long enough....


  • Registered Users, Registered Users 2 Posts: 68,190 ✭✭✭✭seamus


    hobbit stomper wrote: »
    Maybe now using Graphics card processors and Public Rainbow tables with the size of 130GB it's possible to crack it in a short time.
    And botnets. Anyone with a few hundred machines at their disposal can sift through a ****load of data in very short order.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    hobbit stomper wrote: »
    Well it's the salt that makes a difference.

    Yep, and the default size of the vBulletin salt for many years was 3 characters. :(

    Still, if you have the salt, you don't need to guess it. That makes things a lot easier.


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    hobbit stomper wrote: »
    No doubt about it, I would always suggest changing the password after an incident like this. But the original message sounds like the hacker has the password, just like that. Giving the impression that the passwords were stored in plain text, which just leads to a poor reputation for boards.ie security.

    Should the hacker actually focus on getting a password of one user, it still takes him days/weeks/months to crack it... depending on the salt and the password, and that would just be one user.

    Can I just repeat, we were advised by the Computer Crime Unit to advise members to change their passwords?

    Thanks

    Darragh


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,287 Mod ✭✭✭✭Jonathan


    Conor wrote: »
    Yep, and the default size of the vBulletin salt for many years was 3 characters. :(

    Still, if you have the salt, you don't need to guess it. That makes things a lot easier.
    1) What size salt was used in the stolen data? Was it increased before or after the attack?

    2) What passwords and IP address were stolen? Only the most recent or were previously used ones stored too?


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    Jonathan wrote: »
    1) What size salt was used in the stolen data?

    3 characters, randomly chosen from a 93 character alphabet. Different for each user.
    Jonathan wrote: »
    Was it increased before or after the attack?

    It was increased in Jelsoft's update of vBulletin to 3.8.5 which arrived after the attack. Increasing the size of the salt is a fig leaf though, anyone with access to the hash has access to the salt (and there isn't a whole lot we can do about that). All it does is double the number of MD5 calls when cracking the password.
    Jonathan wrote: »
    2) What passwords and IP address were stolen? Only the most recent or were previously used ones stored too?

    The most recent password, hashed. [md5(md5($password) . $salt)]

    The IP used at registration.
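
An added example, not part of the original thread: what the per-user 3-character salt described above does and does not buy, shown as a weak-password audit over a constructed user table hashed with `md5(md5($password) . $salt)`. The contents of the 93-character alphabet, the user rows and the word list are assumptions made for the example.

```python
import hashlib
import secrets

# Assumption: the thread gives only the alphabet size (93); printable ASCII
# '!' (0x21) through '}' (0x7D) is used here to get 93 characters.
SALT_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7E))
SALT_LEN = 3


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """md5(md5($password) . $salt), the form quoted in the thread."""
    return md5_hex(md5_hex(password) + salt)


def new_salt() -> str:
    """Random per-user salt: SALT_LEN characters from SALT_ALPHABET."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))


def salt_space() -> int:
    """Number of distinct salts a precomputed table would have to cover."""
    return len(SALT_ALPHABET) ** SALT_LEN


def table_hits(users: dict, wordlist: list) -> set:
    """Users whose stored hash appears in one shared table of md5(word).

    This models a precomputed (rainbow-style) lookup that ignores the salt.
    """
    table = {md5_hex(word) for word in wordlist}
    return {name for name, (_salt, stored) in users.items() if stored in table}


def audit(users: dict, wordlist: list) -> tuple:
    """Weak-password audit of our own table, using each row's stored salt.

    Returns (flagged user names, MD5 calls made). Every candidate costs two
    MD5 calls per user because the salt is read from the row, never guessed.
    """
    flagged, calls = set(), 0
    for name, (salt, stored) in users.items():
        for word in wordlist:
            calls += 2
            if vb_hash(word, salt) == stored:
                flagged.add(name)
                break
    return flagged, calls


def demo() -> dict:
    # Constructed rows: user -> (salt, stored hash). All values are made up.
    users = {
        "alice": ("aB3", vb_hash("123456", "aB3")),
        "bob": ("k#2", vb_hash("123456", "k#2")),
        "carol": ("Zq7", vb_hash("vexed-Ocelot-91-harbour-Lantern", "Zq7")),
    }
    wordlist = ["password", "123456", "admin"]  # constructed common-password list
    flagged, calls = audit(users, wordlist)
    return {
        # Same password, different salt: the stored hashes differ.
        "same_password_same_hash": users["alice"][1] == users["bob"][1],
        # A single unsalted table matches nobody.
        "table_hits": table_hits(users, wordlist),
        # With the salt taken from the row, weak passwords are still flagged.
        "flagged": flagged,
        "md5_calls": calls,
        "salt_space": salt_space(),
    }


if __name__ == "__main__":
    print(demo())
```

The salt stops one table from covering every user; it does not raise the cost of testing a common password against a single row.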


  • Closed Accounts Posts: 1 johnscarff


    Ok so how do I delete my account without having to wait for it to become defunct over time.

    Seeing as I have clearly never used boards.ie and have only jumped on here today because of the security issue email.


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    johnscarff wrote: »
    Ok so how do I delete my account without having to wait for it to become defunct over time.

    Seeing as I have clearly never used boards.ie and have only jumped on here today because of the security issue email.

    Hi John

    To have your account closed please email hello@boards.ie with your username from the email address you registered with with your request and allow two working days for this to happen.

    Closing your account means we will scramble your password, remove any email subscriptions or notifications you may receive and turn off your Private Messages.

    You will receive one final confirmation email from us. You can then simply stop logging into your account or posting.

    Your email address plus any profile data that you have left on the system (links to your Facebook profile or twitter account for example) will be kept for a set period of time in accordance with the Data Protection Act - and then removed.

    I hope this helps

    Darragh


  • Closed Accounts Posts: 1 ray@obakk.com


    To throw another question into the mix, does this include past members accounts disabled for various reason by sys admins?

    As in, are they still part of the user list that was "possibly" captured but no longer receive updates from boards.ie as the account itself is disabled?


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    ray@obakk.com wrote: »
    To throw another question into the mix, does this include past members accounts disabled for various reason by sys admins?

    As in, are they still part of the user list that was "possibly" captured but no longer receive updates from boards.ie as the account itself is disabled?

    Yes, and they will be getting the PM anyway.


  • Registered Users, Registered Users 2 Posts: 1,341 ✭✭✭SPDUB


    Darragh wrote: »
    Can I just repeat, we were advised by the Computer Crime Unit to advise members to change their passwords?

    Except by automatically triggering a password change on day 1 of the incident you made that advice worthless for people who can't remember what their password was

    I'm 99% certain I didn't use my password on another website but I can't be certain because of the automatic change


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    SPDUB wrote: »
    Except by automatically triggering a password change on day 1 of the incident you made that advice worthless for people who can't remember what their password was

    I'm 99% certain I didn't use my password on another website but I can't be certain because of the automatic change

    Even if we didn't change your password we still couldn't help you with that, I'm afraid.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    IIRC the original change was also done on the advice of the CCU.

    It doesn't matter anyway as boards wouldn't have been able to send you your original password for you to be able to check it against other sites.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    aidan_walsh wrote: »
    IIRC the original change was also done on the advice of the CCU.

    We actually did that before getting in touch with the Gardai (IIRC - I could have the order of things mixed up, it was a very busy time for us) but I'm sure they would have suggested it.


  • Registered Users, Registered Users 2 Posts: 1,341 ✭✭✭SPDUB


    aidan_walsh wrote: »
    It doesn't matter anyway as boards wouldn't have been able to send you your original password for you to be able to check it against other sites.

    I was never asking you to do that

    More something along the lines of logging everyone out and making everyone log back on with a message to change their password

    Or change the visibility setting of the board so that people could only see a message that you were going to automatically change the password in 24 hours


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Changing the password now is the best way to go about it and remove any possibility that people are not going to try to manipulate the account. People who steal passwords don't sit on them for a long period of time, they act on them as soon as they can.


  • Registered Users, Registered Users 2 Posts: 1,341 ✭✭✭SPDUB


    aidan_walsh wrote: »
    Changing the password now is the best way to go about it and remove any possibility that people are not going to try to manipulate the account. People who steal passwords don't sit on them for a long period of time, they act on them as soon as they can.

    But your actions make it impossible for me to change passwords on other websites without potentially changing it to my former password on this site unless I go down the fiendishly complicated password route which I then have to store them somewhere because I forget them more easily

    And that makes that store of passwords a vulnerable spot for security then .


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    First of all, I didn't do anything. I just want to make clear I am speaking as a user of boards, not anyone related to any changes made.
    SPDUB wrote: »
    But your actions make it impossible for me to change passwords on other websites without potentially changing it to my former password on this site
    Again, unless you are going to be making multiple attempts to log into this site to find out what your password is there is nothing boards could do to show you what your past password could have been.
    SPDUB wrote: »
    unless I go down the fiendishly complicated password route which I then have to store them somewhere because I forget them more easily
    Do that. Do exactly that. Create long, highly random passwords and use a good program to store them. On my Mac I use 1Password to do just that. They have a Windows version in beta at the moment, or there are several good alternatives that have been on Windows for a while like Keepass. These programs should help you create a long strong password.
    SPDUB wrote: »
    And that makes that store of passwords a vulnerable spot for security then
    The storage of passwords is always a vulnerable spot because they are of interest to people with fewer scruples than you or me. And if ($DEITY forbid) anything were to happen to the storage location that these programs keep their passwords in they are pretty much useless because they are encrypted using algorithms that are multiple magnitudes harder to crack than the hashes available for storing passwords on the server.


  • Registered Users, Registered Users 2 Posts: 40 Gruver


    For what it's worth I appreciate that you've taken the time to outline the problem. I have two questions.

    1. Have you become aware of any incidents involving users data that can be directly attributable to the security breach?

    2. If you do become aware of any such incidents will you be sharing details of those incidents here?


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    Gruver wrote: »
    1. Have you become aware of any incidents involving users data that can be directly attributable to the security breach?

    There have been several suspected incidents, but none that I know of which have been conclusively proven to be linked. I don't know for sure though, since any I heard of were pointed in the direction of the Gardai and either treated as a linked or separate investigation as appropriate. I'm not privy to the details of any such investigations, so your first port of call to ask about those would be the Garda Press Office.

    If anyone has reason to believe that any account of theirs has been compromised, then please contact the Gardai ASAP, especially if you've suffered a financial loss.
    Gruver wrote: »
    2. If you do become aware of any such incidents will you be sharing details of those incidents here?

    If we hear details and if the Gardai are OK with it and if the injured party/parties are OK with it, then yes. That's a lot of ifs though, and I doubt we could share much until after the relevant investigations were completed.


  • Closed Accounts Posts: 24 D.Harry


    In January 2010 we advised all members to change their passwords following an incident where member details from our database were accessed by an unauthorised source.
    No you didn't. I have all the records.

    Here we have an admission by Boards.ie that our private and potentially sensitive information is not safe in its hands, yet posters are denied the freedom to delete their account.
    Why can't I have a particular username? We never delete an account, so unfortunately if one is already taken, we can’t release it for you.
    It looks like a call to the Data Commissioner may be necessary.


  • Registered Users, Registered Users 2 Posts: 68,190 ✭✭✭✭seamus


    D.Harry wrote: »
    No you didn't. I have all the records.
    They did, through every single means at their disposal. An email was sent out (I still have it), the website itself for a full two days had no content except details of the attack and advice on what members should do. When it came back up, everyone would see a notice that gave the same details. A thread was ongoing on feedback for weeks, as well as a sitewide announcement which appeared at the top of every forum and every search result for weeks. Twitter was abuzz with the details of the incident.

    Now, aside from arriving at your workplace, sitting you down and explaining the situation to you face-to-face, what the fuck else do you expect them to have done?

    There's a very old saying about bringing a horse to water.
    D.Harry wrote: »
    Here we have an admission by Boards.ie that our private and potentially sensitive information is not safe in its hands, yet posters are denied the freedom to delete their account.
    There isn't a single entity on this planet who can claim that your personal information is safe and secure in their hands, and many of them will not let you delete your account either.

    You have full access to delete all personal information from boards.ie. If you're concerned about safety, go ahead and delete that information. Your account itself, the entity, is not a piece of personal information.


  • Closed Accounts Posts: 24 D.Harry


    seamus wrote: »
    They did, through every single means at their disposal. An email was sent out (I still have it), the website itself for a full two days had no content except details of the attack and advice on what members should do. When it came back up, everyone would see a notice that gave the same details. A thread was ongoing on feedback for weeks, as well as a sitewide announcement which appeared at the top of every forum and every search result for weeks. Twitter was abuzz with the details of the incident.

    Now, aside from arriving at your workplace, sitting you down and explaining the situation to you face-to-face, what the fuck else do you expect them to have done?

    There's a very old saying about bringing a horse to water.

    There isn't a single entity on this planet who can claim that your personal information is safe and secure in their hands, and many of them will not let you delete your account either.

    You have full access to delete all personal information from boards.ie. If you're concerned about safety, go ahead and delete that information. Your account itself, the entity, is not a piece of personal information.
    I won't be bullied by you or anybody else.

    I received no such e-mail and being an infrequent visitor to the site (I know, but some of us have lives) was totally unaware of the breach.

    The issue is with the passwords, which are not secure. These can be changed but not deleted, presumably without deleting the account.
    So no matter what password, which is personal info, is entered, it is open to exploitation. Users should therefore have the freedom to completely deny access to that password.
    seamus wrote: »
    There isn't a single entity on this planet who can claim that your personal information is safe and secure in their hands
    Fair enough but that's different to admitting that it's not secure while saying there's nothing you can do about it.


  • Registered Users, Registered Users 2 Posts: 68,190 ✭✭✭✭seamus


    D.Harry wrote: »
    I won't be bullied by you or anybody else.
    :rolleyes: Sensitive much? Bullying? Cop onto yourself.
    D.Harry wrote: »
    I received no such e-mail and being an infrequent visitor to the site (I know, but some of us have lives) was totally unaware of the breach.
    Again, there's only so much that can be done about that. Boards did everything they could to inform people. It was even on RTE news. So it's not their fault that you didn't know about this, you just happened to miss it.
    D.Harry wrote: »
    The issue is with the passwords, which are not secure. These can be changed but not deleted, presumably without deleting the account.
    Of course they can be deleted. Go into notepad, and mash the keyboard with your palm. Copy whatever comes out and then paste it into the password boxes and save it. Hey presto, your old password has been deleted.
    Delete any personal information and change your email address there while you're at it too, and suddenly your personal information is completely secure.
    D.Harry wrote: »
    So no matter what password, which is personal info, is entered, it is open to exploitation. Users should therefore have the freedom to completely deny access to that password.
    And so they do, as above.
    D.Harry wrote: »
    Fair enough but that's different to admitting that it's not secure while saying there's nothing you can do about it.
    How so? Your data is not secure. The stuff stored on your hard drive is not secure. There's plenty you can do about it, but you can never say that it's foolproof secure.
    I don't see what you're trying to achieve or point out here.

    As I've noted above -

    1. Boards.ie made every effort possible to inform everyone of the breach
    2. You have full access to remove your personal information from this site if you are concerned about its security.

    What else do you want?


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    D.Harry wrote: »
    In January 2010 we advised all members to change their passwords following an incident where member details from our database were accessed by an unauthorised source.

    No you didn't. I have all the records.

    Here we have an admission by Boards.ie that our private and potentially sensitive information is not safe in its hands, yet posters are denied the freedom to delete their account.
    Why can't I have a particular username? We never delete an account, so unfortunately if one is already taken, we can’t release it for you.

    It looks like a call to the Data Commissioner may be necessary.

    Hi there,

    On the day of the attack we attempted to send out this email to everyone - it was the exact same information as was posted on our homepage

    Forwarded message
    From: <announcement@offsite.boards.ie>
    Date: 21 January 2010
    Subject: Boards.ie Annoucement

    Fellow Boards Members,

    Today, Thursday 21 Jan 2009 at 11:20 GMT the Boards.ie database was attacked by a source external to Ireland. This triggered our security response policy and as a result we are sending you this warning email.

    In this attack, part of the database which includes our members' usernames, email addresses and obfuscated passwords was accessed. While our investigations indicate that individual user accounts are not in danger we have taken the step of changing all user passwords.

    We also recommend that if you used the same username/email and password on other sites that you change your password there too as a precaution.


    What happened:

    * This morning our database server was accessed by an unauthorised source.
    * We discovered this intrusion and took the site offline.
    * As a precaution we contacted the Gardaí, the Data Protection Commissioner and an independent security consultancy.
    * We have followed the advice we have received on how to proceed.
    * Like all large sites we are regularly the target for disruption and take continual actions to proactively protect your data. This particular attack was completely unprecedented despite our rigorous security measures and while we have no idea if this data will be used for any malicious reasons, we felt it vital to tell you this immediately.


    What you need to know and do:

    * If you use the same password on Boards as you do on other services, you should change it on those other services to be safe. Boards passwords are NOT stored in plain text, they are obscured with the standard vBulletin 'Hash'. While this provides strong protection, we have altered all passwords on Boards as a precaution and suggest you take this time to alter other similar passwords.
    * If you are a subscriber, please be assured, we do NOT store credit card details or any payment details on our servers. Nothing of that nature is held on our site and as a result such data was not compromised.
    * We apologise for this inconvenience. We do not want to overstress the problem, however we felt the situation requires full disclosure.

    Tom Murphy.

    I know a lot of people didn't get it - that's for a variety of reasons including hotmail filters, our mail server and more. I'm sorry not everyone got the message.
    posters are denied the freedom to delete their account.

    This isn't entirely accurate. You are fully entitled to ask for your account to be closed. However, you are responsible for what you post on site, so we reserve the right to keep the records of who you are to match up to what you post for a time after your account is closed.

    We have worked with the Data Protection Office on this.

    After the incident both the Garda Computer Crime Unit and the Data Protection Commissioner's office have carried out examinations and audits and are both satisfied with their findings, with, in fact, the Data Protection Commissioner's Office including a commendation in the report for how we handled the attack.

    You can reach the office at 1890 252 231 or at http://www.cosantasonrai.ie

    I'll leave this with the front page of the Metro Herald from the morning of January 22 - you can get it online here - which includes advice similar to the above. We were also on Six: One news and National Radio Stations.

    boards.ie_jan22.jpg


  • Closed Accounts Posts: 24 D.Harry


    seamus wrote: »
    Of course they can be deleted. Go into notepad, and mash the keyboard with your palm. Copy whatever comes out and then paste it into the password boxes and save it. Hey presto, your old password has been deleted.
    Delete any personal information and change your email address there while you're at it too, and suddenly your personal information is completely secure.


    1. Boards.ie made every effort possible to inform everyone of the breach
    2. You have full access to remove your personal information from this site if you are concerned about its security.
    Changing your password to gobbledygook only serves to lock yourself out, not a potential hacker. Your account may then be accessed by another.
    A valid e-mail address must be used so now your e-mail notifications go to somebody else.
    What else do you want?
    The freedom to close the account. Is that asking too much?


  • Closed Accounts Posts: 24 D.Harry


    Darragh wrote: »
    You are fully entitled to ask for your account to be closed.
    Thanks Darragh. Please close my account.


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    D.Harry wrote: »
    The freedom to close the account. Is that asking too much?

    Hi there

    As I said in this post in this thread, to have your account closed:
    ... please email hello@boards.ie with your username from the email address you registered with, with your request, and allow two working days for this to happen.

    Closing your account means we will scramble your password, remove any email subscriptions or notifications you may receive and turn off your Private Messages.

    You will receive one final confirmation email from us. You can then simply stop logging into your account or posting.

    Your email address plus any profile data that you have left on the system (links to your Facebook profile or twitter account for example) will be kept for a set period of time in accordance with the Data Protection Act - and then removed.

    I hope this helps

    Darragh


  • Registered Users, Registered Users 2 Posts: 68,190 ✭✭✭✭seamus


    D.Harry wrote: »
    Changing your password to gobbledygook only serves to lock yourself out, not a potential hacker. Your account may then be accessed by another.
    But if none of your personal information is in the account, then who cares?
    A valid e-mail address must be used so now your e-mail notifications go to somebody else.
    You don't have to use a valid email address. You only have to use something that looks like an email address. So a@a.com will work as well as anything.
    In fact, using an invalid address serves to render your account completely unusable to any hacker.
    The freedom to close the account. Is that asking too much?
    As Darragh points out, there is a process for this.

    However, I will note that what boards do to close your account is exactly as I have described above - they delete your personal data, they remove your email address and they scramble your password. You do not need to apply to close your account, you can do it yourself.


  • Registered Users, Registered Users 2 Posts: 43 balla


    I have just received an email about the password situation now - 3 MONTHS LATER!!!!! This time lapse is a disgrace. I haven't been on boards recently to see any other posts about this. Why didn't you email members last January????


  • Registered Users, Registered Users 2 Posts: 43 balla


    I see the original post now, but I did not receive any email or other communication until today. You claim to have sent 300,000 emails but not to me!! I'm sure there are many others who still don't know about this.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    balla wrote: »
    I see the original post now, but I did not receive any email or other communication until today. You claim to have sent 300,000 emails but not to me!! I'm sure there are many others who still don't know about this.

    We have persistent problems with your e-mail provider. They go through phases of dropping mail from us entirely, I'm afraid.


This discussion has been closed.