Forum Database Compromise

01-09-2017 , 11:10 AM
Quote:
Originally Posted by gregorio
UGH

Sent from my SM-G930P using Tapatalk
01-09-2017 , 11:29 AM
The other function of the email would be to inform former or infrequent 2+2 users that a password and email address that they may use across multiple sites may have been compromised.

2+2 has a clear duty of care here imo.
01-09-2017 , 12:20 PM
Quote:
Originally Posted by Mayo
UGH

Sent from my SM-G930P using Tapatalk
See, this is why I find it suspect that websites need your birthday or any other personal information. There's nothing to be gained from it, but you stand to lose a lot letting any random company have that personal info.

The funny part is, some of the fake birth dates I use have started showing up on my credit reports. Not sure how to feel about that.
01-09-2017 , 12:20 PM
Quote:
Originally Posted by Mayo
UGH

Sent from my SM-G930P using Tapatalk
I obviously know what an IP address is, but can you help me understand the significance of this being compromised? Should I manually reset it? (We can do this, correct?)
01-09-2017 , 01:02 PM
I'm not sure what the big deal about an IP address being exposed is. You're constantly being bombarded with requests from botnets all the time anyway, someone knowing that this IP address is tied to a 2p2 account won't do much, unless I use the same password to access a frontward facing router of some sort.
01-09-2017 , 01:09 PM
IP doesn't seem like a big deal. For most it's changed whenever you restart your router.

More concerned about my email ending up on all sorts of spam-lists as an active gambling-related email-address.
01-09-2017 , 01:18 PM
Thanks guys. I have a unique password on my router. Maybe I'll restart it just to be cautious.
01-09-2017 , 01:27 PM
Quote:
Originally Posted by thunderbolts
They can, yes. But some may not. And surely it would be easy enough to make sure that the first thing they see is a proper explanation rather than the misleading password expiry due to x days message.
yeah this. I thought it was some new stupid password policy, so I just changed my password and then immediately changed it back to my normal one. I only saw it was because of a hack because I stumbled into CTH by mistake and someone had cross posted about it.
01-09-2017 , 01:50 PM
How vulnerable is site info via potential issues with the mobile app? Every now and then when I use it I get a snarky message along the lines of "The owner of this app hasn't updated this app in like forever so you probably should get them to do that and you probably shouldn't even use it"
01-09-2017 , 02:58 PM
How were the passwords hashed (md5, bcrypt, etc)?

How were the passwords salted? Were these individual salts per account or a common salt applied to all passwords?
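The two questions above (which hash, and per-account salt or one shared salt) decide how much an offline cracker gets for each guess. The following is an added example, not code from this thread or from the forum software, and it says nothing about how 2+2 actually stored passwords. It builds three toy password stores over constructed accounts (two of which share a password), then runs the same small dictionary attack against each. A shared salt lets the attacker hash every candidate word once and match it against all accounts at the same time, so identical passwords also produce identical stored hashes; a per-user salt forces a separate hash per (word, account) pair; a slow KDF on top of that makes each of those hashes expensive. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it here; the salt values, wordlist and account names are all made up.

```python
"""Shared salt vs per-user salt vs per-user salt plus a slow KDF.

Added example, not the forum's own code. PBKDF2-HMAC-SHA256 stands in
for bcrypt; accounts, salts and wordlist are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed sample accounts: alice and bob happen to share a password.
USERS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}

SHARED_SALT = b"site-wide-salt"  # constructed; the weak "one salt for all" scheme
WORDLIST = ["password", "123456", "hunter2", "letmein"]  # constructed


def hash_md5_shared_salt(password, salt=SHARED_SALT):
    """Weak: one salt for every account and a fast hash."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_md5_per_user_salt(password, salt):
    """Per-user salt, but still a fast hash: cracking is per account,
    yet each guess is still cheap."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_pbkdf2(password, salt, iterations=100_000):
    """Per-user salt plus a deliberately slow KDF (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_pbkdf2(password, record):
    """Constant-time comparison against a stored record."""
    candidate = hash_pbkdf2(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def build_store(scheme):
    """Return {user: {"salt": bytes, "hash": str}} under the chosen scheme."""
    store = {}
    for user, pw in USERS.items():
        if scheme == "md5_shared":
            store[user] = {"salt": SHARED_SALT, "hash": hash_md5_shared_salt(pw)}
        elif scheme == "md5_per_user":
            salt = secrets.token_bytes(16)
            store[user] = {"salt": salt, "hash": hash_md5_per_user_salt(pw, salt)}
        elif scheme == "pbkdf2":
            salt = secrets.token_bytes(16)
            store[user] = {"salt": salt, "hash": hash_pbkdf2(pw, salt)}
        else:
            raise ValueError(scheme)
    return store


def crack(store, scheme):
    """Offline dictionary attack. Returns (cracked {user: password}, hash ops).

    Shared salt: hash each word once, then match against every account.
    Per-user salt: every (word, account) pair costs its own hash.
    """
    cracked, ops = {}, 0
    if scheme == "md5_shared":
        lookup = {}
        for word in WORDLIST:
            lookup[hash_md5_shared_salt(word)] = word
            ops += 1
        for user, rec in store.items():
            if rec["hash"] in lookup:
                cracked[user] = lookup[rec["hash"]]
        return cracked, ops
    fn = hash_md5_per_user_salt if scheme == "md5_per_user" else hash_pbkdf2
    for user, rec in store.items():
        for word in WORDLIST:
            ops += 1
            if fn(word, rec["salt"]) == rec["hash"]:
                cracked[user] = word
                break
    return cracked, ops


if __name__ == "__main__":
    for scheme in ("md5_shared", "md5_per_user", "pbkdf2"):
        store = build_store(scheme)
        same = store["alice"]["hash"] == store["bob"]["hash"]
        cracked, ops = crack(store, scheme)
        print(f"{scheme:13s} alice==bob hash: {same!s:5s} cracked: {sorted(cracked)} ops: {ops}")
```

Under the shared salt the attack finishes in four hash operations and the duplicate password is visible in the stored hashes before any cracking starts; with per-user salts the same wordlist costs ten operations for three accounts, and with PBKDF2 each of those ten is roughly 100,000 times more expensive than a single MD5. Hashcat-style tooling scales the same way, which is why "per-account salt and a slow hash" is the answer the question is fishing for.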
01-09-2017 , 03:12 PM
Don't use the free version of MongoDB. Purchase a subscription so you could use their security features. That would have helped...

Last edited by krusty; 01-09-2017 at 03:25 PM.
01-09-2017 , 03:14 PM
Looks like the email to everyone just went out.
01-09-2017 , 04:34 PM
Does 2p2 use 2FA? I don't see it as an option.
01-09-2017 , 04:42 PM
Hey, just logged in for the first time in three years after the e-mail. Is there a way I can have my account deleted?
01-09-2017 , 04:56 PM
Quote:
Originally Posted by Lattimer
Looks like the email to everyone just went out.
01-09-2017 , 08:32 PM
Quote:
Originally Posted by Chuck Weinstock
3) Start using unique passwords for every site, these breaches are so common.
I'm beginning to think I should start using unique email addresses for every site. eg. twoplustwo@mydomain.com
01-09-2017 , 09:02 PM
The email I got the message from 2+2 wasn't the email that shows up under my email address in "edit email and password". What's up with that? Was that some sort of secondary address that was provided? Were the secondary email addresses also in the hacked information?
01-09-2017 , 09:54 PM
I got an e-mail from Google saying that a sign in from somewhere in China was prevented this morning. Probably related considering I used the same password there as here.
01-09-2017 , 09:57 PM
Quote:
Originally Posted by SenorKeeed
The email I got the message from 2+2 wasn't the email that shows up under my email address in "edit email and password". What's up with that? Was that some sort of secondary address that was provided? Were the secondary email addresses also in the hacked information?
That's strange. Did you ever have that email on here in the past?
01-09-2017 , 09:58 PM
I'm not sure.
01-09-2017 , 10:27 PM
Quote:
Originally Posted by IPlayDonkaments
I got an e-mail from Google saying that a sign in from somewhere in China was prevented this morning. Probably related considering I used the same password there as here.
You shouldn't be using the same password for everything, I always change the passwords for every account I have. I am a cyber security analyst and websites get hacked all of the time, your public IP address being exposed isn't that big of a deal since most people have firewalls and you can reset your IP address. Just change your passwords, and you should be ok but 2+2 needs to change some things to prevent this from happening again.

Alas, it's happened and there's not much that can be done about the database now but 2+2 can do things to prevent this from happening in the future.

If an administrator reads this, I am Security+, Network+, and Linux+ certified and wouldn't mind giving out some ideas on how to strengthen the forum.
01-09-2017 , 11:11 PM
I see my post has been moved. I won't repost, but simply ask

1) How did you let the same exact thing happen as four years ago?
2) What lessons didn't you learn the first time?
3) Why should the community trust you, when you won't take simple security measures?
01-09-2017 , 11:31 PM
Quote:
Originally Posted by SenorKeeed
The email I got the message from 2+2 wasn't the email that shows up under my email address in "edit email and password". What's up with that? Was that some sort of secondary address that was provided? Were the secondary email addresses also in the hacked information?
Do you have more than one account here? If you like, feel free to PM me the email address and I'll check what account it's associated with (it's not a tarp, having two accounts is fine). There is no field for a secondary email address to be stored, so that's not an issue.

Quote:
Originally Posted by IPlayDonkaments
I got an e-mail from Google saying that a sign in from somewhere in China was prevented this morning. Probably related considering I used the same password there as here.
Quote:
Originally Posted by wiggum
I see my post has been moved. I won't repost, but simply ask

1) How did you let the same exact thing happen as four years ago?
2) What lessons didn't you learn the first time?
3) Why should the community trust you, when you won't take simple security measures?
I'm not speaking for 2+2, but I'll give my opinions:

1) From my understanding, it wasn't the exact same thing.
2) Better for others to answer this; not sure if there was anything in common between the two attacks that was missed the first time.
3) Seems like you're jumping to conclusions here; I have no idea how you can be sure simple security measures weren't taken but I'm sure TPTB would be happy to hear your suggestions for what they might have missed. Just keep in mind that not everything you think is simple necessarily is. The size of the forum has prevented us from upgrading the forum software in the past, and what may seem easy and inexpensive in theory may not actually be so in reality. Changes were made the last time something like this happened, so this is more than just an unwillingness to do anything.
01-09-2017 , 11:35 PM
Quote:
Originally Posted by Bobo Fett
Do you have more than one account here? If you like, feel free to PM me the email address and I'll check what account it's associated with (it's not a tarp, having two accounts is fine). There is no field for a secondary email address to be stored, so that's not an issue.
Ah. That must be it. Thanks.
01-10-2017 , 12:33 AM
Quote:
Originally Posted by WeakTight.eh
Hey, just logged in for the first time in three years after the e-mail. Is there a way I can have my account deleted?
Call Mat incompetent