
Change your passwords on other websites | An update on the Boards.ie Data Incident.

Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    IIRC the original change was also done on the advice of the CCU.

    It doesn't matter anyway as boards wouldn't have been able to send you your original password for you to be able to check it against other sites.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    IIRC the original change was also done on the advice of the CCU.

    We actually did that before getting in touch with the Gardai (IIRC - I could have the order of things mixed up, it was a very busy time for us) but I'm sure they would have suggested it.


  • Registered Users Posts: 1,341 ✭✭✭SPDUB


    It doesn't matter anyway as boards wouldn't have been able to send you your original password for you to be able to check it against other sites.

    I was never asking you to do that

    More something along the lines of logging everyone out and making everyone log back on with a message to change their password

    Or change the visibility setting of the board so that people could only see a message that you were going to automatically change the password in 24 hours


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Changing the password now is the best way to go about it and remove any possibility that people are not going to try to manipulate the account. People who steal passwords don't sit on them for a long period of time, they act on them as soon as they can.


  • Registered Users Posts: 1,341 ✭✭✭SPDUB


    Changing the password now is the best way to go about it and remove any possibility that people are not going to try to manipulate the account. People who steal passwords don't sit on them for a long period of time, they act on them as soon as they can.

    But your actions make it impossible for me to change passwords on other websites without potentially changing it to my former password on this site unless I go down the fiendishly complicated password route which I then have to store them somewhere because I forget them more easily

    And that makes that store of passwords a vulnerable spot for security then.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    First of all, I didn't do anything. I just want to make clear I am speaking as a user of boards, not anyone related to any changes made.
    But your actions make it impossible for me to change passwords on other websites without potentially changing it to my former password on this site
    Again, unless you are going to be making multiple attempts to log into this site to find out what your password is there is nothing boards could do to show you what your past password could have been.
    unless I go down the fiendishly complicated password route which I then have to store them somewhere because I forget them more easily
    Do that. Do exactly that. Create long, highly random passwords and use a good program to store them. On my Mac I use 1Password to do just that. They have a Windows version in beta at the moment, or there are several good alternatives that have been on Windows for a while like Keepass. These programs should help you create a long strong password.
    And that makes that store of passwords a vulnerable spot for security then
    The storage of passwords is always a vulnerable spot because they are of interest to people with fewer scruples than you or me. And if ($DEITY forbid) anything were to happen to the storage location that these programs keep their passwords in they are pretty much useless because they are encrypted using algorithms that are multiple magnitudes harder to crack than the hashes available for storing passwords on the server.


  • Registered Users Posts: 40 Gruver


    For what it's worth I appreciate that you've taken the time to outline the problem. I have two questions.

    1. Have you become aware of any incidents involving users' data that can be directly attributable to the security breach?

    2. If you do become aware of any such incidents will you be sharing details of those incidents here?


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    Gruver wrote: »
    1. Have you become aware of any incidents involving users' data that can be directly attributable to the security breach?

    There have been several suspected incidents, but none that I know of which have been conclusively proven to be linked. I don't know for sure though, since any I heard of were pointed in the direction of the Gardai and either treated as a linked or separate investigation as appropriate. I'm not privy to the details of any such investigations, so your first port of call to ask about those would be the Garda Press Office.

    If anyone has reason to believe that any account of theirs has been compromised, then please contact the Gardai ASAP, especially if you've suffered a financial loss.
    Gruver wrote: »
    2. If you do become aware of any such incidents will you be sharing details of those incidents here?

    If we hear details and if the Gardai are OK with it and if the injured party/parties are OK with it, then yes. That's a lot of ifs though, and I doubt we could share much until after the relevant investigations were completed.


  • Closed Accounts Posts: 24 D.Harry


    In January 2010 we advised all members to change their passwords following an incident where member details from our database were accessed by an unauthorised source.
    No you didn't. I have all the records.

    Here we have an admission by Boards.ie that our private and potentially sensitive information is not safe in its hands, yet posters are denied the freedom to delete their account.
    Why can't I have a particular username? We never delete an account, so unfortunately if one is already taken, we can’t release it for you.
    It looks like a call to the Data Commissioner may be necessary.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    D.Harry wrote: »
    No you didn't. I have all the records.
    They did, through every single means at their disposal. An email was sent out (I still have it), the website itself for a full two days had no content except details of the attack and advice on what members should do. When it came back up, everyone would see a notice that gave the same details. A thread was ongoing on feedback for weeks, as well as a sitewide announcement which appeared at the top of every forum and every search result for weeks. Twitter was abuzz with the details of the incident.

    Now, aside from arriving at your workplace, sitting you down and explaining the situation to you face-to-face, what the fuck else do you expect them to have done?

    There's a very old saying about bringing a horse to water.
    Here we have an admission by Boards.ie that our private and potentially sensitive information is not safe in its hands, yet posters are denied the freedom to delete their account.
    There isn't a single entity on this planet who can claim that your personal information is safe and secure in their hands, and many of them will not let you delete your account either.

    You have full access to delete all personal information from boards.ie. If you're concerned about safety, go ahead and delete that information. Your account itself, the entity, is not a piece of personal information.


  • Closed Accounts Posts: 24 D.Harry


    seamus wrote: »
    They did, through every single means at their disposal. An email was sent out (I still have it), the website itself for a full two days had no content except details of the attack and advice on what members should do. When it came back up, everyone would see a notice that gave the same details. A thread was ongoing on feedback for weeks, as well as a sitewide announcement which appeared at the top of every forum and every search result for weeks. Twitter was abuzz with the details of the incident.

    Now, aside from arriving at your workplace, sitting you down and explaining the situation to you face-to-face, what the fuck else do you expect them to have done?

    There's a very old saying about bringing a horse to water.

    There isn't a single entity on this planet who can claim that your personal information is safe and secure in their hands, and many of them will not let you delete your account either.

    You have full access to delete all personal information from boards.ie. If you're concerned about safety, go ahead and delete that information. Your account itself, the entity, is not a piece of personal information.
    I won't be bullied by you or anybody else.

    I received no such e-mail and being an infrequent visitor to the site (I know, but some of us have lives) was totally unaware of the breach.

    The issue is with the passwords, which are not secure. These can be changed but not deleted, presumably without deleting the account.
    So no matter what password, which is personal info, is entered, it is open to exploitation. Users should therefore have the freedom to completely deny access to that password.
    There isn't a single entity on this planet who can claim that your personal information is safe and secure in their hands
    Fair enough but that's different to admitting that it's not secure while saying there's nothing you can do about it.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    D.Harry wrote: »
    I won't be bullied by you or anybody else.
    :rolleyes: Sensitive much? Bullying? Cop onto yourself.
    I received no such e-mail and being an infrequent visitor to the site (I know, but some of us have lives) was totally unaware of the breach.
    Again, there's only so much that can be done about that. Boards did everything they could to inform people. It was even on RTE news. So it's not their fault that you didn't know about this, you just happened to miss it.
    The issue is with the passwords, which are not secure. These can be changed but not deleted, presumably without deleting the account.
    Of course they can be deleted. Go into notepad, and mash the keyboard with your palm. Copy whatever comes out and then paste it into the password boxes and save it. Hey presto, your old password has been deleted.
    Delete any personal information and change your email address there while you're at it too, and suddenly your personal information is completely secure.
    So no matter what password, which is personal info, is entered, it is open to exploitation. Users should therefore have the freedom to completely deny access to that password.
    And so they do, as above.
    Fair enough but that's different to admitting that it's not secure while saying there's nothing you can do about it.
    How so? Your data is not secure. The stuff stored on your hard drive is not secure. There's plenty you can do about it, but you can never say that it's foolproof secure.
    I don't see what you're trying to achieve or point out here.

    As I've noted above -

    1. Boards.ie made every effort possible to inform everyone of the breach
    2. You have full access to remove your personal information from this site if you are concerned about its security.

    What else do you want?


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    D.Harry wrote: »
    In January 2010 we advised all members to change their passwords following an incident where member details from our database were accessed by an unauthorised source.

    No you didn't. I have all the records.

    Here we have an admission by Boards.ie that our private and potentially sensitive information is not safe in its hands, yet posters are denied the freedom to delete their account.
    Why can't I have a particular username? We never delete an account, so unfortunately if one is already taken, we can’t release it for you.

    It looks like a call to the Data Commissioner may be necessary.

    Hi there,

    On the day of the attack we attempted to send out this email to everyone - it was the exact same information as was posted on our homepage

    Forwarded message
    From: <announcement@offsite.boards.ie>
    Date: 21 January 2010
    Subject: Boards.ie Announcement

    Fellow Boards Members,

    Today, Thursday 21 Jan 2009 at 11:20 GMT the Boards.ie database was attacked by a source external to Ireland. This triggered our security response policy and as a result we are sending you this warning email.

    In this attack, part of the database which includes our members' usernames, email addresses and obfuscated passwords was accessed. While our investigations indicate that individual user accounts are not in danger we have taken the step of changing all user passwords.

    We also recommend that if you used the same username/email and password on other sites that you change your password there too as a precaution.


