On the topic of the hack

[TheHogSmasher]

On the topic of the hack I have a few questions for Linus, not the moderators or Admins who work outside of LMG as they wont be able to give enough details.

 

Now that everything is cleaned up on the Twitter and registrar side, can you tell us some details on what's been done to ensure the database hasn't been compromised? Wiping / Altering logs isn't a hard thing for a hacker worth their weight in vodka.

 

The other major thing, what will happen if it is believed that the forum database wasn't compromised and does end up on a market online. These are serious allegations and all we've been told so far is "Nothing has been hacked. They just got our domain. Don't worry". Can we get something more re-assuring? Where logs checked on the forums and cloudflare?

 

As for the future will LMG employ 2Factor authentication further across all accounts possible?

 

And for the final major question. In the event the database ever does get leaked, has the forum been setup to use long unique salts for each password with a harder hashing algorithm such as sha512 / bcrypt?

 

Edit:

 

The reason I'm asking these questions especially the ones about how the passwords are protected is to ensure no one with a few TB's of hard drive space and some time can do a rainbow tables attack in the event they are ever leaked.

[Guest]

As I've previously mentioned in other threads, we're currently assessing what has happened and identifying, what if any data has been compromised. Once we've completed this assessment, we'll notify all users as to the status of the security and integrity of their data.

 

[Manage My Cables]

LinusTechTips.com was up for sale for about 2 mins lol. Should have brought it.

[TheHogSmasher]

1 minute ago, Windspeed36 said:

As I've previously mentioned in other threads, we're currently assessing what has happened and identifying, what if any data has been compromised. Once we've completed this assessment, we'll notify all users as to the status of the security and integrity of their data.

 

 

Linus said this means nothing for the user data and that they only got the DNS but didn't tell us any assessments of the damage done. It seems like it was just to calm people down and might end up with a "Oops! Turns out we where actually hacked" post. 

[tt2468]

3 minutes ago, Manage My Cables said:

LinusTechTips.com was up for sale for about 2 mins lol. Should have brought it.

That would be cybersquatting, which is illegal from what I understand.

[Guest]

3 minutes ago, TheHogSmasher said:

 

Linus said this means nothing for the user data and that they only got the DNS but didn't tell us any assessments of the damage done. It seems like it was just to calm people down and might end up with a "Oops! Turns out we where actually hacked" post. 

This is the situation we're trying to avoid - if we come out half an hour or an hour ago saying everything is fine and then 20 minutes from now, find there's an issue then we're going to look pretty stupid. Hence why we're waiting until we're sure before we make an announcement clarifying what has happened. 

[TheHogSmasher]

2 minutes ago, Windspeed36 said:

This is the situation we're trying to avoid - if we come out half an hour or an hour ago saying everything is fine and then 20 minutes from now, find there's an issue then we're going to look pretty stupid. Hence why we're waiting until we're sure before we make an announcement clarifying what has happened. 

 

On June 28, 2016 the Linus Media Group domain registrar account was compromised.

 

The exact methodology of the "hack" won't be disclosed for obvious reasons, but I can assure you that despite any claims to the contrary, the appropriate safeguards were in place on our side, and as I type this Yvonne is having a very heated phone discussion with the 3rd party responsible for the breach.

 

Anyway, the thing most of you are probably wondering about right now is what this means for your forum account or personal information, and the answer is very simple:

 

NOTHING.

 

The "hacker" simply changed the DNS settings in the dashboard and did not at any time have access to the linustechtips.com server. Any claims of a database dump are categorically false.

 

The compromised accounts - including Twitter - have been restored.

 

I hope this clears things up.

 

Linus

[Zyndo]

I wanna see a youtube video of linus goin on a rant about this =)

[burnttoastnice]

15 minutes ago, TheHogSmasher said:

And for the final major question. In the event the database ever does get leaked, has the forum been setup to use long unique salts for each password with a harder hashing algorithm such as sha512 / bcrypt?

 Didn't read the entire post but saw stuff about hashing and compromise. Here's the documentation: https://www.invisionpower.com/support/guides/_/advanced-and-developers/miscellaneous/passwords-in-ipboard-r130

 

Hashed and salted so nothing to worry about.

[tt2468]

8 minutes ago, Windspeed36 said:

As I've previously mentioned in other threads, we're currently assessing what has happened and identifying, what if any data has been compromised. Once we've completed this assessment, we'll notify all users as to the status of the security and integrity of their data.

