View Full Version : So the forums were hacked?
db1331
20-01-2012, 06:26 PM
I got it too. I'm not at all concerned. Maybe someone even deleted Wizardry's account.
Smashbox
20-01-2012, 06:28 PM
Damn... time to change some passwords
kirrus
20-01-2012, 06:28 PM
mpk, copied/deleted?
The hivemind will post details soon
Kodeen
20-01-2012, 06:30 PM
I did not get an email since I can't get to my personal account from work. Details?
Damn... time to change some passwords
After the Lulzsec thing I changed my passwords for everything so that they're different. But I think I read from one of the RPS site people that the passwords were stored encrypted and salted, so if true I would not be too concerned.
Ah-ha:
As to password security, they are stored salted and encrypted. As with any security matter, using the same password on multiple sites, as tempting as it is, is a bad idea, and we recommend against you doing that.
kirrus
20-01-2012, 06:31 PM
Email not sent yet. Patience!
Hi everyone.
It really sucks to be sending this email, but this week the RPS forums were hacked. The hackers found a way into the server on the 14th Jan, and had access for five days. That hole is now closed, and they're gone. However, it's not entirely clear what they did when they were there. There is no evidence that they managed to get at user details, which are well hidden, but simultaneously there's no absolute evidence that they didn't. So at this point we have to assume the worst.
If they got to those files, they will have got people's emails, usernames, and encrypted passwords. Those passwords were encrypted in such a way that our tech bods believe it will take them at least a month to crack. But it means that we *strongly* recommend that you not only change your password on the RPS forums/commenting registration, but if you use that password elsewhere, make sure you change it there too. In fact, we utterly strongly recommend that you never use the same password in two different places, for this very reason.
We're tremendously sorry. We learned about the attack yesterday afternoon, and the tech people at Positive closed it off immediately, and have been sorting it out since, working out what they could have found. We learned the information reported above half an hour ago, and have told you as quickly as we can.
Please head to http://www.rockpapershotgun.com/forums/profile.php?do=editpassword
And to http://www.rockpapershotgun.com/wp-login.php and select "Lost your password" and follow the instructions to set a new one.
to change your password as soon as possible.
And please accept our emphatic apologies that this has happened. We are doing our best to ensure this doesn't happen again.
RPS Hivemind
Also, c/d == Confirm/Deny
kirrus
20-01-2012, 06:33 PM
Ahh, there you go. Silly me :)
Confirmed.
ezekiel2517
20-01-2012, 06:33 PM
I don't even remember my own passwords. I guess I will start writing them down, since I don't even know if my RPS one is similar to any others.
Althea
20-01-2012, 06:35 PM
It's a fake sent by our diggle overlords.
(i.e. I would take it at face value lest it bite you in the arse)
HooblaDGN
20-01-2012, 06:39 PM
This seems to be happening more and more frequently with a variety of sites.
Nalano
20-01-2012, 06:42 PM
I was lazy and just kept my password as one of the randomly-generated bits of gobbledygook. So now it's a new randomly-generated bit of gobbledygook, which might matter, I suppose, if I ever logged off.
JamesG
20-01-2012, 06:42 PM
In case anyone else is also experiencing difficulties resetting the blog password (I was getting something along the lines of 'password resets are not permitted for this account') you can change your password directly by going to http://www.rockpapershotgun.com/wp-admin/profile.php and using the password change setting at the bottom.
That said, I suspect it was me using this method to change my password last time I needed to that caused the reset function to be disabled. Thus if the method suggested in the E-mail works for you, I strongly recommend using that instead.
Confirmed then.
http://www.rockpapershotgun.com/2012/01/20/rubbish-news-rps-forum-hacked/#more-90287
Just thought I'd check tbh, hence the thread. Too many dodgy emails from addresses almost plausible enough to be from Blizzard etc, asking me to click a link and reset a password.
Smashbox
20-01-2012, 06:48 PM
Thanks for the link. I got the email, too, btw.
It's inspired me to go on a quest to have systematic different passwords for everything.
ezekiel2517
20-01-2012, 06:52 PM
Relevant: Is http://strongpasswordgenerator.com/ reliable?
Roufuss
20-01-2012, 06:52 PM
Is this related to the incident that occurred a few weeks ago, do you think?
It might not be an RPS-exclusive problem (I mean, who would target RPS of all places??) if other forums have been affected as well.
PeopleLikeFrank
20-01-2012, 06:59 PM
Relevant: Is http://strongpasswordgenerator.com/ reliable?
Looks fine. If you want to really crypto-nerd it up, you could use https://www.random.org/strings/
Random.org uses atmospheric noise, so it's better than a pseudorandom number generator. Of course, neither of these use a secure connection, so it wouldn't help if you're being actively spied on, but that's unlikely to say the least.
Unaco
20-01-2012, 07:06 PM
If RPS were aware of this last night, why are we only being informed this evening? 12-24 hours after they knew about it?
Vandelay
20-01-2012, 07:07 PM
I just picked up Lastpass, to create a random password and store it.
For something like RPS, I'm not that worried about it, but how well protected are these password managers? I'm terrible with passwords, so something like this could be very helpful, but worthless if it is easy to break into.
Kadayi
20-01-2012, 07:11 PM
I just picked up Lastpass, to create a random password and store it.
Yeah, LastPass is extremely handy I find (though if they ever get hacked we're all toast). Still, bugger.
x25killa
20-01-2012, 07:17 PM
Hardly use the forums these days.
Nalano
20-01-2012, 07:22 PM
If RPS were aware of this last night, why are we only being informed this evening? 12-24 hours after they knew about it?
Clearly an all-day drinking session.
For fortitude.
kirrus
20-01-2012, 07:23 PM
If RPS were aware of this last night, why are we only being informed this evening? 12-24 hours after they knew about it?
Because the log analysis took that long. There are a lot of logs. We needed to know how much data had been accessed/taken.
Smashbox
20-01-2012, 07:24 PM
I was thinking collusion with e-terrorists and wanton cruelty.
Nalano
20-01-2012, 07:27 PM
I was thinking collusion with e-terrorists and wanton cruelty.
A day without murder is like a day without sunshine.
Cooper
20-01-2012, 07:28 PM
Ignore LastPass.
KeePass + a small USB that can fit on your keys / in your purse or something like DropBox to hold it online.
That way only someone who very specifically is targeting you can get your passwords (and not people hacking online databases, like, say, the online database of LastPass...)
If someone is out to spy on and get your personal passwords, they probably will. But that's your problem. It's the large-scale hacking of anything online that's the real concern.
DigitalSignalX
20-01-2012, 07:30 PM
A day without sunshine is like, you know, night.™ (http://www.goodreads.com/quotes/show/298)
Flobulon
20-01-2012, 07:37 PM
That way only someone who very specifically is targetting you can get your passwords (and not people hacking online databases, like, say, the online database of Lastpass...)
I thought the whole point of LastPass is that your passwords are all stored and encrypted locally?
So I've successfully changed my password on these here forums, thinking all was well. Trying to comment on RPS articles though, it wants me to log in again, and tells me I'm entering an incorrect password, despite the new one working fine when logging back in to the forums. Any ideas about what's going on there?
Althea
20-01-2012, 07:50 PM
So I've successfully changed my password on these here forums, thinking all was well. Trying to comment on RPS articles though, it wants me to log in again, and tells me I'm entering an incorrect password, despite the new one working fine when logging back in to the forums. Any ideas about what's going on there?
Forum account =/= Website account.
Gerbick
20-01-2012, 07:58 PM
Yeah, LastPass is extremely handy I find (though if they ever get hacked we're all toast). Still, bugger.
It kinda did not long ago. I use it, but there was a time where I couldn't log in and change the master password because of some "suspicious activity on some of their servers".
I've got keepass but always forget to start using it as Lastpass is too handy. And I've yet to find an easy way to export/import into keepass from lastpass (if someone knows, please let me know).
Unaco
20-01-2012, 08:00 PM
Yeah, your Forum username/password are different (although you might have them the same) to the Article Comments username/password. The one on the Articles will still be the same as it was til you change that. There's links to do that on the article, or from the email, or if you login and go to your dashboard/profile thing.
Strange. I changed my main site password, but every time I try to login I just get thrown back to the front page. No message or anything, and I'm not logged in.
Edit: Never mind, works.
The Tupper
20-01-2012, 08:12 PM
In bed about three or four nights ago I was idly reading the forums and noticed that the FAQ link was broken, leading instead to some kind of internal directory (the manipulation of which I know nothing). At the time I figured it was just some daft glitch.
I thought the whole point of LastPass is that your passwords are all stored and encrypted locally?
It's KeePass you're thinking of. LastPass has remote storage, KeePass only local file. I vote for KeePass myself.
Vandelay
20-01-2012, 09:04 PM
It's KeePass you're thinking of. LastPass has remote storage, KeePass only local file. I vote for KeePass myself.
Cheers for the advice (and others.) I'll have a look at KeePass.
Hydrogene
20-01-2012, 10:29 PM
Cheers for the advice (and others.) I'll have a look at KeePass.
I also use a portable version of keepass, installed in a folder inside my dropbox folder. So it's in the cloud, but I alone have the password.
Smashbox
20-01-2012, 10:36 PM
I can only read that as KeepAss. Which actually still works
The Tupper
20-01-2012, 10:37 PM
I can only read that as KeepAss. Which actually still works
You're so right it hurts.
soldant
21-01-2012, 12:47 AM
I used to use KeePass but their 2.x clients (except for Windows) are a pain to use. You're all correct that if LastPass gets hacked it does put security at risk, depending on how the passwords are stored. However, neither really helps if the password is stolen and decrypted from RPS; it doesn't really matter how you generated or stored them in the first place.
ezekiel2517
21-01-2012, 03:19 AM
The point to using some kind of password storing is to make it easy to use a different one in each site, so it still helps a lot in these situations.
frymaster
21-01-2012, 04:26 AM
because the log analysis took that long. There is a lot of logs. We needed to know how much data had been accessed/taken.
You use the word "we" - does that mean you are the RPS techie? (as you can tell from my postcount, I'm a noob on the forum)
My issues are:
1) You don't wait until you know what's been accessed - you get an email out first and then do the detailed analysis, so people know to change any relevant passwords as soon as possible.
2) If the analysis has been done, how come the RPS post is so vague? I'm left with no idea whether e.g. the attackers could run arbitrary php on the forums (either via installing their own forum plugins or just altering existing source code), since that would basically mean they'd have access to the forum database. There's also no mention of whether the wordpress database used the same login credentials or not (or if it's on the same machine).
3) Weirdness in the RPS article. User details are "well hidden"? What does that mean? If they had db or forum admin access, I don't see how they could be hidden at all. Also, the RPS article claims that user passwords were "encrypted". I very seriously doubt that; not only is it not usual, it's not best practice either, since encryption can be reversed, and it's a bit of a red flag tbh.
Seriously worried here :/
soldant
21-01-2012, 05:01 AM
The point to using some kind of password storing is to make it easy to use a different one in each site, so it still helps a lot in these situations.
You should be using a different password whether it's using an online solution or not.
What I was saying though is if someone steals the password whether it was generated by a program making a string of random characters or "lolcats105", they've still got the password.
Lukasz
21-01-2012, 09:28 AM
You should be using a different password whether it's using an online solution or not.
Meh. What for?
Just don't mix passwords between important and unimportant stuff.
Vandelay
21-01-2012, 03:06 PM
You should be using a different password whether it's using an online solution or not.
What I was saying though is if someone steals the password whether it was generated by a program making a string of random characters or "lolcats105", they've still got the password.
True, but when you have four or five e-mail accounts, a bunch of websites and forums you regularly visit, multiple kinds of online stores, a couple of online banking services, a few work passwords, etc. etc. you start to run out of passwords to use and an easy and secure way of storing them/remembering them. A bit of software like KeePass lets me generate passwords, so I don't have to come up with a different one for each service I use and securely stores it for me. When somewhere like RPS is hacked, I can easily just get it to generate a new password and change it, so it doesn't matter that they have my old one.
Having said that, I am getting a few issues using KeePass. Firstly, my Hotmail account on my iPad refuses to recognise the new password, even though Gmail worked fine. I also have had to change my RPS password about two or three times, because it will suddenly no longer recognise the password I have stored in KeePass. Anyone else experienced this before, or am I doing something wrong?
Edit: Okay, forget the Hotmail issue. Apparently my previous 20-character password was too long. Instead of telling me this, it just chops off the last 4 characters when accessing Hotmail from your browser. The iPad doesn't know to do this, so just said the password was wrong. Deleting the last 4 characters from the password worked.
President Weasel
22-01-2012, 09:20 AM
After the chorus of condemnation of Sony for hiding their being hacked for several days, I would have thought RPS would have sent an email as soon as they knew something had happened, rather than merely taking the forums down and leaving people to wonder.
It was nice to see a front page article and emails to subscribers once you knew what had happened, but the fact remains that you knew something had happened for a day and neglected to tell us.
Althea
22-01-2012, 09:31 AM
After the chorus of condemnation of Sony for hiding their being hacked for several days, I would have thought RPS would have sent an email as soon as they knew something had happened, rather than merely taking the forums down and leaving people to wonder.
It was nice to see a front page article and emails to subscribers once you knew what had happened, but the fact remains that you knew something had happened for a day and neglected to tell us.
Um... did you read the e-mail? They said they knew about half an hour before they sent the first e-mail out.
Danny252
22-01-2012, 02:29 PM
A day without murder is like a day without sunshine.
By which you mean "very common"?
Megagun
22-01-2012, 02:44 PM
Um... did you read the e-mail? They said they knew about half an hour before they sent the first e-mail out.
From the e-mail:
"We learned about the attack yesterday afternoon"
Althea
22-01-2012, 02:53 PM
From the e-mail:
"We learned about the attack yesterday afternoon"
From the e-mail:
"We're tremendously sorry. We learned about the attack yesterday afternoon, and the tech people at Positive closed it off immediately, and have been sorting it out since, working out what they could have found. We learned the information reported above [i.e. the details of the hacking] half an hour ago, and have told you as quickly as we can."
Megagun
22-01-2012, 02:58 PM
They knew something was wrong, but didn't immediately notify people. Instead, they chose to do investigations prior to notifying people. I (and seemingly President Weasel along with me) think that this is inappropriate, and you need to notify people as soon as you know something is wrong, then tell them that you'll update them as you know more (such as what exactly was done to your systems).
EDIT: The same thing happened a while ago when the forums were also exploited and were actually serving malware to people who visited the forums. They never sent out an e-mail for that, because they believed that no data was stolen or retrieved (http://www.rockpapershotgun.com/forums/showthread.php?2427-RPS-Forums-Site-Contains-Malicious-Ware&p=78869&viewfull=1#post78869).
Althea
22-01-2012, 03:01 PM
How can you tell "them" something is wrong without knowing what's wrong?
If they sent out an e-mail as soon as they knew, it would just cause panic or outrage because no-one would know if their details were safe or whatever, and no-one could do anything about it anyway as the forum was down, ergo no facility to change your password.
Nalano
22-01-2012, 03:04 PM
How can you tell "them" something is wrong without knowing what's wrong?
That'd be a really horrible early warning system.
Mass e-mail: "BAD THINGS!"
Mass e-mail twelve hours later: "False alarm."
kami_sama
22-01-2012, 03:07 PM
Well, not everything is bad! I just registered to see how the community is!
And for those who need to have a strong password, I recommend http://www.pwdhash.com: it doesn't store anything, and with only a keyword you have one virtually undecipherable password for each site you are on.
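The idea behind a site-specific password generator like the one recommended in the post above, as an added example: this is my own simplified construction, not PwdHash's actual algorithm, and the master phrase, domains and 16-character output length are assumptions. Nothing is stored; each site password is recomputed from the master secret and the site's canonical domain, so a look-alike domain yields a different password.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Added example; my own construction, not PwdHash's algorithm. Nothing is stored:
# the site password is recomputed from the master secret and the site's domain.


def canonical_domain(url_or_host: str) -> str:
    """Normalise so 'https://WWW.Example.com/login' and 'example.com' agree,
    while a look-alike domain such as 'example.co' does not."""
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def site_password(master: str, site: str, length: int = 16) -> str:
    """HMAC-SHA256 keyed by the master secret over the canonical domain, base64
    encoded and cut to `length`. It is one-way, so a leaked site password does not
    directly reveal the master; a weak master can still be guessed offline, which
    is why the master phrase has to be strong."""
    domain = canonical_domain(site)
    mac = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def demo() -> dict:
    """Constructed inputs: same master, two spellings of one site, one look-alike."""
    master = "correct horse battery staple"  # assumed master phrase
    return {
        "forums": site_password(master, "https://www.rockpapershotgun.com/forums/"),
        "bare": site_password(master, "rockpapershotgun.com"),
        "lookalike": site_password(master, "rockpapershotgun.co"),
    }


if __name__ == "__main__":
    print(demo())
```

The two spellings of the real domain produce the same password and the look-alike does not, which is what makes this arrangement resistant to a phishing page that merely resembles the site. The caveat from the thread still applies: one site's stored value is now a function of a single master secret, so the scheme is only as strong as that phrase.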
Megagun
22-01-2012, 03:25 PM
How can you tell "them" something is wrong without knowing what's wrong?
It's possible to figure out that someone has gained illegitimate access to your servers without knowing what exactly they've done, but knowing that they would have access to user data and the like.
President Weasel
22-01-2012, 05:38 PM
They took the forums down because they knew that there had been an attack of some kind. It would have been best practice at that point to have put a quick news article on the front page to tell people the simple facts that they knew at the time - "the forums are down due to a possible hack, we have taken them down while we investigate, we will update you when we know more, and in the meantime we strongly suggest that if you use the same password for any other sites you change them as a basic safety precaution".
I am mildly disappointed in you for not doing this, RPS hivemind.
Althea
22-01-2012, 06:31 PM
Why should they do that? As much as I tend to disagree with Nalano, his above post is bang on the money. If they'd said something without the facts, they could have spread alarm, tarnished their image - whatever. I would rather they take the forums down, work out what's going on and then - as they did - say "We're sorry guys, but this, that and the other happened". There was little reason to mention it before the forums went back up because none of us would have been able to do anything about our passwords anyway, which would have just caused stress or panic amongst parts of the userbase.
zookeeper
22-01-2012, 06:44 PM
Having said that, I am getting a few issues using KeePass. Firstly, my Hotmail account on my iPad refuses to recognise the new password, even though Gmail worked fine. I also have had to change my RPS password about two or three times, because it will suddenly no longer recognise the password I have stored in KeePass. Anyone else experienced this before, or am I doing something wrong?
Edit: Okay, forget the Hotmail issue. Apparently my previous 20-character password was too long. Instead of telling me this, it just chops off the last 4 characters when accessing Hotmail from your browser. The iPad doesn't know to do this, so just said the password was wrong. Deleting the last 4 characters from the password worked.
I decided to use this opportunity to try out KeePass as well. After spending a fair amount of time getting it all set up and synced across various devices via Dropbox, I find that most of the passwords that it generated were too long for the sites in question. So I run into a similar situation as this, where my site passwords are cut-off versions of the ones in KeePass, but without warning me that this was happening. Also, to my recollection, there was no mention of password limits/parameters on any of the change-your-password pages.
So, I've gone back to making up my own passwords and using them, making sure that important ones like email and banking are unique while everything else gets pretty much the same one. :/ When I'm less frustrated I might give KP another try.
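The silent-truncation failure described in Vandelay's and zookeeper's posts above, reproduced as an added example (my code, not Hotmail's, KeePass's or RPS's): a login form cuts the password to 16 characters before it reaches the server, a second client sends the full 20-character string and is refused, and the hardened setter rejects over-long input with an explicit error instead. The 16-character form limit, the 128-character policy bound and the sample password are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not code from Hotmail, KeePass or RPS. It models the failure mode
# from the thread: a web form with maxlength=16 drops the tail of the password
# without telling anyone, while another client (the iPad mail app) sends all of it.

FORM_MAXLENGTH = 16   # assumed: the form's silent limit
POLICY_MAX = 128      # assumed: generous bound the hardened server enforces explicitly
ITERATIONS = 20_000   # kept modest for the demo; use a higher count in production


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of exactly the string the server received."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def browser_submit(password: str) -> str:
    """What the web form sends: anything past maxlength is silently discarded."""
    return password[:FORM_MAXLENGTH]


def server_set_password(submitted: str) -> dict:
    """Stores a salted hash of whatever arrived; the server itself never truncates."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(submitted, salt)}


def server_check(record: dict, submitted: str) -> bool:
    """Constant-time comparison against the stored hash."""
    return hmac.compare_digest(record["hash"], derive(submitted, record["salt"]))


def server_set_password_strict(submitted: str) -> dict:
    """Hardened variant: refuse empty or over-long input with a clear error rather
    than letting any layer alter the password. The form's maxlength should match."""
    if not submitted:
        raise ValueError("password must not be empty")
    if len(submitted) > POLICY_MAX:
        raise ValueError(f"password longer than {POLICY_MAX} characters")
    return server_set_password(submitted)


def strict_rejects(password: str) -> bool:
    """True when the hardened setter refuses the password."""
    try:
        server_set_password_strict(password)
    except ValueError:
        return True
    return False


def diagnose(record: dict, password: str) -> str:
    """Support-desk check for an account that 'stopped accepting' its manager-stored
    password: reports whether the full string, a truncated prefix, or nothing matches."""
    if server_check(record, password):
        return "full"
    for n in range(len(password) - 1, 0, -1):
        if server_check(record, password[:n]):
            return f"prefix:{n}"
    return "none"


def demo() -> dict:
    """Replays the thread's scenario with a constructed 20-character password."""
    generated = "Xk7#pQ2vL9!mR4wZaB1c"
    record = server_set_password(browser_submit(generated))  # changed via the web form
    return {
        "browser_login": server_check(record, browser_submit(generated)),  # True
        "ipad_login": server_check(record, generated),                     # False
        "diagnosis": diagnose(record, generated),                          # "prefix:16"
        "strict_accepts_20": not strict_rejects(generated),                # True
        "strict_rejects_129": strict_rejects("a" * (POLICY_MAX + 1)),      # True
    }


if __name__ == "__main__":
    print(demo())
```

The point for anyone running a site: a length limit is fine, but it has to be one limit, stated on the page, enforced identically by the form and the server, and reported as an error rather than applied silently; otherwise users of a password manager or a second client get exactly the "it suddenly stopped accepting my password" symptom described above.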
Megagun
22-01-2012, 07:18 PM
Why should they do that? As much as I tend to disagree with Nalano, his above post is bang on the money. If they'd said something without the facts, they could have spread alarm, tarnished their image - whatever. I would rather they take the forums down, work out what's going on and then - as they did - say "We're sorry guys, but this, that and the other happened". There was little reason to mention it before the forums went back up because none of us would have been able to do anything about our passwords anyway, which would have just caused stress or panic amongst parts of the userbase.
If someone used the same RPS forum password on another service, they then know that they need to change it on the other service or potentially lose access to that service. Warning people quickly may give them more of a chance of changing their passwords on these other services.
archonsod
22-01-2012, 07:52 PM
It's possible to figure out that someone has gained illegitimate access to your servers without knowing what exactly they've done, but knowing that they would have access to user data and the like.
Erm, no it isn't. Not unless they tell you they've done it. Particularly not when the entire purpose of the server is to have people accessing it. I don't really think people need an email every time a badly written web crawler tries to do something it shouldn't.
Althea
22-01-2012, 08:16 PM
If someone used the same RPS forum password on another service, they then know that they need to change it on the other service or potentially lose access to that service. Warning people quickly may give them more of a chance of changing their passwords on these other services.
Despite the fact that the tech gurus estimated a 1 month timeframe for them to be cracked IF the hackers had taken user details, and according to one of the e-mails there is no evidence to suggest they did nor suggest they didn't. Ergo, warning users within roughly 24 hours of finding out (~20hrs of the forum going down) sounds like a pretty good turnaround to me.
Megagun
23-01-2012, 12:55 PM
The problem is that you don't know if the 1 month 'cracktime' applies as soon as you realize that something is wrong. If someone has write access to your forum's core files, they could have included something that makes your browser send the password as plaintext which is then logged to some database or file. This would mean that your password has been leaked in plain-text. Alternatively, they could've logged all calls to login.php; specifically logging all "vb_login_md5password" request parameters. These contain MD5'd versions of your password without salting, which means that they'd only have to look all MD5s up in a rainbow table to get your precious RPS forum password (provided that your password's hash can be located in one of these). You need to do some investigation which takes time to figure out if your user's passwords have been vulnerable or not, and how vulnerable they would be under different conditions.
I would've let people know as soon as I'd have any good reason to believe that the servers had been compromised. Receiving a lot of failed SSH login attempts isn't a good reason to believe that you've been compromised, but receiving a successful login for a username and password you're not familiar with, or a successful login from an IP address you're not familiar with, is. Receiving a random call on /shell.php (which hopefully 404s :P) isn't an indication that you've been compromised, but actually finding such a file and having it be publicly accessible is.
I think it's healthy and wise to assume the worst in these kinds of situations, even when you think that the 'worst case' scenario is very unlikely to happen. This allows you to respond quickly with a well-crafted message. Don't say things like "We may have been hacked, more information later", though. Say things like:
"We have reason to believe that our servers have been compromised. These servers contained usernames and passwords which were hashed and salted properly. Although we haven't started a full investigation yet, we believe that it's good practice to warn our users quickly, and we advise you to assume that your username and password have been leaked. That said, based on our server infrastructure and the information we know right now of the attack, we think it's unlikely that your passwords have been leaked, but we still advise you to assume that they have. More information and updates as we know more can be found at http://..."
I don't see any real downside to letting people know things like this quickly. If you were right and there was something wrong, you'll have done the right thing and users will appreciate your actions. If you had a false-positive, you send a followup e-mail or notice stating that nothing was wrong and that you have made a mistake when dealing with the situation at hand, but you make sure to word things in such a way which makes clear that you value security and notification of possible breaches highly. In case of a false-positive, you also start a process to try and make sure that next time you won't. If false positives keep happening, you politely apologize and increase the amount of investigation you do prior to warning users.
With all of that out of the way, I'd like to make clear that I don't really care much about the way RPS dealt with this hacking case. I'd like it if they let me know a bit sooner, even though it won't really affect me (I usually use randomly-generated passwords) and I don't really expect them to. After all, the RPS folks probably have other stuff to do, and it's not like I'm paying them any money directly.
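An added example (mine, not vBulletin's or RPS's code) for the password-storage points raised in frymaster's post and in Megagun's post above. A hash is one-way, unlike encryption, so verification re-derives the value and never decrypts anything; an unsalted MD5, which is also what the browser-side vb_login_md5password field carries, gives every user with the same password the same stored value, so a single precomputed table can be checked against the whole user table at once, whereas a per-user salt and a slow KDF make each record unique and each guess cost one KDF run per account. The user names and passwords are constructed, and the iteration count is kept low for the demo.

```python
import hashlib
import hmac
import os

# Added example, not vBulletin or RPS code: the same constructed user table stored
# two ways, and what each way means for anyone holding a copy of it.

ITERATIONS = 20_000  # modest for the demo; production counts are higher

USERS = {"alice": "correct horse", "bob": "lolcats105", "carol": "lolcats105"}  # constructed


def store_md5_unsalted(password: str) -> dict:
    """A bare MD5, as the vb_login_md5password request field carries it.
    Same password -> same digest for every user, every site, every day."""
    return {"alg": "md5", "hash": hashlib.md5(password.encode("utf-8")).hexdigest()}


def store_salted_kdf(password: str) -> dict:
    """Per-user random salt plus a deliberately slow key derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Re-derives from the record and compares in constant time; there is no
    'decrypt' step, which is the difference between hashing and encryption."""
    if record["alg"] == "md5":
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    else:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(record["salt"]),
                                        record["iterations"]).hex()
    return hmac.compare_digest(record["hash"], candidate)


def build_table(users: dict, store) -> dict:
    return {name: store(pw) for name, pw in users.items()}


def shared_digests(table: dict) -> int:
    """Number of users whose stored value is identical to another user's.
    Non-zero means one lookup answers for several accounts at once."""
    counts: dict = {}
    for rec in table.values():
        counts[rec["hash"]] = counts.get(rec["hash"], 0) + 1
    return sum(c for c in counts.values() if c > 1)


def guess_cost(table: dict) -> int:
    """Hash evaluations needed to test ONE candidate password against EVERY account:
    one for an unsalted table, one per distinct salt for a salted one."""
    salts = {rec.get("salt") for rec in table.values()}
    return 1 if salts == {None} else len(salts)


def demo() -> dict:
    md5_table = build_table(USERS, store_md5_unsalted)
    kdf_table = build_table(USERS, store_salted_kdf)
    return {
        "md5_shared": shared_digests(md5_table),   # 2: bob and carol are indistinguishable
        "kdf_shared": shared_digests(kdf_table),   # 0: the salts differ
        "md5_guess_cost": guess_cost(md5_table),   # 1
        "kdf_guess_cost": guess_cost(kdf_table),   # 3, and each is a slow KDF
        "kdf_ok": verify(kdf_table["bob"], "lolcats105"),
        "kdf_wrong": verify(kdf_table["bob"], "lolcats106"),
    }


if __name__ == "__main__":
    print(demo())
```

Two things follow for the thread's argument. Hashing the password in the browser does not substitute for salting on the server, because the client-side value is itself a fixed, unsalted function of the password. And "at least a month to crack" is a statement about the salted, slow scheme; it says nothing about whatever an attacker with write access to the login code might have captured directly, which is Megagun's point.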
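The two signals Megagun's post singles out as real indicators of compromise (a successful SSH login for an unknown account or from an unexpected network, and a request for a suspicious path that does not 404), run as detection logic over constructed log lines. This is an added example of my own, not RPS's tooling; the admin list, the trusted network range, the watched file name and every log line are constructed, and the log formats are the usual OpenSSH and combined-access-log shapes.

```python
import re
from ipaddress import ip_address, ip_network

# Added example, not RPS's tooling. Constructed sshd and web-server log lines and
# the triage rules the post above describes: failed logins and 404 probes are
# noise; an accepted login from the wrong place, or a watched file that answers
# with 200, is evidence.

KNOWN_ADMINS = {"rpsadmin", "deploy"}                 # assumed legitimate accounts
TRUSTED_NETS = [ip_network("198.51.100.0/24")]        # assumed office/VPN range
WATCH_NAMES = {"shell.php"}                           # file names that should never exist

AUTH_LOG = """\
Jan 14 02:11:03 rpsweb sshd[2210]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jan 14 02:11:07 rpsweb sshd[2210]: Failed password for root from 203.0.113.9 port 40130 ssh2
Jan 14 02:13:40 rpsweb sshd[2231]: Accepted publickey for deploy from 198.51.100.20 port 51002 ssh2
Jan 14 03:02:15 rpsweb sshd[2290]: Accepted password for backup2 from 203.0.113.77 port 44010 ssh2
Jan 14 03:05:01 rpsweb sshd[2301]: Accepted password for rpsadmin from 203.0.113.77 port 44018 ssh2
"""

ACCESS_LOG = """\
203.0.113.77 - - [14/Jan/2012:03:10:02 +0000] "GET /forums/index.php HTTP/1.1" 200 18231
203.0.113.9 - - [14/Jan/2012:03:10:40 +0000] "GET /shell.php HTTP/1.1" 404 512
203.0.113.77 - - [14/Jan/2012:03:12:19 +0000] "POST /forums/images/shell.php HTTP/1.1" 200 97
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port")
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def triage_ssh(lines):
    """Alerts only on ACCEPTED logins that are unknown or come from outside trusted nets."""
    alerts = []
    for line in lines:
        m = SSH_RE.search(line)
        if not m or m.group(1) != "Accepted":
            continue  # failed attempts are background noise, as the post says
        user, src = m.group(3), ip_address(m.group(4))
        reasons = []
        if user not in KNOWN_ADMINS:
            reasons.append("unknown account")
        if not any(src in net for net in TRUSTED_NETS):
            reasons.append("untrusted source network")
        if reasons:
            alerts.append({"user": user, "src": str(src), "reasons": reasons, "line": line})
    return alerts


def triage_http(lines):
    """Alerts when a watched file name is requested and the server did NOT 404:
    the probe is uninteresting, the file actually being there is not."""
    alerts = []
    for line in lines:
        m = HTTP_RE.match(line)
        if not m:
            continue
        src, when, method, path, status = m.groups()
        if path.rsplit("/", 1)[-1] in WATCH_NAMES and status != "404":
            alerts.append({"src": src, "when": when, "method": method,
                           "path": path, "status": status})
    return alerts


def compromise_indicated(auth_lines, access_lines) -> bool:
    """The question the post asks: is there a good reason to start notifying?"""
    return bool(triage_ssh(auth_lines)) or bool(triage_http(access_lines))


if __name__ == "__main__":
    for a in triage_ssh(AUTH_LOG.splitlines()):
        print("SSH:", a["user"], a["src"], a["reasons"])
    for a in triage_http(ACCESS_LOG.splitlines()):
        print("HTTP:", a["method"], a["path"], a["status"], "from", a["src"])
```

On the constructed input the two failed root attempts and the 404 probe produce nothing, the deploy login from the trusted range is clean, and three events remain: an accepted login for an account nobody created, an accepted admin login from an unfamiliar network, and a 200 for a file under the forum's image directory that should not exist. That is the point at which, in the post's framing, the clock on user notification starts, well before the full log analysis that kirrus describes is finished.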
Powered by vBulletin® Version 4.1.12 Copyright © 2013 vBulletin Solutions, Inc. All rights reserved.