1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

bit-tech forum alert: Please change your password

Discussion in 'Feedback & Suggestions' started by Dogbert666, 7 Sep 2016.

  1. Dogbert666

    Dogbert666 Happy New Ye- MELTDOWN!! Staff Administrator

    Joined:
    17 Jan 2010
    Posts:
    1,515
    Likes Received:
    87
    Dear All,

    We’ve something important to update everyone and protect you, and the forums the best we can.

    As I am sure you are all aware, we run vBulletin, an off-the-shelf forum package, which we get notified on when to update.

    We have sent notifications to all members to notify them that they need to change their password because we have just been made aware of a security leak that occurred in January this year due to a series of vulnerabilities in vB, some of which have been of a high severity over the past few months. We have been patching these, but as a high-traffic site there’s always an increased risk, and we want to protect all users and admins the best we can.

    We want to be transparent with you - the only information which we believe the attack could have taken is email, username, IP, and salted/hashed password. However, whilst the vB passwords are salted and hashed, and are safely stored, they can, if gathered, be broken to reveal the password in plaintext. This is all the more likely when you are using common, short or simple passwords, so we highly recommend users choose strong passwords.

    Please be vigilant against fake/phishing emails going forwards; we rarely email people on the forums and we would never ask for your username or password. If you are not sure if the email is genuine, please, of course, double check.

    We want to apologise for any inconvenience caused, and we wanted to notify you as soon as information has come to light in order to protect you.

    The forums are fully patched and secure per vBulletin’s guidelines, and all admins and moderators have been forced to change their passwords too. We are keeping an eye on things as well.

    As many of you will be aware, a new bit-tech is also being built. With this, we will implement a https domain and ensure that all connections to the forum are TLS-encypted. The forums will also be moving away from vB entirely.

    Thanks,
    Matt Lambert
    Editor - bit-tech.net
     
  2. IanW

    IanW Grumpy Old Git

    Joined:
    2 Aug 2003
    Posts:
    6,201
    Likes Received:
    197
    Done. Thanks for the heads-up.
     
    David likes this.
  3. Toka

    Toka Member

    Joined:
    19 Nov 2006
    Posts:
    316
    Likes Received:
    6
    done - thanks for the email :)
     
  4. Andy Mc

    Andy Mc Well-Known Member

    Joined:
    23 May 2002
    Posts:
    1,718
    Likes Received:
    126
    When did you find out about the breach?
     
  5. Guest-16

    Guest-16 Guest

    Urgh. 3.xx is so old not surprised. Suggest people change it to something disposable not related to any other accounts.

    How long til new forum roughly? Will we get to see a beta? (In my experience allowing ~50 people to test creates a group of ambassadors)
     
    David likes this.
  6. Dogbert666

    Dogbert666 Happy New Ye- MELTDOWN!! Staff Administrator

    Joined:
    17 Jan 2010
    Posts:
    1,515
    Likes Received:
    87
    Less than 24 hours ago.
     
  7. Arboreal

    Arboreal Well-Known Member

    Joined:
    21 Jan 2011
    Posts:
    2,183
    Likes Received:
    103
    Thanks for the heads up, another password 'mare. Changed and moved on...hope I can rememberthe darn thing!
     
  8. .//TuNdRa

    .//TuNdRa Resident Bulldozer Guru

    Joined:
    12 Feb 2011
    Posts:
    4,038
    Likes Received:
    109
    Whelp, there goes me having a memorable password for Bit, Lastpass to the rescue again...
     
    David likes this.
  9. Andyuk911

    Andyuk911 New Member

    Joined:
    6 Jun 2009
    Posts:
    13
    Likes Received:
    0
    Try Roboform
     
  10. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    12,298
    Likes Received:
    1,619
    So, when Hexus sent out their alert a couple of weeks ago, bit-tech did nothing?

    Despite sharing staff and resources?

    WTF?
     
  11. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,251
    Likes Received:
    669
    More scandalously, Bit-Tech also did nothing when Dropbox was hacked way back in 2012. Because, y'know, Bit-Tech isn't Dropbox.

    Bit-Tech also isn't Hexus. It's run on separate servers, using separate software. The attack on Hexus and the attack on Bit-Tech were two completely separate events: the Hexus breach took place on the 8th of August, the Bit-Tech breach took place on the 13th of January - but, and this is critical, Bit-Tech only found out about the attack yesterday. When the Hexus breach notification was sent out, there was nothing to suggest that Bit-Tech had been breached months prior - which is why nobody from Bit-Tech sent out any alerts. As soon as Bit-Tech found out about the breach, the alerts were sent in less than 24 hours - which I'd say is pretty good going.

    Just to clarify again: the Hexus and Bit-Tech websites and fora are in no way linked. Breaching one will not get you any data from the other. The Hexus breach and Bit-Tech breach are not known to be related. They happened at completely different times. Unfortunately, crap happens - especially if you're running vBulletin, which has been described as a great remote shell with a so-so forum attached, which is one of the reasons Bit-Tech is shifting away from vBulletin.
     
  12. pumpman

    pumpman New Member

    Joined:
    7 Jul 2004
    Posts:
    1,035
    Likes Received:
    2
    Spookily enough I changed mine in June using 1password and generated a new password just done same again to be on safe side
     
  13. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    12,298
    Likes Received:
    1,619
    As much as I enjoy your sarcasm, I didn't say it was the same breach - the alert from Hexus was in reference to a breach due to a vulnerability in vBulletin, which both Hexus and bit tech use.

    Both sites share the same owner and tech staff. Given that, I think it's fair to ask why there wasn't some crossover between the two sites.
     
  14. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,251
    Likes Received:
    669
    Absolutely no sarcasm intended: merely a demonstration of the core concept I tried to get across in the post.

    Yes, both Hexus and Bit-Tech use vBulletin. So do literally hundreds of thousands of sites across the internet - it's one of the most popular forum packages in the world. When one of those sites is breached, all the other sites can do - assuming they even find out about it - is patch against the vulnerability used and hope for the best. As it happens, Bit-Tech was breached before Hexus - so no amount of information from the Hexus breach could have protected Bit-Tech.

    When you say "why [wasn't there] some crossover between the two sites," what do you mean?
     
  15. B1GBUD

    B1GBUD More Biddy Bang Bang than Sean Paul

    Joined:
    29 May 2008
    Posts:
    3,120
    Likes Received:
    336
    Thanks for the headsup and honesty guys.
     
  16. UberTiger

    UberTiger New Member

    Joined:
    3 May 2009
    Posts:
    24
    Likes Received:
    0
    What platform are you moving to?
     
  17. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    12,298
    Likes Received:
    1,619
    Yes bit-tech was breached before Hexus, but didn't find out until now - weeks later. I'd have thought, given the shared technical resource and the fact that Hexus' forum was patched weeks ago, bit tech's vulerability would have been identified and dealt with at the same time.

    I understand bit's breach was back in January, but why wasn't it discovered until now, when the staff were aware of the vulnerability since early August?

    Both sites share the same technical staff.
     
  18. wecrookie

    wecrookie Member

    Joined:
    20 Dec 2013
    Posts:
    95
    Likes Received:
    5
    Done & thx for the heads up.

    yours wecrookie:confused:
     
    David likes this.
  19. jonnyGURU

    jonnyGURU Power to the People

    Joined:
    4 Oct 2006
    Posts:
    23
    Likes Received:
    1
    Done. Thanks!

    :rock:
     
  20. itrush07

    itrush07 New Member

    Joined:
    28 Nov 2007
    Posts:
    228
    Likes Received:
    1
    Done, thanks for the heads up too..
     

Share This Page