 

I would say you guys should still send an email or announcement out asking people to change their passwords. I have already. It's just a good idea.

[TheHogSmasher]

7 minutes ago, burnttoastnice said:

 Didn't read the entire post but saw stuff about hashing and compromise. Here's the documentation: https://www.invisionpower.com/support/guides/_/advanced-and-developers/miscellaneous/passwords-in-ipboard-r130

 

Hashed and salted so nothing to worry about.

Hash + salt only slows down, doesn't stop.

 

Edit:

 

It's md5. Jesus christ we're doomed.

 

Edit:

 

bcrypt + salt

 

 

[burnttoastnice]

5 minutes ago, TheHogSmasher said:

Hash + salt only slows down, doesn't stop.

 

Edit:

 

It's md5. Jesus christ we're doomed.

Good news! That's the documentation from the version 4 years ago. I don't remember whose post I copied and pasted that from but here's the official response from a mod:

 

2 minutes ago, Blade of Grass said:

They are storied using industry standard methods - salted and with numerous rounds of BCRYPT

 

Salted BCRYPT

 

[DiabeticMadman]

Hopefully Linus makes a video on it or explains it in the WAN show.

[Sapemeg]

Social Engineering is the most successful vector of attack these days.

 

How I Lost My $50,000 Twitter Username by @N https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.hmtbqq3qv

[BuckGup]

4 hours ago, TheHogSmasher said:

On the topic of the hack I have a few questions for Linus, not the moderators or Admins who work outside of LMG as they wont be able to give enough details.

 

Now that everything is cleaned up on the Twitter and registrar side, can you tell us some details on what's been done to ensure the database hasn't been compromised? Wiping / Altering logs isn't a hard thing for a hacker worth their weight in vodka.

 

The other major thing, what will happen if it is believed that the forum database wasn't compromised and does end up on a market online. These are serious allegations and all we've been told so far is "Nothing has been hacked. They just got our domain. Don't worry". Can we get something more re-assuring? Where logs checked on the forums and cloudflare?

 

As for the future will LMG employ 2Factor authentication further across all accounts possible?

 

And for the final major question. In the event the database ever does get leaked, has the forum been setup to use long unique salts for each password with a harder hashing algorithm such as sha512 / bcrypt?

 

Edit:

 

The reason I'm asking these questions especially the ones about how the passwords are protected is to ensure no one with a few TB's of hard drive space and some time can do a rainbow tables attack in the event they are ever leaked.

First don'y keep making threads about this. Second he had 2FA but he had an android and there is a very easy exploit that allows them to "hijack" your phone number and phone making it appear offline. This allows for the 2FA to be useless. Boogie2988 just had PoodleCorp do this and he had 2FA and he explained it.

[laminutederire]

6 hours ago, tt2468 said:

I would say you guys should still send an email or announcement out asking people to change their passwords. I have already. It's just a good idea.

What about the dumbass like me who sign in with their Facebook account?

[KuJoe]

6 minutes ago, laminutederire said:

What about the dumbass like me who sign in with their Facebook account?

LTT cannot access Facebook's servers so you're safe.

[KuJoe]

7 hours ago, tt2468 said:

I would say you guys should still send an email or announcement out asking people to change their passwords. I have already. It's just a good idea.

Changing your password regularly on all websites is a good idea but in this case it's not required because they did not access the server itself, only their DNS. I highly doubt the LMG team is crazy enough to use passwords to protect their web server. I also hope after the last forum hack they're protecting the Admin/Mod CP with mod_auth or IP whitelists.

[Blade of Grass]

10 hours ago, tt2468 said:

I would say you guys should still send an email or announcement out asking people to change their passwords. I have already. It's just a good idea.

We're quite cautious when it comes to security on the forum, if we felt it nessesary to, we would have forced a password reset (as we've done in the past).

[Nitroblast]

8 hours ago, Blade of Grass said:

We're quite cautious when it comes to security on the forum, if we felt it nessesary to, we would have forced a password reset (as we've done in the past).

Is a random password created if you use an external identity provider, e.g. Twitter that could allow someone with a breach of the database to login to your account?

 

Also, if you originally made an account with a username and password - is it possible to remove that in exchange for an external login provider?

[vanished]

I believe this is sort of the unofficial official thread now.  All conversation should be moved over there: