TSR security breach - what happened and what we're doing

#1 Milostar (thread starter), 7 years ago
Hi everybody

Last night The Student Room was hacked.

We are currently conducting a thorough investigation into the breach, but for now here are the most important details:

A single super-user account was compromised. This allowed the hacker sufficient privileges to access the database. Without detailing security measures, please let me reassure you that we have a number of authentication methods, and in this case they were breached. How this was carried out is under investigation.

The individual managed to download usernames, email addresses and passwords. Your passwords are not stored in plain text, and we don’t use standard vBulletin password hashing. This was introduced following our most recent security review and it means that even if the perpetrator is familiar with the software that powers The Student Room forums, they are extremely unlikely to be able to access your passwords. To decode the passwords would require a significant amount of time and computing power.

As a result we believe your passwords to be safe, but despite this we would strongly advise that you change your password. If you use your TSR password for any account you use anywhere online, it’d be a good idea for you to change those passwords too. The security measures we use mean that your password is extremely unlikely to have been decoded, so any accounts you have which use the same passwords are extremely unlikely to be vulnerable.

Access to the back-end system and access to the breached account are both currently heavily locked down. That means the hacker no longer has any access to the system, so it’s safe to change your password. If you changed it last night in response to the hack, please do so again.

Early investigation suggests that the hacker was someone very familiar with TSR and with some of the staff members who are active in the TSR community. But their behaviour suggests it was not someone familiar with the use of our back-end system.

Security is always at the heart of everything we do, and we are always looking at ways of improving. Unfortunately, like all websites, as we step up our security, there are people who work to overcome it. We are constantly working to improve your security and we’re conducting a thorough investigation of the breach.

On behalf of TSR, I’m sorry for any anxiety that the breach may have caused you. If you feel concerned and you want to ask something, please do so here.

Thank you to all the users and mods who went out of their way to raise the alert to the TSR tech and community team.

Sarah
Part of the TSR community team

Edit: If you have changed your password prior to this announcement being posted, we would advise you to change it again now, to be sure that it has not been compromised. Thank you.

Edit: Here are shortcuts to excellent posts about the more technical aspects of password security that appear further down the thread: One by Dez, and one by Mad Vlad. Well worth a read.
85
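The announcement above says the stolen hashes are not plain text, are not the standard vBulletin scheme, and would take "a significant amount of time and computing power" to decode. The example below is added here to make that claim concrete; it is not TSR's code and TSR's actual scheme is not disclosed in the thread. It assumes the publicly documented vBulletin 3/4 scheme, md5(md5(password) + salt), as the "standard" baseline, and uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for a deliberately slow, salted scheme. The password, salt and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values for the demonstration (not real TSR data).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = os.urandom(16)
# Assumed work factor for the slow scheme; real deployments tune this per server.
PBKDF2_ITERATIONS = 100_000


def legacy_vbulletin_hash(password: str, salt: bytes) -> str:
    """Standard vBulletin 3/4 scheme: md5(md5(password) + salt).

    Two MD5 calls per candidate, so anyone holding the dump and the salts can
    test an enormous number of candidates per second on ordinary hardware.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest().encode("ascii")
    return hashlib.md5(inner + salt).hexdigest()


def slow_kdf_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Deliberately slow, salted key derivation (PBKDF2-HMAC-SHA256, stdlib).

    Assumed stand-in for the 'non-standard' scheme the announcement mentions.
    Every candidate costs `iterations` HMAC computations, which is exactly the
    'time and computing power' the announcement relies on.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the slow hash and compare in constant time (no timing leak)."""
    return hmac.compare_digest(slow_kdf_hash(candidate, salt), stored)


def seconds_per_guess(hash_fn, salt: bytes, samples: int) -> float:
    """Average wall-clock cost of checking one candidate with the given scheme."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / samples


def slowdown_factor(fast_samples: int = 5000, slow_samples: int = 5) -> float:
    """How many times more expensive one candidate becomes under the slow scheme."""
    fast = seconds_per_guess(legacy_vbulletin_hash, SAMPLE_SALT, fast_samples)
    slow = seconds_per_guess(slow_kdf_hash, SAMPLE_SALT, slow_samples)
    return slow / fast


if __name__ == "__main__":
    stored = slow_kdf_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("correct password verifies:", verify_password(SAMPLE_PASSWORD, SAMPLE_SALT, stored))
    print("wrong password verifies:  ", verify_password("not the password", SAMPLE_SALT, stored))
    print(f"slow scheme costs ~{slowdown_factor():,.0f}x more per candidate than md5(md5(p)+salt)")
```

The ratio printed at the end is the whole point of "non-standard hashing": the site cannot stop an attacker who already has the dump from trying candidates, it can only make each try cost more, which is also why the announcement still asks everyone to change reused passwords rather than treating the hashes as unbreakable.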
#2 MMXIII, 7 years ago
:dontknow: Don't know why hackers need to be hacking TSR during Exam period. We're under enough stress already.
90
#3 username677182, 7 years ago
I'll be honest, I'm extremely disappointed that it wasn't really CJ asking me for a Skype to Skype session, but a hacker on his account. :plz2:


Some day...some day... :daydreaming:
13
#4 CJKay, 7 years ago
Was it an individual account that was compromised or was the software remotely exploited?
Also, if the passwords are so securely hashed and it wasn't just the account compromised, how is it the attacker managed to allegedly access an individual's Skype account? Or is that rumour?
1
#5 rmhumphries, 7 years ago
(Original post by CJKay)
Was it an individual account that was compromised or was the software remotely exploited?
Also, if the passwords are so securely hashed and it wasn't just the account compromised, how is it the attacker managed to allegedly access an individual's Skype account? Or is that rumour?
All that I heard about Skype was that the attacker wanted to Skype with Vikki.
2
#6 there's too much love, 7 years ago
Send this as a mass PM to everyone (because not everybody sees TSR emails or pays much attention to them. And we get phishing emails about all sorts these days).
Send this as an email to everyone (because when not done just on its own, it's one more method of communication).
AND create a manual for mods to use in case of a hacking emergency so that they have the right advice to give people (because if they're not told what to do, they'll still be asked what to do by users. It puts them in an impossibly unfair position).

It's not the mods' fault that proper procedure hasn't been set up. This is the job of the admin. And an oversight.
And given what happened last time I expect better in every way.
By this time tonight I hope to update my signature to praise instead of criticise the admin team.

Please quote with "agree" at the end if you agree with my post.

For my thread on this:

http://www.thestudentroom.co.uk/show....php?t=2360716
18
#7 username677182, 7 years ago
(Original post by CJKay)
Was it an individual account that was compromised or was the software remotely exploited?
Also, if the passwords are so securely hashed and it wasn't just the account compromised, how is it the attacker managed to allegedly access an individual's Skype account? Or is that rumour?
The hacker PM'd me saying

"Lets Skype? "

We then continued to chat via private messaging, but I don't think he actually accessed anybody's Skype account, guessing that's just crossed wires!
0
#8 Milostar (thread starter), 7 years ago
(Original post by CJKay)
Was it an individual account that was compromised or was the software remotely exploited?
Also, if the passwords are so securely hashed and it wasn't just the account compromised, how is it the attacker managed to allegedly access an individual's Skype account? Or is that rumour?
It appears to be an attack that targeted particular accounts, and only one was successfully hacked, and the breach didn't involve anyone's Skype account. The hacker appears to have been using their own Skype.
0
#9 User1014865, 7 years ago
(Original post by rmhumphries)
All that I heard about Skype was that the attacker wanted to Skype with Vikki.
So he hacked the entire site just to have a Skype convo with Vikki? Pathetic :rolleyes:
5
#10 This Excellency, 7 years ago
Everyone criticising the Admin/mod team, CHILL!!!

FFS, they're dealing with it. At least our passwords aren't compromised :rolleyes:
4
#11 rmhumphries, 7 years ago
(Original post by Iamyourfather)
So he hacked the entire site just to have a Skype convo with Vikki? Pathetic :rolleyes:
Vikki is just in demand that much - they decided to make a big grand gesture to try to woo her
1
#12 F1's Finest, 7 years ago
Thanks for the update :yy:
1
#13 CJKay, 7 years ago
(Original post by rmhumphries)
All that I heard about Skype was that the attacker wanted to Skype with Vikki.
I read Vikki declined a Skype friend request, so I can only assume the hacker didn't actually "hack" anything, but rather acquired CJ's password from elsewhere and gave it a shot here. Considering his account is the only one that has actually been proven to have been accessed and there has been no evidence that a password dump or anything of the forum has occurred, I'd say it was a fairly minor incident all in all, and just a script kiddy.

(Original post by Milostar)
It appears to be an attack that targeted particular accounts, and only one was successfully hacked, and the breach didn't involve anyone's Skype account. The hacker appears to have been using their own Skype.
Alright, thanks for the update.

(Original post by Vikki1805)
The hacker PM'd me saying

"Lets Skype? "

We then continued to chat via private messaging, but I don't think he actually accessed anybody's Skype account, guessing that's just crossed wires!
Stupid Chinese whispers. :mad:
2
#14 there's too much love, 7 years ago
(Original post by This Excellency)
Everyone criticising the Admin/mod team, CHILL!!!

FFS, they're dealing with it. At least our passwords aren't compromised :rolleyes:
After their lack of proper action in the last hack they deserve to be criticised. I'm being constructive in my posts.
4
#15 rmhumphries, 7 years ago
(Original post by Milostar)
[post #1 quoted in full]
One of the possibilities the community considered was that the attacker changed the login and 'change your password' scripts to steal (in plain-text) people's passwords if they logged in / changed their password. Could you confirm this didn't happen? Also, if the attacker didn't have access to the server files, does this mean they are not aware of the hashing scheme used?

(Original post by CJKay)
I read Vikki declined a Skype friend request, so I can only assume the hacker didn't actually "hack" anything, but rather acquired CJ's password from elsewhere and gave it a shot here. Considering his account is the only one that has actually been proven to have been accessed and there has been no evidence that a password dump or anything of the forum has occurred, I'd say it was a fairly minor incident all in all, and just a script kiddy.
As far as I am aware, the hacker wanted to Skype with Vikki from one of their own accounts, as opposed to from CJ's Skype account.
0
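The question above, whether the attacker altered the login or change-password scripts to capture plain-text passwords, is not answered anywhere in this thread. What an operator would do to answer it is a file-integrity check: hash every file in the deployed web root when it is known-good, store that manifest off the web server, and diff a fresh manifest against it after an incident. The example below is added here to show that check; it is not TSR's tooling and makes no claim about what happened on TSR's servers. The web root, file names and the tampering it simulates are all constructed inside a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_of_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files whose content changed, appeared, or disappeared since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(name for name in common if baseline[name] != current[name]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        # Constructed placeholder files standing in for a forum's PHP sources.
        (root / "login.php").write_text("<?php // constructed placeholder login handler ?>\n")
        (root / "inc" / "profile.php").write_text("<?php // constructed placeholder profile page ?>\n")

        baseline = build_manifest(root)
        # In practice this JSON is written somewhere the web server cannot modify
        # (a separate host or read-only media); an attacker who can rewrite the
        # manifest alongside the files defeats the check.
        baseline_json = json.dumps(baseline)

        # Simulated tampering after the baseline was taken: one file changed,
        # one file that was never deployed appears.
        with (root / "login.php").open("a") as handle:
            handle.write("// constructed: a line appended after deployment\n")
        (root / "inc" / "helper.php").write_text("<?php // constructed: file not in the deployment ?>\n")

        return diff_manifests(json.loads(baseline_json), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean diff (all three lists empty) is what lets a site answer "the login scripts were not touched" with evidence rather than assurance; a non-empty "modified" or "added" list is the trigger to treat any password entered during the window as exposed, which is the scenario the question raises.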
#16 User1014865, 7 years ago
(Original post by This Excellency)
Everyone criticising the Admin/mod team, CHILL!!!

FFS, they're dealing with it. At least our passwords aren't compromised :rolleyes:
I agree, it's just an excuse for people to vent. They're not psychics and they didn't intend for all this to happen. They say they're constantly looking out for the users' best interest so stop criticising.
2
#17 mr tim, 7 years ago
Glad this is trying to be sorted, but this is the 2nd time when I was at TSR that the database has been hacked. I am glad that this time it's not as bad as the first. Thankfully I have different passwords for sites that are very important to me.

(Original post by Milostar)
x
I think you should PM everyone as someone already said and put this thread as a global announcement as there are people who don't view this forum who may be unaware of the hack.
1
#18 there's too much love, 7 years ago
(Original post by This Excellency)
Apparently CJ's password was 'password12345' :rofl2:
If that's true then he'll be really embarrassed (and rightly so). That would be so stupidly idiotic.

Edit:
Apparently that was meant to be a joke. CJ's password was probably not something as weak and stupid as that.

(Original post by Iamyourfather)
I agree, it's just an excuse for people to vent. They're not psychics and they didn't intend for all this to happen. They say they're constantly looking out for the users' best interest so stop criticising.
Thank you for your short-sighted judgement of my posts that completely fail to see the point.
0
#19 Morgsie, 7 years ago
Glad to see action being taken. Cyber-Crime is a real threat at the moment, it is not just here but elsewhere.
3
#20 User1014865, 7 years ago
(Original post by there's too much love)
Thank you for your short-sighted judgement of my posts that completely fail to see the point.
Anytime
3