The Student Room – security breach

  1. Mad Vlad's Avatar
    • Section Leader
    • Wiki Support Team
    • Section Leader
    • Location: Death Star
    Re: TSR Usernames/Passwords
    (Original post by rmhumphries)
    I am still wondering how/why this happened. Why was the data not secure enough?
    I doubt the how and why will be made public, unfortunately.
  2. cfizzle's Avatar
    • Exalted Member
    Re: TSR Usernames/Passwords
    (Original post by Chrosson)
    Well yes now that you've posted that information here. Probably want to change those passwords.
    *facepalm*


  3. Repressor's Avatar
    • Exalted and Worshipped Member
    • Posts: 1,341
    Re: TSR Usernames/Passwords
    So, have you changed how you're storing passwords and fixed the vulnerability? ... If you haven't there's no point changing passwords.....
  4. Hype en Ecosse's Avatar
    • Section Moderator
    • PS Helper
    • TSR Demigod
    • Location: Scotland
    • Posts: 5,283
    Re: TSR Usernames/Passwords
    My new password now has an insane character length.

    (Original post by Deyesy)
    The joys of my bank using numbers and not letters for its passwords. I am safe on the bank account front.

    I think I'll just change everything that uses old TSR password to my new one. Though my password is different for YT and other places. I don't think hackers could do that much damage to me to be honest. My Amazon password needs changing I think though >.>
    I thought, for example, an 8 digit string of numbers was easier to obtain than an 8 digit string of letters? I started reading about cryptology a while ago, but never got past the basics. I guess this is a good incentive for me to go get some further reading done, even though it's not the main security issue.

    I'm just glad TSR came out and said it instead of farting about for ages like Sony did.
  5. ChrisN's Avatar
    • TSR Group Staff
    • TSR's Owner
    • Location: Brighton
    • Posts: 1,352
    (Original post by Metrobeans)
    I've changed my password as suggested, but I was wondering - do you guys know if details have been taken for everyone on the site or just a certain number? When did this happen?
    We can only see evidence of 100k being taken.


    Posted from TSR Android App
  6. ChrisN's Avatar
    • TSR Group Staff
    • TSR's Owner
    • Location: Brighton
    • Posts: 1,352
    (Original post by Sgt.Incontro)
    Oh deary me...

    Why on earth weren't the passwords and data stored more securely??!!

    Seems that even an A-Level computing student could have hacked this then. :rolleyes:

    This was posted from The Student Room's Android App on my HTC Sensation Z710e
    We just used what vBulletin gave us unfortunately. As we do with many things. We don't store much personal data really so never thought to do more. With hindsight...

    Posted from TSR Android App
  7. Care-Free's Avatar
    • Overlord in Training
    • Location: England, West Midlands :)
    • Posts: 3,069
    Re: TSR Usernames/Passwords
    Changed all my passwords on everything, now (a) I can't remember half of the passwords or (b) with the passwords I can remember I can't remember what site they're for.

    But hey, if I can't get into my bank account neither can they muahaha
  8. ChrisN's Avatar
    • TSR Group Staff
    • TSR's Owner
    • Location: Brighton
    • Posts: 1,352
    The nasty man got in originally through a compromised password.

    All (hopefully) vulnerabilities were fixed quickly. Our hosting partner in Canada has worked all night locking everything down. (Thanks guys.) Our mods and staff have also done their part overnight.

    We have some more secondary tasks to do today.

    We will be changing password storage shortly and have put in place a range of security features that would prevent this occurring again. Hopefully.

    I hate to add those caveats, but we have to be realistic and it wouldn't make sense to start implementing bank-like security considering how little personal or financial data we store on users.

    Sorry for the inconvenience though. It is a right pain.

    Posted from TSR Android App
  9. ChrisN's Avatar
    • TSR Group Staff
    • TSR's Owner
    • Location: Brighton
    • Posts: 1,352
    (Original post by estel)
    Are changes being made at the moment, or are the instances of people being repeatedly logged out and needing to reset their passwords examples of cracked passwords being exploited?
    Please can you expand on this issue

    Posted from TSR Android App
  10. ChrisN's Avatar
    • TSR Group Staff
    • TSR's Owner
    • Location: Brighton
    • Posts: 1,352
    (Original post by pinkangelgirl)
    I don't get it!! If I've changed my password will I be OK now?
    Yup


    Posted from TSR Android App
  11. ChrisN's Avatar
    • TSR Group Staff
    • TSR's Owner
    • Location: Brighton
    • Posts: 1,352
    (Original post by pinkangelgirl)
    Also, do they only have our current password or will they have all the passwords we've ever used?
    Just the current one

