Attention - Password and Security Update - Alfa Romeo Forum
(Post Link) post #1 of 26 Old 14-06-16 Thread Starter
Status: Spider's asleepforwinter
testing
 
Admin_Support's Avatar
 
Join Date: Jul 2011
Location: united kingdom
County: Canada
Posts: 2,173
Garage

Member car:

Spider/GTA/

Attention - Password and Security Update

Hello all,

Over the next few days we will be implementing some changes to our forum password strength and password expiration policies. To make sure you continue having the best experience possible on the community, we regularly monitor the site and the Internet to keep everyone's account information safe. We've recently become aware of a potential risk to some accounts coming from outside of this community. Just to be safe, we are implementing the following changes to improve security even further:

1) We are asking everyone to change their passwords (and will force a one-time reset). Along with every user on the forum, new passwords will need to be more complex, and can't be simple words (sorry, you can't have "fluffy" as your password anymore!). Please use a password unique to this community. Reusing passwords can expose your account indirectly when other websites (Twitter, LinkedIn, Badoo, etc) are compromised; and

2) Your passwords will expire on a 365 day basis. When you log in on the 366th day, you will have to change it.

We'll also be sending out an email to users to let them know about the changes, in upcoming weeks.

Thanks all,

Helena

Community Management

Please post feedback, bugs, and questions about the upgrade here:

https://www.alfaowner.com/Forum/the-a...l#post12507945
Admin_Support is offline  
Status: -
AO Gold Member
 
Join Date: Nov 2002
Location: Canada
Posts: 6,205

Member car:

1973 Spider 2000

Okay, for a bit more transparency, this announcement came about because the company that now owns AO was hacked.
VerticalScope, online forum operator, hacked; says it's beefing up security - Technology & Science - CBC News
Toronto Spider is offline  
Status: Meh....
AO Platinum Member
 
Verbout's Avatar
 
Join Date: Feb 2014
Location: United Kingdom
County: West Yorkshire
Posts: 12,274
Garage

Member car:

Lexus

I'm not totally computer illiterate but.........it doesn't matter how robust I make my password if the owners can't keep MY information secure.

Am I correct?
RougeEau likes this.
Verbout is online now  
Status: -
AO Gold Member
 
Join Date: Nov 2002
Location: Canada
Posts: 6,205

Member car:

1973 Spider 2000

You're absolutely correct. The responsibility is on their end.
Toronto Spider is offline  
(Post Link) post #5 of 26 Old 17-06-16 Thread Starter
Status: Spider's asleepforwinter
testing
 
Admin_Support's Avatar
 
Join Date: Jul 2011
Location: united kingdom
County: Canada
Posts: 2,173
Garage

Member car:

Spider/GTA/

Quote:
Originally Posted by Toronto Spider View Post
Okay, for a bit more transparency, this announcement came about because the company that now owns AO was hacked.
VerticalScope, online forum operator, hacked; says it's beefing up security - Technology & Science - CBC News
The article fails to mention that the breach was for a third party plugin. This breach is on countless sites across the internet and not just limited to ours.

Their system was compromised and they grabbed user data for us and thousands of others. We cleared our part of the breach and went this route to further security. This is also in place as many members on the internet use the same or similar passwords across all things they use.

These tech blogs don't ever get the full story, they just have hearsay and run with and embellish it.

We cannot go into detail at the moment as it is being dealt with on a legal level.

Quote:
Originally Posted by Verbout View Post
I'm not totally computer illiterate but.........it doesn't matter how robust I make my password if the owners can't keep MY information secure.

Am I correct?
The security of members' accounts is very important to us and although a member's personal information or private information such as credit card info is not stored on the site, many people use the same password for multiple sites.

This could create a potential hole for a hacker to get your info which is what we would like to avoid. The forced password change for now is to ensure there are no holes on the forum and the one that should happen a year from now can be revisited then and we can look into if it is still needed on the site.

Thanks,
- JB
Admin_Support is offline  
Status: -
AO Gold Member
 
Join Date: Nov 2002
Location: Canada
Posts: 6,205

Member car:

1973 Spider 2000

Shouldn't the passwords have been stored in a format that makes them less attractive to hackers? Were they hashed and salted?

And the CBC is hardly a "tech blog" that runs with embellished hearsay. It may not be the first destination for detailed tech coverage, but it tends to adhere to journalistic standards.

Here's the take from a well-respected tech reporter who is absolutely ethical and very conscientious. Admittedly he does report about what the initial "tech blog" posted.

Also has this been going on since February? That's a pretty long time to wait to notify the community.
Toronto Spider is offline  
(Post Link) post #7 of 26 Old 20-06-16 Thread Starter
Status: Spider's asleepforwinter
testing
 
Admin_Support's Avatar
 
Join Date: Jul 2011
Location: united kingdom
County: Canada
Posts: 2,173
Garage

Member car:

Spider/GTA/

Quote:
Originally Posted by Toronto Spider View Post
Shouldn't the passwords have been stored in a format that makes them less attractive to hackers? Were they hashed and salted?

And the CBC is hardly a "tech blog" that runs with embellished hearsay. It may not be the first destination for detailed tech coverage, but it tends to adhere to journalistic standards.

Here's the take from a well-respected tech reporter who is absolutely ethical and very conscientious. Admittedly he does report about what the initial "tech blog" posted.

Also has this been going on since February? That's a pretty long time to wait to notify the community.
Hey there,

Yes, the passwords were salted and hashed, and only passwords that were very easy like 'fluffy' and 'password' or other dictionary words, have been cracked.

The original breach on the third party plugin was in February, that is correct. Unfortunately, we were only made aware at the beginning of last week and have responded accordingly.

Dayle
Admin_Support is offline  
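
The storage scheme and the "no simple words" rule discussed in the posts above, as an added example that is not part of any post and is not the forum software's own code: per-account salted PBKDF2 hashing plus a denylist check when a password is set. The denylist contents, the iteration count and all function names are assumptions; the 10-character minimum is the figure members quote in this thread.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample denylist. A real deployment would load a large list of
# common and previously breached passwords instead of these five words.
COMMON_PASSWORDS = {"fluffy", "password", "letmein", "qwerty", "alfaromeo"}

MIN_LENGTH = 10               # the minimum length members quote in the thread
PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to your hardware
STRIP_CHARS = "0123456789!@#$%^&*.-_"


def is_guessable(password: str) -> bool:
    """True if the password is a listed word, ignoring case and any
    trailing digits or symbols (so 'Fluffy123!' still counts as 'fluffy')."""
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or lowered.rstrip(STRIP_CHARS) in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per account means two
    members with the same password do not share a stored hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def set_password(password: str) -> Tuple[bytes, bytes]:
    """Apply the policy at set time, then store only salt and digest.
    A salt defeats precomputed tables but does nothing for a password that
    is on every guess list, so those are refused before hashing."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password shorter than %d characters" % MIN_LENGTH)
    if is_guessable(password):
        raise ValueError("password is a common word or a simple variant of one")
    return hash_password(password)
```

The check runs on the plaintext at set time because the stored digest cannot be compared against a word list without hashing every candidate with that account's salt.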
Status: A/C repaired hopefully
AO Silver Member
 
TonyGr's Avatar
 
Join Date: Dec 2011
Location: Scunthorpe
County: Lincolnshire
Posts: 4,422
Garage
Is this not a degree of overkill because some members may have been lazy with their passwords? Surely if someone uses the same password for a free to join forum and their personal banking that is silly. I do not use personal banking nor store personal data on the internet yet I am being forced to use a 10 character password which not only must have letters and numbers but symbols as well. So complicated that I may well have to write it down which goes against all the rules.
StMark likes this.
TonyGr is offline  
Status: Daddy bear
Global Mod Team
 
bazza's Avatar
 
Join Date: Nov 2002
Location: Congleton - The centre of
Posts: 44,415

Member car:

AMG C63 estate

Forcing me to reset my password, fine.

Making me do that, then auto-replacing it with a random one a day later was a bit vexing though. Especially when it then wouldn't let me put it back to the one I wanted, because I'd used it before (i.e. before it was replaced again!)

These overly complex rules for picking your password (symbols, numbers, capitals, etc) are a load of tosh. They don't make the password any harder to crack for an imposter, they just make it massively harder to remember for the genuine owner. Which means they write it down, which means it's massively less secure.
n13roy likes this.

"Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so." - Douglas Adams


"You know, sometimes the world seems like a pretty mean place."
"That's why animals are so soft and huggy."
- Calvin and Hobbes

To err is human, to moderate ursine.
bazza is offline  
(Post Link) post #10 of 26 Old 24-06-16 Thread Starter
Status: Spider's asleepforwinter
testing
 
Admin_Support's Avatar
 
Join Date: Jul 2011
Location: united kingdom
County: Canada
Posts: 2,173
Garage

Member car:

Spider/GTA/

Quote:
Originally Posted by bazza View Post
Forcing me to reset my password, fine.

Making me do that, then auto-replacing it with a random one a day later was a bit vexing though. Especially when it then wouldn't let me put it back to the one I wanted, because I'd used it before (i.e. before it was replaced again!)

These overly complex rules for picking your password (symbols, numbers, capitals, etc) are a load of tosh. They don't make the password any harder to crack for an imposter, they just make it massively harder to remember for the genuine owner. Which means they write it down, which means it's massively less secure.
We let users know that they would be being reset. I am sorry you went ahead and reset it yourself. I can change it back for you if you PM me?

Helena
Admin_Support is offline  
Status: -
Newbie
 
Locked_out's Avatar
 
Join Date: Jun 2016
County: -
Posts: 4
I've tried everything I can think of, but my original user name is still locked. To add insult to injury I've just had to agree to terms and conditions that say I won't have a duplicate account while being forced to use a duplicate account to post here. I'm having to post here because I can't send a bl**dy message to the admins because my old user name was subscribed but I don't want to go through that all again.

To admin - please can you reset the email address on my original username (mapalfa) to the one I've used for this ID.

Robin
Locked_out is offline  
Status: Daddy bear
Global Mod Team
 
bazza's Avatar
 
Join Date: Nov 2002
Location: Congleton - The centre of
Posts: 44,415

Member car:

AMG C63 estate

Quote:
Originally Posted by Admin_Support View Post
We let users know that they would be being reset. I am sorry you went ahead and reset it yourself. I can change it back for you if you PM me?

Helena
It didn't give me the choice! It forced me to change it myself, the day before it then automatically did it again.

No need to do anything further for me, just having a moan, everything is fine now!
bazza is offline  
Status: Misunderstood by many....
AO Platinum Member
 
n13roy's Avatar
 
Join Date: Feb 2008
Location: South Wales
Posts: 28,482

Member car:

147 JTDm Ti

I absolutely HATE this new site, they seem to be going out of their way, to discourage people to come and use it nowadays. Took me AGES to log in today ( AGAIN ) and I have been issued with a new password too, by some ****ing Administrator..................WHY..........What was wrong with my previous one........Rant Over......and I really think my patience has finally run out with this once brilliant site.......No wonder it's as dead as a DoDo in here now.......
symon and RougeEau like this.
n13roy is offline  
cgc
Status: Dreaming of upgrades
AO Silver Member
 
cgc's Avatar
 
Join Date: Jan 2010
Location: United Kingdom
County: Monmouthshire
Posts: 1,877
I can login with my new password but the new password box still comes up and can't get rid of it, really annoying.

Sent from my SM-G900F using Tapatalk
cgc is offline  
Status: Devoid of gorm
Global Mod Team
 
Halibut's Avatar
 
Join Date: Aug 2009
Location: Germany & Belgium
Posts: 7,558
Garage
Hi there Locked_Out/mapalfa..........I have done as you asked.
Sorry for the delay, I thought admin were dealing with it.
Anyway, try resetting your password again, you should get the mail.
Halibut is offline  
Status: -
Newbie
 
Locked_out's Avatar
 
Join Date: Jun 2016
County: -
Posts: 4
Quote:
Originally Posted by Halibut View Post
Hi there Locked_Out/mapalfa..........I have done as you asked.
Sorry for the delay, I thought admin were dealing with it.
Anyway, try resetting your password again, you should get the mail.
Sorted - thanks

That saved me from posting a page load of swear words to get someone's attention, which was going to be the next option as I thought my message to the admins had been ignored.

I'll delete this account now just to make sure I comply
Locked_out is offline  
Status: Devoid of gorm
Global Mod Team
 
Halibut's Avatar
 
Join Date: Aug 2009
Location: Germany & Belgium
Posts: 7,558
Garage
Quote:
Originally Posted by Locked_out View Post
Sorted - thanks

That saved me from posting a page load of swear words to get someone's attention, which was going to be the next option as I thought my message to the admins had been ignored.

I'll delete this account now just to make sure I comply
good good. Glad we got there in the end.
Halibut is offline  
cgc
Status: Dreaming of upgrades
AO Silver Member
 
cgc's Avatar
 
Join Date: Jan 2010
Location: United Kingdom
County: Monmouthshire
Posts: 1,877
Quote:
Originally Posted by cgc View Post
I can login with my new password but the new password box still comes up and can't get rid of it, really annoying.

Sent from my SM-G900F using Tapatalk
Now that big pop up box has gone, everything seems alright my end.
cgc is offline  
Status: Devoid of gorm
Global Mod Team
 
Halibut's Avatar
 
Join Date: Aug 2009
Location: Germany & Belgium
Posts: 7,558
Garage
Quote:
Originally Posted by cgc View Post
Now that big pop up box has gone, everything seems alright my end.
Excellent! looks like we are starting to get back to normal.
Glad it's sorted. (Although, I didn't do anything to sort your troubles, looks like you did it yourself.)
Halibut is offline  
Status: Returning a gtv toformer glory
AO Silver Member
 
alfaholik's Avatar
 
Join Date: Apr 2008
Location: United Kingdom
County: Mid Glamorgan
Posts: 1,097
Mooney

Quote:
Originally Posted by Admin_Support View Post
Hello all,

Over the next few days we will be implementing some changes to our forum password strength and password expiration policies. To make sure you continue having the best experience possible on the community, we regularly monitor the site and the Internet to keep everyone's account information safe. We've recently become aware of a potential risk to some accounts coming from outside of this community. Just to be safe, we are implementing the following changes to improve security even further:

1) We are asking everyone to change their passwords (and will force a one-time reset). Along with every user on the forum, new passwords will need to be more complex, and can't be simple words (sorry, you can't have "fluffy" as your password anymore!). Please use a password unique to this community. Reusing passwords can expose your account indirectly when other websites (Twitter, LinkedIn, Badoo, etc) are compromised; and

2) Your passwords will expire on a 365 day basis. When you log in on the 366th day, you will have to change it.

We'll also be sending out an email to users to let them know about the changes, in upcoming weeks.

Thanks all,

Helena

Community Management
Helena

This idea absolutely SUCKS!!! How dare you interfere with my password?? Not only have you deleted it.
You have changed it for some ridiculous piece of **** coding whose characters I don't even know the location of on my keyboard.

I'm furious, having been locked out twice trying to log on.

You are making this once brilliant forum more trouble than it's worth.

If this is the future of this forum I'll be going elsewhere.

You are a disgrace! We are not all computer techy types who like 10 character passwords with numbers, capitals and wait for it "Special Characters"

What do you think this is???? Do you think some hacker might practise on the Alfa forum before they start decoding the passwords for MI6? Are you a crazy woman? Do you really think you and this forum need to have this level of security?

IT SUCKS!!!!!

n13roy likes this.

Loving being back in alfa ownership!!
alfaholik is offline  
Status: BORED
 
David P's Avatar
 
Join Date: Aug 2003
Location: Ireland
County: Cork
Posts: 85,178
Garage
Alfa-holik1 <-- Just an example that a 10 character password which fulfills the required criteria doesn't have to be difficult to remember or input, however I suggest you don't use that

PS For anyone having trouble inputting the generated password contained in the email, just copy it from the email & paste it into the password box.

Last edited by David P; 03-07-16 at 20:16.
David P is offline  
Status: -
AO Member
 
Join Date: Jan 2008
Location: United Kingdom
County: Hertfordshire
Posts: 570
I've just hit this too and was forced to enter a long password with characters and numbers. There is no way I'll remember it next time I visit. It's only a forum FFS, this is tighter security than my bank.
RichardM is offline  
(Post Link) post #23 of 26 Old 05-07-16 Thread Starter
Status: Spider's asleepforwinter
testing
 
Admin_Support's Avatar
 
Join Date: Jul 2011
Location: united kingdom
County: Canada
Posts: 2,173
Garage

Member car:

Spider/GTA/

Hey Guys,

I just want to post here to shed a little more light on the situation, at least as much as we can provide at the moment.
Some of this information may have been expressed above by Jeff and Dayle. I just wanted to provide as much info as possible.

A 3rd party plugin that we and other networks use had its developers compromised. Their DB was breached and data was scraped. I can't ID the plugin as it's under legal investigation. However I can say that it had access to user data because it functions separately from the vb software. Many plugins do this, chats, newsletters, mobile apps etc. This is not an active breach, however as a precaution we did initiate security updates including password changes and new pass requirements.

Their system was compromised and they grabbed user data for us and thousands of others.
We cleared our part of the breach and went this route to further security.
This is also in place as many members on the internet use the same or similar passwords across all things they use.

Hackers who have access to these accounts, may be able to access other platforms where the same email and/or passwords are used.
Other platforms have been compromised as well, including Twitter, LinkedIn etc. We are just trying to get ahead of this, and nip it in the bud as soon as possible.

We cannot go into detail at the moment as it is being dealt with on a legal level.

Though this breach happened in Feb, we were not notified until very recently. We worked hard to find a solution for this mess, and acted on it. Though it may not be ideal in some eyes, it is the best we have access to ATM.
Once the storm settles we may look into other methods for our security, but right now we ask that you be patient with us.

As for us not responding to members, you have to understand our community support team watches over many sites. Luckily this week and last, we have had many members from other teams offer help. With that said all emails sent to our Contact Us email will be dealt with. Granted, it may take a little time for us to get to all of them, but please be patient with us as we are working really hard to catch up and help everyone.

If there are any other questions/concerns/feedback, please feel free to post them here.

Thank you for your patience and understanding,

Richard.
Admin_Support is offline  
(Post Link) post #24 of 26 Old 06-07-16 Thread Starter
Status: Spider's asleepforwinter
testing
 
Admin_Support's Avatar
 
Join Date: Jul 2011
Location: united kingdom
County: Canada
Posts: 2,173
Garage

Member car:

Spider/GTA/

Thanks Richard,

As for those having issues with your passwords, if you are unable to get your password resets properly sorted out due to old emails on your account still after the notice was sent out, we ask that you go down to the contact us area, and with the subject line of "password reset" add the following contents for me:

- Account Name
- Email On the account
- Email You need it changed to if need be

Add all this, then hit send, and someone on our team will answer that email and fix your account up no problem.

You can do the same and send us a PM privately to have it manually changed, but due to the influx and us tackling a lot of issues, this would be a slower way of getting it reset. We recommend you use the contact us form to get it resolved if you can. If that does fail though and you have waited too long, send us a PM and we will manually reset it. Just make sure you supply the information above for a quicker fix.

Also, If you do have the right email on your account, I would ask you to please check your spam/junk folders as sometimes with certain email providers, it tends to land in there.

Again, I personally apologize about the wait. We are tackling the password transition as quickly as we can. If you all need anything else, please let me know.

~Shane
Admin_Support is offline  
Status: -
AO Member
 
StMark's Avatar
 
Join Date: Aug 2009
Location: South Africa
County: Gauteng
Posts: 18

Member car:

156

Quote:
Originally Posted by TonyGr View Post
Is this not a degree of overkill because some members may have been lazy with their passwords? Surely if someone uses the same password for a free to join forum and their personal banking that is silly. I do not use personal banking nor store personal data on the internet yet I am being forced to use a 10 character password which not only must have letters and numbers but symbols as well. So complicated that I may well have to write it down which goes against all the rules.
I will not be using this site again because of this.
StMark is offline  