    What happened:

    * This morning our database server was accessed by an unauthorised source.
    * We discovered this intrusion and took the site offline.
    * As a precaution we contacted the Gardaí, the Data Protection Commissioner and an independent security consultancy.
    * We have followed the advice we have received on how to proceed.
    * Like all large sites we are regularly the target for disruption and take continual actions to proactively protect your data. This particular attack was completely unprecedented despite our rigorous security measures and while we have no idea if this data will be used for any malicious reasons, we felt it vital to tell you this immediately.


    What you need to know and do:

    * If you use the same password on Boards as you do on other services, you should change it on those other services to be safe. Boards passwords are NOT stored in plain text, they are obscured with the standard vBulletin 'Hash'. While this provides strong protection, we have altered all passwords on Boards as a precaution and suggest you take this time to alter other similar passwords.
    * If you are a subscriber, please be assured, we do NOT store credit card details or any payment details on our servers. Nothing of that nature is held on our site and as a result such data was not compromised.
    * We apologise for this inconvenience. We do not want to overstress the problem, however we felt the situation requires full disclosure.

    Tom Murphy.

    I know a lot of people didn't get it - that's for a variety of reasons including hotmail filters, our mail server and more. I'm sorry not everyone got the message.
    posters are denied the freedom to delete their account.

    This isn't entirely accurate. You are fully entitled to ask for your account to be closed. However, you are responsible for what you post on site, so we reserve the right to keep the records of who you are to match up to what you post for a time after your account is closed.

    We have worked with the Data Protection Office on this.

    After the incident both the Garda Computer Crime Unit and the Data Protection Commissioner's office have carried out examinations and audits and are both satisfied with their findings, with, in fact, the Data Protection Commissioner's Office including a commendation in the report for how we handled the attack.

    You can reach the office at 1890 252 231 or at http://www.cosantasonrai.ie

    I'll leave this with the front page of the Metro Herald from the morning of January 22 - you can get it online here - which includes advice similar to the above. We were also on Six: One news and National Radio Stations.

    boards.ie_jan22.jpg


  • Closed Accounts Posts: 24 D.Harry


    seamus wrote: »
    Of course they can be deleted. Go into notepad, and mash the keyboard with your palm. Copy whatever comes out and then paste it into the password boxes and save it. Hey presto, your old password has been deleted.
    Delete any personal information and change your email address there while you're at it too, and suddenly your personal information is completely secure.


    1. Boards.ie made every effort possible to inform everyone of the breach
    2. You have full access to remove your personal information from this site if you are concerned about its security.
    Changing your password to gobbledygook only serves to lock yourself out, not a potential hacker. Your account may then be accessed by another.
    A valid e-mail address must be used so now your e-mail notifications go to somebody else.
    What else do you want?
    The freedom to close the account. Is that asking too much?


  • Closed Accounts Posts: 24 D.Harry


    Darragh wrote: »
    You are fully entitled to ask for your account to be closed.
    Thanks Darragh. Please close my account.


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    D.Harry wrote: »
    The freedom to close the account. Is that asking too much?

    Hi there

    As I said in this post in this thread, to have your account closed:
    ... please email hello@boards.ie with your username from the email address you registered with with your request and allow two working days for this to happen.

    Closing your account means we will scramble your password, remove any email subscriptions or notifications you may receive and turn off your Private Messages.

    You will receive one final confirmation email from us. You can then simply stop logging into your account or posting.

    Your email address plus any profile data that you have left on the system (links to your Facebook profile or twitter account for example) will be kept for a set period of time in accordance with the Data Protection Act - and then removed.

    I hope this helps

    Darragh


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    D.Harry wrote: »
    Changing your password to gobbledygook only serves to lock yourself out, not a potential hacker. Your account may then be accessed by another.
    But if none of your personal information is in the account, then who cares?
    A valid e-mail address must be used so now your e-mail notifications go to somebody else.
    You don't have to use a valid email address. You only have to use something that looks like an email address. So a@a.com will work as well as anything.
    In fact, using an invalid address serves to render your account completely unusable to any hacker.
    The freedom to close the account. Is that asking too much?
    As Darragh points out, there is a process for this.

    However, I will note that what boards do to close your account is exactly as I have described above - they delete your personal data, they remove your email address and they scramble your password. You do not need to apply to close your account, you can do it yourself.


  • Registered Users Posts: 43 balla


    I have just received an email about the password situation now - 3 MONTHS LATER!!!!! This time lapse is a disgrace. I haven't been on boards recently to see any other posts about this. Why didn't you email members last January????


  • Registered Users Posts: 43 balla


    I see the original post now, but I did not receive any email or other communication until today. You claim to have sent 300,000 emails but not to me!! I'm sure there are many others who still don't know about this.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    balla wrote: »
    I see the original post now, but I did not receive any email or other communication until today. You claim to have sent 300,000 emails but not to me!! I'm sure there are many others who still don't know about this.

