[CJ]

The latest post from the TSR Blog:

Firstly, thank you to everyone that has helped us communicate the request for members to change their passwords over the past few days. We realised that following the discovery of being hacked, we needed to act quickly and lots of changes were made in a very short space of time. At the time of discovery [...]

Read more on the TSR Blog...

[cambo211]

Cheers for keeping us updated.

[ViceVersa]

Thank you, you guys are the best.

[ak137]

Thanks

[Champagne Supernova]

Cheers for the update CJ. No doubt you guys have been working hard on this the last few days.

[PoGo HoPz]

Your updates turn me on.

[Metrobeans]

Cheers for the info.

[Wilfred Little]

The announcement went up on 21st June and I've only just seen it.

Surely it would have been easier to send PM's as opposed to a tiny announcement inside the actual forums?

Although the passwords were hashed/salted, they were unfortunately not secured to a level which would prevent them being cracked with modern approaches.

Why not?

[Wilfred Little]

(Original post by Wilfred Little)
The announcement went up on 21st June and I've only just seen it.

Surely it would have been easier to send PM's as opposed to a tiny announcement inside the actual forums?



Why not?

Answers?

Why did this happen?

Is it down to smart hackers or the tardiness of TSR?

[Illusionary]

(Original post by Wilfred Little)
Answers?

Why did this happen?

Is it down to smart hackers or the tardiness of TSR?

There was a very prominent announcement up for several days. Have you seen the details in the staff blog? Those may be helpful: http://staffblog.thestudentroom.co.u...curity-breach/

Otherwise, admin don't work at weekends but you'll hopefully get a reply to any unanswered questions that you may have early next week.

[rmhumphries]

(Original post by Wilfred Little)
The announcement went up on 21st June and I've only just seen it.

Surely it would have been easier to send PM's as opposed to a tiny announcement inside the actual forums?



Why not?

There is a big message at the top of every thread.

As to why the passwords were not secured to an extent that modern approaches would not be able to crack them - then TSR used the default method provided by vbulletin. Why they haven't used a more secure approach I don't know. My personal view is that TSR hadn't upgraded the level provided by vbulletin as their dev time is limited, and they spent the time upgrading other parts of the site / fixing other bugs instead of testing how secure the default password storage method was, as they assumed the method was fit for purpose, given they are not using the vbulletin software to do anything it wasn't designed for.

(Original post by Wilfred Little)
Answers?

Why did this happen?

Is it down to smart hackers or the tardiness of TSR?

Answers are partly here and here.

[Wilfred Little]

(Original post by Illusionary)
There was a very prominent announcement up for several days. Have you seen the details in the staff blog? Those may be helpful: http://staffblog.thestudentroom.co.u...curity-breach/

Otherwise, admin don't work at weekends but you'll hopefully get a reply to any unanswered questions that you may have early next week.

Quick reply. Illusionary, you're the best mod.

My main questions are why does TSR send automatic PM's for things like Share Trading Competitions but didn't send any for this? If this is as serious as it's coming across then I am questioning the decision to put an announcement up over sending PM's. We would have all been notified the second we signed in had PM's been used.

There are so many stickies and announcements that I barely even look at what's there. You may have noticed I spend far too much time browsing this website than I'm proud to admit and even I didn't notice it. I had no email notification either, although I do get thread update emails (much less than before as I've posted a thread about them before.)

I'm not knocking the staff, you all do a great job but I used the same password for at least 15 sites, I do find it a bit odd that PM's weren't used.

This is a pain in the arse.

[Wilfred Little]

(Original post by rmhumphries)
There is a big message at the top of every thread.

As to why the passwords were not secured to an extent that modern approaches would not be able to crack them - then TSR used the default method provided by vbulletin. Why they haven't used a more secure approach I don't know. My personal view is that TSR hadn't upgraded the level provided by vbulletin as their dev time is limited, and they spent the time upgrading other parts of the site / fixing other bugs instead of testing how secure the default password storage method was, as they assumed the method was fit for purpose, given they are not using the vbulletin software to do anything it wasn't designed for.

Top of the thread isn't good enough, there are other things there clogging the forum up that I don't give two ****s about. If I get my bank account, Paypal, etc hacked then it's not enough.

And is the highlighted bit down to incompetence?

[rmhumphries]

(Original post by Wilfred Little)
Top of the thread isn't good enough, there are other things there that I don't give two sh!ts about. If I get my bank account, Paypal, etc hacked then it's not enough.

And is the highlighted bit down to incompetence?

It is a big banner though with coloured side and so-on - not just a line of text; so it is expected to attract your attention more than a normal announcement. Where would you suggest they put it? They did send out an e-mail as well. Just as if paypal got hacked, then they would send out an e-mail (and possibly a text / letter if they held those details, but TSR only holds your e-mail).

Due to my incompetence? No, I just don't work for TSR - and have as much knowledge of its running as any other user. Their incompetence? I gave why I consider, if you think different fair enough.

