The Student Room – security breach
The latest post from the TSR Blog:
Like a number of websites recently, The Student Room has been the victim of an attack by someone intent on capturing user data. The minute we found out we took every possible step to protect our members’ data and we are continuing to increase our security. However, if you are a member of The Student [...]
Read more on the TSR Blog... -
TSR Usernames/Passwords
I've changed my password as suggested, but I was wondering - do you guys know if details have been taken for everyone on the site or just a certain number? When did this happen?
Admin edit: See here for information and advice regarding the security breach.
Last edited by fleur de lis; 22-06-2012 at 15:13. -
Re: TSR Usernames/Passwords
(Original post by Chrosson)
Additionally regarding the usernames and passwords, I'm curious - can you tell us the hashing+salting method (formerly?) used by TSR?

Default vB hash is:
Code:
$password_hash = md5(md5($password_text) . $user_salt);
With a per-user three character salt which is also stored in the database.
Last edited by estel; 22-06-2012 at 01:02. -
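A defender's follow-up to the scheme quoted in the post above, as an added example that is not vBulletin's or TSR's code: one way to move accounts off `md5(md5($password) . $salt)` with PHP's built-in `password_hash()`, first wrapping the stored hashes and then rehashing at login. The function names, the `scheme` field and the sample row are assumptions made for illustration.

```php
<?php
// Added example; all names here are hypothetical, not vBulletin's schema.

// The legacy scheme quoted in the post: two fast MD5 passes and a short salt.
function legacy_vb_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

// Step 1, run once over the table: wrap each stored legacy hash in a slow,
// salted hash. No plaintext password is needed for this step.
function wrap_legacy_hash(string $legacyHash): string
{
    return password_hash($legacyHash, PASSWORD_DEFAULT);
}

// Step 2, at login: verify against whichever scheme the row uses and return
// [bool $ok, array $row], where $row is the record to store afterwards.
function verify_and_upgrade(array $row, string $password): array
{
    if ($row['scheme'] === 'wrapped_vb') {
        $inner = legacy_vb_hash($password, $row['salt']);
        $ok = password_verify($inner, $row['hash']);
        if ($ok) {
            // The plaintext is available now, so drop the MD5 layer entirely.
            $row = ['scheme' => 'native', 'salt' => '',
                    'hash' => password_hash($password, PASSWORD_DEFAULT)];
        }
        return [$ok, $row];
    }
    $ok = password_verify($password, $row['hash']);
    if ($ok && password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        // Algorithm or cost has moved on since this hash was written.
        $row['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return [$ok, $row];
}

// Constructed sample row: an account that still carried the legacy hash.
$salt = 'a1Z';
$row = ['scheme' => 'wrapped_vb', 'salt' => $salt,
        'hash' => wrap_legacy_hash(legacy_vb_hash('correct horse battery', $salt))];

[$ok, $row] = verify_and_upgrade($row, 'wrong guess');
var_dump($ok, $row['scheme']);
[$ok, $row] = verify_and_upgrade($row, 'correct horse battery');
var_dump($ok, $row['scheme']);
[$ok, $row] = verify_and_upgrade($row, 'correct horse battery');
var_dump($ok, $row['scheme']);
```

Wrapping only protects the table against a future theft; accounts whose legacy hashes were already taken still need the password change the notice asks for.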
So TSR has been compromised!
"IMPORTANT - Your Password has been compromised. You need to act.
Unfortunately it has come to our attention that TSR has been compromised in a similar way to the recently publicised Linked In attack. At a minimum, username, hashed password and email addresses have been taken. Although the passwords were hashed/salted, they were unfortunately not secured to a level which would prevent them being cracked with modern approaches. You therefore need to act as if your actual password has been compromised.
We therefore recommend that everyone changes their password immediately not only on TSR, but anywhere else they have used the same password.
We will be reviewing our security measures over the coming days and communicating in a range of ways with all members to ensure that everyone receives this message.
We are really sorry for the nuisance that this will cause."
All I got was this to change my password.
But seriously, what would a bunch of people want to do with our user accounts.....seriously
They are either very dumb "hackers" or the trolls are back for revenge
-
Re: TSR Usernames/Passwords
Why do I keep getting this windows security pop-up when I'm on TSR:
''The server static2.staging.tsrfiles.co.uk at staging server requires a username and password.
Warning. This server is requesting your username and password be sent in an insecure manner (basic authentication without a secure connection).''

btw I'm on internet explorer 9.
Edit: seems like this is happening on all browsers not just IE9
Last edited by internet tough guy; 22-06-2012 at 01:09. -
Re: TSR Usernames/Passwords
Here's an article which will explain the vulnerability (or what I imagine the vulnerability was).
http://krebsonsecurity.com/2012/06/h...word-security/ -
Pop up saying something about a staging server
I keep getting a pop up box with the following message in it:
A user name and password are being requested by http://static2.staging.tsrfiles.co.uk. The site says: "Staging Server"
it then has a space for username and password to be entered. I close it and the site works fine, but it's odd. -
Re: TSR Usernames/Passwords
(Original post by internet tough guy)
Why do I keep getting this windows security pop-up when I'm on TSR:
''The server static2.staging.tsrfiles.co.uk at staging server requires a username and password.
Warning. This server is requesting your username and password be sent in an insecure manner (basic authentication without a secure connection).''

btw I'm on internet explorer 9

Yep I'm getting some similar message popping up. I keep cancelling it though cos it's never come up before.
I'm on the latest firefox on Mac. -
Re: TSR Usernames/Passwords
(Original post by internet tough guy)
Why do I keep getting this windows security pop-up when I'm on TSR:
''The server static2.staging.tsrfiles.co.uk at staging server requires a username and password.
Warning. This server is requesting your username and password be sent in an insecure manner (basic authentication without a secure connection).''

btw I'm on internet explorer 9

I have just changed my password and I keep getting this message -
Re: TSR Usernames/Passwords
(Original post by internet tough guy)
Why do I keep getting this windows security pop-up when I'm on TSR:
''The server static2.staging.tsrfiles.co.uk at staging server requires a username and password.
Warning. This server is requesting your username and password be sent in an insecure manner (basic authentication without a secure connection).''

btw I'm on internet explorer 9

It looks as though the banner is currently using an image hosted on a restricted site - nothing to worry about just press cancel. I'm sure they'll get around to fixing that
-
Re: So TSR has been compromised!
(Original post by Iqbal007)
But seriously, what would a bunch of people want to do with our user accounts.....seriously

A huge percentage of people use their same account details for their email and forums such as TSR. Given access to someone's email account it's usually quite possible to find most of their other passwords, and quite likely access their Paypal / other bank details, or give a wealth of information that would allow the hacker to steal your identity.
-
Re: TSR Usernames/Passwords
(Original post by pinkangelgirl)
I don't get it!! If I've changed my password will I be ok now?
Also, do they only have our current password or will they have all the passwords we've ever used.

VB / TSR will need a massive glare if it's the latter, but I imagine it will be the former.
If your TSR password isn't being used on any other sites, and TSR's original vulnerability has been fixed, there's not much more you can do for now. -
Re: So TSR has been compromised!
"Although the passwords were hashed/salted, they were unfortunately not secured to a level which would prevent them being cracked with modern approaches."
Why not?
Is TSR not a modern website? Is TSR benevolent towards the threat of cyber-hacking? Evidently so.
Does it not care about the millions of users' personal information?
Please do not lecture me with cries of "oh, all you have to do is change your password", it is a case of principle and the mere reality that this has occurred.
I have changed my password. -
Re: So TSR has been compromised!
(Original post by estel)
A huge percentage of people use their same account details for their email and forums such as TSR. Given access to someone's email account it's usually quite possible to find most of their other passwords, and quite likely access their Paypal / other bank details, or give a wealth of information that would allow the hacker to steal your identity.

^ This.
Using a different username and password for everything doesn't look so silly now.

