# Compromised personal info?????



## SpidertheKitsune (May 22, 2016)

Hi my fellow furbutts

I'm wondering if anyone here has any information regarding the announcement by the FA team that our emails and passwords may have been compromised by the hackers after the site attacks that occurred on 5/17.

Thanks 
-Spider. K


----------



## KazWolf (May 22, 2016)

I am wondering the same. I wonder if hackers have access to my email.


----------



## Zoichi (May 22, 2016)

From what I understand, basically, hackers have access to any information you entered in FA before the breach: email, password, notes, etc.

They know your email address but they don't have access to your email account unless it has the same password as FA.


----------



## Samandriel Morningstar (May 22, 2016)

I'm glad I have so many throw away emails.  :V


----------



## KazWolf (May 22, 2016)

I changed the password on my Google account, as I have Gmail. I think I'm safe?


----------



## Necire (May 22, 2016)

KazWolf said:


> I changed the password on my Google account, as I have Gmail. I think I'm safe?


You're safe as long as you don't use the same password for other sites as you do with FA. However, don't be surprised if MAYBE you get some emails that seem "off" or from someone you have no idea who it is. This is why I always have a unique password for every website I log into.


----------



## Stickyfox (May 22, 2016)

There are two issues here: your password and your sensitive data like emails (or notes on FA).

Unix passwords are stored by encrypting them in a one-way process. You can't "extract" anyone's password after encryption. You can only "try" a password by encrypting it and comparing the result. The process is designed to be complex and slow so it can't be done much faster than needed (the system doesn't need to handle thousands of logins per second, so for a computer, it's REALLY slow and complex.)

For example: Say my password is "dog". The password gets encrypted and stored on the system:
dog --> &^*(@^#$FFGH@#324

The site does not store "dog" anywhere that an attacker could find it.

When I log in, whatever I type gets encrypted by the same irreversible process and compared to the above "hash" or "encrypted password." There's no other combination of letters I can type (or if there is, it's very very VERY long and more impossible to guess than the original password), so if I typed, say,

cat --> 68723876vBHGADB^@#

and the computer matched &^*(@^#$FFGH@#324 and 68723876vBHGADB^@#, and found them unequal, then it wouldn't let me in.

Like I said, it's a one way process, but there are dictionaries out there of millions of commonly-used passwords, already encrypted. If you were able to steal the password file from FA (which happened), and you were able to look up "&^*(@^#$FFGH@#324" in a dictionary, you would then know that my password was "dog".

The problem is that any website operating on a similar OS to FA's will use the same exact mechanism, so if attackers are able to take the password file from FA and begin brute-forcing it, they may find some of the passwords. And then they will be able to access your account on SF and IB and FN and anywhere else you (or rather, most people) use the same password. That is the issue right now.

Your private notes are not protected at all. If an attacker was able to directly read the table containing them, then any drama or dirty secrets that were in your in/out boxes could potentially be compromised.


Bottom line, if your password on FA is the same as any other site, go to the other site and change it. Chances are you're safe right now, especially if you use a strong password, but over time, anyone who has that passwd file will be very busy trying to encrypt random combinations of letters, numbers, and punctuation in the hopes that it will match some of the entries in that file.

Hope this helps!


----------



## Necire (May 22, 2016)

Stickyfox said:


> Your private notes are not protected at all. If an attacker was able to directly read the table containing them, then any drama or dirty secrets that were in your in/out boxes could potentially be compromised.
> 
> Hope this helps!



You mean people will know of my fetish for licking nutella off raging hard cock?!


----------



## Zoichi (May 22, 2016)

Stickyfox said:


> There are two issues here: your password and your sensitive data like emails (or notes on FA).
> 
> Unix passwords are stored by encrypting them in a one-way process. You can't "extract" anyone's password after encryption. You can only "try" a password by encrypting it and comparing the result. The process is designed to be complex and slow so it can't be done much faster than needed (the system doesn't need to handle thousands of logins per second, so for a computer, it's REALLY slow and complex.)
> 
> ...



That depends on how Furaffinity "encrypted" the passwords. Note that hashing (a one-way process) is generally not considered encryption (a two-way process). If they were encrypted instead of hashed, there's a high chance they have all the passwords, considering they apparently did break into various accounts.

Also, to prevent that dictionary lookup, passwords usually are salted before hashing, but right now we don't know how FA stored passwords; for some reason they haven't cleared it up. I'd say just assume the hackers indeed got your password.


----------



## Stickyfox (May 22, 2016)

Zoichi said:


> That depends on how Furaffinity "encrypted" the passwords. Note that hashing (a one-way process) is generally not considered encryption (a two-way process). If they were encrypted instead of hashed, there's a high chance they have all the passwords, considering they apparently did break into various accounts.
> 
> Also, to prevent that dictionary lookup, passwords usually are salted before hashing, but right now we don't know how FA stored passwords; for some reason they haven't cleared it up. I'd say just assume the hackers indeed got your password.



I didn't overcomplicate it for the majority of users who haven't gone to college for IS/CS. The basic process is pretty much as I described.

For decades, since the days of dialup, we've been warned by sysadmins, the media, teachers, parents, and everyone else around us to change passwords frequently and not reuse them on other sites. FA is run using (mostly) off-the-shelf tools designed for securing web sites. Any major loss resulting from this attack isn't because of a lack of salting, it's because some jerk used the same password for FA and Citibank. That's not Dragoneer's fault.

I mean, you're absolutely right... but lots of people don't understand computers and don't take responsibility for protecting their assets.


----------



## Zoichi (May 22, 2016)

Stickyfox said:


> I didn't overcomplicate it for the majority of users who haven't gone to college for IS/CS. The basic process is pretty much as I described.
> 
> For decades, since the days of dialup, we've been warned by sysadmins, the media, teachers, parents, and everyone else around us to change passwords frequently and not reuse them on other sites. FA is run using (mostly) off-the-shelf tools designed for securing web sites. Any major loss resulting from this attack isn't because of a lack of salting, it's because some jerk used the same password for FA and Citibank. That's not Dragoneer's fault.
> 
> I mean, you're absolutely right... but lots of people don't understand computers and don't take responsibility for protecting their assets.



I think it's better to be safe and assume that the passwords were leaked and not otherwise.


----------



## Resua (May 22, 2016)

Zoichi said:


> Also, to prevent that dictionary lookup, passwords usually are salted before hashing, but right now we don't know how FA stored passwords; for some reason they haven't cleared it up. I'd say just assume the hackers indeed got your password.



forums.furaffinity.net: It's Time for Real Account Security

Dragoneer states that the passwords were hashed and salted.  Happily answered when I asked.  You may stop spreading rumor regarding this now.

Salting prevents precomputed attacks, but high powered rigs like mine can still attack MD5 at staggering speeds.  If you had an insecure password, or one less than 10 digits, you should assume that the attackers can recover it in a reasonable time period (several days.)  Either way, changing your password now will be required when the site goes back online.
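A small Python walkthrough of the points made in Stickyfox's, Zoichi's and Resua's posts above: a login compares a freshly computed one-way hash against the stored one, a precomputed table of common passwords works against unsalted hashes by plain equality lookup, per-user salting makes that table useless, and a deliberately slow hash is what makes one-at-a-time guessing expensive even when salt is present. This is an added example written for this page, not code from Fur Affinity or from any poster; the five-word list is a constructed stand-in for the multi-million-entry lists the thread mentions, and the storage formats shown are assumptions about how a site could store passwords, not a description of how FA did.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "dictionaries of millions of commonly-used
# passwords" mentioned in the thread; real lists are vastly larger.
COMMON_PASSWORDS = ["123456", "password", "dog", "cat", "qwerty"]


def unsalted_md5(password: str) -> str:
    """One-way hash with no salt: the same password always gives the same
    digest, on every site that stores passwords this way."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute digest -> plaintext for a word list. This is the
    'already encrypted dictionary' from the thread: hashing is one-way,
    but a table lets a stored digest be matched by equality alone."""
    return {unsalted_md5(w): w for w in words}


def lookup(stored_digest: str, table: dict):
    """Return the dictionary word whose digest matches, or None."""
    return table.get(stored_digest)


def salted_md5(password: str, salt: bytes) -> str:
    """Same fast hash, but with a per-user random salt mixed in. Two users
    with the password 'dog' now get different digests, and a table built
    from unsalted digests finds nothing. Guessing one digest at a time
    remains cheap, which is Resua's point about MD5 speed."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> tuple:
    """Store a password with a random salt plus a slow, iterated hash
    (PBKDF2-HMAC-SHA256). Returns (iterations, salt, digest); the
    plaintext itself is never stored. Assumed format, not FA's."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return iterations, salt, digest


def verify(password: str, record: tuple) -> bool:
    """Login check: re-run the same one-way process on what the user typed
    and compare against the stored digest in constant time."""
    iterations, salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Walk through the three storage schemes on the password 'dog' and
    return the findings so they can be checked."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # 1. Unsalted fast hash: two users, one digest, one table lookup.
    alice = unsalted_md5("dog")
    bob = unsalted_md5("dog")
    unsalted_hit = lookup(alice, table)

    # 2. Salted fast hash: digests differ per user and the table misses.
    alice_salt, bob_salt = os.urandom(8), os.urandom(8)
    alice_salted = salted_md5("dog", alice_salt)
    bob_salted = salted_md5("dog", bob_salt)
    salted_hit = lookup(alice_salted, table)

    # 3. Salted slow hash: verification still works; each guess costs
    #    200,000 iterations instead of one.
    record = make_record("dog")

    return {
        "unsalted_digests_equal": alice == bob,
        "unsalted_lookup": unsalted_hit,
        "salted_digests_equal": alice_salted == bob_salted,
        "salted_lookup": salted_hit,
        "correct_password_verifies": verify("dog", record),
        "wrong_password_verifies": verify("cat", record),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unsalted digest of "dog" resolving straight back to "dog" from the table while the salted digests differ per user and miss the table entirely; the PBKDF2 record verifies the right password, rejects the wrong one, and never holds the plaintext.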


----------



## supersonicbros23 (May 22, 2016)

I know they're doing what they can but I really wish there were more prompt status updates considering they left off Friday with a Security Cliffhanger.
It's as if they said _'The attackers have your passwords and email. Have a nice day.'_
I'm biting my nails and frequently checking my email, and several sites I've registered to. I don't see any damage but I don't know what to expect...

I'm not asking for specific details, I mean literally even open-ended status posts like "We have made a little progress" or "Things are worse than we expected" would be comforting.
I'm scared as to what the attackers' intentions are... were they trying to just fuck with us by attempting to wipe the site, or are they now after something bigger?

The lack of info makes my mind wander too far to find it... too much imagination for my own good

Oddly enough though, I've been more productive now that it's currently impossible to submit to the site...


----------



## Resua (May 22, 2016)

supersonicbros23 said:


> I know they're doing what they can but I really wish there were more prompt status updates considering they left off Friday with a Security Cliffhanger.
> It's as if they said _'The attackers have your passwords and email. Have a nice day.'_
> I'm biting my nails and frequently checking my email, and several sites I've registered to. I don't see any damage but I don't know what to expect...
> 
> ...



If you simply follow Rule #1 on the internet about passwords, you are fine.

Rule #1 is: Don't reuse the same password on websites.

If you used the same password on FA as in other places, change it immediately.  While the FA password leak is inconvenient and erodes the userbase's trust (more so with people spreading FUD and rumor...), it is NOT in any way FA's fault if you recycled your passwords.


----------



## supersonicbros23 (May 22, 2016)

Resua said:


> If you simply follow Rule #1 on the internet about passwords, you are fine.
> 
> Rule #1 is: Don't reuse the same password on websites.
> 
> If you used the same password on FA as in other places, change it immediately.  While the FA password leak is inconvenient and erodes the userbase's trust (more so with people spreading FUD and rumor...), it is NOT in any way FA's fault if you recycled your passwords.


Oh don't get me wrong, pointing fingers is the last thing on my mind. Fur Affinity is the only site I've found that I can be patriotic about. Part of why I'm so hysterical about "just how bad was this attack?"


----------



## Stickyfox (May 22, 2016)

Zoichi said:


> I think it's better to be safe and assume that the passwords were leaked and not otherwise.



Agreed! It makes me rage when there are major leaks in the media and people keep trying to place blame and ignore the fact that many of us are just not very careful and expect the government/police/banks to pick up the slack. They can't.


----------

