Change your passwords on other websites | An update on the Boards.ie Data Incident.

  • Registered Users Posts: 43 balla


    And the email would keep failing...
    Not so, I've never had a problem receiving emails before. And I've been receiving emails all day from boards. The emails may not have bounced, but they were aware of the problems with hotmail so should have sent a reminder sooner than April!!
    Grow up, you are looking for a reason to moan again...
    All grown up already unfortunately. And I do have a pretty good reason to moan.
    All the Boards guys went to great lengths to get the message out by contacting any media outlet that would listen. So you heard none of this?
    Nope. I obviously do live in a cave. As do many others judging from this thread.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    That's it, I'm ****ing phoning Liveline.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Not to mention that this:

    password_change_request.png

    has been on the front page of the site since it came back live.

    Nope. Never told at all.


  • Moderators, Recreation & Hobbies Moderators, Social & Fun Moderators, Sports Moderators Posts: 12,802 Mod ✭✭✭✭Keano


    balla wrote:
    I obviously do live in a cave

    You said it :)

    As Seamus and many others have pointed out it was all over the media. Had it not dawned on you at any time that you were a member of the site?


  • Registered Users Posts: 43 balla


    As stated, I rarely use this site! And never will again after today (make way for onslaught of predictable "good riddance" responses).
    So NO I DID NOT SEE IT. That doesn't mean I deserve to have my account compromised for 3 months!!


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    The passwords were changed once the breach was detected. There would still have been no way for the person to access your account. Nobody says you deserve it, but you could at least recognise that all reasonable efforts were made to alert you to it. Unfortunately and through nobody's fault the information didn't reach you.


  • Registered Users Posts: 310 ✭✭csm


    Not to mention that this:

    password_change_request.png

    has been on the front page of the site since it came back live.

    Nope. Never told at all.

    This is a generic message that one should be careful about passwords. A better message would be (in extremely large font)

    BOARDS.IE HAS BEEN COMPROMISED. CHANGE YOUR PASSWORD.

    or they could have emailed me.

    The first I got of this was an email the other day saying I had to change my password. No other email was forthcoming and I would have received all of them. I check this site regularly enough and certainly several hundred times since January.

    I would have expected any serious organisation to at least own up to the fact that they had screwed up, and not to pretend in a previous email that they had already tried to contact me. They hadn't (directly) and now my password has been compromised.

    Thankfully I expect this of the majority of websites so I have different passwords for all of them. Also, for insecure websites such as boards or facebook or the like I use a different email address.

    I don't really care but many people will. And it's indefensible that more steps weren't taken.

    Relying on regional media and word of mouth on the website isn't good enough. Direct contact should have been made. Eventually it was, which is a tacit agreement that they messed up. I guess they're just a bit too sheepish to acknowledge that.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    they could have emailed me.
    Mails were sent to all members with registered email accounts, as has been said (time and time again). Some mail providers didn't deliver the mails to their members, without notification to boards that the mail had been dropped, as has also been mentioned. And national as well as regional media were involved.
    it's indefensible that more steps weren't taken.
    Such as?


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    csm wrote: »
    I don't really care but many people will. And it's indefensible that more steps weren't taken.
    More steps such as what?


  • Registered Users Posts: 310 ✭✭csm


    I know a lot of people didn't get it - that's for a variety of reasons including hotmail filters, our mail server and more


    Sorry, don't know which admin posted the above.

    OK so I don't have a hotmail account. I presume there was more than one email provider at fault then? I would have listed the email providers that were known to be dropping emails. Mine is a well known one down the road. I would have called, and if feasible, met with all of these known providers to get those emails through. If they were not helpful, I would have sent periodic emails out saying the same thing, but with something in the subject line that users that had received it several times could filter out (maybe once a week; this is if the problem is a random one, which you suggested it was). After all, you said that you sent 2 emails, and one got through to me, so that's a 50% success rate. Send out one a week since January and you drastically reduce the problem. I would also send out PMs. Your website is in control of them is it not? I received none. Finally, as I suggested, don't put a generic 'be careful about your password' message up. Make it more obvious. Sure it advertises the fact you were compromised, but that's not something you should be embarrassed about. **** happens.


