Boards.ie Attack - What Happened? Please post all questions here.

william power

well done guys,very well handled by everyone-give yourselves a clap on the back-you deserve it.

evercloserunion

Deleted User wrote: »

Shared password or unrelated?

A lot of phishing mails doing the rounds at the moment.

I've received no spam emails since the breach - dunno if that says anything about the extent of the leak.

Bonito

On topic - Wooooooooooooo See this is why I LOVE boards.ie

Off topic - So much for Dr.Bollocko's SSF thread being on it's way to most thanked thread on boards.ie awful shame, twas legendary IMO

leninbenjamin

Dav wrote: »

This is something we're looking into too folks, there are a lot of people who didn't get it - I actually didn't get it myself to my personal account. I'll be talking to the Daft guys who helped us out with the mass-mail for us just to see what was involved and what might have gone ary.

Dav

Said this on twitter but don't think I was understood. People were being asked to whitelist no-reply@boards.ie, which has been used for comms. for donkey's and I'm pretty sure doesn't trigger any spam filters (at least it never has for me).

However, the address used for the bulk mail was announcement@offsite.boards.ie, which as a unrecognised domain, triggered gmail's spam filter for me. And as sending 300,000 mails at once from an unrecognised address isn't at all suspicious (:)), I'd hazard plenty of other ISPs simply complained and bounced it back.

In short, I'm pretty sure you'd have reached the vast majority of people had you used no-reply@boards.ie as the sent from add. (although I'm far from an expert on this so I'm merely guessing).

Dav

leninbenjamin wrote: »

Said this on twitter but don't think I was understood. People were being asked to whitelist no-reply@boards.ie, which has been used for comms. for donkey's and I'm pretty sure doesn't trigger any spam filters (at least it never has for me).

However, the address used for the bulk mail was announcement@offsite.boards.ie, which as a recognised domain, triggered gmail's spam filter for me. And as sending 300,000 mails at once from an unrecognised address isn't at all suspicious (:)), I'd hazard plenty of other ISPs simply complained and bounced it back.

In short, I'm pretty sure you'd have reached the vast majority of people had you used no-reply@boards.ie as the sent from add. (although I'm far from an expert on this so I'm merely guessing).

I missed that myself on the Twitter feed (Darragh and I were sharing it over the few days). I think you have something there though, I'll go back to the lads with that. Thanks very much.

Dav

The_Hustler

ZeRoY wrote: »

lol - using same password on a massive public forum and Paypal or email account? You have only yourself to blame dude :rolleyes:

I'm a more casual computer user than you are.

Sorry for expecting my password on boards.ie to be safe.

coldwood92

DeVore wrote: »

We didnt email passwords out, the email you were sent simply outlined what had happened.

If you want your new password, best to use our "Recover Password" link here: www.boards.ie/changepassword

DeV.

I didn't get it but thank god saw it on homepage just pointing out that all members mightn't have

evercloserunion

The_Hustler wrote: »

I'm a more casual computer user than you are.

Sorry for expecting my password on boards.ie to be safe.

Frankly you shouldn't expect anything you put on the internet to be entirely safe.

The_Hustler

I know but I don't like being told I deserve for this to happen when I doubt many people thought an attack like this might happen.

Anyway, it wasn't spam, paypal limited my account. And yes, it was the same password as boards (not anymore obviously).

ZeRoY

The_Hustler wrote: »

I know but I don't like being told I deserve for this to happen when I doubt many people thought an attack like this might happen.

Anyway, it wasn't spam, paypal limited my account. And yes, it was the same password as boards (not anymore obviously).

I didnt mean to sound that nasty, i realise not everyone is careful when registering accounts - here is a lesson learned now anyway for you - always use unique and complex passwords on site holding credit card/bank details.

FunnyStuff

Well done guys, great to have you's back.

BostonB

The_Hustler wrote: »

I know but I don't like being told I deserve for this to happen when I doubt many people thought an attack like this might happen.

Anyway, it wasn't spam, paypal limited my account. And yes, it was the same password as boards (not anymore obviously).

Hopefully its not too painful a lesson to learn.

The vast majority people are unaware of the security risks of computing, using the web etc. and/or they don't take it seriously.

BostonB

Fair play for the boards doing their best to make everyone aware of it as fast as possible.

The_Hustler

The_Hustler wrote: »

I know but I don't like being told I deserve for this to happen when I doubt many people thought an attack like this might happen.

Anyway, it wasn't spam, paypal limited my account. And yes, it was the same password as boards (not anymore obviously).

Just goes to show how quick the hackers got to work on breaking the hash file, assuming the password was a dictionary word.

Then how quickly they hit potential sites looking for matches.

