# Clarification on changing passwords?



## Shaun Dreclin (May 20, 2016)

So I changed my password as soon as the site came back up, but now it's gone into read only mode and people are saying passwords have been leaked. Do I need to change them again, or was the leak before the site came up again?

*Edit:* From FA's twitter account, if you changed your password *after* the site came back up on the 18th, your new password is perfectly safe. They're just doing a mass forced password reset to make sure everybody changes it.


https://twitter.com/i/web/status/733814097225994240

On the topic of changing passwords, this XKCD strip comes to mind:






You can add even more entropy by combining the two techniques, but then that starts leaning toward the harder-to-remember side again.


----------



## Altair_the_lugia (May 20, 2016)

I don't know. But either way, this is a major security leak!


----------



## Samandriel Morningstar (May 20, 2016)

It was during the attack, so I'm guessing it was whatever password you had before.
Emails were also leaked, so that's 'fun'.
I guess it was a bigger whoopsie-daisy than the admins/staff thought.


----------



## Gem-Wolf (May 20, 2016)

No, we have to change passwords again as they got both our old passwords and our new passwords.
Neer' and his team are going to upgrade the login system.


----------



## Samandriel Morningstar (May 20, 2016)

Gem-Wolf said:


> No, we have to change passwords again as they got both our old passwords and our new passwords.
> Neer' and his team are going to upgrade the login system.



Old and new?
Huh, that's something.


----------



## Gem-Wolf (May 20, 2016)

Samandriel Morningstar said:


> Old and new?
> Huh, that's something.


Tell me about it. Friggin scary and annoying.


----------



## Samandriel Morningstar (May 20, 2016)

Gem-Wolf said:


> Tell me about it. Friggin scary and annoying.



Agreed.


----------



## Jane_M_J (May 20, 2016)

I knew I can't be safe on FA now. Shit!


----------



## Jane_M_J (May 20, 2016)

And FA's staff said attackers have our email addresses. Does it mean they can write to us and send viruses, for example?!


----------



## Shaun Dreclin (May 20, 2016)

How do we know they got the new passwords? Has a staff member confirmed that?


----------



## Gem-Wolf (May 20, 2016)

Jane_M_J said:


> I knew I can't be safe on FA now. Shit!


You can be safe. They are working on it. Hackers are like a cold/flu virus, they evolve to try and stay one step ahead of their cure.


----------



## Gem-Wolf (May 20, 2016)

Shaun Dreclin said:


> How do we know they got the new passwords? Has a staff member confirmed that?


It's obvious when they wanted us to change our passwords when the site first came back, and now they want us to change them _again!_


----------



## Jane_M_J (May 20, 2016)

But if FA's staff is improving security, does it mean we have to wait for FA more than 24 hours?


----------



## AliothFox (May 20, 2016)

Jane_M_J said:


> And FA's staff said attackers have our email addresses. Does it mean they can write to us and send viruses, for example?!



It's a general rule of e-mail safety that you should NEVER click on links or download attachments in e-mails when you're not 100% sure that they come from a safe sender. This is true of all e-mail, not just in this case.

Also, if you're a furry artist who does artwork on a commission basis, it's generally a good idea to have a furry-specific e-mail too.  So if FA's attackers know my e-mail address, they really don't get too much out of it.


----------



## Shaun Dreclin (May 20, 2016)

Gem-Wolf said:


> It's obvious when they wanted us to change our passwords when the site first came back, and now they want us to change them _again!_



That doesn't necessarily mean the new passwords were compromised though, they could just be doing it to force people to change their password if they didn't already. It could be that people who already changed them once are fine.

But I've been tweeting at staff and trying to get answers and nobody is responding.


----------



## MishkaM (May 20, 2016)

From what I can tell, it's only the salted, hashed passwords that were leaked. Assuming that a decent hashing algorithm was used and that they were in fact salted, your passwords themselves were not technically leaked, and the attackers have no (easy) way of finding out your password. You should still change your passwords, but there is no reason to worry in particular.

It strikes me as odd that during the 23+ hour period that the site was originally offline they did not notice this breach, which means that it could still have been "active" when the site was updated.

Furthermore, their original post describing the attack alluded to the fact that the hackers may have been able to add/change code on the site, and since they logged everyone out after they brought the site back up, if the breach was still active it is possible that the attackers were able to get the passwords of anyone who logged in during that period.

EDIT: I just want to add that FA's transparency with the recent security issues is more opaque than transparent.


----------



## Jeffron (May 20, 2016)

This is honestly very worrisome for me... just another shitty day of this month, honestly.

I'm actually... kinda buggered out about it.

Also any idea of how long it will be before the site improvements finish?


----------



## Shaun Dreclin (May 20, 2016)

Well yeah, it was hashed passwords, but still, they're not uncrackable.


----------



## AliothFox (May 20, 2016)

MishkaM said:


> Furthermore, their original post describing the attack alluded to the fact that the hackers may have been able to add/change code on the site, and since they logged everyone out after they brought the site back up, if the breach was still active it is possible that the attackers were able to get the passwords of anyone who logged in during that period.




https://twitter.com/i/web/status/733814097225994240
From FA's twitter: "If you changed your password since the site went live on the 18th that information is safe."

They're also going to be doing a sitewide password reset.


----------



## Shaun Dreclin (May 20, 2016)

Ooh okay, good, that's the info I was trying to get. For some reason my twitter client wasn't showing that tweet.


----------



## Xenguy (May 20, 2016)

What I want to know is if I should still change my pass for every other site that I used my FA pass on.


----------



## Jeffron (May 20, 2016)

Xenguy said:


> What I want to know is if I should still change my pass for every other site that I used my FA pass on.



I think you should, dude. Because that was stated some time ago.


----------



## MaverickHunterDBoy (May 20, 2016)

I also heard from a Twitter post that you will be able to reset your password to the same password you had earlier.


----------



## cyanidefurart (May 20, 2016)

As long as they don't delete our new accounts again...


----------



## Jeffron (May 20, 2016)

MaverickHunterDBoy said:


> I also heard from a Twitter post that you will be able to reset your password to the same password you had earlier.


Could you quote this from the officials? I honestly wouldn't.


----------



## Shaun Dreclin (May 20, 2016)

Xenguy said:


> What I want to know is if I should still change my pass for every other site that I used my FA pass on.


Yes. The leaked passwords were hashed (hashing is one-way encryption) but it's not impossible for an attacker to brute force that hash to get your password in plaintext. The shorter and less complex it was, the easier it is to crack.

So while it's not 100% required, it'd really be a smart move to change your password on other websites if you used the same one.
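The hashing point made above (and in MishkaM's earlier post about salted hashes), as an added example that is not from anyone in this thread and says nothing about how FA actually stored passwords: a minimal salted, deliberately slow password store with a constant-time verify. The iteration count and salt size are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import NamedTuple, Optional

# Work factor and salt size are assumptions for this example; a real site
# tunes the iteration count to its hardware and current guidance.
ITERATIONS = 200_000
SALT_BYTES = 16


class StoredPassword(NamedTuple):
    """What the database keeps: never the password, only salt + digest."""
    salt: bytes
    iterations: int
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> StoredPassword:
    """Derive a salted, deliberately slow hash with PBKDF2-HMAC-SHA256.

    The salt is random and per user, so two users with the same password
    get unrelated digests, and a table precomputed for one salt says
    nothing about another. The iteration count means every guess tried
    against a leaked digest costs the same amount of work."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return StoredPassword(salt, iterations, digest)


def verify_password(password: str, stored: StoredPassword) -> bool:
    """Log-in check: recompute with the stored salt and iteration count,
    then compare in constant time so timing does not leak a partial match."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


def salt_isolates_users(password: str) -> bool:
    """Same password hashed twice with fresh salts: both verify, yet the
    digests differ, which is why a leaked table has to be worked through
    one user at a time instead of all at once."""
    a = hash_password(password)
    b = hash_password(password)
    return (a.digest != b.digest
            and verify_password(password, a)
            and verify_password(password, b))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("digest:", record.digest.hex())
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password ok:", verify_password("Password01", record))
    print("salt isolates users:", salt_isolates_users("hunter2"))
```

Whatever the work factor, a short or common password still falls quickly to guessing, which is why the advice above to change reused passwords stands even though only digests leaked.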


----------



## MaverickHunterDBoy (May 20, 2016)

Jeffron said:


> Could you quote this from the officials? I honestly wouldn't.




https://twitter.com/i/web/status/733815239708397572

https://twitter.com/i/web/status/733816386124931072


----------



## Jeffron (May 20, 2016)

Wait, didn't they say that if you changed your password the moment the site went back up you're still good? Now I'm confused here.


----------



## Shaun Dreclin (May 20, 2016)

If you already changed your password after the site came back up, you're fine. When the forced reset happens, you can set it back to your new password.

If you *haven't* changed your password since the attack happened, your account (and any other accounts using the same password) is at risk. When the forced reset happens, it would be a very stupid idea to change it back to the old one that has been leaked.


----------



## Jeffron (May 20, 2016)

Ah, I get it now, cool! Thanks. I just wonder when we are gonna have the improvements finished?

When this happens on this scale, how long does it normally take?


----------



## Gem-Wolf (May 20, 2016)

Well good then. But sorry, I'm not risking it at all. It's not worth it.


----------



## Jeffron (May 20, 2016)

Gem-Wolf said:


> Well good then. But sorry, I'm not risking it at all. It's not worth it.


Same, I'm considering changing the password I just did anyway.
I admit there were times I honestly wanted to leave FA; unlike DA, which honestly was easy for me, I feel like it'd be a lot harder to go.


----------



## Shaun Dreclin (May 20, 2016)

Stuff like this can take between an hour and a week. There's really no way to know haha


----------



## Gem-Wolf (May 20, 2016)

Jeffron said:


> Same, I'm considering changing the password I just did anyway.
> I admit there were times I honestly wanted to leave FA; unlike DA, which honestly was easy for me, I feel like it'd be a lot harder to go.


DA is no good for me. I'm a prOn artist, so I'm not really welcome over there.


----------



## Jeffron (May 20, 2016)

Shaun Dreclin said:


> Stuff like this can take between an hour and a week. There's really no way to know haha


Well shit, man. x-x I really hate that. Let's hope it only takes an hour!


----------



## Jeffron (May 20, 2016)

Gem-Wolf said:


> DA is no good for me. I'm a prOn artist, so I'm not really welcome over there.


Yeah, I once had a friend who got chased off there once, and she was like a sister. I know FA's community has a bad rep, but DA's so much worse in my opinion. Plus my brother almost caught a virus on it quite a few years ago.


----------



## Gem-Wolf (May 20, 2016)

Shaun Dreclin said:


> Stuff like this can take between an hour and a week. There's really no way to know haha


This is true, however I don't think it will take more than 24 hrs.




Jeffron said:


> Yeah, I once had a friend who got chased off there once, and she was like a sister. I know FA's community has a bad rep, but DA's so much worse in my opinion. Plus my brother almost caught a virus on it quite a few years ago.



Yep. DA are asshats


----------



## Jeffron (May 20, 2016)

Gem-Wolf said:


> This is true, however I don't think it will take more than 24 hrs.
> 
> 
> 
> ...




Exactly. But on FA I've made a lot of friends, which is why I just hate it when things get so bad I feel like I may have to leave. Especially with sites where I don't exactly feel like I'm at home.


----------



## Gem-Wolf (May 20, 2016)

Jeffron said:


> Exactly. But on FA I've made a lot of friends, which is why I just hate it when things get so bad I feel like I may have to leave. Especially with sites where I don't exactly feel like I'm at home.


Sorry to hear that


----------



## Jeffron (May 20, 2016)

Yeah. I'm honestly kind of shocked that FA's security hasn't improved much since the whole IMVU thing. Which I admit I got a few scares there too, a week before, when I got a popup while on FA. Though things like that have already been resolved, it seems like they only added more ads and didn't really do much with upgrades till now. I had to use Adblocker just to use this site again comfortably.

And now this crap happens. It's kinda..iffy to me.

I also spoke with a friend about the last time; she told me that the last time FA got leaked was in 2008.


----------



## Dragonley (May 20, 2016)

Well, if they have our email addresses we need to change ALL of the passwords associated with the email (if the password for FA is the same/similar to your other accounts). It's a smart move, annoying, but smart.


----------



## Jeffron (May 20, 2016)

Dragonley said:


> Well, if they have our email addresses we need to change ALL of the passwords associated with the email (if the password for FA is the same/similar to your other accounts). It's a smart move, annoying, but smart.



All passwords? You mean the ones that match? Or ALL of them? O___O


----------



## Dragonley (May 20, 2016)

Jeffron said:


> All passwords? You mean the ones that match? Or ALL of them? O___O



All that are the same or related. :V


----------



## Jeffron (May 20, 2016)

Dragonley said:


> All that are the same or related. :V



Well none of my passwords are the same.


----------



## Dragonley (May 20, 2016)

Jeffron said:


> Well none of my passwords are the same.



You're good then, dude~


----------



## Jeffron (May 20, 2016)

Dragonley said:


> You're good then, dude~


Cool. DAMN, that scared the SHIT out of me x-x

Any update on Twitter from the officials? Any word on their progress?


----------



## TheRedRaptor (May 20, 2016)

My confidence in this site's security is somewhat... lacking.
First the debacle a few years ago when a certain someone with administrator privileges logged in via an unsecured public wifi and had his password snatched, due to an (at the time) unencrypted login URL.
Now this bullshit.
I would suggest that the site administration lift their game; however, it seems they scored an own goal and lost it.


----------



## Jeffron (May 20, 2016)

TheRedRaptor said:


> My confidence in this site's security is somewhat... lacking.
> First the debacle a few years ago when a certain someone with administrator privileges logged in via an unsecured public wifi and had his password snatched, due to an (at the time) unencrypted login URL.
> Now this bullshit.
> I would suggest that the site administration lift their game; however, it seems they scored an own goal and lost it.



Yeah, this is pretty upsetting.


----------



## Piklz419 (May 20, 2016)

It's fucking pathetic how poorly FA is managed.

First I thought people were just full of it when they quit FA because of something silly, but now I really see why they do.
Stolen email addresses and passwords? What a way to fuck your community, guys.


----------



## Jeffron (May 20, 2016)

Piklz419 said:


> It's fucking pathetic how poorly FA is managed.
> 
> First I thought people were just full of it when they quit FA because of something silly, but now I really see why they do.
> Stolen email addresses and passwords? What a way to fuck your community, guys.



I honestly wanted to be very firm after all the weird things that happen... but I'm not gonna lie, it is pretty rough. If only the other places had a more active community.

I do agree with a lot of others that the supposed buyout from IMVU would mean that the site would get the security and upgrades because of help from bigger companies. What I wanna know is: why hasn't this become more of a thing? It seems like when the ads came, that's all it seemed to be, and occasionally the ads were pretty intrusive. But apparently the security has become really horrible on this site. So apparently that didn't get changed much, if at all.

So... I want to question just where exactly all this money is going?


----------



## Gem-Wolf (May 20, 2016)

Jeffron said:


> I honestly wanted to be very firm after all the weird things that happen... but I'm not gonna lie, it is pretty rough. If only the other places had a more active community.
> 
> I do agree with a lot of others that the supposed buyout from IMVU would mean that the site would get the security and upgrades because of help from bigger companies. What I wanna know is: why hasn't this become more of a thing? It seems like when the ads came, that's all it seemed to be, and occasionally the ads were pretty intrusive. But apparently the security has become really horrible on this site. So apparently that didn't get changed much, if at all.
> 
> So... I want to question just where exactly all this money is going?


IMVU doesn't give a flying rat's arse what happens to FA. As far as IMVU are concerned, we are just a tiny chip of their assets. We are dispensable, easily written off as surplus if need be.


----------



## Jeffron (May 20, 2016)

Gem-Wolf said:


> IMVU doesn't give a flying rat's arse what happens to FA. As far as IMVU are concerned, we are just a tiny chip of their assets. We are dispensable, easily written off as surplus if need be.


Then I must question WHY on earth Neer even accepted it? If IMVU isn't helping us, then there was nothing good about the whole thing.


----------



## Gem-Wolf (May 20, 2016)

Jeffron said:


> Then I must question WHY on earth Neer even accepted it? If IMVU isn't helping us, then there was nothing good about the whole thing.


$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$


----------



## Shaun Dreclin (May 21, 2016)

Piklz419 said:


> It's fucking pathetic how poorly FA is managed.
> 
> First i thought people were just full of it when they quit FA because of something silly but now i really see why they do.
> Stolen email addresses and passwords? What a way to fuck your community guys.



This had absolutely nothing to do with FA's staff. It was an exploit in a third party library. There was no way anybody at FA could have predicted that people would have access to the source code of the entire website.


----------



## PhantomBull (May 21, 2016)

Shaun Dreclin said:


> This had absolutely nothing to do with FA's staff. It was an exploit in a third party library. There was no way anybody at FA could have predicted that people would have access to the source code of the entire website.



Well, it really had to do with FA's staff. Having their code leaked should not be a problem if the code was robust enough... Wikipedia, for example, has all their code public, and that doesn't mean that it's not secure (it doesn't mean either that there are no bugs that can be exploited; every piece of software has bugs). The problem is that the existing bugs in FA's code were easier to find once the code was leaked.


----------



## Wakboth (May 21, 2016)

Reminder for everyone: the batteryhorsestaple thing is better than just using Password01 or HotHyenaHunk for your password, but to be really secure, you should use randomly generated passwords along the lines of P0@&^cMRNCT#fH%^1t or so.

But wait, Wakboth, I hear you say, nobody can remember even one of those, let alone a separate one for each and every account you have on every site and service! Well, yes, that's true. In today's world, after the big leaks over the last few years that revealed tons and tons of passwords, the hackers have a better idea of how people make passwords -- mnemonics, substitution schemes, and so on -- than ever before. It's _probably_ an exaggeration to say that any password that you can easily remember is inherently insecure, but we're getting closer to that point all the time.

Hence you should be using a password manager program like KeePass or similar. Or, in the case of an everyday user, write them all down in a notebook that you take good care of. That's a lot safer for most of us, in most situations, than using and re-using poor passwords online.


----------



## areoplain (May 21, 2016)

Coincidentally, the site LinkedIn has also had their user data compromised, starting from a couple of days ago or so, syncing perfectly with when the site went offline, which is odd and untimely. What's interesting is that I've seen several tweets from FA users claiming that their LinkedIn accounts had been breached, all of whom claimed it was due to the recent attack on FA, which is completely understandable given what's going on. Now, I'm not saying those particular cases _couldn't_ have been the result of FA being hacked (or a combination of both), but for anyone who has a LinkedIn account and has noticed any strange activity regarding their accounts, this _might_ be the more probable reason why.

I haven't seen anyone mention this, so I thought I would say something... Hope this information helps someone out there.


----------



## Shaun Dreclin (May 21, 2016)

Using randomly generated passwords is not acceptable for day to day use. Is it worth it for banks and other things involving money? Yes. But to remember a unique random password for every website is asking too much. Using a password manager program also has flaws, like only being able to access your accounts from a single machine.


----------



## noveltybest (May 21, 2016)

I know hackers would stoop this low. I mean, when I hear this I take precautions on all the sites I go to. Luckily I have more than one email address, so if I lose my accounts or get compromised I can change my passwords swiftly. Some of my passwords are a lot more different than others.


----------



## Nerts (May 21, 2016)

MaverickHunterDBoy said:


> https://twitter.com/i/web/status/733815239708397572
> 
> https://twitter.com/i/web/status/733816386124931072


Don't do this, you can, but it's a bad idea since you've effectively not changed the password.


----------



## coyoteOdin (May 21, 2016)

That is, if I changed the password on May 19, then I do not need to change it again?


----------