    That's 4 suggestions that, to my knowledge, you did not do.

    To be fair, what irked me the most was pretending that you had contacted everyone in the last email. What you should have said was you tried to contact everyone, but for several reasons (outlined in this thread), you could not. It's the angry lack of humility, that's all. You have jumped down the throat of the people that are annoyed that you took this long to notify us. You should be apologising profusely, saying that you're doing your best, acknowledging where you went wrong. Do this and you're streets ahead of most websites when it comes to this kind of thing.


  • Registered Users Posts: 310 ✭✭csm


    Oh and by regional I meant the Irish national media. I'm an ex-pat, along with many others I would have thought.

    Look, I'm not having a go. Please don't take it personally. All I'm saying is you managed to inform me and several others directly 2 days ago. What has changed that you couldn't do this in January? You seem to be saying it's because the Gardai directed you to. When did the CCU tell you to email your members?


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    csm wrote: »
    OK so I don't have a hotmail account. I presume there was more than one email provider at fault then? I would have listed the email providers that were known to be dropping emails. Mine is a well known one down the road. I would have called, and if feasible, met with all of these known providers to get those emails through. If they were not helpful, I would have sent periodic emails out saying the same thing, but with something in the subject line that users that had received it several times could filter out (maybe once a week; this is if the problem is a random one, which you suggested it was).
    You do seem to know at least a little about email. For all I know, you could be a mail server admin.

    The problem here is about sending mail to 300,000 people at once. The first mail was sent. Many providers dropped it. You could talk to the providers then and ask them to not drop it. So you send out 300,000 more emails. Some of the providers drop it again, and what's more some new providers drop it too because it's a duplicate email. You talk to as many more as you can, send out your mails again, and most get through.

    Great. Except that you've just spammed nearly a few hundred thousand mails to providers who *didn't* drop the mail initially and you find yourself getting blacklisted. And sending the same email every week for 3 months? That's spam. Especially considering that the vast majority of regular users (people who visit at least once a month) will have taken the steps advised in the email, all you're doing is pissing off your regular membership.

    The problem with the email being dropped was explained at the time. Because the boards.ie server had been taken offline as a precaution, they had to use an alternate provider to send the bulk mail. Several people didn't like this (including Gmail and hotmail) and the mails got dropped. That's why many received Monday's mail, but not January's one.
    You should be apologising profusely, saying that you're doing your best, acknowledging where you went wrong. Do this and you're streets ahead of most websites when it comes to this kind of thing.
    They did. A number of times. And they detailed exactly what happened, what they did after the incident and what they've done since the incident.

    You're taking this personally, that's why you're annoyed. But it wasn't personal. Nothing was hidden from you, nobody personally excluded you from anything. You simply missed the memos. **** happens.


  • Registered Users Posts: 310 ✭✭csm


    No, you've misunderstood.

    You talk to the main providers and then send the emails again only to those providers. After all, you are aware that gmail & hotmail didn't do it and you are aware why. Did you talk to them? [I say 'you' because I'm assuming that your defensive manner and the different colours of your stars mean you are staff?].

    I only suggested regular emails if you thought the problem was random. However, it clearly wasn't. There was a definite reason for it.

    No explanation was given in the one and only direct contact I have had. In fact, it was pointed out in the second sentence that I had been contacted before, when it was known to the person sending it that many people hadn't. If I were in charge of this, I would have said in the original post on this thread that you were aware that many people were not contacted directly. I would have explained why, and I would have apologised that it took this long to send a reminder.

    Again, why now? Why send this reminder 3 months later? Clearly by the tone of your post you thought you had taken every possible step. Why then did you feel the need to take this last one (which finally got through)?

    "You're taking this personally, that's why you're annoyed. But it wasn't personal. Nothing was hidden from you, nobody personally excluded you from anything. You simply missed the memos. **** happens."

    No, I'm not Seamus. If I looked at this and thought I was the only one then I would have said 'oh well' and left it at that. You know that I wasn't the only one.

    Frankly, I'm glad that boards have taken this final step. I wouldn't have known about it otherwise. I've had to dig for the reasons that I wasn't informed before though, and I still don't know the reasons why I've been informed at this late juncture.

    This is a feedback thread after all. I'm making suggestions about how better to handle this in the future. I'm being reasonable about boards compromising my personal information because I know nobody went out of their way to do it (well, nobody at boards anyway) and I'm confident that reasonable security was in place, even though I know very little about IT architecture.

    Ok, my first post was narky. But then I was just responding to the tone of the thread that had already been established when several posters jumped down the throat of balla just because she was annoyed that it was the first she'd heard of it. An annoyance that would not have existed if the PM we've just received had been worded a little differently.

    boards.ie (and you, if you are staff) can take this on board or not. If they do, great. If they don't, well the world will go on and I'll still continue to waste time lurking on the rugby forum.

    I'm going to bed now as it's very late. Sorry if I've offended you, no harm was meant.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Again, why now? Why send this reminder 3 months later?
    Again, as had been stated earlier boards are reminding people to change passwords on other sites that may have had the same password as here on the advice of the Gardai investigating the incident.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    csm wrote: »
    I say 'you' because I'm assuming that your defensive manner and the different colours of your stars mean you are staff?
    For the record, I'm not, so please don't construe anything I've said as a response from boards.ie :)

    I'll read the rest of your post later.


  • Closed Accounts Posts: 3,305 ✭✭✭yoshytoshy


    I'm not really familiar with hackery. I'm not sure if I have things right.

    If I use different email addresses for different websites, should I have to worry about anything?


  • Closed Accounts Posts: 7,645 ✭✭✭Daemos


    I have a question for everyone complaining about "not being told" about this before now

    If that's true how did you get your accounts back when the site came back online?


  • Registered Users Posts: 25,069 ✭✭✭✭My name is URL


    yoshytoshy wrote: »
    I'm not really familiar with hackery. I'm not sure if I have things right.

    If I use different email addresses for different websites, should I have to worry about anything?

    Unless you use the same username on different sites, then no, other than a possible increase in spam e-mails to the address you signed up with. Though if you do use the same username then the hacker could potentially search for all instances of it and try the password that you had here.


  • Closed Accounts Posts: 675 ✭✭✭DT100


    Originally Posted by csm
    I say 'you' because I'm assuming that your defensive manner and the different colours of your stars mean you are staff?

    Ok...now I am really upset....I have read all the posts...taken all the viewpoints on board...but what upsets me most is that Seamus has different colour stars. How could the admin of boards let this happen. I got no email about this...I am going to be in touch with the star data people...


  • Registered Users Posts: 97 ✭✭lanternchikk


    Okay, so I'm a bit confused here.
    I joined back in '08 using the same password I use on a couple other messageboards.
    It's something I memorised a few years ago specifically to use it as a password (it's neither personal nor easy to guess), and now it seems like I have to change it everywhere...argh! I guess using the same password for different places is not so smart after all. Crap.
    Anyway, if memory serves me right, I had my password reset (just like everyone had theirs reset IIRC) after the January incident, then changed it back to the old one (the one previously mentioned).
    Should I get new passwords ASAP for those other sites now or what?


  • Closed Accounts Posts: 7,645 ✭✭✭Daemos


    Well to be honest I can't understand why you changed it back to a potentially-hacked password in the first place :confused:

    So yeah, I'd get a new password for each site, maybe a different one each time, and make a Word document storing all your passwords. That's what I did after the hack, because you can never be too careful


  • Closed Accounts Posts: 1,409 ✭✭✭Butch Cassidy


    Darragh wrote: »
    Can I just repeat, we were advised by the Computer Crime Unit to advise members to change their passwords?

    Thanks

    Darragh

    In fairness, how good are the "Computer Crime Unit" ? Gardai don't even have access to internet enabled computers for heaven's sake!
    Darragh wrote: »
    Hi there,

    On the day of the attack we attempted to send out this email to everyone - it was the exact same information as was posted on our homepage



    I know a lot of people didn't get it - that's for a variety of reasons including hotmail filters, our mail server and more. I'm sorry not everyone got the message.



    This isn't entirely accurate. You are fully entitled to ask for your account to be closed. However, you are responsible for what you post on site, so we reserve the right to keep the records of who you are to match up to what you post for a time after your account is closed.

    We have worked with the Data Protection Office on this.

    After the incident both the Garda Computer Crime Unit and the Data Protection Commissioners office have carried out examinations and audits and are both satisfied with their findings, with, in fact, the Data Protection Commissioners Office including a commendation in the report for how we handled the attack.

    You can reach the office at 1890 252 231 or at http://www.cosantasonrai.ie

    I'll leave this with the front page of the Metro Herald from the morning of January 22 - you can get it online here - which includes advice similar to the above. We were also on Six: One news and National Radio Stations.

    It looks like ye handled this really well but stuff like the "SixOne News" and that paper front page just kinda looks like the unfortunate situation was used for a bit of free publicity. Security was breached, some encrypted data may have been compromised. Not that great big a deal. Yeah there's data protection law to abide by but eh, it was some usernames and passwords... hardly life or death.


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    pogo182 wrote: »
    probably a stupid question but is the following true?

    If we weren't a member of this site until after Jan, we aren't recommended to take any action? For example I didn't register to this site until March 10, 2010
    No, you don't need to do anything regarding this matter.

    DeV.


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    @Butch:

    The CCIU has been excellent with us. The lads and I had feared having to explain IPs to them but in fact they have been exceedingly efficient in this case and very easy to work with.

    As for your second point...
    You aren't understanding the problem. Suppose you used the same username and password for many sites, some important some not. A hacker gets his hands on one site's usernames and passwords... he knows very well that many people make this mistake and so heads off, not to the site he stole the data from but to sites like Paypal and Moneybookers and others and tries to access those with details already in hand... Plenty of mischief to be had there!


    The information that was stolen from us was useless to him 20 minutes later because we changed all passwords. USELESS TO ACCESS Boards.ie ACCOUNTS. We have made as many attempts as we can to contact people to deny him any benefit whatsoever.


    Now, some mailers dropped the email because it wasn't coming from Boards servers (which were offline and compromised), but they didn't inform us.

    Some people didn't return to the site and see the (large) announcements everywhere including taking up the entire front page for 2 days solid.

    Some people didn't watch the RTE news here or online.

    Some people didn't see it on Twitter or the blogosphere.

    And some people didn't see the headlines in the newspapers.

    And out of about 100,000 active accounts plus another few hundred thousand semi-active.... there is bound to be an intersection of those sets, a few people for whom there was a perfect storm. That would be you, genuinely sorry about that :(



    DeV.


  • Registered Users Posts: 83,206 ✭✭✭✭Overheal


    In fairness, how good are the "Computer Crime Unit" ? Gardai don't even have access to internet enabled computers for heaven's sake!



    It looks like ye handled this really well but stuff like the "SixOne News" and that paper front page just kinda looks like the unfortunate situation was used for a bit of free publicity. Security was breached, some encrypted data may have been compromised. Not that great big a deal. Yeah there's data protection law to abide by but eh, it was some usernames and passwords... hardly life or death.
    I posted up a rather interesting article not too long ago about exactly the process a hacker uses to access sensitive materials. Namely, your bank accounts, email addresses, and other things one typically values above their Message Board Persona and their video game account.

    http://boards.ie/vbulletin/showthread.php?t=2055870790

    • You probably use the same password for lots of stuff right?
    • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.
    • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.
    • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
    • Once we've got several login+password pairings we can then go back and test them on targeted sites.
    • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. (Read this post to remedy that problem.)
    Basically for anyone who uses the same password everywhere, boards.ie is a fresh target, even if only 5% of the users were that negligent with their password management, it still represents hundreds if not thousands of accounts that these hackers could have accessed. "oh your password was gregory567, then you probably used that same password to get into your email and bank account".

