
tazman01

join:2002-02-10
NY
Reviews:
·Optimum Online

DSL Reports security issue

Help - I can't figure out how to change my dslreports password. I received this email below (I logged out and my dslreports password was changed but I got it by clicking forgot password and it was different than what it should have been):

Message from Justin, owner of ISP review site dslreports.com

At about 5pm tuesday US eastern time (today) I found a distributed 'sql injection attack' targeting dslreports.com. I blocked it upon spotting it, but the attack had already extracted about 8% of our user email address / password pairs. Your email and password was one that was revealed: The email extracted was "I removed my email for this post" and it was paired with a password first three characters of "I removed the letters for this post" characters long (I hope this is a good hint for you to recognize the password that was obtained).

I would advise you IMMEDIATELY change this password IF YOU ALSO use it on other sites paired with the email address "removed for this post".

I've no idea what the purpose of this attack was, or how long before they try using the data, but I imagine the data will be searched for possibly high value access elsewhere: paypal, ebay, gmail, banking sites. They got no other details, just email and password pairs.

I will post more details in this topic: »site user password intrusion info this week however at this stage I would rather get the information to impacted users fast BEFORE tipping the intruders off publicly that we know exactly what was obtained. It would be helpful if you can wait a day or two before posting publicly on the event.

Your compromised site password has been reset to a random one, please use the forgot password function www.dslreports.com/forgot to retrieve it.

I deeply regret that the site had this flaw and we had not updated to use of one way encrypted passwords, I will post in the topic referenced above but my priority right now is to get these emails out so you can act on them. If you use a different password and/or email address for key services online then you won't be at any risk.

If you have any questions on this, don't reply to this email as it comes from a script, instead please email me at justinbeech (at) gmail.com I will try to reply when I am able.


jmn1207
Premium
join:2000-07-19
Ashburn, VA

From the email sent out by DSLR:

"Your compromised site password has been reset to a random one, please use the forgot password function www.dslreports.com/forgot to retrieve it."

It takes a few minutes for the password reminder email to get sent out. When I selected the forgotten password function and did not receive an immediate email response, I thought it was too late for me and that my account info had already been changed by the culprits behind the site attack. After a brief moment of panic, the email with the new password did finally arrive.



tazman01

join:2002-02-10
NY

Thanks. I missed that dsl changed my password.



Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:3

reply to jmn1207
Does this mean the passwords weren't hashed and basically saved next to the username in an excel spreadsheet somewhere?



amazingm
Premium
join:2001-07-16
USA

Yes

Obviously having both an sql injection attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can.
»site user password intrusion info


Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:3
Reviews:
·Comcast

Isn't that one of the failings that led HBGary Federal to being hacked?

I understand it's a big no-no for users to use the same password on more than one site, but I have enough of a problem remembering 40+ passwords for various systems at work, that while at home, I commonly share passwords between sites (especially games, since it seems every game with persistent stats requires a damn logon), and I will have to be relooking all my home logons now.

Can we get DSLR to hash its passwords, even if it requires a lengthier/more complicated log-on process?
--
"The conservative criticism of our age is that liberals have turned from humanity, from the expansion of freedom for the individual, to a cultural bolshevism that can only be expressed in moral trickery and tyranny."
- Francis Graham Wilson



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

said by Krisnatharok:

I have enough of a problem remembering 40+ passwords

You think you have a problem?
»Funny Dilbert comic strips on too many passwords..

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2011/12


Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:3

Ahahahah! I just saw that -- so appropriate for today.


mdgreen

join:2000-08-19
Paron, AR

reply to amazingm

said by amazingm:

Obviously having both an sql injection attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can.

Unbelievable, plain text passwords stored, in this day and age. At the very least you could md5 them with a salt...

That being said, is there some secret to getting to account preferences? I cannot see a link anywhere to go to account preferences so I can change my password from the one the forum reset it to.
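The two flaws named in this thread, a SQL injection hole and plaintext password storage, are both fixed by the same small amount of code, which Krisnatharok's request for hashed passwords and mdgreen's "md5 them with a salt" point at. Below is an added example, not dslreports' code, of a minimal user store that uses parameterized queries (user input can never be parsed as SQL) and stores a per-user salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library) rather than plaintext. It goes slightly beyond the thread in preferring a slow key-derivation function over salted md5, since md5 is fast enough to brute-force at scale. The table schema, iteration count and function names are assumptions.

```python
"""Added example (not dslreports' code): a user store that avoids the two
flaws discussed above. Parameterized SQL keeps input data from being
interpreted as SQL; PBKDF2 with a per-user random salt keeps a leaked table
from revealing passwords directly. Schema and names are assumptions."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Assumed value: tune so one hash takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def open_store() -> sqlite3.Connection:
    """In-memory SQLite store with a constructed schema: email, salt, hash. No plaintext column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    """Store only salt and hash; '?' placeholders bind values as data, never as SQL text."""
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)", (email, salt, digest)
    )


def verify(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Look the user up with a bound parameter, re-derive the hash with the stored salt,
    and compare in constant time so timing does not leak how many bytes matched."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def stored_hashes(conn: sqlite3.Connection) -> dict:
    """What an attacker who dumped the table would see: email -> hash, no passwords."""
    return dict(conn.execute("SELECT email, pw_hash FROM users").fetchall())


if __name__ == "__main__":
    db = open_store()
    register(db, "alice@example.com", "correct horse")   # constructed sample user
    register(db, "bob@example.com", "correct horse")     # same password, different salt
    print(verify(db, "alice@example.com", "correct horse"))  # True
    print(verify(db, "alice@example.com", "wrong"))          # False
    print(stored_hashes(db)["alice@example.com"] != stored_hashes(db)["bob@example.com"])  # True
```

Because the salt is random per user, two accounts sharing a password (the habit Krisnatharok describes) still get different stored hashes, so a leaked table does not reveal which users reuse passwords, and each hash has to be attacked separately at the cost of the iteration count.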


jmn1207
Premium
join:2000-07-19
Ashburn, VA

said by mdgreen:

That being said, is there some secret to getting to account preferences? I cannot see a link anywhere to go to account preferences so I can change my password from the one the forum reset it to.

Try this link to update your password.

»/prof/passwd

You would have to be logged in for this to work.

pandora
Premium
join:2001-06-01
Outland
kudos:1
Reviews:
·ooma
·Google Voice
·Future Nine Corp..
·Comcast

reply to tazman01
I have making a separate gmail account for every service I use. However increasingly that seems to be necessary.

If google gets hacked, it's game over.
--
"People demand freedom of speech as a compensation for the freedom of thought which they seldom use."


mdgreen

join:2000-08-19
Paron, AR

reply to jmn1207
Thanks, found it. Although I decided against changing my auto-generated password until some sort of hashing is implemented. No point making it TOO easy on extremely lazy hackers.



JLevinworth

@embarqhsd.net

reply to tazman01

said by tazman01:

Help - I can't figure out how to change my dslreports password. I received this email below (I logged out and my dslreports password was changed but I got it by clicking forgot password and it was different than what it should have been):

The place where you can get help, per justin See Profile/the site owner, and where this should have been posted is contained in your OP (clipped below).

said by justin:

I will post more details in this topic: »site user password intrusion info this week however at this stage I would rather get the information to impacted users fast BEFORE tipping the intruders off publicly that we know exactly what was obtained. It would be helpful if you can wait a day or two before posting publicly on the event.
2011-04-27 20:17:51

It appears Mod help is needed to move/lock this thread.

over 12.5 years online © 1999-2012 dslreports.com.