# FA /not/ HACKED - but I like attention!



## temp (Jun 24, 2009)

I find myself locked out of my account, with the following message added to my profile:

The password for this account has been reset as a protective measure against this account being hijacked.
We have identified a user database leak from a third party website and are suspending the accounts that use the same passwords here as they were using there.
Please use the password recovery feature to reset your account password, and _be sure not to put the same password as before_.
In case the password recovery feature doesn't work you can also e-mail accounts@furaffinity.net, but you'll need to be able to prove the ownership of the account.

[FA administration]

The password recovery doesn't work, and I sent an email to accounts 7 hours ago, and still no response.  Can an Admin take a look at this and email me whatever you changed my password to?

just2draw@gmail.com

http://www.furaffinity.net/user/just2draw/


----------



## AshleyAshes (Jun 24, 2009)

*Re: FA Hacked.*

FurAffinity: Hijacking your account to make sure that someone else doesn't do it first.


----------



## tsawolf (Jun 24, 2009)

Better than having accounts cleaned out.

Oh, and I adjusted the thread title to more properly reflect what's going on.

By the way, the reason the password reset isn't working is because the email address you gave in the OP is not the same as the one you have set in the account.  The one you have set in the account is eclixxx@pickxxxx.com.au - with bits removed so I don't expose your email address.


----------



## cassandrarising (Jun 24, 2009)

Any way we can be told what 3rd Party database had the leak, so we can go change our PWs over there as well?

I had no problems changing my PW here, just curious as to what's going on with the situation.


----------



## Cojiro (Jun 24, 2009)

cassandrarising said:


> Any way we can be told what 3rd Party database had the leak, so we can go change our PWs over there as well?
> 
> I had no problems changing my PW here, just curious as to what's going on with the situation.



Interested in this as well.  Was searching for some information on how this happened, so that I can decide what preventative measures I should be taking.  And what I did wrong, if anything?


----------



## Bakeneko (Jun 24, 2009)

Yea, I did all that, and it's still telling me that I haven't supplied my user name? I've checked at least a dozen times. My user name is in the correct slot at the time I hit "submit".


----------



## temp (Jun 25, 2009)

tsawolf said:


> Better than having accounts cleaned out.
> 
> Oh, and I adjusted the thread title to more properly reflect what's going on.
> 
> By the way, the reason the password reset isn't working is because the email address you gave in the OP is not the same as the one you have set in the account.  The one you have set in the account is eclixxx@pickxxxx.com.au - with bits removed so I don't expose your email address.



The email address is eclipse@picknowl.com.au and has been out of service for some years.  I don't care about it being shown, as it doesn't work anyway and I no longer have access to it.  Obviously I forgot to change it in my FA profile.

I still haven't received any notification of my 'New, not asked for, password', or where this alleged 'database leak' is from. You looked up my email address, but didn't bother to change it so I could retrieve my password.  Do you think you could actually help, or is the intention to just leave my account hacked so I can't access it?  Was it even worth my time to write to accounts@furaffinity.net?

I'd rather have my account cleaned out for my own mistake, than know moderators are changing my account details without my permission.  My account security is my problem, not FA's.  The right thing to do would have been to advise of the leak via a PM.


----------



## ArielMT (Jun 25, 2009)

"Your account has been hijacked/disabled"

How to make a safe password


----------



## Carenath (Jun 25, 2009)

temp said:


> ...or where this alleged 'database leak' is from. You looked up my email address, but didn't bother to change it so I could retrieve my password.  Do you think you could actually help, or is the intention to just leave my account hacked so I can't access it?  Was it even worth my time to write to accounts@furaffinity.net?
> 
> I'd rather have my account cleaned out for my own mistake, than know moderators are changing my account details without my permission.  My account security is my problem, not FA's.  The right thing to do would have been to advise of the leak via a PM.


The database leak happened a number of years ago when FurAffinity was hacked. Passwords were reversed from this database and published along with the usernames and email addresses.

A few months back, one user's account was compromised after hackers got into their email account and reset their password on FA. During the course of investigating the unauthorised access, admins checked to see how many users had not changed their passwords after the site was hacked. They reset the passwords of everyone whose account was still vulnerable in order to protect them.

The administrators changed your password to protect your account; one would think you would be grateful that you didn't have all your stuff deleted and offensive messages sent to others from your account, and any number of other nasty things someone who didn't like you could have done.


----------



## Arshes Nei (Jun 25, 2009)

That is incorrect. This has nothing to do with the FA db leak years back. This is a new problem that has to do with another site's leak. I cannot be the one to disclose the site in question. The problem was that people were using same passwords across both sites, and that is the cause of the new problem.


----------



## Carenath (Jun 25, 2009)

Arshes Nei said:


> That is incorrect. This has nothing to do with the FA db leak years back. This is a new problem that has to do with another site's leak. I cannot be the one to disclose the site in question. The problem was that people were using same passwords across both sites, and that is the cause of the new problem.


I could have sworn the FA db leak was given as the reason the passwords to a number of accounts were changed (users using the same passwords as those that were leaked) after the Tincrash incident. My mistake.


----------



## cassandrarising (Jun 25, 2009)

Arshes Nei said:


> I cannot be the one to disclose the site in question.



Is there anyone who can?  I would certainly like to know of any security risks that I might have.


----------



## AshleyAshes (Jun 25, 2009)

Arshes Nei said:


> That is incorrect. This has nothing to do with the FA db leak years back. This is a new problem that has to do with another site's leak. I cannot be the one to disclose the site in question. The problem was that people were using same passwords across both sites, and that is the cause of the new problem.


 
Don't forget the part where someone used that list of users and account names to get into someone's account and then *the FA administration team gave that account administration privileges and the guy went to town with it.*


----------



## yak (Jun 25, 2009)

temp said:


> The password recovery doesn't work, and I sent an email to accounts 7 hours ago, and still no response. Can an Admin take a look at this and email me whatever you changed my password to?



I'll be answering these emails as soon as I get a little bit of free time.
Most probably I'll change the e-mail registered for your account, so you could use the password recovery feature and set whatever password you want.



cassandrarising said:


> Any way we can be told what 3rd Party database had the leak, so we can go change our PWs over there as well?
> 
> I had no problems changing my PW here, just curious as to what's going on with the situation.


There will not be a need for that, their contents were deleted and they'll probably have to start from scratch.



Cojiro said:


> Interested in this as well. Was searching for some information on how this happened, so that I can decide what preventative measures I should be taking. And what I did wrong, if anything?



A simple rule will keep you safe - don't reuse your password anywhere. Every account you have anywhere should have its own separate password; that way, if that password leaked out only one of your accounts gets damaged as opposed to all of them.



temp said:


> I still haven't received any notification of my 'New, not asked for, password', or where this alleged 'database leak' is from. You looked up my email address, but didn't bother to change it so I could retrieve my password. Do you think you could actually help, or is the intention to just leave my account hacked so I can't access it? Was it even worth my time to write to accounts@furaffinity.net?


Patience, please. We don't have 24/7 technical assistance coverage.

---

No, this is not related to that old password file. The leak the admin message writes about happened recently, and from a website unrelated to FA. 
According to the data I have on me, about 10% of people used the same password for their accounts on FA as for their accounts on that website. To prevent massive amounts of account hijacking I wrote a script to scramble the passwords on those accounts; t'was the only thing I could have done on such a short notice.


----------



## maxgoof (Jun 25, 2009)

Okay, let me get this straight...

Some other database had a leak. This database has nothing to do with FA, but somehow FA got ahold of this database and did comparisons of passwords on all accounts with similar logins?

So, to prevent our accounts from being hacked, our accounts were hacked?

And now I have to change my password to something OTHER than the one I had, but no, I don't get to know what the other database was so I can change it there as well?

Have you ANY idea how many passwords people have to remember these days? It is getting absurd! I have a password to log onto my computer. I have a password to log onto Life Journal. I have a password to log onto Fur Affinity. I have a password to log onto The FuMP, I have passwords to log onto forums for many different webcomics. I have passwords to log onto online newspapers. I have passwords for work accounts. All told there are well over a hundred different things that require my password. And you tell me each one should be unique? Are you out of your gourd?

I have used the same password for years without problem. But now, I have to add a number to one, a number and a capital letter to another, a number and a capital letter and a special character to another, while the previous one won't take special characters, and another which requires a special character, but not the one I chose for the other...

It's getting to the point I have to keep a file handy just to remember all of my passwords. And if someone gets ahold of that, then I would have to change each and every one of them to something ELSE unique.

Give me a break!


----------



## maxgoof (Jun 25, 2009)

AshleyAshes, I ADORE YOUR SIGNATURE!!


----------



## AshleyAshes (Jun 25, 2009)

maxgoof said:


> AshleyAshes, I ADORE YOUR SIGNATURE!!


 
Someone took the idea I use for the thumbnails for my non-sexual gay furry writings to add warnings to his English-as-a-second-language furry fetish sex stories.


----------



## Irreverent (Jun 25, 2009)

maxgoof said:


> So, to prevent our accounts from being hacked, our accounts were hacked?



FA did not hack your account. FA took proactive (and necessary) steps to mitigate the risk to your FA account caused by a third party DB leak.



> Have you ANY idea how many passwords people have to remember these days?



Welcome to 2009.  



> I have a password to log onto my computer. I have a password to log onto Life Journal. I have a password to log onto Fur Affinity. I have a password to log onto The FuMP, I have passwords to log onto forums for many different webcomics. I have passwords to log onto online newspapers. I have passwords for work accounts. All told there are well over a hundred different things that require my password. And you tell me each one should be unique?



If your password for all of these systems was non-unique, it would be prudent to consider them ALL compromised, or able to be compromised based on information gleaned from a compromised account.  I.e.: account A is compromised... has an email account... same pwd.  Email is compromised, used to perform account resets on accounts B-Z etc.



> I have used the same password for years without problem.



It's not 1986 any more...



> It's getting to the point I have to keep a file handy just to remember all of my passwords. And if someone gets ahold of that, then I would have to change each and every one of them to something ELSE unique.



Use a USB password vault.  A 2gb USB key retails for less than $20.00CDN, and the password vault software is open source.



> Give me a break!



Take a breath, and RISK assess.  What is the likelihood of personal information being lost, or exposed by this breach?  If it's low risk, maybe you could carry on with one common password for all systems.  Personally, I wouldn't.


----------



## Corto (Jun 25, 2009)

maxgoof said:


> Okay, let me get this straight...
> 
> Some other database had a leak. This database has nothing to do with FA, but somehow FA got ahold of this database and did comparisons of passwords on all accounts with similar logins?
> 
> ...



Okay, let me get this straight:

You're complaining because you used the same frikking password for every single account you had anywhere, and now that you realized that this is a serious mindfart security-wise, you must change each password? As far as I know FA didn't invent common sense. 

Give me a break!


----------



## AshleyAshes (Jun 25, 2009)

Corto said:


> As far as I know FA didn't invent common sense.


 
That _would_ explain why FurAffinity opted to give a guy who hijacked someone else's accounts *administrative access.*


----------



## Armaetus (Jun 25, 2009)

Furries: Where we don't change our passwords after a good hack because we can't come up with anything else better!


----------



## Corto (Jun 25, 2009)

AshleyAshes said:


> That _would_ explain why FurAffinity opted to give a guy who hijacked someone else's accounts *administrative access.*


The official stance is denying everything so I'll do that.


----------



## Carenath (Jun 25, 2009)

AshleyAshes said:


> That _would_ explain why FurAffinity opted to give a guy who hijacked someone else's accounts *administrative access.*


That was human error, and Dragoneer was straight up about it.



Irreverent said:


> FA did not hack your account, FA took proactive (and necessary steps) to mitigate the risk to your FA account caused by a third party DB leak.


Not many other sites take those kinds of proactive measures... as far as they are concerned it is your own tough luck if you used a bad password (which it is).


----------



## Jayness (Jun 25, 2009)

I'm amazed how we seem to need a dozen people to prove one simple point.


----------



## Deleted member 19863 (Jun 25, 2009)

To be honest; when I first read this thread title, I thought it was going to be like this:


"ohai guise iam teh FA adminustreator and i ned mai pass nao cos som n00b h4xx0r3d it and i fallen n cant get bak up. plz kthx"


But I see it's far more different than that. Next time try setting a better password / updating your profile every month or so to keep it secure.


----------



## Roland (Jun 25, 2009)

I think it's hilarious when people expect instant response when something goes wrong.  I get enough people complaining when something they pay for is down, I could hardly be bothered to care less when they're getting it for free. 

ITT: People don't know how to manage passwords.


----------



## kjorteo (Jun 25, 2009)

PasswordMaker is really not that hard.  _Really._


----------



## Dragoneer (Jun 25, 2009)

cassandrarising said:


> Is there anyone who can?  I would certainly like to know of any security risks that I might have.


We would like to say more about the issue, but at this time I can not. Let me first and foremost say that Fur Affinity does not have the best track record, but we've always been up front and honest about our shortcomings and have always taken a pro-active approach to people's security.

In this case, the group in question was not. They knew what happened but chose not to tell anybody. Suffice to say, these people are not on my personal happy list, but this issue had NOTHING to do with Fur Affinity.

Again, I won't say more than that.



maxgoof said:


> Some other database had a leak. This database has nothing to do with FA, but somehow FA got ahold of this database and did comparisons of passwords on all accounts with similar logins?
> 
> So, to prevent our accounts from being hacked, our accounts were hacked?


No, your accounts were secured to prevent damage from being done to them. I'd rather we scramble a user's password than watch their account get jacked. Individual file restores are a nightmare.

_This issue had nothing at all to do with FA,_ but we were made aware of the issue and took steps to protect people. If you have a problem with that then I'm sorry, but I (and every other staffer) will take the steps necessary to protect your personal data.



Corto said:


> The official stance is denying everything so I'll do that.


FA makes it a point to be open and honest about mostly everything.


----------



## Roland (Jun 25, 2009)

Better than the dumbshites getting their accounts hijacked and then they happen to complain about that.  I'm just gonna sit back and wait for stuff to be working again.


----------



## Arshes Nei (Jun 25, 2009)

AshleyAshes said:


> That _would_ explain why FurAffinity opted to give a guy who hijacked someone else's accounts *administrative access.*



Here's another stick for that dead horse you are beating.


----------



## Kesteh (Jun 25, 2009)

temp said:


> I'd rather have my account cleaned out for my own mistake, than know *moderators are changing my account details without my permission.  My account security is my problem, not FA's*.  The right thing to do would have been to advise of the leak via a PM.



Remind me, whose website are you on?


----------



## BlackWolfe (Jun 26, 2009)

maxgoof said:


> Okay, let me get this straight...
> 
> Some other database had a leak. This database has nothing to do with FA, but somehow FA got ahold of this database and did comparisons of passwords on all accounts with similar logins?
> 
> So, to prevent our accounts from being hacked, our accounts were hacked?



Negative.

Passwords are stored using a hash encryption - the PHP "crypt" function.  If you, hypothetically, have the password "PASSWORD" it is stored as "PA#$JIWO#$$U#34" (This is not what crypt actually outputs, just an example of what it might look like.)

Using this, it is possible to brute force all passwords in a database, simply by passing strings to the "crypt" function and comparing the output to the actual database entry.

It is also possible to compare the encrypted data in two different databases and look for correlations - user ID and encrypted passwords that match - without knowing what the password is.

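The checks BlackWolfe and yak describe, as an added example that is not code from the original thread or from Fur Affinity: a salted-hash user store (modelled here with PBKDF2 as a stand-in for PHP crypt(), whose exact settings the thread does not give), a reuse check against a list leaked from another site, the brute-force comparison, and the scramble step yak mentions. One caveat on the post above: crypt() stores a per-account salt in its output, so the same password does not produce the same string in two databases; comparing hashes across sites only works when both hash identically and without a salt. Otherwise the check needs the leaked password in the clear or already cracked, which is what the example assumes. Every username, password and salt below is constructed.

```python
"""Detect password reuse between a leaked third-party user list and a
local salted-hash user database, then scramble the affected accounts.

Added example. hash_password() is a PBKDF2 stand-in for PHP crypt(); the
real scheme and the real data are not on the page.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 10_000  # kept low for the demo; a deployment uses far more


def hash_password(password: str, salt: bytes) -> str:
    """Salted, iterated hash. As with crypt(), the stored string carries its
    own salt, so an identical password hashes differently per account."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-hash the candidate with the salt taken from the stored value."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def find_reused(local_db: dict[str, str], leaked: dict[str, str]) -> list[str]:
    """Usernames in both datasets whose local hash verifies against the
    password that leaked for that name elsewhere.

    A hash-to-hash comparison would miss every one of these: the salts
    differ, so the stored strings differ even for identical passwords."""
    return sorted(
        user for user, pw in leaked.items()
        if user in local_db and verify(pw, local_db[user])
    )


def scramble(local_db: dict[str, str], users: list[str]) -> dict[str, str]:
    """Forced reset: overwrite each hash with that of a random password nobody
    knows, so only the recovery flow can set a new one. Returns a new dict."""
    out = dict(local_db)
    for user in users:
        out[user] = hash_password(secrets.token_urlsafe(32), secrets.token_bytes(16))
    return out


def reset_to_same(old_hash: str, new_password: str) -> bool:
    """True when a freshly chosen password verifies against the hash that was
    scrambled, i.e. the user reinstated the leaked password."""
    return verify(new_password, old_hash)


def dictionary_crack(stored: str, wordlist: list[str]) -> str | None:
    """The brute force described in the post: hash each guess with the stored
    salt and compare. Salting defeats precomputed tables, not this loop."""
    for guess in wordlist:
        if verify(guess, stored):
            return guess
    return None


# Constructed sample data. The plaintext dict exists only to build LOCAL_DB.
_LOCAL_PLAINTEXT = {"alice": "hunter2", "bob": "correct horse", "carol": "s3cret!"}
LOCAL_DB = {u: hash_password(p, secrets.token_bytes(16)) for u, p in _LOCAL_PLAINTEXT.items()}
# What the other site leaked, already in the clear (or cracked from their store).
LEAKED = {"alice": "hunter2", "bob": "different-there", "dave": "not-a-local-user"}


def demo() -> dict:
    reused = find_reused(LOCAL_DB, LEAKED)  # ["alice"]: same password on both sites
    scrambled = scramble(LOCAL_DB, reused)
    return {
        "reused": reused,
        "alice_locked_out": not verify("hunter2", scrambled["alice"]),
        "bob_untouched": scrambled["bob"] == LOCAL_DB["bob"],
        "alice_reset_to_same": reset_to_same(LOCAL_DB["alice"], "hunter2"),
        "cracked": dictionary_crack(LOCAL_DB["alice"], ["password", "hunter2", "letmein"]),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the pre-scramble hash around is what makes `reset_to_same` possible: a recovery-flow password can be verified against it without anyone knowing the old plaintext, which is the kind of check that lets an operator count how many users put the old password straight back.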

----------



## Ansuru (Jun 29, 2009)

maxgoof said:


> Okay, let me get this straight...
> 
> Some other database had a leak. This database has nothing to do with FA, but somehow FA got ahold of this database and did comparisons of passwords on all accounts with similar logins?
> 
> ...





Don't keep an electronic file. Paper is not obsolete.


Also, you don't have to make EVERY password unique. Just categorize your various accounts by importance. 

Emails get username randomfuzzbutt01@whatever.stuff and password blahblahblah.
Random forums and dramafactories get username Jimbob1234 password iliektehpronz. 
Paid mmo accounts get username ThisJediWillRaepU password WithARusty$pork.
E-banking, Pay-pal, or Ebay/Amazon/etc, where financial and personal data is vulnerable each get a unique set.
edit: And for the record, dictionary passwords are for dummies. Even when they use stupid n3tspeak dictionaries.

Voila, it's manageable! And, if FA gets its database defenestrated again, you can keep it straight in your head which group of passwords needs to be changed. FA, DA, don't worry about SA because that place sucks anyway... you get the idea?


----------



## yak (Jun 29, 2009)

An update.
126 people out of 818 have reset their passwords to the same thing it was before.

*I give up*


----------



## CaptainCool (Jun 29, 2009)

yak said:


> An update.
> 126 people out of 818 have reset their passwords to the same thing it was before.



*happy sigh* people never fail to amuse me^^


----------



## Irreverent (Jun 29, 2009)

yak said:


> An update.
> 126 people out of 818 have reset their passwords to the same thing it was before.
> 
> *I give up*



Statistically, 15% of the people may have risk assessed and determined that the risk was manageable for their needs.  Having a throwaway account for your fandom activities is possible. Seems a bit high, I would have figured 7-10%, but it may be risk assessment, not apathy.


Why yes, I am a frigging optimist.  So was Murphy


----------



## Carenath (Jun 29, 2009)

yak said:


> An update.
> 126 people out of 818 have reset their passwords to the same thing it was before.
> 
> *I give up*


Didn't Net-Cat say that the last time too... almost reminds me of my friend, he used the last four digits of my home phone number as his Bank PIN..


----------



## BlackWolfe (Jun 29, 2009)

yak said:


> An update.
> 126 people out of 818 have reset their passwords to the same thing it was before.
> 
> *I give up*



Don't look at it that way.  Look at it this way:  692 people _changed_ their passwords.



Irreverent said:


> Statistically, 15% of the people may have risk assessed and determined that the risk was manageable for their needs.  Having a throwaway account for your fandom activities is possible. Seems a bit high, I would have figured 7-10%, but it may be risk assessment, not apathy.



Agreed.  Long ago I decided to make all of my passwords fit a pattern that is easy for me to remember, and to use a limited number of user IDs as well.  Within the fandom, this means I do have some overlap.  I'm used to that, and ready to deal with the consequences.

I appreciate the proactive measures taken by FurAffinity, even if they inconvenience me.  I'm less concerned with the possibility that someone will hack my account than I am with the thought that my email address is now floating around out there.  I already had to delete one email address due to spam issues, I don't want to have to do it again.


----------



## Armaetus (Jun 30, 2009)

@Yak: So that's 126 idiot furries who lack proper security measures... I really think you should ridicule them and post the list of usernames that have kept their old passwords.


----------



## KatmanDu (Jul 6, 2009)

I'm just baffled trying to figure out what other website I have an account with got hacked... I'm not on a lot of furry sites to begin with. I know FA staff can't/won't say.

...but if a little birdie crapped a note on my head in passing...

Also, how long does that notice stay on your page after you've changed your password?


----------



## Dragoneer (Jul 7, 2009)

KatmanDu said:


> Also, how long does that notice stay on your page after you've changed your password?


Until you remove it. It's in your Profile information. You just delete it out.


----------



## KatmanDu (Jul 7, 2009)

*smacks forehead* Imma dumbass.


----------

