The Student Room – security breach

... is it true should I change my pw?

Has anyone else done so?

Why should passwords used on TSR need to be changed for other sites? I didn't but is there someway they can somehow access other accounts with the same password?

Why should passwords used on TSR need to be changed for other sites? I didn't but is there someway they can somehow access other accounts with the same password?

I changed my password, here's hoping it's nothing more than a safety precaution.

I received 24 emails yesterday headed 'DSE-ACCOM-OFFICE' from various names and things, and from what I can see of the messages without clicking on them, there's loads of people saying 'take me off the list, I keep receiving these emails...' I'm with Gmail and they got past the Spam filter. Is this connected to this? I've never been entirely sure what to do with 'bad' emails that get past my Spam filter, other than booting them off to the Spam folder and deleting them forever.

I'm setting about changing passwords for things, password here, email, Facebook etc. ... though I am abroad at the moment and can't remember all my log ins for everything - some are the same as each other, some not... I hope it will all be okay

I think you'll find they are compliant.

And are you seriously suggesting that large companies shouldn't utilise well respected COTS products?

Many people (unwisely) use the same username/password combination on more than one site. If you don't, you've already gone a long way towards a good internet security position.

Analogy fail.

The door wasn't open, they pickpocketed the home owner's keys and let themselves in. That's not lax security, that's unfortunate.

Depends on if you're computing the time correctly. Any ascii 7 character password can be cracked on a single home computer in under 10 days when using the TSR hashing scheme.

I'd say it's true, don't see any other reason for a notification stating to change your password

AND more quippy comment bull**** from TSR's No1 fan. Actually I was being generous by putting it as the customers fault. If you want your analogy the hackers went to the manufacturers site and read the rules on making a default master key. Stupid F'ing door purchaser wasn't smart enough to change the locks as they installed the doors.

But in fact you don't know how the hack was carried out details you also don't know if they got the payment details of those who have paid for premium membership of TSR and they have not given those details. A lot of people when the PSN network got hacked initially were upset about not being able to connect, that soon changed when it came to light what info they got and exactly how it could be used by the hackers.

Its the responsibility of people who collect data to store it in a way that is compliant with the data protection act, those who do store data are responsible to the information commissioner and should have a stated way in which they will store that data and have plans in place for compromises such as this.

Yet again a web site fails in its duty of care and then wants to pass that responsibility on to its users for being stupid enough to give the data to them.

Are you seriously the best TSR can put up to be the spoiler in the forums over this.

TSR doesn't store payment details, payment is carried out through paypal.

Ok so in a few minutes google search for 'how to hack vbulletin username passwords I got over 1.5 million results. heres a small selection:

http://www.youtube.com/watch?v=htGClYoBN9k
http://www.nextgenupdate.com/forums/computer-hacking-programming/446209-tute-hacking-vbulletin-4-x-4-1-3-a.html
http://www.youtube.com/watch?v=pPEOfndtLLY

I can't say whether any of these were used as I have no association with TSR or whether it was an exploit direct on the server but do you still feel comfortable that all was done to prevent being hacked or do you think TSR was at best complacent by not keeping up to date via at least simple searchs on google to check if new exploits had been published.

Web applications get hacked the more popular they are the more people want to hack them. When Talkback a guestbook app was hacked the simple tell in the server logs was searches looking for 'Powered by Talkback' with the vBulletin hacks like TalkBack you need to confirm the site is running the software so the server logs should be showing searches for sites running vBulletin and if your logs show searches for the application you are running its pretty obvious you have peeked the interest in people hacking at that application maybe even just as a practice for a more important target. Mind you have to love the name of the parent company that owns this site 'Acumen Professional Intelligence Ltd' LOL IMHO not much of any of their keywords in the name have been displayed for this to have happened.

I do like the hacks though some good reading and I have a site in mind that might have a go at.

I think you will find they are not in compliance as are many other sites around the web since the rules changed and they now need to get consent not just bury it in the TOS.
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

So maybe your not the font of all knowledge your presenting yourself to be and should stop ranting a defence on behalf of TSR against those who don't appreciate data being lost by calling them dicks.

AND more quippy comment bull**** from TSR's No1 fan. Actually I was being generous by putting it as the customers fault.

.