2+2 hacked; database compromised

01-08-2017 , 10:50 PM
Hello all

Adding this thread for those who wind up looking in CTH for information about the latest hack of the 2+2 forums.

Some information:

1. By now you'll probably have seen the message asking you to change your password. This is genuine: make sure you change your password asap (plus anywhere else you've used the same credentials - which no-one in their right mind should do but some will).

2. There are threads elsewhere that will be updated more frequently than this one, although I suggest that this one can be used for general technical questions. If you have technical questions to ask the site's owners/staff, though, you should ask them in the ATF threads.

ATF:

Main thread

Another thread on the topic

NVG:

NVG thread

3. For the avoidance of doubt this is a new compromise, and it appears to have taken place on or before 7 December 2016. It is separate from (although it presumably may share commonalities with) the widely publicised hack that took place in 2012.

4. In this attack the stolen database is reported to contain your username, (apparently hashed) password, email address, IP address associated with your account, date of birth (if you gave it when you registered), and possibly the password salt too. (This is what is suggested by leakedsource.com - note that I have no idea whether that site is legitimate or whether it is safe to pay for its services.)

5. Note that some of these details might be used to compromise other accounts of yours elsewhere, even if you used a different password (for instance details such as email address and date of birth might be useful in password reset mechanisms on some sites; and IP addresses could conceivably - but less likely - be used to target people as well).
01-09-2017 , 05:10 PM
My password was 1702 days old
01-10-2017 , 12:13 AM
Mine too!
01-10-2017 , 12:18 AM
damn
01-10-2017 , 01:38 PM
Quote:
Originally Posted by kerowo
Mine too!
2+2 gets hacked on a once per 1702 days basis
01-10-2017 , 01:44 PM
That makes the hackers the illuminati and means we're screwed... fnord
01-12-2017 , 01:12 AM
Can someone tell me exactly how to change my password? I got the screen:

"Your password is 1502 days old and is expired. Please change it from this page"

But then I have no idea how to change it on this page. If I try to go to my control panel or click any link, it just brings me back to this same exact page. I'm clueless.
01-12-2017 , 04:17 AM
Since you are the resident genius around these parts gabe, if you got the "your password is old as ****" message does that have any additional implications?
01-12-2017 , 05:51 AM
The implications are as follows:
  • If your password hadn't been changed in the last 45 or so days, then the current version is in the compromised database. While encrypted it may still be crackable, particularly if it wasn't a very strong password. Even if it was changed more recently I think you should change it as a precaution.

  • If the number was something like the 1702 days Gabe mentioned then you haven't changed your password since resetting it after the last hack of these forums.

  • While that doesn't automatically make you worse off than other users, it may suggest that your password hygiene is less than stellar and you should think carefully about whether you use the same credentials elsewhere.

  • It might help you to know that everyone gets that message, regardless of whether their password was last changed 50 or 1500 days ago. You haven't been singled out.
I'm sure Gabe will add to this if there's anything else.
01-12-2017 , 07:39 AM
Quote:
Originally Posted by Craggoo
Since you are the resident genius around these parts gabe, if you got the "your password is old as ****" message does that have any additional implications?
Thanks, but I'm far from genius lol

Whatever the message is and whatever the age of your password, just change it after hearing of this hack.

My password was 1702 days old, because I do not change passwords ever. Since my previous password was c_77Ah4VFOGdtVVtvkP0 which takes lifetimes to bruteforce, I feel pretty good about this (also I do not repeat passwords for anything and changing passwords for 50 internet accounts is not something I wish to waste my time on).
01-12-2017 , 10:53 AM
Quote:
Originally Posted by IwasCardsharkk04
Can someone tell me exactly how to change my password? I got the screen:

"Your password is 1502 days old and is expired. Please change it from this page"

But then I have no idea how to change it on this page. If I try to go to my control panel or click any link, it just brings me back to this same exact page. I'm clueless.
Hover your mouse over "this page" on that screen. I think it's a link.
01-14-2017 , 09:33 AM
Quote:
Originally Posted by Gabethebabe
Since my previous password was c_77Ah4VFOGdtVVtvkP0
I gather you use KeePass, because the default pw length is 20 and the quoted is 20. Mine was also 20.

Something I've wondered -- does a pw like that become feasibly crackable if the attacker knows the string length? (I'm guessing not, but better not to guess.)
01-15-2017 , 06:01 AM
Knowing the password length significantly reduces the time to brute force crack it. However, in real world environments where you have account lock outs after x tries, even just for a few minutes, it isn't something that can be done in any short amount of time.

Say on this site, you can try five passwords every 15 minutes (maybe 30). You're going up against 76-ish to the 20th power possible combinations. (3 with 37 zeroes after it or so if my insomniac math is right) Still likely comes out to 2 with 32 zeroes in total years, which so far no humans have managed to survive.
01-15-2017 , 10:00 AM
Quote:
Originally Posted by heehaww
does a pw like that become feasibly crackable if the attacker knows the string length?
If the attacker knows your pw length is 20 with random numbers, lowercase and uppercase letters and maybe special characters, they will stop trying.
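The search-space arithmetic from the last two replies, worked through as an added example that is not part of any poster's message. The 76-symbol alphabet, the length of 20 and the five-tries-per-15-minutes lockout come from the thread; the offline guess rate and the 8-lowercase-letter contrast password are assumptions made here.

```python
# Added example: search-space arithmetic for the password discussion above.
SECONDS_PER_YEAR = 365 * 24 * 3600

ALPHABET = 76                # "76-ish" symbols, figure taken from the thread
LENGTH = 20                  # length of the random password discussed
ONLINE_RATE = 5 / (15 * 60)  # 5 tries per 15 minutes (lockout, from the thread)
OFFLINE_RATE = 1e10          # ASSUMED guesses/second against a leaked fast hash


def keyspace_exact(alphabet: int, length: int) -> int:
    """Candidates when the exact length is known."""
    return alphabet ** length


def keyspace_up_to(alphabet: int, length: int) -> int:
    """Candidates when only an upper bound on the length is known."""
    return sum(alphabet ** n for n in range(1, length + 1))


def saving_from_known_length(alphabet: int, length: int) -> float:
    """Fraction of the search removed by learning the exact length."""
    return 1 - keyspace_exact(alphabet, length) / keyspace_up_to(alphabet, length)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def summary() -> dict:
    strong = keyspace_exact(ALPHABET, LENGTH)
    weak = keyspace_exact(26, 8)  # constructed contrast: 8 lowercase letters
    return {
        "keyspace": strong,
        # Almost every candidate of length <= 20 has length exactly 20,
        # so knowing the length removes only about 1/76 of the work.
        "saving_from_length": saving_from_known_length(ALPHABET, LENGTH),
        "online_years": years_to_exhaust(strong, ONLINE_RATE),
        # A leaked hash database removes the lockout: guessing runs offline.
        "offline_years": years_to_exhaust(strong, OFFLINE_RATE),
        "weak_offline_seconds": weak / OFFLINE_RATE,
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:22s} {value:.4g}")
```

With the hashes in an attacker's hands the lockout no longer applies, which is why the short contrast password falls in seconds under the assumed rate while the random 20-character one stays out of reach.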