Password changed?

I've been a member for a while now and when I tried to log in tonight I was greeted by my password was changed by an admin. Not a big deal as I was able to reset my password. Any reason this happened?

Find more posts tagged with

Comments

COBOL_DOS_ERA

AvgITGeek said:

I've been a member for a while now and when I tried to log in tonight I was greeted by my password was changed by an admin. Not a big deal as I was able to reset my password. Any reason this happened?

You are not alone, the same thing just happened to me too.

FluffyBunny

Ditto. Smells like a data leak which still needs to be announced

Johnhe0414

Same thing happened here..

AvgITGeek

While I didn't think too much about it, I did change my password to something that isn't used anywhere else when it asked. So only a handful of us were affected? Who to notify? @Infosec_Sam @Meggo

MrsWilliams

It happened to me as well.

I wasn't going to say anything because I haven't yet decided how much I care. This is actually about my fourth time reading this before I decided to respond.

@beads had an issue and they fixed it. Then they DELETED his post. Suspicious hugh? Ya'll thought I didn't see it. I see everything. But, I am not sure how much I cared. @JDMurray @cyberguypr @Infosec_Sam @Meggo @scaredoftests @UnixGuy

You see, with the new "Infosec website" they gave at least 3 people (that I can think of right now) new admin/mod roles. Where are they at now? They are all ghosts for this post.

I guess, they just have the title and are very selective in how they respond... very..... ....... ..... before I read a response about I have a job, it's 24hrs in a day. If you are working over X amount of hours a day it's labor laws in America and if it's a problem, I have a good attorney I can refer you to for 5% or give the "title or role" up
......
@AvgITGeek posted this 2 days ago and I've seen mods/admins post on other topics since then. Funny hugh? Don't make me link the posts and don't you delete them either

Truth is, 35%-75% of the questions being answered, have been asked before. All of the I passed (well you weren't the only one), I failed (well you weren't the only one), how do I pass this test (been answered before), study methods and suggestions (been answered before) IT Jobs/locations/hubs/Pay/ (have all been answered before) have all been posted on this site in the bulk. So, technically most questions have answers that the user just has to look for. So, the deletion of the post really raised some hairs..like hmmm.... why? I can find you 40 posts that are not beneficial to the positive development of anyone on this site that could be deleted. So...I had some suspicious.

I could bet my check that it's more than 5 people who have/had issues. I honestly I am not sure how much I care. Plus, in order to know you have to change your password, you first have to attempt to login. If someone is just casually visiting the website, they wouldn't know. BUT I know it's more people that HAVE logged in that had to make the change. To state facts, this site just came to "HTTPS" this year. Some of us, even under different account names (or names we forgot) have been on this site 5+ years entering in our password. With us being humans, I am sure it's a lot of re-used passwords. It's no doubt in my mind whatsoever that the website admins or whoever can get (or got) our password. If you can't get a password on a website that YOU are hosting in unsecure text you are a ...

Neutral Standpoint:
In the site defence and from a neutral standpoint, when you were using a non-secure website to enter in your password 10 times a week on this site none of you rioted and stopped logging in to this site!!! They could have got your password Y.E.A.R.S ago now all of a sudden it's a problem? Nobody forced you to login LOL

@beads post doesn't exist anymore. Usually in the years of this site, before anyone knew what or who InfoSec Institute was (without the "obvious" joint venture, people still wouldn't know who they were/are) people only got deleted for SPAM/Domps, etc. Now questions are getting the "answered" mark.

@AvgITGeek
@promethuschow
@FluffyBunny
@Johnhe0414

I am about to screenshot this message just in case some more suspicious activity coincidentally happens to my account.

cyberguypr

I also experienced the password change issue described above. Before that was the constant random need to log back in. I have no knowledge of the specifics of any of this and also defer to @Infosec_Sam @Meggo for an official response.I'll pause here until an official answer is given.

Infosec_Sam

Hey there, everyone! To address the password change - I was notified by Vanilla Forums about two weeks ago that they found and patched a vulnerability in their platform. They didn't find any evidence of wrongdoing, but sent out a platform-wide password change as a safety precaution. Since they didn't find any malicious activity, I figured it didn't warrant a system-wide announcement, but clearly I should know better than that!

