bit-tech forum alert: Please change your password

Dear All,

We’ve something important to update everyone and protect you, and the forums the best we can.

As I am sure you are all aware, we run vBulletin, an off-the-shelf forum package, which we get notified on when to update.

We have sent notifications to all members to notify them that they need to change their password because we have just been made aware of a security leak that occurred in January this year due to a series of vulnerabilities in vB, some of which have been of a high severity over the past few months. We have been patching these, but as a high-traffic site there’s always an increased risk, and we want to protect all users and admins the best we can.

We want to be transparent with you - the only information which we believe the attack could have taken is email, username, IP, and salted/hashed password. However, whilst the vB passwords are salted and hashed, and are safely stored, they can, if gathered, be broken to reveal the password in plaintext. This is all the more likely when you are using common, short or simple passwords, so we highly recommend users choose strong passwords.

Please be vigilant against fake/phishing emails going forwards; we rarely email people on the forums and we would never ask for your username or password. If you are not sure if the email is genuine, please, of course, double check.

We want to apologise for any inconvenience caused, and we wanted to notify you as soon as information has come to light in order to protect you.

The forums are fully patched and secure per vBulletin’s guidelines, and all admins and moderators have been forced to change their passwords too. We are keeping an eye on things as well.

As many of you will be aware, a new bit-tech is also being built. With this, we will implement a https domain and ensure that all connections to the forum are TLS-encypted. The forums will also be moving away from vB entirely.

Thanks,
Matt Lambert
Editor - bit-tech.net

 

Less than 24 hours ago.

 

More scandalously, Bit-Tech also did nothing when Dropbox was hacked way back in 2012. Because, y'know, Bit-Tech isn't Dropbox.

Bit-Tech also isn't Hexus. It's run on separate servers, using separate software. The attack on Hexus and the attack on Bit-Tech were two completely separate events: the Hexus breach took place on the 8th of August, the Bit-Tech breach took place on the 13th of January - but, and this is critical, Bit-Tech only found out about the attack yesterday. When the Hexus breach notification was sent out, there was nothing to suggest that Bit-Tech had been breached months prior - which is why nobody from Bit-Tech sent out any alerts. As soon as Bit-Tech found out about the breach, the alerts were sent in less than 24 hours - which I'd say is pretty good going.

Just to clarify again: the Hexus and Bit-Tech websites and fora are in no way linked. Breaching one will not get you any data from the other. The Hexus breach and Bit-Tech breach are not known to be related. They happened at completely different times. Unfortunately, crap happens - especially if you're running vBulletin, which has been described as a great remote shell with a so-so forum attached, which is one of the reasons Bit-Tech is shifting away from vBulletin.

 

Absolutely no sarcasm intended: merely a demonstration of the core concept I tried to get across in the post.

Yes, both Hexus and Bit-Tech use vBulletin. So do literally hundreds of thousands of sites across the internet - it's one of the most popular forum packages in the world. When one of those sites is breached, all the other sites can do - assuming they even find out about it - is patch against the vulnerability used and hope for the best. As it happens, Bit-Tech was breached before Hexus - so no amount of information from the Hexus breach could have protected Bit-Tech.

When you say "why [wasn't there] some crossover between the two sites," what do you mean?