News about UOAA and this Discussion Board.
Bob Webtech
Site Admin
Posts: 1000
Joined: 2005-09-29 11:17:09


Post by Bob Webtech »

Updated Information posted February 13, 2011

In our continuing effort to keep users as safe as possible, we have reconfigured our site so all pages in the discussion board are served in secure (https) mode. We went live with our https capability on Wednesday, February 9. Thus, when viewing content in this discussion board, you'll see an https (instead of http) prefix in your browser's URL bar, and the browser should display a padlock icon. This means that communication is encrypted, making your use of our board more secure, even when your connection to the Internet is not itself encrypted (for example, when using public wi-fi connections).

Meanwhile, this doesn't alter our recommendation (highlighted in red below) that all users who registered in this board before January 15 should change their passwords. So, if you haven't done so already, please change your password to something different than it was before January 15. And if you were using the same password for other Internet accounts/websites, you should change your password there too.

In case you've been using the board's "Log me on automatically each visit" feature (aka auto-login) as explained in the thread at viewtopic.php?f=5&t=4122 we suggest that you "refresh" your auto-login session by clicking the Logout button and then starting a new auto-login session. This will ensure that you get a "secure" auto-login cookie, taking better advantage of our new https capability.

Here is the original message posted January 17, 2011

This board was down for 46 hours because of a hacking incident. On Saturday afternoon, January 15th, an unauthorized person accessed the board's administrative controls and downloaded part of the board's database. As soon as we discovered the incident, we took the board down so we could investigate what happened and take steps to make sure it won't happen again. We are very sorry that your use of the Forums had to be interrupted.

In some ways, we were lucky. As far as we can tell, the person didn't change anything on the board. All posted messages, user accounts, forum settings, etc., are the same as they were. The main thing this person did was to download our user database. This database includes the e-mail address of every user. We have to assume that the person will sell these e-mail addresses to spammers, which means that you'll probably get some more spam e-mail eventually. Please understand, however, that when you receive a spam e-mail, there won't be any way to tell whether it resulted from this hacking incident or some other way, as spammers have numerous ways to acquire e-mail addresses.

The database that this person downloaded also included passwords; therefore all users should change their passwords. And if you use the same password for any other accounts or websites, you should change your password there too. This includes e-mail accounts, Facebook accounts, etc.

To change your password on this board, make sure you're logged in, then click User Control Panel near the upper left, then the Profile tab, then Edit account settings on the left side.

Please understand that all passwords in the database are encrypted in such a way that they can't be used directly for logging in. Spammers can run "cracking" software to try to un-encrypt the passwords, but they don't always succeed in cracking the passwords. If you have a very simple password (e.g., if it's just an English word), it may be easier to crack than a more complicated password. Also, assuming you've logged in to this board any time since November 2008 (when we upgraded our board from version 2 to version 3 of phpBB), your password is encrypted in a more secure form than it is for the users who haven't logged in since Nov 2008. (Of course, the users who haven't logged in since Nov 2008 probably aren't reading this message!)

Since it's possible that spammers will crack the passwords of some users who haven't changed their passwords, you may start seeing spam postings from some accounts, perhaps from accounts that haven't been used for a long time. If you find any such spam postings, please report them to Moderators immediately. Also, if you receive spam in the form of private messages or e-mail from any account on this board, please report that right away too.

We are very sorry that this incident happened. We promise to do our best to continue providing the safest and most secure environment possible for providing the mutual support that this board has been known for.
Bob Baumel, UOAA discussion board administrator