    It's basically the same thing to say you use the same key to open your home, your office, and your car. And a thief steals your house key; just because you change the locks at the house doesn't make your car and your office safe.

    And many people lost their email addresses; through which hackers can pretty much weasel their way into any of your online accounts, including your bank accounts, at which point they can start spending your very real funds causing a very real problem for "not that great a big deal".

    Henceforth, it's something that ought to be taken quite seriously. Especially given society's newfound reliance on the internet and computing.


  • Closed Accounts Posts: 3 N17


    I registered with boards.ie in January. I didn't receive an email about the hack but I heard about it in the media and then I went on the boards website and got the rest of the story.
    I immediately changed the passwords on my facebook and paypal accounts which had the same password as my boards login. I forgot to change the password on my hotmail account which should have been the first thing to do.
    In early March someone sent a mail containing a link to a website from my hotmail account to all the contacts in my address book. I only found out about it because someone asked me about it. It was only then that I realised I hadn't changed the email password.
    I don't know if this is connected to the hack as it was only acted upon two months later. I didn't know who to report it to. It had never happened before in ten years of using hotmail. No major harm was done but my contact list was exposed to every one of my clients which was a bad thing to happen.
    Am I the only one to have been affected???


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    N17 wrote: »
    In early March someone sent a mail containing a link to a website from my hotmail account to all the contacts in my address book. I only found out about it because someone asked me about it. It was only then that I realised I hadn't changed the email password.
    I don't know if this is connected to the hack as it was only acted upon two months later. I didn't know who to report it to. It had never happened before in ten years of using hotmail. No major harm was done but my contact list was exposed to every one of my clients which was a bad thing to happen.
    Am I the only one to have been affected???
    This is a common enough hack of hotmail which would have been completely unrelated to the boards.ie incident.

    It happened to my missus, who doesn't have a boards account. Afaik, it's a brute-force hack of the hotmail password, but it can also be caused by malware, as in the case of my wife's.

    You can't report it to anyone really, all you can do is make sure your computer is completely updated in terms of software and anti-virus, then change your hotmail password. And apologise to any business partners in your hotmail address book!


  • Closed Accounts Posts: 3 N17


    Thanks for the info Seamus. I use Norton Internet Security so had ruled that possibility out. Might need to change so.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    It may not necessarily have been your machine.

    If you used another computer in the intervening period which had been compromised, then that could be the problem. The password may have also just been taken through a hotmail exploit, which you have no control over.


  • Closed Accounts Posts: 9 mattb


    DeVore wrote: »

    We have made as many attempts as we can to contact people

    Sorry? If other boards.ie representatives posting here are to be believed, you sent exactly ONE email.
    DeVore wrote: »
    Now, some mailers dropped the email because it wasn't coming from Boards servers (which were offline and compromised), but they didn't inform us.

    And it was sent from a server with blacklisted IP address?!

    Yet when boards.ie was back up you sent NO follow-up emails, NO PMs, NOTHING to attempt to contact irregular visitors to boards.ie who may not have received the original fail-whale mail regarding the SNAFU.

    Until now, three months later - which suggests to me you know something you're not telling us.

    For the record, I don't use the same password on sites like boards.ie that I use for email, paypal or similar more critical sites. However, I count over 80 sites where I have used the same password at some point in the past - nearly all ones I don't visit regularly, or at all, but in some cases where someone representing themselves as me could cause severe reputational damage.

    How long do you think it might take to systematically change all those? And who do I send the bill to?


This discussion has been closed.