IMPORTANT! Have you received an email to your forum username?

colin79666 · 17 November 2010 at 10:55PM

Good post Jesthar, cricket fan by any chance?

mynewaccount · 17 November 2010 at 10:57PM

Rossy. wrote: »

But the issue is that everyone is blowing this way out of proportion.

It's spam and nothing more.

It's a news story if the UK's largest money website is hacked and someone posing as that site sends all the members a bank trojan that can steal actual cash from their accounts.

Tuppeny-hapenny-forums get hacked all the time, but MSE is a very big target. Given the millions of people who are supposed to be signed up to the money tips and these forums, it's a serious risk to the site's reputation alone, and that in itself is going to be an obvious concern to the many people who use it and benefit greatly from it.

MSE_Martin · 17 November 2010 at 11:01PM

Hello folks

First of all, frankly I find the comments that we may have sold this list deeply offensive. It goes against everything we do and would never do so.

While I have been out of MSE towers all day - as far as we are aware this is a forum not a main site issue. To those saying put it on the home page - frankly that'd do little good as the cross over between the two user groups is no where near as big as i'd like. Instead we’ve focused on ensuring the message is prominently on every page in the forum.

We are of course working hard to get to the bottom of this, again the best info we have is this is related to a breach we think we had last year. But we have to analyse it.

The forum is run using a 3rd party software called Vbulletin, and we rely on its protection to look after the files, plus over the last year we've been through a major exercise to try and tighten it up with our own security on top.

We don't hold any personal data on individuals - barring email addresses, and that is a deliberate policy both because we don't aim to data mine and because it means in the event something like this happens (and determined hackers try all big sites – Nasa, Facebook, the Navy and banks have been hacked) the worst that can happen I hope is inconvenience.

If we have been hacked whether recently (we doubt) or in the past - I of course apologise wholeheartedly, its not for want of trying - as I same we've been through some major security exercises over the last year including bringing in outside consultants to check for any flaws. Yet this unfortunately reflects the murkier side of the internet that it is a constant battle to keep out.

I am going to talk to the team now for an update on whats going on and also start a poll to ascertain how many people this affects.

Martin

Karmacat · 17 November 2010 at 11:02PM

Just found this thread, checked the spam folder on the email addy I use for mse, and I've got one, addressed to my name on here.

I remember the big security thing last year .... Martin, your regulars know you would never sell the list ... you're up there on the Trusted and Godlike List along with the likes of Sir Patrick Moore .... I'm sure your team will get to the bottom of the problem.

colin79666 · 17 November 2010 at 11:03PM

MSE_Martin wrote: »

The forum is run using a 3rd party software called Vbulletin, and we rely on its protection to look after the files, plus over the last year we've been through a major exercise to try and tighten it up with our own security on top.

Thanks for the update Martin. Perhaps the team could look at upgrading from the current version of vBulletin which has several known vulnerabilities?

mynewaccount · 17 November 2010 at 11:08PM

Jesthar wrote: »

1. Your password is double hashed, not double encrypted. Got that from the vBulletin site. I suspect the term 'encrypted' was used here earlier in an attempt to not confuse people who have no idea what 'hashed' is. Chances are your password is perfectly safe, as it would take quite a lot of computing power to crack it without full database access (and would be tricky even so), but changing it is a fast and reliable way to make sure. This looks more like database access, not individual account access.

Fair enough, but even so as I'm sure you'll know, if you've got a dump of a database with 'double hashed' passwords, it doesn't take too long to apply the same hashing to a file of dictionary words. Then go through your stolen database, and see which hashes match. Boom, now you have the passwords of the 90% of users who had passwords straight out of the dictionary (or perhaps those on the super-common list, e.g. 'fred', 'god', 'password1', 'letmein', etc).

In vBulletin's case you'd obviously need to know the salt that the passwords were hashed with, but if someone has been able to access the complete user database, it's not at all improbable that they could have obtained the salt password too.

Jesthar wrote: »

10. Trust takes a lifetime to build, and a moment to destroy. For this site to remain effective, it requires trust. I therefore doubt that the information was sold or otherwise traded. Accidentally disseminated remains an option, of course, but MY first question, therefore, is who would profit from MSE not being trusted any more...?

I suspect this was an attempted impersonation gone wrong - perhaps not realising that Money Expert and Money Saving Expert were not the same site, the fraudsters were just impersonating the wrong organisation in their attempt to get people to download the banking trojan. Ultimately, forget about trust, follow the money. The people who will have benefited from this are the crooks who will be withdrawing cash from the accounts of anyone unfortunate enough to follow the link in that email...

This looks like a pretty sophisticated attack.

samwsmith1 · 17 November 2010 at 11:13PM

I haven't had one, but they haven't just got the details off the site member list have they?

akh43 · 17 November 2010 at 11:16PM

I got one to my work email address today, didn't realise until now it was connected to MSE. As I did not recognise the website I decided to forward to our spam email address, glad I did now.

It is worrying that this can happen. My v/card is unticked and I joined with my work email a few years ago.

MrRedundant · 17 November 2010 at 11:18PM

powerRIP wrote: »

Are you aware of the numerous posts from people who only joined recently yet have received today's email?

Of course these people may be lying or mistaken. The fact is the majority are older members and only 2 or 3 newer members have reported this. I suspect they are mistaken, trolls or other miscellaneous.

I do think they are right and the breach was last year but why they chose to cover it up who knows.

Think ML's excuse as to why not put it on the main site is PR straw clutching at the best. Its all to do with not wanting the revenue and rep of the site to take a hit anymore than it has too.

DrPaul · 17 November 2010 at 11:20PM

MSE_Martin wrote: »

Hello folks

First of all, frankly I find the comments that we may have sold this list deeply offensive. It goes against everything we do and would never do so.

Martin

Hi Martin,

Thanks for the response.

Hope that some of my comments aren't construed that way, as I really do believe in the ethics of your good self and MSE in general and believe implicitly in the advice that you offer.

My only point is that the evidence (unique email addresses compromised) indicates a data breach in your system, and that can only really have two possible causes:

1. Your forum database was hacked externally.

2. An "inside job" - e.g. the proverbial temporary staff with a USB stick.

Option 1 seems by far the most likely, but I think that option 2 needs to be investigated if only to exclude it as a possibility.

I'm assuming of course that you haven't been mailing out any unencrypted CDs of your user database - oh sorry that's the Inland Revenue isn't it?

IMPORTANT! Have you received an email to your forum username?

Comments

Confirm your email address to Create Threads and Reply

🚀 Getting Started

Categories

Is this how you want to be seen?

Get our FREE Weekly email full of deals & guides - and it’s spam-free