Quote:
Originally Posted by Borr
If the passwords are out there, this process is just fake security. Clicking the expired password link allows the person that knows the password to change the password and email address, thus hijacking the account.
The only way to do this is to force a password reset (not change), requiring the user to prove they have access to the registered email address.
The problem is, even that doesn't prevent hijacks.
If we assume nefarious characters have this database and have already decrypted the passwords, it's too late. They can already have hijacked numerous accounts and changed the email addresses registered to them, and once that happens, 2+2 can force password changes all day long to no avail.
Unfortunately, there is no perfect answer now, so 2+2 has to do the best they can. It doesn't appear that any 2+2 accounts have been compromised thus far, so measures are being taken that are felt to be the best mix of reducing the risk of hijacked accounts while not overly inconveniencing 2+2 members.
Quote:
Originally Posted by Noodle Wazlib
Better than Yahoo, right? And I'm sure Yahoo spent millions on security.
Edit:
Looks like it's actually only half a million in the last year.
That's the thing - 2+2 can take security seriously while not being infallible. Much bigger companies holding much more sensitive data than 2+2 have been hacked numerous times before. I'm not saying that lets 2+2 off the hook, but I think people need to temper their expectations.
Quote:
Originally Posted by pokcalculus
This forum is so unprofessional!
Your forum get hacked (OK could happen to almost any site these days).
Your response: send a haughty email to all your users with no apologies at all.
IDK, I get that tone doesn't always come across well in written word, but I have a really hard time finding anything in this "haughty":
Quote:
Dear member of the Two Plus Two Forums:
On January 8 we learned that the user database at http://forumserver.twoplustwo.com had been compromised. We cannot find any evidence that accounts created after approximately November 20 have been compromised (we fixed a problem that day), but as a registered user you should assume that, if you've been a member of the forums since before that date, the information necessary to determine your (unchanged) password is out there. Information obtained includes username, email, encrypted password, birthdate, and IP address.
The people "selling" the database claim a December 7 date, but we believe this to be wrong.
We are asking all users to reset their password if it hasn't changed in the last 45 days. You will be prompted to do so the next time you login to the forums. In addition we will shortly be invalidating the passwords of accounts that have not been active for some time. The users of those accounts will need to follow the forgotten password link to reset their password.
A user suggested that the following actions are incredibly important, and we agree:
1) Change your Password on 2+2
2) Change ALL other passwords that are the same or similar
3) Start using unique passwords for every site; these breaches are so common. I'd recommend a password manager like LastPass
4) Enable 2-factor authentication on any vital accounts/emails
5) Take extra precautions to verify identity when trading via 2+2 (or any other site) via separate means
Regards,
The Two Plus Two Management
Sure, it could've been apologetic. Haughty? I'm not seeing it.
Quote:
Originally Posted by pokcalculus
Instruct them to take security measures to protect their personal computer. (What does this have to do with the hack?)
This part was cut-and-pasted from another poster's suggestion list (typos and all - ack), so maybe it should've been made clearer that those weren't directly from 2+2 but something they agreed with. Basically, it's a list of good security practices in light of the database compromise. Securing other passwords makes sense, as for most people that's really the only damage a 2+2 hack could cause - if you don't engage in transactions with other 2+2 members, your next big risk would be if you use the same password elsewhere, so I think suggestions to remedy that are a good idea.
Quote:
Originally Posted by pokcalculus
Ask them to enable two-factor authentication wherever possible, yet your own forum doesn't support it.
The suggestion was to "enable 2 factor authentication on any vital accounts/emails". I don't think most people would consider their 2+2 account to be vital in the way that I assume was meant here - to me, vital would be accounts like financial institutions, poker sites, etc. Two factor authentication seems like overkill for a forum.
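The distinction Borr draws above, between an "expired password" prompt (which only proves the user knows the old password, the very thing the leaked database gives an attacker) and a true reset that proves control of the registered email address, is easy to get wrong. The following is an added example written for this page, not code from the post or from 2+2's forum software. All names (Account, ResetStore, expired_password_change, issue_reset, redeem_reset) and the sample accounts are hypothetical; the password hashing uses PBKDF2 because it is in the standard library, not because 2+2 used it. The weak flow is shown deliberately so the hijack path is visible next to the hardened one.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# --- password storage (hypothetical; any slow salted hash would do) ---
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest) for a password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    password_hash: bytes

def new_account(username: str, email: str, password: str) -> Account:
    salt, digest = hash_password(password)
    return Account(username, email, salt, digest)

def check_password(account: Account, password: str) -> bool:
    _, digest = hash_password(password, account.salt)
    return hmac.compare_digest(digest, account.password_hash)

# --- Flow 1 (weak): "your password has expired, choose a new one" ---
# Authenticates with the OLD password only. Anyone holding the leaked
# database who has recovered that password passes this check, and if the
# same page also accepts a new email address the real owner is locked out.
def expired_password_change(account: Account, old_password: str,
                            new_password: str, new_email: Optional[str] = None) -> bool:
    if not check_password(account, old_password):
        return False
    account.salt, account.password_hash = hash_password(new_password)
    if new_email:
        account.email = new_email  # the hijack step Borr describes
    return True

# --- Flow 2 (hardened): reset via a token sent to the registered address ---
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

@dataclass
class ResetStore:
    # sha256(token) -> (username, expiry). Only the hash is stored, so a
    # second dump of this table does not hand out live reset links.
    pending: Dict[bytes, Tuple[str, float]] = field(default_factory=dict)

def issue_reset(store: ResetStore, account: Account, now: Optional[float] = None) -> str:
    """Create a single-use token. The caller emails it to account.email and
    must never show it in the browser or send it to a user-supplied address."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable
    store.pending[hashlib.sha256(token.encode()).digest()] = (account.username, now + TOKEN_TTL)
    return token

def redeem_reset(store: ResetStore, accounts: Dict[str, Account], token: str,
                 new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password if the token is valid. The email address is
    deliberately not changeable here; that should be a separate step that
    confirms to the OLD address."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).digest()
    entry = store.pending.pop(key, None)  # consumed on any attempt: single use
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    account = accounts[username]
    account.salt, account.password_hash = hash_password(new_password)
    # Drop any other outstanding links for this user once one succeeds.
    store.pending = {k: v for k, v in store.pending.items() if v[0] != username}
    return True

if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    victim = new_account("borr", "borr@example.com", "hunter2")
    print("weak flow, attacker knows leaked password:",
          expired_password_change(victim, "hunter2", "pwned", "attacker@example.com"),
          "-> email now", victim.email)
    store, accts = ResetStore(), {"alice": new_account("alice", "alice@example.com", "correct horse")}
    print("reset with guessed token:", redeem_reset(store, accts, "guess", "x"))
    tok = issue_reset(store, accts["alice"])
    print("reset with emailed token:", redeem_reset(store, accts, tok, "new pass"),
          "-> email still", accts["alice"].email)
```

The token lookup is a plain dict hit on the SHA-256 of the token rather than a constant-time compare; that is acceptable only because the token carries 256 bits of randomness and is stored hashed, so a timing side channel on the lookup gives an attacker nothing usable. The account-recovery property the post argues for comes from the delivery channel (the token reaches only the registered mailbox), the short lifetime, and the single-use pop, not from the user proving knowledge of a secret that has already leaked.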