VBulletin.com hacked

Seems like a developing story, but worth a read, esp. on the evils of password resuse:

Password hack of vBulletin.com fuels fears of in-the-wild 0-day attacks | Ars Technica

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Master Of Puppets

It's funny how often a compromise happens because of password reuse. People hear about it from everywhere but they still continue to use the same password for everything.

JDMurray

So who is gonna pay US$7000 in Bitcoin to find out this 0-day is a hoax?

vBulletin Breach Prompts Password Reset — Krebs on Security

JDMurray

The official explanation so far: Regarding claims of New 0-Day Exploits in vBulletin. - vBulletin Community Forum

SephStorm

Master Of Puppets wrote: »

It's funny how often a compromise happens because of password reuse. People hear about it from everywhere but they still continue to use the same password for everything.

With good reason. It really is ridiculous to expect most humans to have 100s of passwords with different requirements that change every so often, each has to be changed ever 30-90 days, some for home, some for work. Don't even talk about password managers that can't be used at work in many cases, passphrases can suffer from the same vulnerabilities. Lets be realistic, I have around 10 gmail accounts, a yahoo account, 3 different work accounts, an admin account, and we haven't started on the larger internet.

Master Of Puppets

You do have a point but I don't think it's acceptable to reuse a password for the important things. Reality is that we have dozens of accounts to remember but when it comes to important work-related passwords or bank accounts and stuff like that, passwords should be changed. Forums and secondary emails can have the same password but if you have an account with administrative privileges which can lead to the compromise of thousands of users and company data, strong password policy has to be enforced.

JDMurray

I use LastPass to control my Web site passwords. For each of my Web site accounts I use an insanely unmemorizable character sequence and the maximum password length allowed by the site. I never need to remember password for Web sites anymore, only the insanely unmemorizable password I use for my LastPass account itself. LastPass will even remind me to change my passwords.

tpatt100

It requires a lot of discipline and really a change in overall attitude to stick with a disciplined password policy. I tried determining a decent password/email partitioning scheme and it almost gave me a headache......

What I mean by partitioning was I decided I was not going to have any email and password combinations that could result in a situation where if one is compromised it couldn't lead to other more important things being compromised. Companies made things a little easier with two factor authentication for financial information like requesting a number from a text message if you are using a new machine or cleared your cookies.

I wanted to make sure my primary email address that was linked to my bank was also not linked to investments but then realized my different email addresses pointed to each other as my alternative email addresses....So if one got compromised it was the default backup contact for a password reset for my investment account and then I got lazy one day and used it for Amazon which was tied to my debit card so I removed my debit card information and required myself to enter it every time I buy something and reject storing payment information.

I tried LastPass last year and it worked fine on my PC browser but I did have to do some editing for some sites because it would give me issues especially on financial sites with picture and pass phrases form fields. I really should just use it and restrain myself from mobile financial access all together because mobile phone containing access to my cloud and financial data is a walking identity theft bomb.