IMPORTANT! Have you received an email to your forum username?

Comments

  • I joined 12.11.09 and have not received spam or a warning email.

    I double checked my spambox to make sure.

    HTH
  • I only joined on Wednesday 17th (yesterday) and did not receive an email.
  • leew
    leew Posts: 730 Forumite
    I joined in 2004 and I got one :mad: went straight into my Junk folder though :)
  • thelawnet
    thelawnet Posts: 2,584 Forumite
    Rossy. wrote: »
    Without sounding rude clearly you haven't read the MSE team's responses.

    Without being rude you haven't got a clue what you are talking about.
    This email was just "generic" spam under the false pretense of coming from MSE.

    Er no, 'generic' spam would be for instance sending email to 'thelawnet@hotmail.com' on the basis that my username is 'thelawnet' and therefore I am likely to have that email address.

    Or if I'd put a post up saying 'if anyone wants to contact me, please email me at thelawnet@yahoo.com', they could find that email address on the web page and send spam to it.

    This is NOT generic spam, it is emails and usernames obtained by hacking. MSE apparently have no idea how this information was obtained.
    MSE have CLEARLY stated that passwords would not have been taken

    No they didn't say that at all.

    I quote:

    "If you use the same password as with your bank - consider changing it urgently. We have absolutely NO evidence that forum users passwords have been accessed, it would be a particularly difficult thing to break the encryption. However if you use the same password here as for a bank website or any other that holds sensitive personal data, and use the same email as your forum email – we suggest you change those passwords as a precaution. "

    They said:
    1. they have no evidence that passwords have been accessed
    2. it would be "particularly difficult thing to break the encryption"
    Point 1 contradicts what you said, the fact that they have no evidence is not the same thing as saying that it hasn't happened. In fact it appears they have no evidence that the emails were taken, apart from the spams we've received, so this is actually an empty statement - the only thing we know is that usernames and emails have been stolen, we don't know how that happened or what else, if anything, was taken.

    Considering HOW the information might have been obtained, my guess would be a SQL injection attack; given that the entire username/email list has apparently been obtained, this seems more likely than some sort of vulnerability allowing individual username/email pairs to have been captured. It's possible, in the event this was a SQL injection attack, they just obtained usernames and emails, but frankly 'select *' is more straightforward and likely.

    Point 2 is just rubbish, it's not that difficult at all, a dictionary attack using just the top 500 passwords, something that would take under a minute on a modern computer for the entire database, would crack around 100,000 usernames, assuming the user table has been compromised (and there's certainly every reason to believe it has been).
    Your log on information is completely safe and you can change your password if you feel the need to.

    That's nonsense. The login information is quite clearly NOT completely safe.

    We already know that the server has been compromised. That's the first thing. Given that it HAS happened, it's therefore not 'completely' unlikely that it will happen again.

    Secondly, given that the usernames and emails have been compromised, it's entirely reasonable not to mention prudent to assume that they also have the rest of the user table, i.e. password hashes and salts. Given that this is so, as I've already mentioned, it ranges from utterly trivial to somewhat challenging to crack it.
    Personally I just don't think MSE have done anything wrong. I think they've done a fantastic job and I really hope they continue to do so

    Well my view is the PM is unnecessarily mealy-mouthed.

    Straightforward:

    "Dear MSE user,

    It has come to our attention that the MSE forum usernames and emails have been obtained.
    We are not sure how this happened, and while the usernames and emails are not of themselves a security risk, beyond receiving extra spam, there is a high chance they have also received the encoded passwords from the database.

    With access to the encoded password and salt it is relatively straightforward to derive your password. Therefore if you have used the same password on any other site, you are advised to change your password on those sites NOW. In addition, you may want to change your password on this site.

    You are reminded to never reuse passwords on sensitive sites such as banking, online shopping, email, and anything else with access to your financial data."
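Added example, not part of thelawnet's post or MSE's code: an operator-side audit illustrating the point in the post above that a salt stored beside the hash does not protect a common password. The hash scheme (single-round salted SHA-256), the sample users, the short candidate list and the user count are constructed assumptions; the thread does not state the forum's real scheme.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a "top N passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "monkey"]

def fast_hash(password: str, salt: bytes) -> bytes:
    """Assumed legacy scheme: one round of salted SHA-256."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def make_user(name: str, password: str) -> dict:
    """Build a user-table row the way the assumed scheme would store it."""
    salt = os.urandom(8)
    return {"name": name, "salt": salt, "hash": fast_hash(password, salt)}

def accounts_needing_reset(users, candidates=COMMON_PASSWORDS):
    """Names whose stored hash matches a common password.

    The salt is in the same row as the hash, so it only forces one hash
    per (user, candidate) pair; it does not hide a weak password.
    """
    flagged = []
    for user in users:
        for candidate in candidates:
            if hmac.compare_digest(fast_hash(candidate, user["salt"]), user["hash"]):
                flagged.append(user["name"])
                break
    return flagged

def guess_work(n_users: int, n_candidates: int, kdf_iterations: int = 1) -> int:
    """Hash computations needed to try every candidate against every user."""
    return n_users * n_candidates * kdf_iterations

# Constructed sample rows, not real forum data.
SAMPLE_USERS = [
    make_user("alice", "qwerty"),
    make_user("bob", "c0rrect-h0rse-battery"),
    make_user("carol", "123456"),
]

if __name__ == "__main__":
    print("force reset for:", accounts_needing_reset(SAMPLE_USERS))
    # 500 candidates per user; the user count here is a constructed figure.
    print("single-round hashes:", guess_work(1_000_000, 500))
    print("PBKDF2 at 600k iterations:", guess_work(1_000_000, 500, 600_000))
```

Accounts flagged this way are the ones to force-reset first; a slow key-derivation function multiplies the cost of each guess but does not rescue a password that is on the list.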
  • Snoooopy got one too, but deleted it straight away. An email and looking I think may be one in my pm....
  • I received one this morning and deleted it
  • London50
    London50 Posts: 1,850 Forumite
    Received yesterday, deleted without opening
  • KxMx
    KxMx Posts: 11,138 Forumite
    I agree re passwords and usernames. I have separate passwords for sensitive/ financial info, like bank, amazon, facebook, email, Paypal, and then one for everything else as I can't remember a different one for every forum I visit.

    Lately I have been changing the usernames around so it's not so easy to track me on the web.

    Just common sense really!
  • Nice to see it was buried into the news below a few older stories. Quite clear that MSE are thinking of their reputation and PR in their statements and publicity to ensure they can't be accused of covering it up but not making it as public as they could or should.

    I also think some people need to remember this site has people who earn salaries and make a lot of money from its existence. Why should they be any less accountable than a bank or supermarket? They shouldn't and are not in the eyes of the law.

    The poll suggests to me it is the historical breach to blame (5% is probably mistaken/trolls) and that the website could have acted far better at that time so people could proactively protect themselves rather than wait until the information was used. Not everyone is IT savvy.
  • Rossy.
    Rossy. Posts: 2,484 Forumite
    Nice to see it was buried into the news below a few older stories. Quite clear that MSE are thinking of their reputation and PR in their statements and publicity to ensure they can't be accused of covering it up but not making it as public as they could or should.

    I also think some people need to remember this site has people who earn salaries and make a lot of money from its existence. Why should they be any less accountable than a bank or supermarket? They shouldn't and are not in the eyes of the law.

    The poll suggests to me it is the historical breach to blame (5% is probably mistaken/trolls) and that the website could have acted far better at that time so people could proactively protect themselves rather than wait until the information was used. Not everyone is IT savvy.

    That's out of order

    Why shouldn't Martin, his team etc be paid? Look at the scale of this site.. It couldn't be run from someone's bedroom.

    If people really believe MSE sold details then you're either extremely paranoid or have nothing better to say about a site that has probably helped you in some way.

    I'm not affiliated with anyone from here but they've helped me and I'm grateful. Splurting off with selling details is bang out of order and if you feel that way then don't bother logging back on
    If Adam and Eve were created first
    .Does that mean we are all inbred
This discussion has been closed.