Thoughts Media.com

 




  #1 (permalink)  
04-10-2008, 02:30 PM
Executive Editor
Jason Dunn
Join Date: Aug 2006
Posts: 23,029
Post-Hack Note Regarding Your Accounts

A community member brought up an interesting point that I hadn't thought much about: although there's no indication that the hacker copied our user database, it is of course possible that he looked up individual user entries and copied data from them. The most sensitive user information we store is your email address (and your password if you didn't use a password unique to this site), which we never share with anyone else, but it's technically possible that the hacker got his hands on it. Unlike some of the other previous hacks we've dealt with, this one didn't seem to be motivated by profit or a desire to distribute spyware. I highly doubt anyone will start to get any spam to the address in their profile from this incident, but I felt it best to bring this issue to your attention in case something unusual does start to happen. Hopefully this is much ado about nothing.

UPDATE: I've been informed that vBulletin encrypts the user passwords in its database, so it's highly unlikely that anyone's passwords were compromised. Good news!
__________________
Thanks for visiting our forums!
  #2 (permalink)  
04-10-2008, 04:03 PM
Intellectual
subzerohf
Join Date: Aug 2006
Posts: 153

I presume that our passwords are encrypted, and as long as the hacker does not have the private key, (s)he won't be able to resolve the password?
__________________
Why, oh why didn't I take the blue pill?
  #3 (permalink)  
04-10-2008, 06:35 PM
Managing Editor
Rocco Augusto
Join Date: Aug 2006
Posts: 2,001

Good to hear! To my knowledge, doesn't vBulletin MD5 hash the user's selected password twice and then randomly select a key to encrypt it? If so, it just seems like more trouble than it's worth to try and crack the passwords.
__________________
RoccStar Accessories
http://www.roccstar.com
  #4 (permalink)  
04-10-2008, 09:31 PM
Executive Editor
Jason Dunn
Join Date: Aug 2006
Posts: 23,029

Quote (originally posted by subzerohf):
"I presume that our passwords are encrypted, and as long as the hacker does not have the private key, (s)he won't be able to resolve the password?"

Yes, that would seem to be correct. The only private data exposed would be your email address...
__________________
Thanks for visiting our forums!

All times are GMT +1.


Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Friendly URLs by vBSEO 3.2.0 RC7
Copyright Thoughts Media Inc. 2007