    Posted from TSR Android App
  12. alaska.'s Avatar
    • Exalted Member
    • Posts: 299
    Re: TSR Usernames/Passwords
    Is there an issue with my account? I fail to see many of the flags in the top right hand corner.... but that is the only problem I've noticed so far (might be a stupid thought, but I thought I better ask!).
  13. F1 fanatic's Avatar
    • PS Helper
    • Moderation in all things...
    • Posts: 33,214
    Re: TSR Usernames/Passwords
    (Original post by alaska.)
    Is there an issue with my account? I fail to see many of the flags in the top right hand corner.... but that is the only problem I've noticed so far (might be a stupid thought, but I thought I better ask!).
    That is unrelated and you can solve it by clearing your browser cache. You are unlikely to see any direct impact of the data hack and it is unlikely that anyone will try to access your account. However, as a precaution it is recommended that you change your password on this site and on any other site which uses the same password/email combination.
  14. electriic_ink's Avatar
    • TSR Demigod
    • Location: London
    • Posts: 5,637
    Re: TSR Usernames/Passwords
    One of the first things these people will do, once they've worked out your password, is search your email address on FB to find out who you are IRL. I would make sure you have this feature turned off if you haven't already.
    Last edited by electriic_ink; 22-06-2012 at 09:50.
  15. Tycho's Avatar
    • Exalted and Worshipped Member
    • Posts: 1,224
    Re: TSR Usernames/Passwords
    (Original post by pinkangelgirl)
    I don't get it!! If I've changed my password will I be OK now?

    Also, do they only have our current password or will they have all the passwords we've ever used?

    I've just had to log in everywhere and change everything to brand new passwords
    I doubt they'll have every password that you've ever used on here. From my experiences of working with forums like these, your new password overwrites your previous one and the previous one is no longer stored. It's obviously the most secure way of doing it to keep as few passwords stored as possibly possible.
  16. Tycho's Avatar
    • Exalted and Worshipped Member
    • Posts: 1,224
    Re: TSR Usernames/Passwords
    (Original post by Sgt.Incontro)
    Oh deary me...

    Why on earth weren't the passwords and data stored more securely??!!

    Seems that even an A-Level computing student could have hacked this then. :rolleyes:

    This was posted from The Student Room's Android App on my HTC Sensation Z710e
    The trouble is that the more secure you make the site the less convenient it becomes. You can't have the best of both worlds. Considering TSR doesn't store any particularly sensitive data, I don't think bank-level security is really needed. Having said that, this should now clearly call for a re-think of their security mechanism.

    As far as I know A-Level computing doesn't teach how to break a hashed password? Correct me if I'm wrong... ?
  17. madders94's Avatar
    • PS Helper
    • TSR Demigod
    • Location: Wrexham
    • Posts: 6,741
    Re: TSR Usernames/Passwords
    Did they get our email addresses or will they be able to hack every site we're on just with our username and password :lolwut: because TSR is virtually the only thing I use this email address for, so I've changed my password on here but do I need to change it everywhere else too?
  18. Tycho's Avatar
    • Exalted and Worshipped Member
    • Posts: 1,224
    Re: So TSR has been compromised!
    (Original post by tehforum)
    Although the passwords were hashed/salted, they were unfortunately not secured to a level which would prevent them being cracked with modern approaches.

    Why not?

    Is TSR not a modern website? Is TSR benevolent towards the threat of cyber-hacking? Evidently so.

    Does it not care about the millions of users' personal information?

    Please do not lecture me with cries of "oh, all you have to do is change your password", it is a case of principle and the mere reality that this has occurred.

    I have changed my password.
    Since we don't know that this is really you speaking, I'll wait for you to supply a fingerprint and blood sample before responding properly. It's the only secure way of doing it, however inconvenient it is.
  19. Tycho's Avatar
    • Exalted and Worshipped Member
    • Posts: 1,224
    Re: TSR Usernames/Passwords
    (Original post by madders94)
    Did they get our email addresses or will they be able to hack every site we're on just with our username and password :lolwut: because TSR is virtually the only thing I use this email address for, so I've changed my password on here but do I need to change it everywhere else too?
    Anyone who has access to your password from this site will also have access to your email address. Any websites where you have used the same password as here you should change your password. You should also change the password of your email account.
  20. madders94's Avatar
    • PS Helper
    • TSR Demigod
    • Location: Wrexham
    • Posts: 6,741
    Re: TSR Usernames/Passwords
    Oh, and just seen the posts above - thanks ChrisN and the TSR staff (and people in Canada) and everyone giving advice for working through the night to fix it. We don't appreciate you guys enough :ta::adore: