Two Plus Two Poker Forums
Old 01-08-2017, 07:04 PM   #1
Chuck Weinstock
Administrator
Join Date: Aug 2002
Posts: 572
Forum Database Compromise

As it says in the forum notice, we learned that the database had been compromised this morning. We cannot find any evidence that accounts created after approximately November 20 have been compromised (we fixed a problem that day), but as users you should assume that if you've been a member of the forums since before that date, the information necessary to determine your (unchanged) password is out there.

(Although the people "selling" the database claim a December 7 date we believe this to be wrong.)

We have asked all users to reset their password if it hasn't changed in the last 45 days. You will be prompted to do so the next time you login to the forums.

The actions that Max Silver suggests in another post are incredibly important. To recap them:

1) Change your password on 2+2
2) Change ALL other passwords that are the same or similar
3) Start using unique passwords for every site; these breaches are so common. I'd recommend a password manager like LastPass
4) Enable 2-factor authentication on any vital accounts/emails
5) Take extra precautions to verify identity when trading via 2+2 via separate means

Feel free to update this thread or PM me with any questions.

Chuck
Old 01-08-2017, 07:41 PM   #2
nham
34oz
Join Date: Sep 2008
Posts: 10,646

How did this happen? Have any precautions been taken to reduce the likelihood of it happening again?
Old 01-08-2017, 07:52 PM   #3
batair
Carpal 'Tunnel
Join Date: Sep 2005
Location: fore the rain starts
Posts: 15,211

The Russians?
Old 01-08-2017, 08:31 PM   #4
pvn
King Emeritus
Join Date: Jan 2004
Location: De-Green BruceZ for Great Justice
Posts: 66,088

Do we know what was in the compromised database? Usernames and cleartext passwords, usernames and hashed passwords, other account data?
Old 01-08-2017, 08:45 PM   #5
Jbrochu
Carpal 'Tunnel
Join Date: Jan 2005
Posts: 15,217

According to what I saw from an external source: user name, hashed password, DOB, registration date, email.
Old 01-08-2017, 08:49 PM   #6
Noodle Wazlib
just about tolerable
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,382

LastPass is now free to use across multiple device types, cell phone, tablet, laptop, etc. There's no excuse not to be using it in this day and age. Tell someone you care about that LastPass or a similar password manager is the only way to roll, and help keep those accounts secure!
Old 01-08-2017, 09:07 PM   #7
Jbrochu
Carpal 'Tunnel
Join Date: Jan 2005
Posts: 15,217

What if the password manager gets hacked?
Old 01-08-2017, 09:15 PM   #8
pvn
King Emeritus
Join Date: Jan 2004
Location: De-Green BruceZ for Great Justice
Posts: 66,088

Lastpass HAS been hacked in the past
Old 01-08-2017, 09:35 PM   #9
Noodle Wazlib
just about tolerable
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,382

Quote:
Originally Posted by Jbrochu
What if the password manager gets hacked?
Then you change your password, ldo

LastPass can be set up for 2FA using the google authenticator fwiw
Old 01-08-2017, 09:47 PM   #10
gregorio
Carpal 'Tunnel
Join Date: Jan 2007
Posts: 27,387

Quote:
Originally Posted by Noodle Wazlib
LastPass is now free to use across multiple device types, cell phone, tablet, laptop, etc. There's no excuse not to be using it in this day and age. Tell someone you care about that LastPass or a similar password manager is the only way to roll, and help keep those accounts secure!
Are you sure? I thought you had to pay monthly to use it on more than one device.
Old 01-08-2017, 10:26 PM   #11
thunderbolts
veteran
Join Date: Aug 2008
Posts: 3,405

Chuck and colleagues - please think about the way you're dealing with this.

The way you have set things up (requiring the password reset) means that users cannot see the banner at the top of the forums, and cannot read any of these threads in ATF and elsewhere, before they change their password.

Like me, plenty of people might be wondering whether the "password expired" message is genuine. Unlike me, they may not load up a different browser (or simply log out) in order to read further.

Can you please edit the "change your password" page - the one that people now hit automatically when they visit with an old password logged in - to explain what's going on to people?


Second, it's obviously a serious concern that you're saying the information is out there to determine our (old) passwords. But you're a bit vague on the important detail. Were passwords stored in plain text? If they were hashed, as suggested by someone above, were they salted?
Old 01-08-2017, 10:29 PM   #12
Noodle Wazlib
just about tolerable
Join Date: Nov 2015
Location: Drowning in robot chocolate
Posts: 10,382

Quote:
Originally Posted by gregorio
Are you sure? I thought you had to pay monthly to use it on more than one device.
Hence the key word "now".
Old 01-08-2017, 10:30 PM   #13
Lattimer
I are smart
Join Date: Feb 2009
Location: New England
Posts: 11,598

They can just log out and then read ATF. That's what I did before changing it as I wasn't sure if it were legit or not.
Old 01-08-2017, 10:34 PM   #14
thunderbolts
veteran
Join Date: Aug 2008
Posts: 3,405

They can, yes. But some may not. And surely it would be easy enough to make sure that the first thing they see is a proper explanation rather than the misleading password expiry due to x days message.
Old 01-08-2017, 10:42 PM   #15
gregorio
Carpal 'Tunnel
Join Date: Jan 2007
Posts: 27,387

Quote:
Originally Posted by Noodle Wazlib
Hence the key word "now".
Thanks. Right, when I checked the PlayStore right now they tell me it's $12 a year to use on multiple devices so I stopped installing it. But on their web site they say it's now free. Makes it seem like Lastpass as a company is largely incompetent.

Last edited by gregorio; 01-08-2017 at 10:51 PM.
Old 01-08-2017, 10:51 PM   #16
Chuck Weinstock
Administrator
Join Date: Aug 2002
Posts: 572

The passwords were not stored as plain text. They were salted.
Old 01-08-2017, 10:58 PM   #17
thunderbolts
veteran
Join Date: Aug 2008
Posts: 3,405

Thanks Chuck. That's some good news, I suppose.

I see it's reported that the database also contained the salts (but my understanding is that that's not necessarily an additional cause for concern).

Can we assume that 2+2 was running an old (and thus vulnerable) version of vBulletin and what you did on 7 December was to update it?
Old 01-08-2017, 11:46 PM   #18
Jbrochu
Carpal 'Tunnel
Join Date: Jan 2005
Posts: 15,217

Quote:
Originally Posted by Lattimer
They can just log out and then read ATF. That's what I did before changing it as I wasn't sure if it were legit or not.
I wasn't smart enough to think of that.
Old 01-09-2017, 12:39 AM   #19
Gin 'n Tonic
Pooh-Bah
Join Date: Mar 2005
Location: Reclining my seat
Posts: 5,856

I find it surprising that an email wasn't sent out.
Old 01-09-2017, 01:28 AM   #20
BLACK DEATH
newbie
Join Date: Feb 2015
Location: 13:46
Posts: 27

I cannot log into my genuine account, and I don't have access to the email associated with my genuine account. I've contacted Mat but I haven't received a reply.

Edit: I will add that when I clicked the forgot password link I was directed to a 'win an iPhone 7' click bait scam page which I obviously thought was really weird.

Last edited by BLACK DEATH; 01-09-2017 at 01:34 AM.
Old 01-09-2017, 09:31 AM   #21
bundy5
Pooh-Bah
Join Date: Jul 2013
Location: Australia
Posts: 3,668

Quote:
Originally Posted by batair
The Russians?
No point here as they are mainly lefties.
Old 01-09-2017, 09:43 AM   #22
Mayo
4l Mod of the Year
Join Date: Sep 2006
Location: RIP dangeraw
Posts: 50,962

Quote:
Originally Posted by pvn
Do we know what was in the compromised database? Usernames and cleartext passwords, usernames and hashed passwords, other account data?
Please respond.

Did the database include email addresses? User IP addresses?
Old 01-09-2017, 09:46 AM   #23
Mayo
4l Mod of the Year
Join Date: Sep 2006
Location: RIP dangeraw
Posts: 50,962

Quote:
Originally Posted by Gin 'n Tonic
I find it surprising that an email wasn't sent out.
Also this. Telling a user that their password has "expired" once they try to log in is absolutely the wrong way to inform them. A proactive approach, including sending a simple, informative email to all affected accounts is step one here.
Old 01-09-2017, 10:24 AM   #24
gregorio
Carpal 'Tunnel
Join Date: Jan 2007
Posts: 27,387

Quote:
Originally Posted by Mayo
Please respond.

Did the database include email addresses? User IP addresses?
https://forumserver.twoplustwo.com/sh...php?p=51500005
Old 01-09-2017, 11:03 AM   #25
Tuma
Carpal 'Tunnel
Join Date: Aug 2012
Location: penniless geek
Posts: 8,752

call Larry Legend ffs.
Powered by vBulletin®
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Copyright © 2008-2010, Two Plus Two Interactive