Bitcoin Forum
Author Topic: Change your passwords (and secret question) (Suggest stake address)  (Read 1995 times)
notlist3d (OP)
May 25, 2015, 02:59:26 PM
Last edit: May 25, 2015, 06:52:05 PM by notlist3d
 #1

Just in case anyone missed the past few days of downtime.  Change your passwords!  And secret question if you use it.  Everyone I think should have gotten an email saying this as well.

I also should have said this earlier but I suggest all to stake a btc address - https://bitcointalk.org/index.php?topic=1068013.msg11448313#msg11448313

I for one did not realize how much I would miss this forum.  Great to have it back up!


All accounts should have received this email a day or two ago:


You are receiving this message because your email address is associated
with an account on bitcointalk.org. I regret to have to inform you that
some information about your account was obtained by an attacker who
successfully compromised the bitcointalk.org server. The following
information about your account was likely leaked:
 - Email address
 - Password hash
 - Last-used IP address and registration IP address
 - Secret question and a basic (not brute-force-resistant) hash of your
 secret answer
 - Various settings

You should immediately change your forum password and delete or change
your secret question. To do this, log into the forum, click "profile",
and then go to "account related settings".

If you used the same password on bitcointalk.org as on other sites, then
you should also immediately change your password on those other sites.
Also, if you had a secret question set, then you should assume that the
attacker now knows the answer to your secret question.

Your password was salted and hashed using sha256crypt with 7500 rounds.
This will slow down anyone trying to recover your password, but it will
not completely prevent it unless your password was extremely strong.

While nothing can ever be ruled out in these sorts of situations, I do
not believe that the attacker was able to collect any forum personal
messages.

I apologize for the inconvenience and for any trouble that this may cause.
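
To make the email's "sha256crypt with 7500 rounds" concrete, here is an added example (not part of the thread, the email, or the forum's own code): a pure-Python implementation of the sha256crypt scheme with the round count set to 7500, plus a verifier. The function names, salt and passwords are constructed for illustration, and the salt is assumed to be ASCII.

```python
import hashlib, hmac, time

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order crypt(3) uses when encoding the 32-byte digest.
ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]

def _sha(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def _stretch(digest, n):
    """Repeat a 32-byte digest to exactly n bytes."""
    return (digest * (n // 32 + 1))[:n]

def sha256crypt(password, salt, rounds=7500):
    """Return '$5$rounds=N$salt$hash' (salt: ASCII, at most 16 chars)."""
    pw, sl = password.encode(), salt.encode()[:16]
    b = _sha(pw, sl, pw)
    parts = [pw, sl, _stretch(b, len(pw))]
    n = len(pw)
    while n:                      # one block per bit of the password length
        parts.append(b if n & 1 else pw)
        n >>= 1
    a = _sha(*parts)
    p = _stretch(_sha(pw * len(pw)), len(pw))
    s = _sha(sl * (16 + a[0]))[:len(sl)]
    c = a
    for r in range(rounds):       # the work factor: one SHA-256 per round
        c = _sha(p if r & 1 else c, s if r % 3 else b"",
                 p if r % 7 else b"", c if r & 1 else p)
    out = ""
    for x, y, z in ORDER:
        v = c[x] << 16 | c[y] << 8 | c[z]
        out += "".join(B64[v >> k & 63] for k in (0, 6, 12, 18))
    v = c[31] << 8 | c[30]
    out += "".join(B64[v >> k & 63] for k in (0, 6, 12))
    return f"$5$rounds={rounds}${sl.decode()}${out}"

def verify(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, _, rounds, salt, _ = stored.split("$")
    candidate = sha256crypt(password, salt, int(rounds.split("=")[1]))
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    # Constructed sample password and salt, not values from the breach.
    t0 = time.perf_counter()
    stored = sha256crypt("correct horse", "ExampleSalt12345")
    print(stored, f"({(time.perf_counter() - t0) * 1000:.1f} ms per guess)")
    print(verify("correct horse", stored), verify("password", stored))
```

Every verification costs roughly 7,500 SHA-256 computations and the per-account salt rules out precomputed tables, which is why the email says recovery is slowed down but a weak password is still not protected.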
Amph
May 25, 2015, 03:17:39 PM
 #2

never used a secret question, well i did use it at the beginning then i removed it, not needed i think, i received an email with this exact text information, but the forum was down at that moment

besides the password, if they stole your other info, it's not a big deal i suppose, especially with dynamic ip and if you used a trash email for your registration
notlist3d (OP)
Legendary
*
Offline Offline

Activity: 1456
Merit: 1000



View Profile
May 25, 2015, 03:20:11 PM
 #3

> never used a secret question, well i did use it at the beginning then i removed it, not needed i think, i received an email with this exact text information, but the forum was down at that moment
>
> besides the password, if they stole your other info, it's not a big deal i suppose, especially with dynamic ip and if you used a trash email for your registration

The IP is kinda a pain.  I need to have a time when I can release and renew on my router a few times to try to get a new IP.

That is a good point; if you have the ability to change your IP it is also a good idea to do so.
newflesh
May 25, 2015, 04:18:59 PM
 #4

Yeah I never bothered with the secret question either, I'd have probably forgotten what it was by now anyway (writing it down kind of defeats the point of it being secret ;)).
Already changed my password just in case, not really fussed about my email as it's a throwaway used to register this account.
virtualx
May 25, 2015, 04:22:45 PM
 #5

> Just in case anyone missed the past few days of downtime.  Change your passwords!  And secret question if you use it.  Everyone I think should have gotten an email saying this as well.
>
> ...

Was only the password hash leaked? What are the chances of someone finding a password once it's been hashed with sha256crypt 7500 rounds? Wouldn't they be limited to dictionary attacks?

pooya87
May 25, 2015, 04:32:34 PM
 #6

i have never received the email.

but now i changed my password and secret question. the previous password was strong and was only used here so i am not worried. i changed it to a newer and stronger one.

and the email i used here is already receiving spam, but it is a shame that all email addresses were compromised :(

virtualx
May 25, 2015, 04:39:51 PM
 #7

> i have never received the email.
>
> but now i changed my password and secret question. the previous password was strong and was only used here so i am not worried. i changed it to a newer and stronger one.
>
> and the email i used here is already receiving spam, but it is a shame that all email addresses were compromised :(

The forum had been down several days, there were some posts on the web about it.  The site owner had taken the forum down several times to investigate the issue.
Did the email reach your spam folder by any chance? :)

irfan_pak10
May 25, 2015, 04:41:28 PM
 #8

Just now received the same email from bitcointalk.
Thanks theymos for informing us about this issue.

Kprawn
May 25, 2015, 05:18:01 PM
 #9

I regularly change my passwords for all my accounts on all the sites I register as a rule anyway, so it's not such a big deal.

It's the accounts with the short passwords and the ones where people rarely change passwords, where the trouble starts.

Nothing is bulletproof, but you have to mix things up to make it more difficult.  >:(

Hope this is the end to all of these hacks... kudos for everyone involved in the restoration of the forum.  ;D

bandana
May 25, 2015, 05:21:37 PM
 #10

thanks for the information. i have recently changed my password.
it was an ache all over to know that the site is down, but happy to know it's back up again.
bitbaby
May 25, 2015, 05:29:23 PM
 #11

I changed my password, it's the first thing I did when I logged in just now, I didn't read the email but I was following what was happening through bitcointalk twitter and I read there that password hashes were compromised.

I never used a secret question so there was nothing to be changed there. Does one have to change his email also? I didn't change it because if it was already leaked then nothing can be done now and all you have to do is deal with extra spam that will probably come there.

notlist3d (OP)
May 25, 2015, 05:35:54 PM
 #12

> > Just in case anyone missed the past few days of downtime.  Change your passwords!  And secret question if you use it.  Everyone I think should have gotten an email saying this as well.
> >
> > ...
>
> Was only the password hash leaked? What are the chances of someone finding a password once it's been hashed with sha256crypt 7500 rounds? Wouldn't they be limited to dictionary attacks?

I suggest reading theymos post: https://bitcointalk.org/index.php?topic=1067985.0

It depends on length of password, and what was taken.  And things such as IP I would not guess are too long.  So it's hard to say.  I hope nothing comes out as far as info but guess we will see over time.
1Referee
May 25, 2015, 06:19:23 PM
 #13

I think it's quite weird that you can change your email address without first accepting the change via an email sent to the old email address. The hacker can change everything this way.

Confirming every important profile change via an email sent to the main email address is normal nearly everywhere, but here not.  :-\
dothebeats
May 25, 2015, 06:41:38 PM
 #14

I ain't receiving any spam email like the others here do. I only receive quoted replies to my posts and that is all fine by me. Also, I once considered putting a secret question to my account but changed my mind after I learned that having one would make your account more vulnerable to hacking attempts instead of having a second layer of protection for your account. Well in any case, I changed my password now. It's been a year or so since I last changed it, and luckily my account isn't compromised in any way.
notlist3d (OP)
May 25, 2015, 06:50:31 PM
 #15

Also Highly Suggest to Stake a BTC address only you have access to.  You do it over in Meta - https://bitcointalk.org/index.php?topic=996318.0

It needs to be a btc address you can sign a message with.  You ask someone else to quote the address that way if you are ever hacked 100 percent and lose access it would allow you to get your account back. 
Auxi
May 25, 2015, 09:29:25 PM
 #16

Done, thank you guys
Webnet
May 26, 2015, 01:17:03 AM
 #17

thanks for this info, unfortunately I use the former password on a lot of sites. I hope the attacker does not sell this information to other attackers

notlist3d (OP)
May 26, 2015, 01:29:56 AM
 #18

> thanks for this info, unfortunately I use the former password on a lot of sites. I hope the attacker does not sell this information to other attackers

After today I highly suggest stopping using that password.  I don't think we know if they have entire database.  But it is looking bad after today in meta.

Best is just to stop using it/change everywhere and if they sell it or try to use it you have rendered it useless.
Brewins
May 26, 2015, 02:04:44 PM
 #19

looks like some signatures don't match and are leading to phishing sites.

So better type bitcointalk address before changing password than clicking on the link in email
Hikah
May 26, 2015, 02:06:09 PM
 #20

Ok will do this for sure to prevent my account from hijacking