As others have already said, a sharp reminder as to why strong and unique passwords are needed.

stainluss

Its times like this im happy to be poor.
Maybe these boys will drop a few € in my paypal:rolleyes:

billy the squid

maybe the hackers might be able to tell me which email i registered with, so I may get my old account going.

decdev

Just great to have you back

stovelid

Thanks guys.

There was a real human sense of wanting to communicate things as they went along. A, er, real community feeling.

Kudos.

Dr. Kenneth Noisewater

I love you boards.ie

DOC09UNAM

Imagine, just for a second, say if someone got your email address and your boards password.

Now per say, if you were a silly person who used the same password for boards that you did for paypal or moneybookers, or whatever.

Well then this so called person who hacked it could use the email address that you use for paypal, along with a possible password of yours, or if its not the correct password, it will probably be a strong hint to what your other password is.

Bad things can happen in theory tbh.

Dudess

Good job all - can't have been easy.

K-9

DOC09UNAM wrote: »

Imagine, just for a second, say if someone got your email address and your boards password.

Now per say, if you were a silly person who used the same password for boards that you did for paypal or moneybookers, or whatever.

Well then this so called person who hacked it could use the email address that you use for paypal, along with a possible password of yours, or if its not the correct password, it will probably be a strong hint to what your other password is.

Bad things can happen in theory tbh.

Exactly. It would be your own fault not Boards.

No point fuming at Boards because you used the same password for Ebay, Paypal, GMail etc.

I use Lastpass for Firefox. It will generate and save unique passwords for you. Makes the process very simple.

Kudos to Boards for doing all they could do.

DOC09UNAM

K-9 wrote: »

Exactly. It would be your own fault not Boards.

No point fuming at Boards because you used the same password for Ebay, Paypal, GMail etc.

I use Lastpass for Firefox. It will generate and save unique passwords for you. Makes the process very simple.

Kudos to Boards for doing all they could do.

Do you have that firefox installed onto a memory stick so you can use it anywhere???

i use alot of different computers accessing my **** so i've to be able to remember my passwords.

Have em all typed into my phone, has a thing where it stores all your passwords that you put in, but you need one password to get into the list, if you enter the wrong one, it just gives out dummy passwords, cool thing.

K-9

DOC09UNAM wrote: »

Do you have that firefox installed onto a memory stick so you can use it anywhere???

i use alot of different computers accessing my **** so i've to be able to remember my passwords.

Have em all typed into my phone, has a thing where it stores all your passwords that you put in, but you need one password to get into the list, if you enter the wrong one, it just gives out dummy passwords, cool thing.

They have it for IE, Firefox and Chrome, AFAIK, no need for a memory stick, just install it elsewhere.

https://lastpass.com/misc_download.php

You can install it on other computers. I have it on my work pc. Just remember the master password and make it unique!

SPDUB

K-9 wrote: »

Exactly. It would be your own fault not Boards.

No point fuming at Boards because you used the same password for Ebay, Paypal, GMail etc.

I will fume at them for automatically triggering password change so that I don't know what , if any , other boards might be comprised (not Paypal ,Gmail )

yoshytoshy

K-9 wrote: »

Exactly. It would be your own fault not Boards.

I never got what the problem was myself aswell(apart from the hassle for the lads of course),I use different email addresses for different things ,ebay has a certain email address as does amazon.

simonckenyon

i used the same password for a lot of web sites
my facebook account was used to spam my friends with malware

i had some vain hope that the password file would not have been used.
oh well!

anyway, good work with the prompt action.

Conor

ZeRoY wrote: »

How did you guys managed to get the Admin Account hacked? Silly password or something? Thats what i'd like to know

It was a relatively strong password. It's highly unlikely that it was guessed or brute-forced.

-JammyDodger- wrote: »

I've one question about the admin account that was hacked:

Was it a specific admin account, i.e. one of the current admins? Obviously the individual's name would not be mentioned. Or, did the people who gained access to the admincp find a way to do so without getting into a specific admin account?

It was a current admin.

BostonB

Thing about master passwords is what happens if a keylogger gets it? or you forget it. Or you lose your phone? An alternative is you come up with a system to make your passwords unique, that you can remember. But of course is someone guesses your system thats broken too. Also its good to clear out your passwords every now and then with CCleaner.

Once place I worked has a system that forced you to change your password regularly, then it tested the one you picked to make sure it wasn't a weak password. If it failed you had to change it.

a5y

Great response on this guys, and the password reset method couldn't have been better.

But in all seriousness, we need to lay off the Atari Jaguar. The fanboys have shown what they're capable of when they jam a dial up cable in the bum of that plastic "64 bit" monstrosity.