The Student Room Group

TSR security breach - what happened and what we're doing

Hi everybody

Last night The Student Room was hacked.

We are currently conducting a thorough investigation into the breach, but for now here are the most important details:

A single super-user account was compromised. This allowed the hacker sufficient privileges to access the database. Without detailing security measures, please let me reassure you that we have a number of authentication methods, and in this case they were breached. How this was carried out is under investigation.

The individual managed to download usernames, email addresses and passwords. Your passwords are not stored in plain text, and we don’t use standard vBulletin password hashing. This was introduced following our most recent security review and it means that even if the perpetrator is familiar with the software that powers The Student Room forums, they are extremely unlikely to be able to access your passwords. To decode the passwords would require a significant amount of time and computing power.

As a result we believe your passwords to be safe, but despite this we would strongly advise that you change your password. If you use your TSR password for any account you use anywhere online, it’d be a good idea for you to change those passwords too. The security measures we use mean that your password is extremely unlikely to have been decoded, so any accounts you have which use the same passwords are extremely unlikely to be vulnerable.

Access to the back-end system and access to the breached account are both currently heavily locked down. That means the hacker no longer has any access to the system, so it’s safe to change your password. If you changed it last night in response to the hack, please do so again.

Early investigation suggests that the hacker was someone very familiar with TSR and with some of the staff members who are active in the TSR community. But their behaviour suggests it was not someone familiar with the use of our back-end system.

Security is always at the heart of everything we do, and we are always looking at ways of improving. Unfortunately, like all websites, as we step up our security, there are people who work to overcome it. We are constantly working to improve your security and we’re conducting a thorough investigation of the breach.

On behalf of TSR, I’m sorry for any anxiety that the breach may have caused you. If you feel concerned and you want to ask something, please do so here.

Thank you to all the users and mods who went out of their way to raise the alert to the TSR tech and community team.

Sarah
Part of the TSR community team

Edit: If you have changed your password prior to this announcement being posted, we would advise you to change it again now, to be sure that it has not been compromised. Thank you.

Edit: Here are shortcuts to excellent posts about the more technical aspects of password security that appear further down the thread: One by Dez, and one by Mad Vlad. Well worth a read.
(edited 10 years ago)
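The announcement's point that "decoding" the dumped passwords would need significant time and computing power depends entirely on the hashing scheme, so here is an added example (not TSR's code; the post does not name the scheme they switched to) that measures what an offline attacker holding such a dump is up against. It compares the standard vBulletin 3/4 scheme, md5(md5(password) + salt), with an assumed slow salted KDF (PBKDF2-HMAC-SHA256, 100,000 iterations) and estimates how long one CPU core would take to test every 8-character lowercase password against each.

```python
import hashlib
import hmac
import secrets
import time

# Standard vBulletin 3/4 storage scheme: md5(md5(password) + salt). Both passes are
# fast MD5, so anyone holding a dumped table can test guesses at full MD5 speed.
def vbulletin_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

# Illustrative slow, salted KDF (PBKDF2-HMAC-SHA256). Parameters are an assumption
# for this example, not TSR's actual post-review scheme, which the post does not name.
def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

def verify_slow(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(slow_hash(password, salt), stored)

def guesses_per_second(hash_fn, seconds: float = 0.3) -> float:
    # Measure how many candidate passwords one CPU core can test per second
    # against the given scheme; the loop always runs at least once.
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"guess{count}")  # constructed candidate, content irrelevant
        count += 1
    return count / (time.perf_counter() - start)

def days_to_exhaust(keyspace: int, rate: float) -> float:
    # Worst-case time to try every candidate in the keyspace at the measured rate.
    return keyspace / rate / 86_400

if __name__ == "__main__":
    vb_salt = "abc"                 # constructed 3-character salt (vBulletin 3 style)
    kdf_salt = secrets.token_bytes(16)
    keyspace = 26 ** 8              # every 8-character lowercase password
    fast = guesses_per_second(lambda pw: vbulletin_hash(pw, vb_salt))
    slow = guesses_per_second(lambda pw: slow_hash(pw, kdf_salt))
    print(f"md5(md5+salt): {fast:,.0f} guesses/s, {days_to_exhaust(keyspace, fast):,.1f} days")
    print(f"PBKDF2 100k:   {slow:,.0f} guesses/s, {days_to_exhaust(keyspace, slow):,.1f} days")
```

The single-core Python figures understate the gap with GPU cracking rigs for the MD5 scheme, which is exactly why the slow KDF matters and why the advice to change reused passwords still stands.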


Reply 1
:dontknow: Don't know why hackers need to be hacking TSR during Exam period. We're under enough stress already.
(edited 10 years ago)
I'll be honest, I'm extremely disappointed that it wasn't really CJ asking me for a Skype to Skype session, but a hacker on his account. :plz2:


Some day...some day... :daydreaming:
Reply 3
Was it an individual account that was compromised or was the software remotely exploited?
Also, if the passwords are so securely hashed and it wasn't just the account compromised, how is it the attacker managed to allegedly access an individual's Skype account? Or is that rumour?
(edited 10 years ago)
Original post by CJKay
Was it an individual account that was compromised or was the software remotely exploited?
Also, if the passwords are so securely hashed and it wasn't just the account compromised, how is it the attacker managed to allegedly access an individual's Skype account? Or is that rumour?


All that I heard about Skype was that the attacker wanted to Skype with Vikki.
Original post by CJKay
Was it an individual account that was compromised or was the software remotely exploited?
Also, if the passwords are so securely hashed and it wasn't just the account compromised, how is it the attacker managed to allegedly access an individual's Skype account? Or is that rumour?


The hacker PM'd me saying

"Lets Skype? :wink:"

We then continued to chat via private messaging, but I don't think he actually accessed anybody's Skype account, guessing that's just crossed wires!
Reply 6
Original post by CJKay
Was it an individual account that was compromised or was the software remotely exploited?
Also, if the passwords are so securely hashed and it wasn't just the account compromised, how is it the attacker managed to allegedly access an individual's Skype account? Or is that rumour?


It appears to be an attack that targeted particular accounts, and only one was successfully hacked, and the breach didn't involve anyone's Skype account. The hacker appears to have been using their own Skype.
Original post by rmhumphries
All that I heard about Skype was that the attacker wanted to Skype with Vikki.

So he hacked the entire site just to have a Skype convo with Vikki? Pathetic :rolleyes:
Everyone criticising the Admin/mod team, CHILL!!!

FFS, they're dealing with it. At least our passwords aren't compromised :rolleyes:
Original post by Iamyourfather
So he hacked the entire site just to have a Skype convo with Vikki? Pathetic :rolleyes:


Vikki is just in demand that much - they decided to make a big grand gesture to try to woo her :h:
Thanks for the update :yy:
Reply 11
Original post by rmhumphries
All that I heard about Skype was that the attacker wanted to Skype with Vikki.


I read Vikki declined a Skype friend request, so I can only assume the hacker didn't actually "hack" anything, but rather acquired CJ's password from elsewhere and gave it a shot here. Considering his account is the only one that has actually been proven to have been accessed and there has been no evidence that a password dump or anything of the forum has occurred, I'd say it was a fairly minor incident all in all, and just a script kiddie.

Original post by Milostar
It appears to be an attack that targeted particular accounts, and only one was successfully hacked, and the breach didn't involve anyone's Skype account. The hacker appears to have been using their own Skype.


Alright, thanks for the update.

Original post by Vikki1805
The hacker PM'd me saying

"Lets Skype? :wink:"

We then continued to chat via private messaging, but I don't think he actually accessed anybody's Skype account, guessing that's just crossed wires!


Stupid Chinese whispers. :mad:
(edited 10 years ago)
Original post by Milostar
Hi everybody

Last night The Student Room was hacked.

We are currently conducting a thorough investigation into the breach, but for now here are the most important details:

A single super-user account was compromised. This allowed the hacker sufficient privileges to access the database. Without detailing security measures, please let me reassure you that we have a number of authentication methods, and in this case they were breached. How this was carried out is under investigation.

The individual managed to download usernames, email addresses and passwords. Your passwords are not stored in plain text, and we don’t use standard vBulletin password hashing. This was introduced following our most recent security review and it means that even if the perpetrator is familiar with the software that powers The Student Room forums, they are extremely unlikely to be able to access your passwords. To decode the passwords would require a significant amount of time and computing power.

As a result we believe your passwords to be safe, but despite this we would strongly advise that you change your password. If you use your TSR password for any account you use anywhere online, it’d be a good idea for you to change those passwords too. The security measures we use mean that your password is extremely unlikely to have been decoded, so any accounts you have which use the same passwords are extremely unlikely to be vulnerable.

Access to the back-end system and access to the breached account are both currently heavily locked down. That means the hacker no longer has any access to the system, so it’s safe to change your password. If you changed it last night in response to the hack, please do so again.

Early investigation suggests that the hacker was someone very familiar with TSR and with some of the staff members who are active in the TSR community. But their behaviour suggests it was not someone familiar with the use of our back-end system.

Security is always at the heart of everything we do, and we are always looking at ways of improving. Unfortunately, like all websites, as we step up our security, there are people who work to overcome it. We are constantly working to improve your security and we’re conducting a thorough investigation of the breach.

On behalf of TSR, I’m sorry for any anxiety that the breach may have caused you. If you feel concerned and you want to ask something, please do so here.

Thank you to all the users and mods who went out of their way to raise the alert to the TSR tech and community team.

Sarah
Part of the TSR community team


One of the possibilities the community considered was that the attacker changed the login and 'change your password' scripts to steal (in plain text) people's passwords if they logged in / changed their password. Could you confirm this didn't happen? Also, if the attacker didn't have access to the server files, does this mean they are not aware of the hashing scheme used?

Original post by CJKay
I read Vikki declined a Skype friend request, so I can only assume the hacker didn't actually "hack" anything, but rather acquired CJ's password from elsewhere and gave it a shot here. Considering his account is the only one that has actually been proven to have been accessed and there has been no evidence that a password dump or anything of the forum has occurred, I'd say it was a fairly minor incident all in all, and just a script kiddy.


As far as I am aware, the hacker wanted to Skype with Vikki from one of their own accounts, as opposed to from CJ's Skype account.
(edited 10 years ago)
Original post by This Excellency
Everyone criticising the Admin/mod team, CHILL!!!

FFS, they're dealing with it. At least our passwords aren't compromised :rolleyes:

I agree, it's just an excuse for people to vent. They're not psychics and they didn't intend for all this to happen. They say they're constantly looking out for the users' best interest so stop criticising.
(edited 10 years ago)
Reply 14
Glad this is trying to be sorted, but this is the 2nd time when I was at TSR that the database has been hacked. I am glad that this time it's not as bad as the first. Thankfully I have different passwords for sites that are very important to me.

Milostar
x


I think you should PM everyone as someone already said and put this thread as a global announcement as there are people who don't view this forum who may be unaware of the hack.
(edited 10 years ago)
Reply 15
Glad to see action being taken. Cyber-Crime is a real threat at the moment, it is not just here but elsewhere.
Anytime :smile:
Reply 17
I must say this but it gets rather confusing having so many different passwords.
Reply 18
I find this all very strange that the outcome of this grand hack was to try and Skype with Vikki.
Reply 19
Original post by Milostar
Hi everybody

Last night The Student Room was hacked.

We are currently conducting a thorough investigation into the breach, but for now here are the most important details:

A single super-user account was compromised. How did the hacker get the details of CJ's account? Seriously, that should NOT happen. If it's due to a poor password, then all blame is on CJ. This allowed the hacker sufficient privileges to access the database. Without detailing security measures, please let me reassure you that we have a number of authentication methods, and in this case they were breached. How this was carried out is under investigation.

The individual managed to download usernames, email addresses and passwords. Your passwords are not stored in plain text, and we don’t use standard vBulletin password hashing. This was introduced following our most recent security review and it means that even if the perpetrator is familiar with the software that powers The Student Room forums, they are extremely unlikely to be able to access your passwords. To decode the passwords would require a significant amount of time and computing power. I think the hacker has a significant amount of time and power.

As a result we believe your passwords to be safe, but despite this we would strongly advise that you change your password. If you use your TSR password for any account you use anywhere online, it’d be a good idea for you to change those passwords too. The security measures we use mean that your password is extremely unlikely to have been decoded, so any accounts you have which use the same passwords are extremely unlikely to be vulnerable.

Access to the back-end system and access to the breached account are both currently heavily locked down. That means the hacker no longer has any access to the system, so it’s safe to change your password. If you changed it last night in response to the hack, please do so again. Does this imply that the hacker changed the files in order to store any changed passwords as a result of the hack in plaintext?

Early investigation suggests that the hacker was someone very familiar with TSR and with some of the staff members who are active in the TSR community. But their behaviour suggests it was not someone familiar with the use of our back-end system. Derp, if it's a "custom" back-end system, then of course the user wasn't familiar.

Security is always at the heart of everything we do, and we are always looking at ways of improving. Unfortunately, like all websites, as we step up our security, there are people who work to overcome it. We are constantly working to improve your security and we’re conducting a thorough investigation of the breach.

On behalf of TSR, I’m sorry for any anxiety that the breach may have caused you. If you feel concerned and you want to ask something, please do so here.

Thank you to all the users and mods who went out of their way to raise the alert to the TSR tech and community team.

Sarah
Part of the TSR community team


Comments in bold.
