torrentthief, Posted June 9, 2016 (edited)

https://invisionpower.com/news/ipboard-34x-and-ipnexus-15x-security-update-r972/

v3.4.9 was released on June 1st. A few days ago the uTorrent forums were hacked, possibly by the vulnerabilities patched in IPB v3.4.9. Has Neowin upgraded to v3.4.9 yet? Also, are passwords salted and hashed on Neowin? It appears that Russian social media site vk.com has had 100 million plaintext passwords leaked a few days ago. Hoping that Neowin isn't next.

EDIT: just realised that Neowin is running a much newer version of IPB. Silly me.

DaveLegg (Developer), Posted June 9, 2016

Passwords in IPB have been hashed and salted for as long as I can remember. We're on 4.1.12 (or something very close, there's a new update coming out every week at the moment, and I lose track), which is a long way ahead of the 3.4 series (V4 was a complete re-write of the code).

+Audioboxer (Subscriber²), Posted June 9, 2016

4 minutes ago, DaveLegg said:
Passwords in IPB have been hashed and salted for as long as I can remember. We're on 4.1.12 (or something very close, there's a new update coming out every week at the moment, and I lose track), which is a long way ahead of the 3.4 series (V4 was a complete re-write of the code)

Check behind you Dave, I'm already in.

Draconian Guppy, Posted June 9, 2016 (edited)

Quote:

The uTorrent team was alerted to the issue by one of their vendors earlier this week. While the vulnerability didn't originate at the uTorrent forums, it was indirectly compromised.

"The vulnerability appears to have been through one of the vendor's other clients, however it allowed attackers to access some information on other accounts. As a result, attackers were able to download a list of our forum users," uTorrent writes.

The security alert is posted in the forums but as far as we know users haven't been notified individually. There is no mention of the massive security breach on uTorrent and BitTorrent's social media accounts either.

In its announcement, uTorrent said: "On June 6th, 2016, BitTorrent was made aware of a security issue involving the vendor which powers our forums. The vulnerability appears to have been through one of the vendor's other clients. However, it allowed attackers to access some information on other accounts. As a result, attackers were able to download a list of our forum users. We are investigating further to learn if any other information was accessed."

Michael Scrip, Posted June 9, 2016

I changed my Neowin password anyway. Took 20 seconds.

It actually took me longer to find the account settings than it did to change the password.

Draconian Guppy, Posted June 9, 2016

Just now, Michael Scrip said:
I changed my Neowin password anyway. Took 20 seconds. It actually took me longer to find the account settings than it did to change the password.

I've changed my Neowin password since never. On a serious note, some not so well known sites make password changing mandatory.

Michael Scrip, Posted June 9, 2016 (edited)

8 minutes ago, Draconian Guppy said:
I've changed my Neowin password since never. On a serious note, some not so well known sites make password changing mandatory.

My former Neowin password was my old "standard" password from before I discovered LastPass. It was short, easy to type and I used that same password everywhere (thus not very secure).

Now I use passwords like this... different on every website: 470l1p0fH8^%0i4S

I wish hackers good luck in cracking that.

Plus I now use 2FA on very important accounts.

Draconian Guppy, Posted June 9, 2016 (edited)

4 minutes ago, Michael Scrip said:
My former Neowin password was my old "standard" password from before I discovered LastPass. It was short, easy to type and I used that same password everywhere (thus not very secure). Now I use passwords like this... different on every website: 470l1p0fH8^%0i4S I wish hackers good luck in cracking that. Plus I now use 2FA on very important accounts.

Without going far off topic, I used to brag on how my Hotmail account was a simple 5 letter 10 year old password until they forced a change around 2006-8ish. Goes to show how insignificant/worthless I am.

Michael Scrip, Posted June 9, 2016

Just now, Draconian Guppy said:
Without going far off topic, I used to brag on how my Hotmail account was a simple 5 letter 10 year old password until they forced a change around 2006-8ish

Mine used to be 6 letters... then I later added a couple digits.

Those were the days!

+mram (Subscriber²), Posted June 9, 2016

29 minutes ago, Michael Scrip said:
My former Neowin password was my old "standard" password from before I discovered LastPass. It was short, easy to type and I used that same password everywhere (thus not very secure). Now I use passwords like this... different on every website: 470l1p0fH8^%0i4S I wish hackers good luck in cracking that. Plus I now use 2FA on very important accounts.

This deserved a quote. And a like. And should be repeated often. It makes issues like "suchandsuch site was hacked, should I worry?" really really easy.

2FA + different passwords everywhere + password manager = secure.

Circaflex, Posted June 9, 2016

I like using passwordcard, https://www.passwordcard.org/en.

1337ish, Posted June 9, 2016

2 hours ago, DaveLegg said:
Passwords in IPB have been hashed and salted for as long as I can remember. We're on 4.1.12 (or something very close, there's a new update coming out every week at the moment, and I lose track), which is a long way ahead of the 3.4 series (V4 was a complete re-write of the code)

Also they use Blowfish, not MD5, as the encryption.