  • Account Password Vulnerability

    Discussion in 'Honorbuddy Support' started by Chuckles, Aug 17, 2015.

    1. Chuckles

      Chuckles Member

      Hello, I just received this in my mail.

      A vulnerability has been found with your password at Honorbuddy, Demonbuddy, Buddystore, Archebuddy - TheBuddyBots. Some passwords are vulnerable to exploitation which may allow a third party to hijack your account.

      This may lead to your account being used without your knowledge or permission, and actions being performed under your name.

      Vulnerable accounts can also be bad for the board as a whole as they may enable access for automated tools to spam both the forums and other user accounts, using your username.

      As such we have had to reset your password.
      You can find your new login details below.

      Is this a whole site issue or an individual attack on my account? Just trying to grasp if it's an individual issue as my passwords are usually fairly strong and if I need to change other passwords as well.
       
    2. stevenr

      stevenr Member

      Same here
       
    3. Zicoth

      Zicoth Member

      I got this as well yday, so it's probably whole buddyforum passwords reset.
       
    4. aqh

      aqh Member

      I replied to the e-mail asking for more information, and they answered me saying that there was going to be an announcement on the forum shortly.
       
    5. Aetheric

      Aetheric Member

      Although the content of the email suggests that there's a "personal" issue with your password, I do not think there is.
      Unless passwords are being stored without encryption, which means the staff can see them. I doubt that.

      Again, I don't think it's a personal issue, but a board-wide reset.

      It would have been nicer for the issuer of this email to tell us what really happened, instead of a vague one like this.
      It's not a matter of national security, is it .. :cool:
       
    6. Samlock

      Samlock Member

      I would imagine it was sent hastily using a template, hence why it reads like it's the user's fault... Somehow I doubt everyone's passwords were weak, as the email appears to suggest!
       
    7. y2krazy

      y2krazy Community Developer

      It appears to have been sent to all users of the forums from my observations. It certainly appears to be taken from a template, possibly from a "reset all users' passwords" vBulletin modification (or default feature of the software).

      I couldn't help but find it amusing that it's worded in a way that would appear to the user that they had an easy-to-guess password and that the reset was done to "help" you stay secure. It's likely that for security reasons, or a vulnerability in the vBulletin software itself that may or may not have resulted in an attack on user data, possibly including e-mail addresses and passwords, that they had to do a site-wide reset. Most likely, the passwords were fine, but due to an attack on the database or other malicious actions, they had to cover their bases.

      It certainly would've helped clear the confusion if Bossland (or another Moderator) would've posted an announcement at the very least to calm any concerns people had about their information being hacked server-side.
       
    8. aqh

      aqh Member

      Doubt they'd want everyone to email support. Tony already said they'd make an announcement soon.
       
    9. Samlock

      Samlock Member

      How long does it take to admit something went wrong, though?
       
    10. aqh

      aqh Member

      They might still be investigating stuff
       
    11. ZoneHunter

      ZoneHunter Member

    12. Samlock

      Samlock Member

      Heh - so the "vulnerable password" was an admin one...

      Explains why the email template was (presumably) used, then... Can't fault them for getting it sorted ASAP!

      EDIT

      Since the thread is locked (surprise surprise...) how did it take so long to 1) notice an admin account was compromised, 2) notice a new vBulletin plugin was installed and 3) reset passwords? July 25th to now is quite a long time for something as potentially serious as this...
       
      Last edited: Aug 17, 2015
    13. Azucar

      Azucar Member

      What if it's just a standard password reset? Some of us haven't been here in years.
       
    14. ZoneHunter

      ZoneHunter Member

      Just resets everyone's password to a randomly generated one and emails it to everyone.
       
    15. Keanu

      Keanu Member Buddy Store Developer

      Very amusing that the password they sent me could be *****ed in 15 hours on a desktop PC according to https://howsecureismypassword.net/. I know that hashes in a users table are salted but still my old password was much better.
       
    16. Samlock

      Samlock Member

    17. Tony

      Tony "The Bee" Staff Member Moderator

      It's not something personal, it's general.
       