[Illusionary]

(Original post by Wilfred Little)
Quick reply. Illusionary, you're the best mod.

My main questions are why does TSR send automatic PM's for things like Share Trading Competitions but didn't send any for this? If this is as serious as it's coming across then I am questioning the decision to put an announcement up over sending PM's. We would have all been notified the second we signed in had PM's been used.

There are so many stickies and announcements that I barely even look at what's there. You may have noticed I spend far too much time browsing this website than I'm proud to admit and even I didn't notice it. I had no email notification either, although I do get thread update emails (much less than before as I've posted a thread about them before.)

I'm not knocking the staff, you all do a great job but I used the same password for at least 15 sites, I do find it a bit odd that PM's weren't used.

This is a pain in the arse.

I think the share trading PM that you mentioned is from another member, not admin. I can't now show you how the original announcement looked, but it was very prominent. I know that sending PMs was suggested and considered, but I'm not personally in a position to fully explain why this wasn't done - it was an admin, rather than moderation team, decision. As rmhumphries mentions above, an email was sent out to all members with details of this.

[Wilfred Little]

(Original post by rmhumphries)
It is a big banner though. Where would you suggest they put it? They did send out an e-mail as well. Just as if paypal got hacked, then they would send out an e-mail (and possibly a text / letter if they held those details, but TSR only holds your e-mail).

Due to my incompetence? No, I just don't work for TSR - and have as much knowledge of its running as any other user. Their incompetence? I gave why I consider, if you think different fair enough.

The banner isn't enough, I'm on here near enough every day. I had no email, I checked my junk before posting this thread just to make sure I didn't make a tit out of myself. If you can send PM's that pop up on your screen every time you sign in, for things like Share Trading Competitions, then I find it very strange you couldn't do the same for something which is actually dangerous and a risk to every member that posts on here.

And no, not your incompetence personally, I apologise most sincerely if it sounded like an attack on you. Like I say, I think the TSR team do a great job but considering I browse here frequently and didn't notice the announcement I think should it happen in future TSR really needs to do more than just sticky a thread or an announcement. It's not enough.

[Wilfred Little]

(Original post by Illusionary)
I think the share trading PM that you mentioned is from another member, not admin. I can't now show you how the original announcement looked, but it was very prominent. I know that sending PMs was suggested and considered, but I'm not personally in a position to fully explain why this wasn't done - it was an admin, rather than moderation team, decision. As rmhumphries mentions above, an email was sent out to all members with details of this.

Cheers mate, I believe the constant replies are causing my points to overlap.

But I had no email and didn't notice the announcement until earlier today.

[rmhumphries]

(Original post by Wilfred Little)
The banner isn't enough, I'm on here near enough every day. I had no email, I checked my junk before posting this thread just to make sure I didn't make a tit out of myself. If you can send PM's that pop up on your screen every time you sign in, for things like Share Trading Competitions, then I find it very strange you couldn't do the same for something which is actually dangerous and a risk to every member that posts on here.

And no, not your incompetence personally, I apologise most sincerely if it sounded like an attack on you. Like I say, I think the TSR team do a great job but considering I browse here frequently and didn't notice the announcement I think should it happen in future TSR really needs to do more than just sticky a thread or an announcement. It's not enough.

There was an e-mail - I don't see any reason why it wouldn't have been sent to all users, it went to junk mail in my account but I did get it - unless you changed your e-mail recently I don't know why it didn't get to you - but the intention was certainly there by TSR. It could be worth seeing if anyone else may have not received the e-mail though.

Just double checking The actual reason for our passwords most likely not being secure I don't think was their fault, if you pay for something, you expect it to work for what it says it will do. With the announcement of the problems, I am on the fence as to if there has been a problem where some people didn't get e-mailed when they should have or if you were an unfortunate exception and the measures were good enough.

[ChrisN]

(Original post by Wilfred Little)
The announcement went up on 21st June and I've only just seen it.

Surely it would have been easier to send PM's as opposed to a tiny announcement inside the actual forums?

We did a site wide announcement for logged in and out users, a notice at the top of every page for logged in users, posts in the blog, and an email to all users.

We thought this would be enough. We did discuss a PM, but it's not quite that easy to do for all users, and we figured we had all bases covered already.

Apologies if all those methods missed you.

[ChrisN]

(Original post by rmhumphries)
As to why the passwords were not secured to an extent that modern approaches would not be able to crack them - then TSR used the default method provided by vbulletin. Why they haven't used a more secure approach I don't know. My personal view is that TSR hadn't upgraded the level provided by vbulletin as their dev time is limited, and they spent the time upgrading other parts of the site / fixing other bugs instead of testing how secure the default password storage method was, as they assumed the method was fit for purpose, given they are not using the vbulletin software to do anything it wasn't designed for.

Exactly that. With hindsight we clearly would have done things different, but unfortunately we didnt have that in advance... sorry we know it's a pain...