    We have persistent problems with your e-mail provider. They go through phases of dropping mail from us entirely, I'm afraid.


  • Registered Users Posts: 1,560 ✭✭✭Wile E. Coyote


    Is it just me or are some people overreacting way too much to this? Boards.ie made every effort to inform people as to what happened in January. It was posted all over the site, e-mails were sent and it was on every news bulletin and in every newspaper at the time. Now if you managed to miss all that whose fault is it?

    What was sent today was a reminder to change your password on other sites if it was the same. If you can't remember what your Boards.ie password was prior to January and you haven't changed your Facebook, Twitter, Bebo etc password since then, maybe now would be as good a time as any to change it. It's not rocket science people!


  • Closed Accounts Posts: 2 pogo182


    Probably a stupid question but is the following true?

    If we weren't a member of this site until after Jan, we aren't recommended to take any action? For example, I didn't register to this site until March 10, 2010


  • Registered Users Posts: 43 balla


    Is it just me or are some people overreacting way too much to this?
    The gardai were contacted, so boards.ie obviously considered this a serious matter.
    Boards.ie made every effort to inform people as to what happened in January. It was posted all over the site, e-mails were sent and it was on every news bulletin and in every newspaper at the time. Now if you managed to miss all that whose fault is it?
    I heard nothing til today. Is that my fault?
    Did they resend the emails dropped by hotmail in January?
    I did not hear it on the news. And I haven't been on the site in months. Like many people.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    pogo182 wrote: »
    Probably a stupid question but is the following true?

    If we weren't a member of this site until after Jan, we aren't recommended to take any action? For example, I didn't register to this site until March 10, 2010

    That is correct. If you registered on or after 22/01/2010 you're not affected by this.


  • Closed Accounts Posts: 12,807 ✭✭✭✭Orion


    Hilarious thread. I love the moan posts "why didn't you do this", "you didn't let me know" "whinge whinge whinge".

    Conor, Dav, DeV - all the guys - took immediate action once the hack was discovered. They gave full disclosure to all members in every manner they could. They alerted the national media. They contacted the Gardai. They reset passwords to mitigate the action. But that's not enough. Some people want their cocks held for them while they piss.

    There are other sites out there who would sweep something like this under the carpet and hope nobody found out. With the amount of publicity that the admins generated to ensure the details got to everyone you'd have to be living in a cave to miss it.

    From me - thanks lads for the disclosure and effort in minimising the risk to everyone.


  • Registered Users Posts: 43 balla


    You wouldn't find it so hilarious if you didn't get an email and hackers had 3 months with your password. There's a difference between whinging and being concerned about identity theft.
    Macros42 wrote: »
    They gave full disclosure to all members in every manner
    Not to me. If an email bounced, resend.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    balla wrote: »
    Not to me. If an email bounced, resend.

    We don't get bounces from your mail provider. They either deliver or silently drop, but we have no way of confirming delivery.


  • Moderators, Recreation & Hobbies Moderators, Social & Fun Moderators, Sports Moderators Posts: 12,802 Mod ✭✭✭✭Keano


    balla wrote: »
    You wouldn't find it so hilarious if you didn't get an email and hackers had 3 months with your password. There's a difference between whinging and being concerned about identity theft.


    Not to me. If an email bounced, resend.
    And the email would keep failing...

    Grow up, you are looking for a reason to moan again...

    All the Boards guys went to great lengths to get the message out by contacting any media outlet that would listen. So you heard none of this?


  • Closed Accounts Posts: 12,807 ✭✭✭✭Orion


    I actually wasn't referring to you balla :) As Conor explained your mail provider doesn't seem to like boards. And from Conor's wording I wouldn't say the mail bounced - he implies they just drop it.

    [edit]too late - Conor has confirmed that.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    balla wrote: »
    You wouldn't find it so hilarious if you didn't get an email and hackers had 3 months with your password. There's a difference between whinging and being concerned about identity theft.
    Look at it this hypothetical way:

    Your credit card details get compromised. Your credit card provider rings you. Twice. Both times they leave a voicemail. For whatever reason, you don't get any notification that you have a voicemail.

    Two weeks later you receive a letter telling you about how your credit card was compromised two weeks ago, but you're raging because nobody contacted you at the time. Except that they did.

    Whose fault is it that you didn't find out straight away? Nobody's.

    In this case, the seriousness of the breach is less, so the timeframes are a little longer. Except apart from two missed voicemails, they also put it all over their website and the national media publicised it. And you still missed it.

    **** happens, get over it. It's not boards' fault that you didn't know about this for 3 months.


This discussion has been closed.