IMPORTANT! Have you received an email to your forum username?

Comments

  • emmell
    emmell Posts: 1,228 Forumite
    I have had notification of an email and I'm a user from Feb 2009, if this helps you out at all.
    ML.
    He who has four and spends five, needs neither purse nor pocket
  • 23n1th
    23n1th Posts: 1,523 Forumite
    Just voted on the poll as having joined this year and for some reason the vote went to "joined before 2010" sort it out.
  • mp3duck
    mp3duck Posts: 1,305 Forumite
    I am sure this may have been said by others, but I too got the email.
    However, it was addressed to my username that I changed a long time back. I think it was around 8 months back..

    I know for sure that our details were not sold.. Like Martin said, that is something they would never do.
    No website is 100% secure. Hackers will always find a new way to gain access to our details.
  • dmbw
    dmbw Posts: 378 Forumite
    Yup, I got one in my junk box, opened it as well but didn't click anything as thought it was dodgy looking, purporting to be business ME
  • MSE_Martin
    MSE_Martin Posts: 8,272 Money Saving Expert
    I've just spoken to my team about this.

    There are two people who have joined since 2010 who say they've got an email which is of course worrying, though we've yet to verify it and want to check those emails before drawing any conclusions. I have now started the poll to see when the people who got the email joined.

    Originally I was going to ask whether people got it or not - but then realised it would be massively skewed because people who got the email would be the ones who clicked the "have you got an email to your forum address" link.

    We are going to further look at this in the morning. Both my team and our server company's security team have been looking at this and the access logs and no indication of a recent breach has been found yet (as far as I'm aware; it is 10.30pm and I can't get hold of them all).
    Martin Lewis, Money Saving Expert.
    Please note, answers don't constitute financial advice, it is based on generalised journalistic research. Always ensure any decision is made with regards to your own individual circumstance.
    Don't miss out on urgent MoneySaving, get my weekly e-mail at www.moneysavingexpert.com/tips.
    Debt-Free Wannabee Official Nerd Club: (Honorary) Members number 000
  • same as some other posters, I got it today but it was showing my old username that was changed a while back
  • fletty
    fletty Posts: 731 Forumite
    I didn't have the email earlier on today but have just received it now so it's still ongoing.....
    :beer:
  • Olipro
    Olipro Posts: 717 Forumite
    Fair enough, but even so as I'm sure you'll know, if you've got a dump of a database with 'double hashed' passwords, it doesn't take too long to apply the same hashing to a file of dictionary words. Then go through your stolen database, and see which hashes match. Boom, now you have the passwords of the 90% of users who had passwords straight out of the dictionary (or perhaps those on the super-common list, e.g. 'fred', 'god', 'password1', 'letmein', etc).

    No, it'd take ages with a database the size of MSEs, not to mention that having a forum account password isn't terribly useful unless you happen to know who that person is.

    However, further compounding the problem for any would-be password cracker is the fact that vBulletin uses a salt, so the only way you'd even be able to either crack the password OR find a hash collision is to have gotten not only the SQL DB dump but also the complete forum script files... not impossible of course if the leak was a result of an insider of course.

    In any case, if you receive one of these scam e-mails, I suggest you dump the full headers, do a WHOIS on the IP of the server responsible for sending it and then hopefully, if it's an actual webhost and not a zombie machine, let the host know about it so they can take the account down.
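
The header check suggested in the post above, as an added example (not part of the thread and not any poster's code): it walks the `Received` headers from the top and returns the address that connected to the recipient's own mail provider. The provider domain `example.net`, the host names and all addresses in the sample message are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: made-up hosts, documentation-range and RFC 1918 addresses.
SAMPLE = """\
Received: from mx-in.example.net (mx-in.example.net [10.0.0.5])
\tby store.example.net with LMTP; Mon, 30 Jun 2014 16:02:11 +0100
Received: from mail.sender-host.example (unknown [203.0.113.45])
\tby mx-in.example.net with ESMTP; Mon, 30 Jun 2014 16:02:10 +0100
Received: from trusted-bank.example ([198.51.100.7])
\tby mail.sender-host.example with SMTP; Mon, 30 Jun 2014 16:02:08 +0100
From: "Business ME" <offers@sender-host.example>
To: forumuser@example.net
Subject: Constructed sample

body
"""

BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]

def hops(raw):
    """Return (by_host, ip_or_None) for each Received header, newest first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        by = BY_HOST.search(flat)
        found = BRACKET_IP.search(flat[:by.start()] if by else flat)
        try:
            ip = ipaddress.ip_address(found.group(1)) if found else None
        except ValueError:                      # bracketed text that is not an IP
            ip = None
        out.append((by.group(1).lower().rstrip(".") if by else "", ip))
    return out

def ip_to_report(raw, my_provider):
    """Client IP logged by the recipient's own provider at its network edge.
    Headers below that one were written by the sender's side and can be forged."""
    for by_host, ip in hops(raw):
        ours = by_host == my_provider or by_host.endswith("." + my_provider)
        internal = ip is not None and any(
            ip.version == n.version and ip in n for n in INTERNAL)
        if ours and ip is not None and not internal:
            return str(ip)
    return None

if __name__ == "__main__":
    print(ip_to_report(SAMPLE, "example.net"))
```

The returned address is the one to look up with WHOIS; the bottom header's claimed origin is ignored because only the sender's own server vouches for it.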
  • Does anybody know, when the Usernames & Email addresses were "harvested" last year (I take it they mean stolen), were Passwords stolen too?

    I can't be the only (stupid) person who uses similar passwords on MSE and on other websites.

    I've changed a few of them already in the light of this breach :o

    Don't worry - you're not the only one ;). I do (did!) the same so it's been an arduous afternoon changing them all :eek:
  • cagsd
    cagsd Posts: 7,662 Forumite
    I have received this email this afternoon :-/
This discussion has been closed.