Comments
A copy of my update to the first post
Update by MSE Martin at 10.30pm Wed
Having been out of the office and out of contact for most of the day, I wanted to write a note now that I can, though the senior team have been on this all day.
We are of course working hard to get to the bottom of this. The best info we have so far is that this is related to an old forum breach we think we had last year, but we have to analyse it. Please vote in the poll, as it will help us determine whether this is only affecting older users or not - indications are it is being sent to old usernames, which shows that being likely.
We have yet to verify anyone who joined in 2010 and got the email, so if you have, we'd kindly request that you urgently email webmaster@moneysavingexpert.com both your username, so we can check the logs, and a copy of the email received, so we can investigate it.
The forum is run using 3rd party software called vBulletin, and we rely on its protection to look after the files; plus, over the last year we've been through a major exercise to try and tighten it up with our own security on top.
An upgrade to that software is available and it is on our list, but it is a massive exercise of many months to rebuild all the bespoke features that we've added (many at users' request) and isn't something that can happen quickly.
Thankfully we don't hold any personal data on individuals - barring email addresses. That is and always has been a deliberate policy, both because I don't want us to data mine individuals and because it means in the event something like this happens (and determined hackers try all big sites - Nasa, Facebook, the Navy and banks have been hacked) the worst that can happen, I hope, is inconvenience. Of course it's also an important reminder again to ensure you have anti-virus software (see free anti-virus).
If we have been hacked, whether recently or in the past, I of course apologise wholeheartedly; it's not for want of trying - we've been through some major security exercises over the last year, including bringing in outside consultants to check for any flaws. Yet this unfortunately reflects the murkier side of the internet, which it is a constant battle to keep out.
We will further continue looking at this in the morning. My tech team and our server company's security team have been looking at this and the access logs, and no indication of a recent breach has been found yet (as far as I'm aware - it is 10.30pm and I can't get hold of them all).
Regards
Martin
Martin Lewis, Money Saving Expert.
Please note, answers don't constitute financial advice, it is based on generalised journalistic research. Always ensure any decision is made with regards to your own individual circumstance.
Don't miss out on urgent MoneySaving, get my weekly e-mail at www.moneysavingexpert.com/tips.
Debt-Free Wannabee Official Nerd Club: (Honorary) Members number 0000
mynewaccount wrote: »Fair enough, but even so as I'm sure you'll know, if you've got a dump of a database with 'double hashed' passwords, it doesn't take too long to apply the same hashing to a file of dictionary words. Then go through your stolen database, and see which hashes match. Boom, now you have the passwords of the 90% of users who had passwords straight out of the dictionary (or perhaps those on the super-common list, e.g. 'fred', 'god', 'password1', 'letmein', etc).
In vBulletin's case you'd obviously need to know the salt that the passwords were hashed with.
I would hope that vBulletin were sensible enough to use a different [strike]hash[/strike] salt for each user rather than the same [strike]hash[/strike] salt for everyone.
Conjugating the verb 'to be':
-o I am humble -o You are attention seeking -o She is Nadine Dorries
Just a quick query about the poll - it asks about joining date; what about people who changed their email addresses after the last incident?
Conjugating the verb 'to be':
-o I am humble -o You are attention seeking -o She is Nadine Dorries
It is odd that one or two see this purely as nothing more than a random SPAM attack when it's clearly a security breach, targeting individuals. Well, I was able to download the zip file ten mins ago thanks to the obscured link being posted.
This is what some of the major AVs are reporting on this zip file atm; that will change as they update their databases of course.
There's not one intelligent poster on here who to my knowledge has posted that this is about spam. Posts have been about a security breach -- the exact nature of which has yet to be identified -- contrived by person or persons unknown for the purposes of getting recipients of a phony email to click on a dangerous link.
What's so damned depressing about this thread isn't the mad melodramatics of a demented few but the larger number of posters who have taken the "we're not techies" line as an argument for criticising MSE.
Which is the same as saying, I'm a highway user and I've no idea at all about how to cross the bloody road but it's everyone else's fault for not stopping the traffic for me.
There's no duty on MSE or anyone here to try to deal with that kind of ignorance. Nor should it be necessary for so many posters like Rossy to have to keep on stating the blindingly obvious:
1: A botched attempt to trap the unwitting has so far managed only to flush out a lot of people who don't like Martin Lewis, loathe this website, but are delighted to benefit from his work and that of this forum;
2: The botched attempt was *not* a Denial of Service attack on MSE to bring the site down as happened some time ago (and can happen to any site, anywhere);
3: The botched attempt has yet to yield any evidence here or anywhere else of an MSE user's bank account, personal data, or any other details falling into the hands of the scammers;
4: A lot of people are worried, and have good reason to be so, because if they hadn't realised until now that leaving the house with all windows and doors open and then walking out blind-folded into dense traffic is Not A Good Thing, then thank Gawd they do now.
As for lecturings about data protection legislation, and the penalties for breaching same, no webmaster needs a lesson in that from posters who give every appearance of not having the slightest clue what they're on about.
As ever, the most sensible posts from folks here have been from those who decline to rush to judgment and prefer instead to let MSE get on with sorting out the how-what-when-who-where of the current situation.
Maybe I should have posted this to the Vents section of MSE.
Paul_Herring wrote: »I would hope that vBulletin were sensible enough to use a different hash for each user rather than the same hash for everyone.
That's not how hashing works.
A user enters their password, the salt is added (to those who don't know, a "salt" is some extra text which is added on the end/start of the password), and a hash is generated (normally using the md5 algorithm).
The resulting hash (which can't be directly unhashed) is compared to the hash stored in the database. The stored hash is generated when a user registers, or changes their password.
If each user's hash was generated in a different way, there would be no way of knowing how to generate the hash to compare against when the user logs on.
To be clear, each user has a different hash stored in the database.
For those who are interested, a "hashed" password looks something like 120575b06826f0a7829b30910a54f2c3 (this is a hash of "testingxxx", assuming the password is "testing" and the salt is "xxx").
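The salt-then-hash login flow described in the post above, written out as an added example (this is not code from the thread or from vBulletin itself; the user table, salt length and function names are assumptions for illustration). It hashes the password concatenated with the salt, exactly as the post describes, and shows the point the two posters were circling: the hashing *method* is the same for everyone, but each user's stored hash still differs because the salt does, so two users who pick the same password do not end up with the same stored value.

```python
import hashlib
import secrets

# Constructed in-memory user table for the example: username -> (salt, stored_hash).
USERS = {}


def hash_password(password: str, salt: str) -> str:
    """md5 over password followed by salt, the scheme the post describes.

    md5 is used here only because that is what the thread discusses; it is far
    too fast for password storage today, and a per-user salt only stops
    precomputed tables, not a guess-by-guess run over a stolen dump. Modern
    systems use a deliberately slow KDF (bcrypt, scrypt, Argon2) instead.
    """
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def new_salt(nbytes: int = 8) -> str:
    """Fresh random per-user salt (assumed length; the thread's 'xxx' is just an illustration)."""
    return secrets.token_hex(nbytes)


def register(username: str, password: str) -> tuple:
    """Store (salt, hash) for a new user, as happens at registration or password change."""
    salt = new_salt()
    USERS[username] = (salt, hash_password(password, salt))
    return USERS[username]


def verify(username: str, password: str) -> bool:
    """Login check: look up the user's own salt, rehash the supplied password, compare."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so timing does not leak
        # whether a username exists.
        hash_password(password, "no-such-user")
        return False
    salt, stored = record
    # Constant-time comparison of the two hex digests.
    return secrets.compare_digest(stored, hash_password(password, salt))


def same_password_different_hashes(password: str, salt_a: str, salt_b: str) -> bool:
    """True when two different salts turn one password into two different stored hashes."""
    return hash_password(password, salt_a) != hash_password(password, salt_b)


if __name__ == "__main__":
    # The thread's own worked values: password "testing", salt "xxx".
    print("md5(testing + xxx) =", hash_password("testing", "xxx"))
    register("alice", "password1")
    register("bob", "password1")  # same password as alice
    print("alice and bob stored hashes differ:", USERS["alice"][1] != USERS["bob"][1])
    print("alice logs in with right password:", verify("alice", "password1"))
    print("alice logs in with wrong password:", verify("alice", "password2"))
```

Running the script prints the md5 of "testingxxx" so it can be compared with the value quoted in the post, then registers two users with the same password and shows that their stored hashes differ while both still log in correctly.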
Me wrote: »I would hope that vBulletin were sensible enough to use a different hash for each user rather than the same hash for everyone.
»A user enters their password, the salt is added
Braino. I did of course mean salt, not hash.
If each user had a different hash[sic], there would be no way of knowing how to generate the hash to compare against.
Conjugating the verb 'to be':
-o I am humble -o You are attention seeking -o She is Nadine Dorries
2 suggestions to MSE techies:
1. There are lots of threads about this same issue - all dated today. Could they be combined please? The info in them is not consistent - e.g. they don't all warn that the email contains a trojan.
2. As MSE is a trusted site to many and it appears that usernames unique to MSE are being used in a spam email, can you send out an additional urgent email to all subscribers warning them of the current issue? This could save some people a lot of trouble.
Just checked my spam box - there's loads in there from this MoneyExpert.com going back to 16th October. They are all dated one day after receiving spam from BeatThatQuote.com - coincidence? Luckily all went straight to spam. Really must do more housekeeping!
MSE_Martin wrote: »We have yet to verify anyone who joined in 2010 and got the email, so if you have we'd kindly request that you urgently email webmaster@moneysavingexpert.com both your username so we can check the logs and a copy of the email received so we can investigate it.
All well and good but I don't have the email anymore, deleted and sender blocked.