Forum Database Compromise

01-08-2017 , 07:04 PM
As it says in the forum notice we learned that the database had been compromised this morning. We cannot find any evidence that accounts created after approximately November 20 have been compromised (we fixed a problem that day) but as users you should assume that if you've been a member of the forums since before that date that the information necessary to determine your (unchanged) password is out there.

(Although the people "selling" the database claim a December 7 date we believe this to be wrong.)

We have asked all users to reset their password if it hasn't changed in the last 45 days. You will be prompted to do so the next time you login to the forums.

The actions that Max Silver suggests in another post are incredibly important. To recap them:

1) Change your Password on 2+2
2) Change ALL other passwords that are the same or similar
3) Start using unique passwords for every site; these breaches are so common. I'd recommend a password manager like LastPass
4) Enable 2-factor authentication on any vital accounts/emails
5) Take extra precautions to verify identity when trading via 2+2 via separate means

Feel free to update this thread or PM me with any questions.

Chuck
01-08-2017 , 07:41 PM
How did this happen? Have any precautions been taken to reduce the likelihood of it happening again?
01-08-2017 , 07:52 PM
The Russians?
01-08-2017 , 08:31 PM
Do we know what was in the compromised database? Usernames and cleartext passwords, usernames and hashed passwords, other account data?
01-08-2017 , 08:45 PM
According to what I saw from an external source: user name, hashed password, DOB, registration date, email.
01-08-2017 , 08:49 PM
LastPass is now free to use across multiple device types, cell phone, tablet, laptop, etc. There's no excuse not to be using it in this day and age. Tell someone you care about that LastPass or a similar password manager is the only way to roll, and help keep those accounts secure!
01-08-2017 , 09:07 PM
What if the password manager gets hacked?
01-08-2017 , 09:15 PM
Lastpass HAS been hacked in the past
01-08-2017 , 09:35 PM
Quote:
Originally Posted by Jbrochu
What if the password manager gets hacked?
Then you change your password, ldo

LastPass can be set up for 2FA using the google authenticator fwiw
01-08-2017 , 09:47 PM
Quote:
Originally Posted by Noodle Wazlib
LastPass is now free to use across multiple device types, cell phone, tablet, laptop, etc. There's no excuse not to be using it in this day and age. Tell someone you care about that LastPass or a similar password manager is the only way to roll, and help keep those accounts secure!
Are you sure? I thought you had to pay monthly to use it on more than one device.
01-08-2017 , 10:26 PM
Chuck and colleagues - please think about the way you're dealing with this.

The way you have set things up (requiring the password reset) means that users cannot see the banner at the top of the forums, and cannot read any of these threads in ATF and elsewhere, before they change their password.

Like me, plenty of people might be wondering whether the "password expired" message is genuine. Unlike me, they may not load up a different browser (or simply log out) in order to read further.

Can you please edit the "change your password" page - the one that people now hit automatically when they visit with an old password logged in - to explain what's going on to people?


Second, it's obviously a serious concern that you're saying the information is out there to determine our (old) passwords. But you're a bit vague on the important detail. Were passwords stored in plain text? If they were hashed, as suggested by someone above, were they salted?
01-08-2017 , 10:29 PM
Quote:
Originally Posted by gregorio
Are you sure? I thought you had to pay monthly to use it on more than one device.
Hence the key word "now".
01-08-2017 , 10:30 PM
They can just log out and then read ATF. That's what I did before changing it as I wasn't sure if it were legit or not.
01-08-2017 , 10:34 PM
They can, yes. But some may not. And surely it would be easy enough to make sure that the first thing they see is a proper explanation rather than the misleading password expiry due to x days message.
01-08-2017 , 10:42 PM
Quote:
Originally Posted by Noodle Wazlib
Hence the key word "now".
Thanks. Right, when I checked the PlayStore right now they tell me it's $12 a year to use on multiple devices so I stopped installing it. But on their web site they say it's now free. Makes it seem like Lastpass as a company is largely incompetent.

Last edited by gregorio; 01-08-2017 at 10:51 PM.
01-08-2017 , 10:51 PM
The passwords were not stored as plain text. They were salted.
01-08-2017 , 10:58 PM
Thanks Chuck. That's some good news, I suppose.

I see it's reported that the database also contained the salts (but my understanding is that that's not necessarily an additional cause for concern).

Can we assume that 2+2 was running an old (and thus vulnerable) version of vBulletin and what you did on 7 December was to update it?
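An added illustration of the salt question raised in the two posts above (my own example code, not anything from 2+2 or vBulletin, whose actual scheme is not stated in the thread): a per-user random salt is stored next to the hash in the clear, so a dump that contains the salts is the normal situation rather than an extra loss, and what limits guessing against the dump is the per-guess cost of a slow hash. PBKDF2-HMAC-SHA256 and the `salt$hash` record format are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example; tune upward in production).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'salt_hex$hash_hex' record.

    The salt is random per user and stored unencrypted beside the hash; it is not a
    secret. Its job is to stop one precomputed table from covering every account.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt taken from the stored record, then compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def salts_differ(password: str) -> bool:
    """Two accounts using the same password get different records, so a guess verified
    against one record says nothing about the other even when both salts are known."""
    return hash_password(password) != hash_password(password)
```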
01-08-2017 , 11:46 PM
Quote:
Originally Posted by Lattimer
They can just log out and then read ATF. That's what I did before changing it as I wasn't sure if it were legit or not.
I wasn't smart enough to think of that.
01-09-2017 , 12:39 AM
I find it surprising that an email wasn't sent out.
01-09-2017 , 01:28 AM
I cannot log into my genuine account, and I don't have access to the email associated with my genuine account. I've contacted Mat but I haven't received a reply.

Edit: I will add that when I clicked the forgot password link I was directed to a 'win an iPhone 7' click bait scam page which I obviously thought was really weird.

Last edited by BLACK DEATH; 01-09-2017 at 01:34 AM.
01-09-2017 , 09:31 AM
Quote:
Originally Posted by batair
The Russians?
No point here as they are mainly lefties.
01-09-2017 , 09:43 AM
Quote:
Originally Posted by pvn
Do we know what was in the compromised database? Usernames and cleartext passwords, usernames and hashed passwords, other account data?
Please respond.

Did the database include email addresses? User IP addresses?
01-09-2017 , 09:46 AM
Quote:
Originally Posted by Gin 'n Tonic
I find it surprising that an email wasn't sent out.
Also this. Telling a user that their password has "expired" once they try to log in is absolutely the wrong way to inform them. A proactive approach, including sending a simple, informative email to all affected accounts, is step one here.
01-09-2017 , 10:24 AM
Quote:
Originally Posted by Mayo
Please respond.

Did the database include email addresses? User IP addresses?
http://forumserver.twoplustwo.com/sh...php?p=51500005
01-09-2017 , 11:03 AM
call Larry Legend ffs.