Thursday, November 22nd 2012

Please Reset Your TechPowerUp Forums Password

Earlier today (22/11), TechPowerUp servers were hacked. The attacker gained access to the forums user database, which stores user information. Details such as usernames and hashed and salted passwords fell into the wrong hands. Thanks to GPGPU, the passwords are as good as compromised. We have undertaken a security review and are mandating a password change for all users. Your old password will not work; click the "forgot password" link and follow the instructions to reset it. If you use the same password (as your old TPU password) on other sites, change it there to something completely different. We sincerely apologize for the inconvenience, and promise to improve our security infrastructure.

If you no longer have access to the email account you used to register, please email w1zzard@techpowerup.com and mention your username, old e-mail, new e-mail and IP address you typically use to post on the forums.
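
Why a salted hash alone does not protect a stolen database: the following is an added example, not code from TechPowerUp or vBulletin, comparing the per-guess cost of a single salted digest with a stretched one. The single SHA-256 pass, the PBKDF2 iteration count, the keyspace and all function names are assumptions made for illustration; the timings come from one CPU core and only show the ratio between the two schemes.

```python
import hashlib
import os
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen for this example


def fast_salted_hash(password: str, salt: bytes) -> str:
    """One pass of a general-purpose digest over salt + password (assumed scheme)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes) -> str:
    """Same salt and password, but stretched with PBKDF2-HMAC-SHA256."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return raw.hex()


def seconds_per_guess(scheme, rounds: int) -> float:
    """Average cost of testing one candidate against one user's salt."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        scheme(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


def days_to_exhaust(keyspace: int, secs_per_guess: float) -> float:
    """Time to try every candidate in a keyspace for a single account."""
    return keyspace * secs_per_guess / 86_400


def compare(keyspace: int = 36 ** 8) -> dict:
    """Default keyspace: 8 characters drawn from lowercase letters and digits."""
    fast = seconds_per_guess(fast_salted_hash, 20_000)
    slow = seconds_per_guess(slow_salted_hash, 3)
    return {
        "slowdown": slow / fast,
        "fast_days": days_to_exhaust(keyspace, fast),
        "slow_days": days_to_exhaust(keyspace, slow),
    }


if __name__ == "__main__":
    result = compare()
    print(f"stretching makes each guess {result['slowdown']:,.0f}x more expensive")
    print(f"single digest: {result['fast_days']:,.1f} days; PBKDF2: {result['slow_days']:,.0f} days")
```

The salt makes identical passwords hash differently per user, which rules out precomputed tables, but it does nothing to the cost of each individual guess; only the stretching changes that.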

221 Comments on Please Reset Your TechPowerUp Forums Password

#1
theoneandonlymrk
by: XeoNoX
btw b/c of this security breach i'm VERY surprised TPU didn't recommend users change their passwords to other website/services that use the same username/password as it will be a matter of time before the attacker(s) get to it.
Afaik they did in the OP , just glad to be back :)
Posted on Reply
#2
THE_EGG
by: theoneandonlymrk
Afaik they did in the OP , just glad to be back :)
Agreed, and they sent the recommendation to change the password used in other sites in the email as well.
Posted on Reply
#3
Frag Maniac
What do I do if the password reset feature doesn't work? My email said my password would no longer work, but when I visited the site I was still logged in and I can log out and the save password feature allows me to log back in. I also cannot manually reset my password.
Posted on Reply
#4
gaiden.sensei
Took a few days to get the server to send me the password reset, didn't send until today. I had to change a lot of my passwords because of mutual accounts...

I was under the impression that the user database for vBulletin (3.6 and up) was encrypted by default? I remember examining some of my databases and sensitive details couldn't be seen.
Posted on Reply
#5
Frag Maniac
As a rule I always use different passwords for forums than I do for more protected uses, such as places where I do online purchases and such. Just the same, I'd like to get some help resetting my password here, because I can't seem to get it to work.

The main problem is it's saying I'm entering the wrong current password when trying to reset it, and it won't send me my password or a temporary one.
Posted on Reply
#6
gaiden.sensei
by: Frag Maniac
The main problem is it's saying I'm entering the wrong current password when trying to reset it, and it won't send me my password or a temporary one.
No idea what's wrong with your password, but you can 'reset' it by invoking the forgotten password form.

Make sure your email address is correct or working before attempting the following:
It'll give you a temp password, but you have to wait for the server to email you the generated key.

http://www.techpowerup.com/forums/login.php?do=lostpw
Posted on Reply
#7
Frag Maniac
I had already done that. I finally got the temp password sent though, and all is good now. Thanks.

I gotta say though, it was a bit scary when right after I posted about it in the feedback forum, what appears to be a SPAM bot answered with gibberish.
Posted on Reply
#8
buggalugs
Wow I had a hard time resetting the password. Couldn't get the confirmation email, was going round in circles. Anyway all is sorted now.

Wizzard, you can disregard the email I sent, it's OK now.
Posted on Reply
#9
W1zzard
by: gaiden.sensei
I was under the impression that the user database for vBulletin (3.6 and up) was encrypted by default?
That's correct. However, with distributed password cracking, especially on GPUs, there is a real risk that the passwords can be decrypted.
Posted on Reply
#10
Frag Maniac
At least we know they're encrypted to begin with. Probably more secure than Sony was before their PSN fiasco. LOL
Posted on Reply
#11
N9ZN-Extra
This can be stopped when the industry gets serious.

When the computer manufacturers get serious they will adopt a standard for login procedures which cannot be compromised by simply hacking a site and stealing information.

Some complain it will be too costly to implement such a solution but I suggest the cost will sharply drop when millions of orders are placed for the equipment required to implement a solution.

The bigger problem for users is how to get those building the computers and those writing the software to REALLY CARE about our security online. If they don't get away from this grade school approach of identity verification all we as users can expect is more of this in the future.
Posted on Reply
#12
W1zzard
by: N9ZN-Extra
When the computer manufacturers get serious they will adopt a standard for login procedures which cannot be compromised by simply hacking a site and stealing information.

Some complain it will be too costly to implement such a solution but I suggest the cost will sharply drop when millions of orders are placed for the equipment required to implement a solution.

The bigger problem for users is how to get those building the computers and those writing the software to REALLY CARE about our security online. If they don't get away from this grade school approach of identity verification all we as users can expect is more of this in the future.
there is no 100% secure authentication system and it can never be created.
maybe the hacker came to my house, held my hamster hostage and forced me to give him the admin password?
Posted on Reply
#13
N9ZN-Extra
by: W1zzard
there is no 100% secure authentication system and it can never be created.
maybe the hacker came to my house, held my hamster hostage and forced me to give him the admin password?
Wizzard I agree there is no 100% foolproof system but there are many much more secure and difficult to break than these obsolete password security methods we just take for granted.

With all of the trouble people around the globe are having with security breaches, some leading to identity theft and other nefarious ends, any simple minded person can recognize the need for the industry to come together and agree on a simple system which is much more difficult to break than a code word.

If a new system cost us a small (one time) amount to prepare our PC's that would be a reasonable cost, considering we each pay a hefty monthly rate for internet access anyway. The success of such a system would be upon the software houses and PC manufacturers to make it a standard in all new equipment. This also will be the tough part of any plan because most PC makers and software houses don't care diddly about end user security beyond the most simple of implementations.

Edit: As an example, I have not had my E-Bay or PayPal passwords compromised since I began using their electronic key fobs, for that matter my bank has also not been compromised due to the same security. The problem with key fobs is they are too costly to implement into all online entities requiring secure access. There are other forms of identification which are not as costly and more secure like retina scanners, fingerprint IDs and so on that can be used over a broad range of equipment and still identifies a unique user.
Posted on Reply
#14
w3b
I don't think creating a new password/security system with a central hierarchy is a good idea at all; not only for the weaknesses that are inherited in all centrally focused systems (government/internal abuse, a much more attractive target for hackers that would lead to bigger problems than TPU going down, etc.) but this would also be wide open for abuse under the perpetual 'war on terror' by the US government (and/or those behind the curtain thereof).

I doubt a TPU account would ever be a matter of national security. :p

Fine work to the admin staff catching the problem so quickly:rockout:, hopefully those responsible are found soon and dealt with severely. :shadedshu
Posted on Reply
#15
N9ZN-Extra
by: w3b
I don't think creating a new password/security system with a central hierarchy is a good idea at all

Fine work to the admin staff catching the problem so quickly:rockout:, hopefully those responsible are found soon and dealt with severely. :shadedshu
I know there will be many like yourself who for a number of reasons would object to any new security ID system. It is to be expected, but do you really believe code words (passwords) are the best method of security man can achieve to protect them?

As for catching the intruders, Tech Power Up has a small chance of finding who is responsible. My guess is these people may be hackers or they may also be a foreign government, like China, with a reputation for hacking sites. The worrisome thing is in the past few months several tech oriented sites have been compromised making myself ask what purpose might these folks have in mind? I would bet the intent goes far beyond any joy they may feel by having hacked the site.

Edit: Looking at your quote from Benjamin Franklin... I also remember it was Franklin who thought the Turkey should be named as our national bird instead of the eagle. Franklin's thoughts have many times been on the fringes of rational thinking. This is not to say what Franklin said about liberty is wrong, but making something more secure would not cost us any liberty at all. It would cost those who abuse liberty some pain but isn't that the intention with any security be it passwords or something else?
Posted on Reply
#16
Irony
by: N9ZN-Extra
I know there will be many like yourself who for a number of reasons would object to any new security ID system. It is to be expected, but do you really believe code words (passwords) are the best method of security man can achieve to protect them?

As for catching the intruders, Tech Power Up has a small chance of finding who is responsible. My guess is these people may be hackers or they may also be a foreign government, like China, with a reputation for hacking sites. The worrisome thing is in the past few months several tech oriented sites have been compromised making myself ask what purpose might these folks have in mind? I would bet the intent goes far beyond any joy they may feel by having hacked the site.

Edit: Looking at your quote from Benjamin Franklin... I also remember it was Franklin who thought the Turkey should be named as our national bird instead of the eagle. Franklin's thoughts have many times been on the fringes of rational thinking. This is not to say what Franklin said about liberty is wrong, but making something more secure would not cost us any liberty at all. It would cost those who abuse liberty some pain but isn't that the intention with any security be it passwords or something else?
1) Passwords may not be the most secure thing in the universe, but if that's what you're after then why are you even on the internet?

2) Lol at china

3) Turkeys are awesome
Posted on Reply
#17
W1zzard
Considering that 99.99% of people use "remember me", which means if their PC is hacked their passwords are gone, password security is kinda obsolete already.

Would you want to receive (and pay for) an SMS each time you access TPU? and then you have to enter that code?
Posted on Reply
#18
WhiteLotus
by: W1zzard
there is no 100% secure authentication system and it can never be created.
maybe the hacker came to my house, held my hamster hostage and forced me to give him the admin password?
The key thing here is to know that w1zz has a hamster. Bless
Posted on Reply
#19
Irony
Hamsters are awesome. It could be a trained hamster that cleans the servers in its spare time
Posted on Reply
#20
cadaveca
My name is Dave
by: W1zzard
Considering that 99.99% of people use "remember me", which means if their PC is hacked their passwords are gone, password security is kinda obsolete already.

Would you want to receive (and pay for) an SMS each time you access TPU? and then you have to enter that code?
I don't even have my own cell phone. :(


:roll:

Just for discussion, I wouldn't mind seeing something like SteamGuard used more often.
Posted on Reply
#21
W1zzard
by: WhiteLotus
The key thing here is to know that w1zz has a hamster. Bless
i have no hamster or any pets .. other than my moderators
Posted on Reply
#22
erocker
I'm hungry and my cedar chips are getting rank. :(
Posted on Reply
#23
N9ZN-Extra
by: W1zzard
i have no hamster or any pets .. other than my moderators
LOL, that's not what I read either. :D

Just to clear this up on my end, the internet began after PC's were invented in 1981 (I think). That is somewhere between 20 to 30 years we have lived with passwords to protect us and every year they become weaker and weaker as a protection.

My whole point is times have changed and along with that the industry should change how we protect our identity, and access to web sites.
Posted on Reply
#24
EarlZ
Here's an issue on my end, I've never really used this account ( this only has 2 posts prior to this ) and I thought this account was bound to a different email and my active account was on my main email address, I can no longer recall the email address used on my active account here at TPU but I would very much like to keep using that, is there a way this can be resolved?
Posted on Reply
#25
erocker
by: neodark088
Here's an issue on my end, I've never really used this account ( this only has 2 posts prior to this ) and I thought this account was bound to a different email and my active account was on my main email address, I can no longer recall the email address used on my active account here at TPU but I would very much like to keep using that, is there a way this can be resolved?
PM'd. :)
Posted on Reply