I've been answering questions as they get PMed to me, but I haven't had time to scroll through the forum to look for discussions about it as well. As far as I'm aware, the gist of it was just that they found a bug, patched it up, and took some extra safety precautions. If you've got any other questions, feel free to ask!

MrsWilliams

Infosec_Sam said:

Hey there, everyone! To address the password change - I was notified by Vanilla Forums about two weeks ago that they found and patched a vulnerability in their platform. They didn't find any evidence of wrongdoing, but sent out a platform-wide password change as a safety precaution. Since they didn't find any malicious activity, I figured it didn't warrant a system-wide announcement, but clearly I should know better than that!

I've been answering questions as they get PMed to me, but I haven't had time to scroll through the forum to look for discussions about it as well. As far as I'm aware, the gist of it was just that they found a bug, patched it up, and took some extra safety precautions. If you've got any other questions, feel free to ask!

I am not going to ask questions like:

What kind of "vulnerability.

Or say things like..

Not all "vulnerabilities" require a (site-wide) passport change, trust me on that.

Or things like when it is something that effects EVERYONE, maybe a mass notification would have been helpful

Or say things like

Thinking that people that have been in the industry for 10-20 years wouldn't notice is plain disrespectful to everyone who logs on.

I am not going to say anything like that. I am just going to say thanks for letting us know and have a great day! I appreciate your response.

Infosec_Sam

Those are super valid questions, and I'll be sure to be more on top of things if this type of incident ever happens again, regardless of severity. For those of you who are interested in the technical details about the bug they found, here's what they sent to me a few days after the password reset:

Some Background

Vanilla stores records of user information in its databases, for display and authentication purposes. The full record is generally not visible to the public and is guarded by various permission checks through Vanilla's controllers and API endpoints.

In Vanilla's APIv2 endpoints additional validation exists to ensure that only certain, predefined fields are returned from any particular endpoint. This is called a Schema.

What happened

A bug in sanitization logic caused the schema not to be applied to a single APIv2 endpoint. For customers using our "Rich Text Editor" this caused user records to outputted to the HTML source sent to browsers while quoting comments and discussions. While this data was not visible to the eye, it could be accessed by:

· Inspecting the network requests while quoting some user content.

· Inspecting the HTML of rich comment or discussion quotes.

In addition, for all Vanilla customers regardless of text editor in use:

· Calling the /api/v2/media/scrape endpoint directly (with permission to view the scraped discussion or comment). We are currently evaluating logs to determine if any evidence of malicious action against this API is present, thus far no evidence is present in the log reviews performed to date.

‌

Affected data includes entire user records made up of:

· Usernames.

· Passwords (salted & hashed)

· Our hashing mechanism is BCRYPT with a cost of 10

· Email Addresses

· IP addresses

· User preferences

· Users roles and ranks

PC509

Infosec_Sam said:

Hey there, everyone! To address the password change - I was notified by Vanilla Forums about two weeks ago that they found and patched a vulnerability in their platform. They didn't find any evidence of wrongdoing, but sent out a platform-wide password change as a safety precaution. Since they didn't find any malicious activity, I figured it didn't warrant a system-wide announcement, but clearly I should know better than that!

I've been answering questions as they get PMed to me, but I haven't had time to scroll through the forum to look for discussions about it as well. As far as I'm aware, the gist of it was just that they found a bug, patched it up, and took some extra safety precautions. If you've got any other questions, feel free to ask!

With a forum full of paranoid tech people and security junkies, it probably needed an announcement. We think the worst, especially when it looks like something may have been breached.

Even if there was nothing malicious, with a forced password change for everyone, we were freaking out.

I think it's comical, really. Not a big deal at all.

beads

A blanket system wide banner stating something about the account resets seems to be in order. In my case an old email address, once compromised (ahem) lead to me changing accounts, carriers and am still occasionally cleaning up some occasional access. Knowing that it would be rough to get through and still in my second year since the change. Nothing really shocks me about the situation outside of a banner to clue us in on the situation.

Meggo

@beads we can definitely do that! We'll be sure to be much more transparent with these types of things moving forward. As soon as Vanilla notifies us, we'll notify the forum.

beads

Otherwise, people coming back, after say a long absence may mistakenly believe they aren't welcome. Understand I am usually a bit controversial in some of my ideas over the years but I do know what I am talking about from experience.

scaredoftests

Agreed, needs an announcement.