vBulletin.com / vBulletin.org Hacked

Discussion in 'vBulletin Discussions' started by BamaStangGuy, Nov 14, 2013.

  1. Big al

    Big al Regular Member

    I think that all three losers, Mark B /Paul M and Joe D should be fired. They are all contributing to the downfall of VB and IB. Their attitude towards VB customers is deplorable.
     
    SatGuyScott likes this.
  2. BamaStangGuy

    BamaStangGuy Administrator

    It is the same one, just got it on my end. Lots of complaints about the delays in even the email they got sent out. I got that email at 10:59PM CT today (11/16/13).

    I'm tired of people sticking up for vBulletin and the paid help that pops on to the admin forums at this point.

    It is a joke.
     
    Big al likes this.
  3. BamaStangGuy

    BamaStangGuy Administrator

    If you are on TAZ, I have responded to their thread but I am on Auto Moderation there for calling @Paul M a douche.

    So I have to wait to be approved because Howard has to control every single aspect of that site to the tee. Not much of a community over there at all.
     
    Big al likes this.
  4. Big al

    Big al Regular Member

    Totally unbelievable, the sheer incompetence and ignorance of the VB/IB support staff and management.

    I have just done some Google searches and read a small part of the fiasco about them on TAZ and elsewhere.

    The twisting and turning to try to play catch up by the VB staff is an abject lesson in failure.

    Surely the owners and bean counters of IB can see what is going down?

    The lies, propaganda, and unethical practises of some of the support staff are just a total farce, from supposed programmers and coders etc.

    I just shake my head at their total incompetence in dealing with anything that involves commonsense or actual thought.


    Is Bugs Bunny really running the show over there?
     
  5. Big al

    Big al Regular Member

    *THEIR* SECURITY TEAM DISCOVERED IT???? I thought Joe stated that they did not hide things on VB.org.
    Why hide the fact that others DISCOVERED the security risk?

    Yup it seems that Bugs Bunny is in fine form.
     
  6. BoostN

    BoostN Regular Member

    I received two separate emails regarding the hack from vB.com.
     
  7. Code Monkey

    Code Monkey Regular Member

    So just an example of how screwed up vb is. I follow the link to vBORG, which is on vb 3.something and it changed fine. I follow the link to vbulletin.com, which is on vb 5, and I mistyped the old pw because it has been so long and it wouldn't let me change it. But get this, it accepted my email change I typed in at the same time, with a bad password! WTF. Then I used the correct one and it kept sending me back to the change your password screen. I clicked on forums and I get the same screen. I click on latest posts or whatever it's called over there and I am in. What a piece of crap that software has become.
     
    Brandon likes this.
  8. s.molinari

    s.molinari Regular Member

    Interesting. I guess I have to take back a bit of my sarcasm and give IB some credit for doing the right thing.

    Some points to consider though, which I saw within 2 minutes of reading the email.

    1. The instructions in the email aren't correct. Something was done to make users have to log-in again first. If you click the link in the email, you are met with an empty page. Not even a "You aren't allowed to view this page until you are logged in" message. Just a completely blank page with the header and footer. Terrible UI #1.

    2. In one sentence the email says, "involving the illegal access of forum user information, possibly including your password." And in the next sentence it says, "the attackers accessed customer IDs and encrypted passwords on our systems." So, passwords, even though encrypted, were accessed, which means the "possibly" is totally out of place. Don't do tap dancing when it comes to security.

    3. "do not use the same password you used with us previously". Hmm....maybe a possible new feature for vBulletin? The "we got hacked and now you need to create a new password different from the one you had before check" feature? So users MUST create a totally new password? Sorry, my sarcasm coming out again. But still, jokes aside, any good identity authentication system would actually have that built into it, as a higher level of password security, along with the password aging function, which I believe vB5 actually has. Or does it?

    4. When I saved my new password, I was met with the same page again, but empty. No message that my input was saved properly. Just an empty page with all the fields looking like I'd have to fill it out again. Was my info saved or not? Do I really have to log back out and log back in, to test if my input was saved? Terrible UI #2 among many, many more..... (IB, you really need to look at who is in charge of the UI and replace them with someone who knows what they are doing!).

    Again, I commend IB for doing what was the right thing to do. Getting hacked is bad, but it is also part of a life in a computerized world and it can happen. It shouldn't, but it can. How an organisation deals with it is more telling about the organisation than the hack itself.

    Scott
     
    Brandon likes this.
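
Added example, not part of the thread and not vBulletin code: a sketch of the "new password must differ from the old one" check raised in point 3 above, combined with a breach flag that forces a reset at next login. The `Account` class, its method names, the PBKDF2 iteration count and the history size are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is used unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against one stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    """Hypothetical account record that keeps the last N salted hashes."""

    def __init__(self, password, history_size=5):
        self.history = [hash_password(password)]  # newest entry last
        self.history_size = history_size
        self.must_reset = False

    def flag_breach(self):
        # Set for every account once stored hashes are known to be exposed.
        self.must_reset = True

    def login(self, password):
        if not matches(password, *self.history[-1]):
            return "denied"
        return "reset_required" if self.must_reset else "ok"

    def change_password(self, current, new):
        # Any credential change first proves knowledge of the current password.
        if not matches(current, *self.history[-1]):
            return "bad_current_password"
        # Each old hash has its own salt, so the candidate is re-hashed per entry.
        if any(matches(new, salt, digest) for salt, digest in self.history):
            return "password_reused"
        self.history.append(hash_password(new))
        self.history = self.history[-self.history_size:]
        self.must_reset = False
        return "changed"
```

The history holds only salted hashes, so the reuse check never needs the old plaintext passwords.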
  9. Code Monkey

    Code Monkey Regular Member

    How they deal with it on day one is more telling. How they deal with it many days later after much denial is revealing.
     
    Big al likes this.
  10. ManagerJosh

    ManagerJosh Regular Member

    All I can say is Internet Brands got somewhat lucky on this one. They don't have to deal with the new California Data Breach Law SB 46.

    I haven't been paying too much attention to this data breach, but as soon as I finish my research homework, I'll post more details on what we can put together on my firm's blog.
     
    Big al and Brandon like this.
  11. s.molinari

    s.molinari Regular Member

    Did they deny the hack? I wasn't aware of that. I believe Paul admitted directly that test servers were compromised, when approached with the issue. And considering the "notice of infiltration" email was released 2-3 days after the hack was accomplished, you'd have to admit that is even lightning speed for IB. It could have been faster, yes. But let's give some credit where credit is due.

    What interests me more is what will be done to make sure this doesn't happen again.

    Scott
     
  12. Big al

    Big al Regular Member


    And so it continued in a similar vein.
     
    Autopilot likes this.
  13. ManagerJosh

    ManagerJosh Regular Member

    Since I own my own cybersecurity consulting firm, I want to point out that DEFENSE is hard. Responding to a security incident is equally as hard, if not harder.

    Releasing information too soon is detrimental. - You have customers demanding updates pretty quickly, including scope.

    Releasing information too late is also detrimental. - You have customers mad at you for not releasing it soon enough.


    The toughest part is the investigation phase, to identify the scope of the breach, and what assets were potentially taken.
     
  14. Iconic

    Iconic The Original

    I can't seem to be able to change my password on the site. Oh well might try it again next week.
     
  15. Peace

    Peace Regular Member

    I'm being prompted for server logins all over vB.org - screenshot in the post below:

    http://www.vbulletin.org/forum/showpost.php?p=2461405&postcount=91

    Not putting my login info there until I know this isn't a phishing scam. I've PM'd Ozzy, who has always been really friendly & helpful. Hopefully we can figure out what's going on!
     
  16. Autopilot

    Autopilot Regular Member

    Did anyone stop to wonder how it is that by clicking on that link in a generic email you are taken to a page that allows you to change your password without first logging into your account there? How do you know you are changing your account's password??? Given that the hackers now have all customers' pertinent information from vBOOM's database, could this email have come from the hackers and not vBOOM???? Inquiring minds want to know............
     
    Big al likes this.
  17. GeorgeB

    GeorgeB Building Social Communities Since 2004

    I still haven't gotten an email from vbulletin...

    Ha, that may be true Brent but you are featured in the TAZ newsletter I just got a couple seconds ago. Avatar and everything :D

     
    BamaStangGuy likes this.
  18. signal500

    signal500 Regular Member

    Not a surprise, the guy that runs TAZ is such a raging douche bag it's unreal.
     
    Big al likes this.
  19. Alfa1

    Alfa1 Regular Member

    This clarifies a bit:
     
    Big al, Peace and Brandon like this.
  20. Peace

    Peace Regular Member

    It doesn't exactly bode well that we (and they) are just now finding out about a hack from the summer. Never good news when your hackers are the ones to alert you of your site being hacked (over social media no less)... Yeesh.
     
    Alfa1, Big al and Brandon like this.
