I've changed my password as suggested, but I was wondering - do you guys know if details have been taken for everyone on the site or just a certain number? When did this happen?

Admin edit: See here for information and advice regarding the security breach.
(edited 11 years ago)
Reply 2
Additionally regarding the usernames and passwords, I'm curious - can you tell us the hashing+salting method (formerly?) used by TSR?
I changed my password, here's hoping it's nothing more than a safety precaution.
Reply 4
Original post by Chrosson
Additionally regarding the usernames and passwords, I'm curious - can you tell us the hashing+salting method (formerly?) used by TSR?


Default vB hash is:

$password_hash = md5(md5($password_text) . $user_salt);
With a per-user three character salt which is also stored in the database.
(edited 11 years ago)
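The scheme quoted in the post above, next to one way a site could move such records to a slow hash. This is an added example, not part of the thread and not vBulletin's or TSR's code; the function names, the record layout and the sample values are assumptions made for illustration.

```php
<?php
// Added example: not vBulletin or TSR code. Function names, the record
// layout and the sample values are constructed for illustration.

// Legacy scheme as quoted in the post: two fast MD5 passes, short per-user salt.
function legacy_vb_hash(string $password, string $salt): string {
    return md5(md5($password) . $salt);
}

// Wrap a stored legacy hash in bcrypt without knowing the password, so
// every row in the table can be converted in one offline pass.
function wrap_legacy_hash(string $legacyHash): string {
    return password_hash($legacyHash, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Check a login against any of the three record types. Returns the record
// to store afterwards (always plain bcrypt), or null if the password is wrong.
function verify_and_upgrade(string $password, array $rec): ?array {
    switch ($rec['scheme']) {
        case 'vb-md5':
            $ok = hash_equals($rec['hash'], legacy_vb_hash($password, $rec['salt']));
            break;
        case 'bcrypt-wrapped':
            $ok = password_verify(legacy_vb_hash($password, $rec['salt']), $rec['hash']);
            break;
        case 'bcrypt':
            $ok = password_verify($password, $rec['hash']);
            break;
        default:
            $ok = false;
    }
    if (!$ok) {
        return null;
    }
    // bcrypt generates and embeds its own random salt, so none is stored.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    return ['scheme' => 'bcrypt', 'hash' => $hash, 'salt' => null];
}

// Constructed sample user.
$salt = 'a#9';
$old = ['scheme' => 'vb-md5', 'hash' => legacy_vb_hash('correct horse', $salt), 'salt' => $salt];
$wrapped = ['scheme' => 'bcrypt-wrapped', 'hash' => wrap_legacy_hash($old['hash']), 'salt' => $salt];

$new = verify_and_upgrade('correct horse', $wrapped);
var_dump($new !== null && $new['scheme'] === 'bcrypt');
var_dump(verify_and_upgrade('wrong guess', $wrapped) === null);
var_dump(verify_and_upgrade('correct horse', $new) !== null);
```

Wrapping only protects the table from that point on; hashes that were already copied stay in the fast MD5 form, which is why the password change is still needed.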
Reply 5
"IMPORTANT - Your Password has been compromised. You need to act.
Unfortunately it has come to our attention that TSR has been compromised in a similar way to the recently publicised LinkedIn attack. At a minimum, username, hashed password and email addresses have been taken. Although the passwords were hashed/salted, they were unfortunately not secured to a level which would prevent them being cracked with modern approaches. You therefore need to act as if your actual password has been compromised.
We therefore recommend that everyone changes their password immediately not only on TSR, but anywhere else they have used the same password.
We will be reviewing our security measures over the coming days and communicating in a range of ways with all members to ensure that everyone receives this message.
We are really sorry for the nuisance that this will cause."


All I got was this to change my password.

But seriously, what would a bunch of people want to do with our user accounts.....seriously :K:

They are either very dumb "hackers" or the trolls are back for revenge :troll:
Reply 6
Urgh. Last.fm and now TSR.
Why do I keep getting this Windows security pop-up when I'm on TSR:

''The server static2.staging.tsrfiles.co.uk at staging server requires a username and password.

Warning. This server is requesting your username and password be sent in an insecure manner (basic authentication without a secure connection).''

:s-smilie:


btw I'm on Internet Explorer 9.

Edit: seems like this is happening on all browsers not just IE9
(edited 11 years ago)
Reply 8
Here's an article which will explain the vulnerability (or what I imagine the vulnerability was).

http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
Reply 9
I keep getting a pop up box with the following message in it:

A user name and password are being requested by http://static2.staging.tsrfiles.co.uk. The site says: "Staging Server"

it then has a space for username and password to be entered. I close it and the site works fine, but it's odd.
Original post by internet tough guy
Why do I keep getting this Windows security pop-up when I'm on TSR:

''The server static2.staging.tsrfiles.co.uk at staging server requires a username and password.

Warning. This server is requesting your username and password be sent in an insecure manner (basic authentication without a secure connection).''

:s-smilie:


btw I'm on Internet Explorer 9


Yep I'm getting some similar message popping up. I keep cancelling it though cos it's never come up before.

I'm on the latest Firefox on Mac.
Reply 11
Original post by internet tough guy
Why do I keep getting this Windows security pop-up when I'm on TSR:

''The server static2.staging.tsrfiles.co.uk at staging server requires a username and password.

Warning. This server is requesting your username and password be sent in an insecure manner (basic authentication without a secure connection).''

:s-smilie:


btw I'm on Internet Explorer 9


I have just changed my password and I keep getting this message
Original post by internet tough guy
Why do I keep getting this Windows security pop-up when I'm on TSR:

''The server static2.staging.tsrfiles.co.uk at staging server requires a username and password.

Warning. This server is requesting your username and password be sent in an insecure manner (basic authentication without a secure connection).''

:s-smilie:


btw I'm on Internet Explorer 9


It looks as though the banner is currently using an image hosted on a restricted site - nothing to worry about just press cancel. I'm sure they'll get around to fixing that :smile:
I don't get it!! If I've changed my password will I be OK now?

Also, do they only have our current password or will they have all the passwords we've ever used?

I've just had to log in everywhere and change everything to brand new passwords :frown:
Reply 14
Original post by Iqbal007

But seriously, what would a bunch people want to do with our user accounts.....seriously :K:


A huge percentage of people use their same account details for their email and forums such as TSR. Given access to someone's email account it's usually quite possible to find most of their other passwords, and quite likely access their PayPal / other bank details, or give a wealth of information that would allow the hacker to steal your identity.
Reply 15
Original post by pinkangelgirl
I don't get it!! If I've changed my password will I be OK now?

Also, do they only have our current password or will they have all the passwords we've ever used?


VB / TSR will need a massive glare if it's the latter, but I imagine it will be the former.

If your TSR password isn't being used on any other sites, and TSR's original vulnerability has been fixed, there's not much more you can do for now.
I have literally just this second created a new password and already I've forgotten it!! What is wrong with me and my memory.
Reply 17
"Although the passwords were hashed/salted, they were unfortunately not secured to a level which would prevent them being cracked with modern approaches."

Why not?

Is TSR not a modern website? Is TSR benevolent towards the threat of cyber-hacking? Evidently so.

Does it not care about the millions of users' personal information?

Please do not lecture me with cries of "oh, all you have to do is change your password", it is a case of principle and the mere reality that this has occurred.

I have changed my password.
Original post by estel
A huge percentage of people use their same account details for their email and forums such as TSR. Given access to someone's email account it's usually quite possible to find most of their other passwords, and quite likely access their PayPal / other bank details, or give a wealth of information that would allow the hacker to steal your identity.


^ This.


Using a different username and password for everything doesn't look so silly now. :colone:
Changed my TSR password.
Changed my e-mail password.
Installed noscript.
Ran a virus scan.
Turned off laptop.
Turned off router.
Fled the country.
Renounced citizenship.
Joined a monastery.

Guess I had the last laugh--shows you, hackers.
