uTorrent forums hacked, is neowin vulnerable?



https://invisionpower.com/news/ipboard-34x-and-ipnexus-15x-security-update-r972/

 

v3.4.9 was released on June 1st. A few days ago the uTorrent forums were hacked, possibly by the vulnerabilities patched in IPB v3.4.9. Has Neowin upgraded to v3.4.9 yet? Also, are passwords salted and hashed on Neowin? It appears that Russian social media site vk.com has had 100 million plaintext passwords leaked a few days ago. Hoping that Neowin isn't next.

 

EDIT: Just realised that Neowin is running a much newer version of IPB. Silly me.


Passwords in IPB have been hashed and salted for as long as I can remember. We're on 4.1.12 (or something very close, there's a new update coming out every week at the moment, and I lose track), which is a long way ahead of the 3.4 series (V4 was a complete re-write of the code)


4 minutes ago, DaveLegg said:

Passwords in IPB have been hashed and salted for as long as I can remember. We're on 4.1.12 (or something very close, there's a new update coming out every week at the moment, and I lose track), which is a long way ahead of the 3.4 series (V4 was a complete re-write of the code)

Check behind you Dave, I'm already in.


Quote

The uTorrent team was alerted to the issue by one of their vendors earlier this week. While the vulnerability didn't originate at the uTorrent forums, it was indirectly compromised. "The vulnerability appears to have been through one of the vendor's other clients, however it allowed attackers to access some information on other accounts. As a result, attackers were able to download a list of our forum users," uTorrent writes. The security alert is posted in the forums but as far as we know users haven't been notified individually. There is no mention of the massive security breach on uTorrent and BitTorrent's social media accounts either.

 

In its announcement, uTorrent said: "On June 6th, 2016, BitTorrent was made aware of a security issue involving the vendor which powers our forums. The vulnerability appears to have been through one of the vendor's other clients. However, it allowed attackers to access some information on other accounts. As a result, attackers were able to download a list of our forum users. We are investigating further to learn if any other information was accessed."

 

 

 


I changed my Neowin password anyway. Took 20 seconds. It actually took me longer to find the account settings than it did to change the password. :D

 

 


Just now, Michael Scrip said:

I changed my Neowin password anyway. Took 20 seconds. It actually took me longer to find the account settings than it did to change the password. :D

 

 

I've changed my Neowin password since never. :laugh:

On a serious note, some not-so-well-known sites make password changing mandatory.


8 minutes ago, Draconian Guppy said:

I've changed my Neowin password since never. :laugh:

On a serious note, some not-so-well-known sites make password changing mandatory.

My former Neowin password was my old "standard" password from before I discovered LastPass.  It was short, easy to type and I used that same password everywhere  (thus not very secure)

 

Now I use passwords like this... different on every website:  470l1p0fH8^%0i4S

 

I wish hackers good luck in cracking that :D

 

Plus I now use 2FA on very important accounts.


4 minutes ago, Michael Scrip said:

My former Neowin password was my old "standard" password from before I discovered LastPass.  It was short, easy to type and I used that same password everywhere  (thus not very secure)

 

Now I use passwords like this... different on every website:  470l1p0fH8^%0i4S

 

I wish hackers good luck in cracking that :D

 

Plus I now use 2FA on very important accounts.

Without going far off topic,

I used to brag on how my Hotmail account was a simple 5-letter, 10-year-old password until they forced a change around 2006-8ish. Goes to show how insignificant/worthless I am.


Just now, Draconian Guppy said:

Without going far off topic,

I used to brag on how my Hotmail account was a simple 5-letter, 10-year-old password until they forced a change around 2006-8ish

Mine used to be 6 letters... then I later added a couple digits.

 

Those were the days!


29 minutes ago, Michael Scrip said:

My former Neowin password was my old "standard" password from before I discovered LastPass.  It was short, easy to type and I used that same password everywhere  (thus not very secure)

 

Now I use passwords like this... different on every website:  470l1p0fH8^%0i4S

 

I wish hackers good luck in cracking that :D

 

Plus I now use 2FA on very important accounts.

This deserved a quote.  And a like.  And should be repeated often.  

 

It makes issues like "suchandsuch site was hacked, should I worry?" really really easy.

 

2FA + different passwords everywhere + password manager = secure.


2 hours ago, DaveLegg said:

Passwords in IPB have been hashed and salted for as long as I can remember. We're on 4.1.12 (or something very close, there's a new update coming out every week at the moment, and I lose track), which is a long way ahead of the 3.4 series (V4 was a complete re-write of the code)

Also, they use Blowfish, not MD5, as the encryption.


This topic is now closed to further replies.