
Change your passwords on other websites | An update on the Boards.ie Data Incident.


Comments

  • Registered Users Posts: 83,206 ✭✭✭✭Overheal


    mattb wrote: »
    Sorry? If other boards.ie representatives posting here are to be believed, you sent exactly ONE email.
    And twitter updates; Press Releases to National Television and Radio Networks; and locked down the site for about 72 hours with the only page available displaying a massive fat copy of said email...

    Oh, and they shut down the servers within 20 minutes of the attack.


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    mattb wrote: »
    Devore wrote:
    We have made as many attempts as we can to contact people

    Sorry? If other boards.ie representatives posting here are to be believed, you sent exactly ONE email.
    DeVore wrote:
    Now, some mailers dropped the email because it wasn't coming from Boards servers (which were offline and compromised), but they didn't inform us.

    And it was sent from a server with blacklisted IP address?!

    Yet when boards.ie was back up you sent NO follow-up emails, NO PMs, NOTHING to attempt to contact irregular visitors to boards.ie who may not have received the original fail-whale mail regarding the SNAFU.

    Until now, three months later - which suggests to me you know something you're not telling us.

    For the record, I don't use the same password on sites like boards.ie that I use for email, paypal or similar more critical sites. However, I count over 80 sites where I have used the same password at some point in the past - nearly all ones I don't visit regularly, or at all, but in some cases where someone representing themselves as me could cause severe reputational damage.

    How long do you think it might take to systematically change all those? And who do I send the bill to?

    Hi Matt,

    I'm Darragh, the Boards.ie Communications Manager. I'm an employee of Boards.ie Ltd and I think it's only fair to answer your questions.

    We could have done a lot better and I'm sorry for the inconvenience that this has caused people like yourself. Genuinely sorry.

    Sorry? If other boards.ie representatives posting here are to be believed, you sent exactly ONE email.

    This is true.

    When we took the site offline because of the incident, we didn't know how long it would take to get back online and we used the resources available to try and get the word out.

    We probably didn't do enough.

    None of us think it went as smoothly as possible - we know it didn't. It did go as well as we could manage at the time though. We reset over 290,000 passwords on member accounts. We had to let everyone know. We tried a system that didn't work. Many people got the email - many people didn't. We didn't know who of those had or hadn't.

    When we came back online though, all members had to reset their passwords. Many didn't have access to the original email addresses they joined under. We had to verify their identities in a very manual process. We received some 5,000 emails in a very short space of time - all of which had to be answered by Dav, me and Niamh who we hired to help us. I've spent mostly 6 day weeks in the office since January 21 - we've all pulled long hours and had lots and lots to do. I can't believe it's already May :(

    We didn't get to everyone - but our priority became stabilising the site, sorting out existing members who wanted to post and couldn't and helping the Garda Computer Crime Unit and the Data Protection Commissioner's Office with their investigations/audits. This all takes time, not to mention all the other stuff that we have to get done.

    That's not an excuse - we should, as you and others have said, have followed up with a PM or email sooner and tried to get through to people - we didn't and I'm sorry. This was our first real chance but it should have happened a lot earlier.

    However, it's probably too easy for us in the office, looking at the statistics of over 1,750,000 people visiting us every month, to assume people had heard about it, had seen the notices, had read something or heard about it. They didn't. The ones who use, read and enjoy Boards.ie regularly did - those who don't haven't.

    Everyone who has an account with Boards.ie, who had tried to log-in or post under their old details couldn't because of our measures. I assume many of those read the reasons why. We

    Again, I'm sorry. I'm sorry our data was compromised. It wasn't our doing - we didn't leave a gate open for someone to just walk in - it was quite a calculated attack and that's why the Gardaí have been as involved as they are. The Data Protection Commissioner's Office ran a detailed audit at the time and were satisfied that we weren't lax or stupid in how we manage people's details.

    We should have done more. We didn't.

    Until now, three months later - which suggests to me you know something you're not telling us.

    We have been limited all along in what we can say about this case because of the Gardaí investigation. Their Press Office would be more than happy to take questions, but because it's an active investigation, we have been unable to give out all the details - many of them would be almost irrelevant anyways.

    We are not hiding anything from people. We are not not telling people information they should know.

    What we are telling people is to change their passwords if they used the same email address and password on other websites as they did on Boards.ie. It makes sense to do this.

    For the record, I don't use the same password on sites like boards.ie that I use for email, paypal or similar more critical sites.

    Which, obviously, makes a lot of sense. Other people should do the same. I hope all your details for your email are different to your PayPal, etc?

    However, I count over 80 sites where I have used the same password at some point in the past - nearly all ones I don't visit regularly, or at all, but in some cases where someone representing themselves as me could cause severe reputational damage.

    How long do you think it might take to systematically change all those? And who do I send the bill to?

    Who do you send the bill to? I assume the person who has caused all of this to happen... Either yourself for using the same password on all those sites (sorry, but it's a fair comment, isn't it? We had no control over this, pre or post incident) or the hacker who may have your details on a database that they are willing to sell to someone else for whatever use they see fit.

    We'd prefer them not to have access to your details and that's why we recommend the change. It is, though, up to you.

    In short - yes, we could have done more. I'm sorry we didn't, but we're doing what we can and as I said in the first post on this thread, we're extremely grateful to those who have stuck with us since January and have given their support. It's made a difference.

    I hope that helps,

    Thanks

    Darragh


  • Closed Accounts Posts: 12,807 ✭✭✭✭Orion


    Darragh wrote: »
    We could have done a lot better and I'm sorry for the inconvenience that this has caused people like yourself. Genuinely sorry.
    Darragh

    I haven't read the rest of your post yet Darragh but I must comment on that line - bull! There was shag all else that b.ie could do. FFS the national media were involved. Even if I hadn't tried to log on to boards at the time I heard about the attack all over the shop.

    The boards.ie staff and admins are to be commended for their actions, proactive responses, and continued disclosure.

    Some people are never going to be happy and tbqfh fuck them. And just to make sure that there's no misinterpretation - yes mattb I do mean you.


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    Macros42, while I appreciate the support and feedback - and I genuinely do - there's always more we can do, but it comes down to the space to do it - not so much time, resource or commitment - but just the circumstance.

    It's not great getting a message saying "Change your password because we were attacked" from any service. I want to reiterate that we are sorry for the inconvenience.

    Thanks again

    Darragh


  • Registered Users Posts: 205 ✭✭robodonkey


    Whilst on the subject of password management, and multiple logins on multiple sites, might I suggest a technique for assisting folks with this?

    To make your password "site relevant for you", use a system (that you use on all sites you visit), for example:

    Website: www.example.com
    The password system:

    <4 digit personal num>
    <first letter website in caps, in this case "E">
    <last letter website in caps, again here it's "E">
    <8 character password derived from a phrase, using the first letter of each word/mnemonics and letter/number substitution for the vowels a/e/i/o "I Can Remember This Password Because its easy">
    <non alpha numeric>
    <non alpha numeric>

    Giving a 16 character password (in this system):
    9876EE1crtpb13!£

    So, you know your "system", your "pin", your "phrase", your "end characters" and yet the password is unique to the website.

    Not as complicated as it sounds, and you will never forget your passwords!
    You can invent whatever system you like by the way...in fact you SHOULD do so!
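
The scheme in the post above, written out as an added example that is not part of the original post: it rebuilds the 16-character sample password and measures how many characters change from one site to the next. The a->4 and o->0 substitutions, the rule for picking the site name out of a hostname, and the second hostname are assumptions made for this example.

```python
from urllib.parse import urlparse

# i->1 and e->3 appear in the post's sample password; a->4 and o->0 are
# assumed here to complete the a/e/i/o substitution the post mentions.
SUBS = {"a": "4", "e": "3", "i": "1", "o": "0"}
PHRASE = "I Can Remember This Password Because its easy"  # phrase from the post


def site_letters(site: str) -> str:
    """First and last letter of the site name in caps ("EE" for example.com)."""
    host = urlparse(site if "//" in site else "//" + site).hostname or ""
    labels = [part for part in host.split(".") if part]
    if labels and labels[0] == "www":
        labels = labels[1:]
    if not labels:
        raise ValueError(f"no site name in {site!r}")
    # Assumption: the site name is the label left of the last suffix
    # (this picks the wrong label for two-part suffixes such as .co.uk).
    name = labels[-2] if len(labels) >= 2 else labels[0]
    return (name[0] + name[-1]).upper()


def phrase_part(phrase: str, length: int = 8) -> str:
    """First letter of each word, lower-cased, with vowel substitution."""
    initials = [w[0].lower() for w in phrase.split() if w[0].isalpha()]
    if len(initials) < length:
        raise ValueError("phrase has too few words")
    return "".join(SUBS.get(c, c) for c in initials[:length])


def build_password(pin: str, site: str, phrase: str, tail: str) -> str:
    """pin + two site letters + phrase part + two non-alphanumerics."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("pin must be 4 digits")
    if len(tail) != 2 or any(c.isalnum() for c in tail):
        raise ValueError("tail must be 2 non-alphanumeric characters")
    return pin + site_letters(site) + phrase_part(phrase) + tail


def differing_positions(a: str, b: str) -> list:
    """Indexes at which two equal-length passwords differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    first = build_password("9876", "www.example.com", PHRASE, "!£")
    second = build_password("9876", "www.widgets.test", PHRASE, "!£")  # constructed site
    print(first, second, differing_positions(first, second))
```

Only the two site letters vary between sites, so every other character of the password is shared across all of them.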


  • Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 60,159 Mod ✭✭✭✭Wibbs


    mattb wrote: »
    For the record, I don't use the same password on sites like boards.ie that I use for email, paypal or similar more critical sites. However, I count over 80 sites where I have used the same password at some point in the past - nearly all ones I don't visit regularly, or at all, but in some cases where someone representing themselves as me could cause severe reputational damage.
    If you're signed up to 80 sites (mind boggles) and some could cause you "severe reputational damage" if compromised, then changing those ones would be the priority I would have thought? If they could cause this damage, then you must be readily recognisable on these sites, that's hardly sensible either (unless it's your career). Plus let's face it, this hacker or hackers are hardly after a way to cause you reputational damage. Your login for email and paypal etc is all they're going to be after.
    How long do you think it might take to systematically change all those? And who do I send the bill to?
    :rolleyes: If you were a complete novice at this I could understand your ire. If you're on so many sites as a member and you have already very sensibly not shared these passwords with critical sites, then you're well clued in on personal web security. You should have realised that sooner or later one of these sites would be hacked. The more you join the more likely this is going to happen. Ones with less security and followup in play than this one. While any site has a duty of care to effect the best security they can muster, personal web security as far as different passwords go is the individual's remit.
    Macros42 wrote: »
    I haven't read the rest of your post yet Darragh but I must comment on that line - bull! There was shag all else that b.ie could do. FFS the national media were involved. Even if I hadn't tried to log on to boards at the time I heard about the attack all over the shop.

    The boards.ie staff and admins are to be commended for their actions, proactive responses, and continued disclosure.
    +1000. Hindsight is always 20/20, but even with hindsight, they did a bloody good job of handling this and given the scale of the task, the site was back up, users got their new logins and were back on and yapping away remarkably quickly. With remarkably few stragglers to boot.

    Rejoice in the awareness of feeling stupid, for that’s how you end up learning new things. If you’re not aware you’re stupid, you probably are.



  • Registered Users Posts: 153 ✭✭justforgroups


    Hi,
    Just heard about the security incident. I was able to log on using my old password but posts from boards.ie admins say they changed all the passwords after the attack?

    How could I log on then?


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    You reset your password on the 23rd February.

    You wouldn't have been able to log in with your old password, since all the old passwords were discarded, forcing anyone who wanted to log in to reset their passwords.


  • Registered Users Posts: 153 ✭✭justforgroups


    Ah I see, grand. I kept the random password and didn't use it anywhere else. Cool. Thanks!


  • Closed Accounts Posts: 39 Steerpike


    What about this tosspot? Spotted in Tescos Maynooth.


  • Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 30,900 Mod ✭✭✭✭Insect Overlord


    Steerpike wrote: »
    What about this tosspot? Spotted in Tescos Maynooth.

    Lol_wut_pack.jpg


This discussion has been closed.