IMPORTANT! Have you received an email to your forum username?
EssexHebridean wrote: »Why do people keep banging this particular drum? It was made very public when it happened, I suspect you and the others mentioning it have simply forgotten about it, or you didn't bother reading the posts at the time. I certainly recall it and I believe there are links to the relevant posts from back then posted on this thread now too - both by MSE Dan and other users.
I would imagine that people keep banging that particular drum because it's still relevant and requires an answer, seeing as this is supposedly the cause of the emails. Also the fact that the spammers messed up is beside the point!
There are many users whose details were harvested who don't visit this site every day, probably not even once a week... imagine that! :eek: Some of these users would not have seen a simple forum thread. And if it's anything like this one, which is just as useless, if they had seen it, didn't have 4 hours to read through it all.
Each user could easily have been emailed the information. You know, like they get the newsletter. The question is, if it was such a big breach, which it obviously was, why weren't they?????????????????
Where does one begin? So much misunderstanding in one post!
VictimOfImpersonation wrote: »[...] the symptoms suggest that it is a given that MSE passwords have also been harvested ... probably during one of the serious Denial of Service attacks against MSE that were reported when the OFT versus the Banks case was reaching a climax. Noted what jrawle says about the encryption of passwords within vBulletin, but who really knows how secure that is under DoS?
They are held as one-way hashes, so even if they were 'harvested' there's nothing that could be done with them.
And a Denial of Service attack has absolutely nothing to do with passwords!
VictimOfImpersonation wrote: »As MSE is likely to be a recurring target for DoS attacks due to its frequent conflicts with big business...
VictimOfImpersonation wrote: »Even those people clever enough to control their own domain names and unique email addresses may inadvertently find that they are particularly vulnerable if their public domain "WhoIs" data contains location address details for example. Furthermore, one might also imagine that vBulletin tracks User IP addresses. Might they also have been compromised?
Yes, received by me on the 17th (5.20pm) with the heading "From MoneyExpert.com to Watson".
"...we insist on being independent, that's why we're partnered with..." rang instant warning bells.
Add me to the list.
For those who thought it was something possibly to do with logging in, my mum has received email straight into her junk mail BUT she has not logged into her account for at least 2, possibly 3 years.
Ummmmmm........................
My beloved dog Molly 27/05/1997-01/04/2008
RIP my wonderful stepdad - miss you loads :A xxxxxxxxx :A
our new editions Senna :male: and Dali :female: both JRT
Would those who keep saying it's likely that passwords have been compromised without any proof please STOP!
It's highly irresponsible, wrong, and scares people.
No good website would store passwords in clear text and vBulletin certainly doesn't. Not even the admins of MoneySavingExpert could find out your password.
Do a search for "salted hashing".
In a nutshell it means that websites have a system where you give them your password and they can tell if it's correct without actually having to store the password itself.
Your password would not be stored here, only a hash of the password and that can't be used to obtain access to your account.
Hi folks,
Just an update on what we're planning to do. I had a meeting with the senior techies and team this morning to try and work out what's going on.
Having got back to a computer so late last night this is the first chance I've had to co-ordinate everything
- Spam email reported. This has been reported to the police, unfortunately this is just a formal procedure as little is ever done in these cases.
- We continue to investigate. Frustratingly we can't find any evidence of a breach happening (though of course we know it has due to the emails) and still don't know when it happened. Yet the guys are full time on it.
- News article to come. We are working on a detailed news story to condense the info and explain what's going on - which will go in news and on the home page and try and set out what's happened, what people should do, and the wider context.
- Password worries. Users have rightly raised concerns about their passwords. Any breach of password stored is unlikely (you wouldn't just have to get hold of them but unencrypt them too) and there is no evidence or even suggestion whatsoever that they've been used. Yet it is still a sensible precaution for anyone who also uses the same password for sensitive accounts e.g. bank accounts to change them.
As a general point it is always dangerous to use the same password for core secured info and social networks and forums. Many forums don't use full encryption (e.g. any that can email out your password to you are usually not fully encrypted) and they have less security details as the information is less sensitive.
We will be including this in the news story and intend to PM every forum member - as well as expanding the warnings on the change password page and new sign up page about not using such a password.
Unfortunately a site like MSE is constantly under attack from hackers, I learned today that it seems almost every minute someone is trying to hack our info - most of these attempts come from overseas - even though we have very little for these people to harvest other than email addresses - far less lucrative than if we held data such as addresses that could help with ID fraud.
Over the last year we've been through a number of security updates, and brought in external consultants to probe and test the site's security. It's something we take very seriously to protect our users - yet technology isn't perfect and determined hackers can on occasion, as this seems, find their way in. Again my personal apologies as well as from my team - I am very sorry this has happened, but we're doing our best to work with it.
Martin
Martin Lewis, Money Saving Expert.
Please note, answers don't constitute financial advice, it is based on generalised journalistic research. Always ensure any decision is made with regards to your own individual circumstance.
Don't miss out on urgent MoneySaving, get my weekly e-mail at www.moneysavingexpert.com/tips.
Debt-Free Wannabee Official Nerd Club: (Honorary) Members number 000
Received into my spam box, header from MoneyExpert.com to sparrer. Deleted without opening. Why don't some folks get a life?
I received mine this morning so thankfully after reading the warnings on here yesterday I deleted it immediately.
Low Carb High Fat is the way forward I lost 80 lbs
Since first using Martins I have saved thousands
Where does one begin? So much misunderstanding in one post!
"MSE passwords were harvested."
They are held as one-way hashes, so even if they were 'harvested' there's nothing that could be done with them.
And a Denial of Service attack has absolutely nothing to do with passwords!
So 'Big Business' sets up Denial of Service attacks against websites? A fascinating conspiracy theory!
It is standard practice for WhoIs information about the domain owner's address to be omitted if s/he is a private individual and not a company.
And what's so special (or worrying) about anyone knowing your IP address?