
well if it's happened to a number of websites then why didn't you make the password storage more secure. i'm sure you're doing your best, you guys work hard, i'm just pretty annoyed.
Original post by Friar Chris
Any particular reason that the Union Flags have become coloured stripes since yesterday?


That's an unrelated issue, if you clear your cache that will fix it :smile:
Original post by whyumadtho
Why is there a woman smiling at us? I almost feel trolled. :colonhash:


Wut? :lolwut:
Original post by EierVonSatan
That's an unrelated issue, if you clear your cache that will fix it :smile:


Aha thanks. Thought there might have been some evil scheme to hack and convert all TSR to coloured blob flags.
Reply 184
Original post by Chrosson
I do not disagree (http://www.thestudentroom.co.uk/showpost.php?p=38267483&postcount=47). There's plenty of blame to go around.

(Nice that we're agreeing on something for once)

Do we often disagree?
Original post by GenerationX
It's pretty sloppy of website owners and developers to rely on hashing passwords as some idea of security. Hashing is not encryption and the site should have used proper encryption in the first place instead of something that many websites can decode for you in a minute or two.

Sloppy sloppy sloppy to risk members' passwords like that :mad:


Hashing is the way in which pretty much all passwords are stored; you cannot de-hash a password unless you use either a brute-force attempt or a dictionary-based attack. You could argue it's more secure than encryption, because with encrypted data all they need is the private key and then they have ALL OF THE DATA.

Original post by Tycho
Hashing is a very common method of storing passwords, and it's not as easy to crack as you are suggesting. It's specifically designed to not be decrypted, and indeed can't be. To the best of my knowledge the only way to crack a password which is hashed using md5 is via a brute force method.


Correct, although MD5 is very weak by modern standards; as it's been about so long there are massive lists of precompiled hashes that can be used as a dictionary-based attack (look up rainbow tables if you're interested).
Reply 186
Original post by El Torres
How would we hear about it? Anyone who has had their information compromised would probably have no idea how.

These people who now have our information; they have thousands of emails and potentially passwords so it'll take a long time to decode it if they want to make any use of it. The e-mails alone don't provide much to them.

They may be opportunists but now they have the information they can do as they please. With us now knowing we can try to make most of that information defunct by changing our passwords but a lot of people won't or might forget to change it on one or two websites.


I meant that we'd know if someone gained access to our bank account/paypal account and stole some money (for instance). We haven't heard of any such horror stories - yet. It probably means one of two things is true. Either 1) the hacker hasn't been able to/tried to actually brute force the passwords, or 2) he has and hasn't done anything with them. In either case changing all passwords now will render what information the hacker has as being pretty useless. It doesn't matter whether people know for certain if their information has been compromised or not, the only thing that really matters now is changing all your details so that if you have been compromised then you are secure again.

As already discussed above, it won't take a while to brute force the hashed passwords that were stored on TSR if the hacker chose to. We're not talking weeks or anything if the hacker knows what they're doing.

I'm not disputing what the hackers might be able to do if they have your password. Not sure how you seem to have picked up that I have suggested this isn't a dangerous scenario?
Reply 187
Original post by The-Wi$e-One
Correct, although MD5 is very weak by modern standards; as it's been about so long there are massive lists of precompiled hashes that can be used as a dictionary-based attack (look up rainbow tables if you're interested).



Agreed, although these rainbow tables are useless if you use a long and random salt with each password.
Original post by Fallen
Do we often disagree?

I may have confused you with someone else.
Before I start, I'd just like to say I know how much of a disaster and headache this must be for the TSR team.

Anyway, on the TSR blog you say this:
Like a number of websites recently, The Student Room has been the victim of an attack by someone intent on capturing user data. The minute we found out we took every possible step to protect our members’ data and we are continuing to increase our security.


What confuses and annoys me is that TSR did not take 'every possible step to protect its members' data' when a number of other websites were hacked. Why did TSR not jump into action after other websites (LinkedIn especially) were hacked?

You have thousands of members, which turns into thousands of email addresses and passwords, and you didn't bother to step up the security of the site in case you were hacked.

I'd like to know the answer to this, so please don't ignore it.
Original post by Tycho
Agreed, although these rainbow tables are useless if you use a long and random salt with each password.


yeah, but they most likely have the salts :tongue: and I'd be willing to bet the majority of users have used a dictionary word(s) as their password.
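The point the two replies above make, as an added Python example that is not from the thread: the same password stored as unsalted MD5 is matched by a precomputed table, while a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here, chosen as an illustration) gives every user a different digest with nothing to look up. The tiny table and the iteration count are constructed assumptions standing in for the real public tables and a production work factor.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the huge public tables of precomputed MD5 digests the
# thread mentions: a handful of dictionary words mapped from digest back to word.
COMMON_WORDS = ["password", "letmein", "dragon", "sunshine"]
PRECOMPUTED_MD5 = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_WORDS}

ITERATIONS = 100_000  # assumption: a work factor that makes every guess slow

def md5_unsalted(password: str) -> str:
    """Weak scheme: identical passwords always give identical digests,
    so a digest can be matched against a table built long in advance."""
    return hashlib.md5(password.encode()).hexdigest()

def lookup_precomputed(digest: str):
    """Return the word behind a digest if the table knows it, else None."""
    return PRECOMPUTED_MD5.get(digest)

def store_salted(password: str, salt=None) -> tuple:
    """Stronger scheme: a fresh random salt per user plus a slow KDF.
    Returns (salt, digest); both are stored, the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def table_matches(password: str) -> tuple:
    """Does the precomputed table match this password's stored form?
    Returns (hit for unsalted MD5, hit for salted PBKDF2)."""
    unsalted_hit = lookup_precomputed(md5_unsalted(password)) is not None
    _, salted = store_salted(password)
    salted_hit = lookup_precomputed(salted.hex()) is not None
    return unsalted_hit, salted_hit

if __name__ == "__main__":
    print("dictionary word, (unsalted hit, salted hit):", table_matches("password"))
    salt, stored = store_salted("password")
    print("verify right / wrong password:", verify_salted("password", salt, stored),
          verify_salted("Password", salt, stored))
    # Two users with the same password get different salted digests.
    print("same password, same digest?", store_salted("password")[1] == stored)
```

A known salt still lets an attacker test dictionary words one by one, which is why the slow KDF and a non-dictionary password matter alongside the salt.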
I could make an awful joke right now.
Original post by Runninground
Before I start, I'd just like to say I know how much of a disaster and headache this must be for the TSR team.

Anyway, on the TSR blog you say this:


What confuses and annoys me is that TSR did not take 'every possible step to protect its members' data' when a number of other websites were hacked. Why did TSR not jump into action after other websites (LinkedIn especially) were hacked?

You have thousands of members, which turns into thousands of email addresses and passwords, and you didn't bother to step up the security of the site in case you were hacked.

I'd like to know the answer to this, so please don't ignore it.


Hi there,

I thought I'd quickly respond - I can completely understand your frustration and we do take this situation incredibly seriously. In fact, TSR has always taken security incredibly seriously.

To clarify on one point, the actual security systems we have are very strong and they weren't hacked exactly. A single privileged user account was compromised, giving the individual access to do what they did.

As soon as we were notified, every privileged account and system password was changed immediately.

Unfortunately, if someone is intent on doing something like this we can't always predict how they will do it. We've learnt some tough lessons today and have already put in place even stronger processes and systems to protect our members. Thankfully, TSR doesn't store a great deal of personal information, so by updating a password people's data will be safe.

We are sorry this has happened and people have been working 24/7 to make sure it doesn't happen again. We'll keep you all updated on progress and news as it happens.

Jack
Just wondering why if this hacking took place on 14th June it is only today 8 days later we are being told to change our passwords...
Original post by Captain Jack
Hi there,

I thought I'd quickly respond - I can completely understand your frustration and we do take this situation incredibly seriously. In fact, TSR has always taken security incredibly seriously.

To clarify on one point, the actual security systems we have are very strong and they weren't hacked exactly. A single privileged user account was compromised, giving the individual access to do what they did.

As soon as we were notified, every privileged account and system password was changed immediately.

Unfortunately, if someone is intent on doing something like this we can't always predict how they will do it. We've learnt some tough lessons today and have already put in place even stronger processes and systems to protect our members. Thankfully, TSR doesn't store a great deal of personal information, so by updating a password people's data will be safe.

We are sorry this has happened and people have been working 24/7 to make sure it doesn't happen again. We'll keep you all updated on progress and news as it happens.

Jack


Thanks for replying :smile:

What security measures do you have in place to protect these privileged accounts (before this happened)?
Original post by the bear
Just wondering why if this hacking took place on 14th June it is only today 8 days later we are being told to change our passwords...


Because it only came to our attention last night.
Original post by Runninground
Thanks for replying :smile:

What security measures do you have in place to protect these privileged accounts (before this happened)?


To be honest, I'd prefer not to go into detail with them for now because it's better not to share our security measures in a public way. In a few days we'll be able to explain more.
Reply 197
It's fun reading things like this when you simply don't have a clue about this kind of thing and see people talking about rainbows and salts.
Original post by Captain Jack
To be honest, I'd prefer not to go into detail with them for now because it's better not to share our security measures in a public way. In a few days we'll be able to explain more.


Okay, well I hope you did the basics, such as making them change their password monthly (at least), making sure their passwords are not real words and contain numbers and special characters, etc.
Reply 199
My password is now eight characters long. Here it is:

SnowWhiteandtheSevenDwarfs


Gotta love Mr Helm. :biggrin:
