Important ***PASSWORD SECURITY NOTICE***

Tex

O-F Administrator
Administrator
Tutorial Publisher
Joined
Oct 16, 2007
Messages
6,572
Reaction score
58
Points
123
Location
Houston
Website
youtube.com
***IMPORTANT PASSWORD SECURITY NOTICE***

Dear Orbinauts,

As with any web site, sometimes exploits are found. Today one was found on ORBITHANGAR.COM where someone was able to gain access to the user table containing passwords. Orbithangar is down while the exploit is addressed, however there is still a remaining threat for some users.

PASSWORDS COMPROMISED:
If you registered an account on Orbithangar using a hotmail email address BEFORE the user accounts were merged with O-F, then your password is likely compromised. If you are using the same password here on Orbiter-Forum (or any other website on the internet) which you were using on Orbithangar, then you should change your password every where it is used. Just to be clear, the only accounts affected are those which registered at Orbithangar using a hotmail email address before the accounts were merged with O-F. If you have re-used your Orbithangar password anywhere on the internet, then it should be changed as it is compromised.


We sincerely apologize for this issue, but assure you we are working hard to quickly address the problem. The user accounts who were specifically affected will be notified by email shortly.

Kind Regards,
O-F Staff
 

Orbinaut Pete

ISSU Project Manager
News Reporter
Joined
Aug 5, 2008
Messages
4,264
Reaction score
0
Points
0
I can't remember whether I used my Hotmail or Gmail address to register, however I do know that the password I used was NOT the password for either account.

Therefore, I should be safe, right?
 

dbeachy1

O-F Administrator
Administrator
Orbiter Contributor
Addon Developer
Donator
Beta Tester
Joined
Jan 14, 2008
Messages
9,164
Reaction score
1,500
Points
203
Location
VA
Website
alteaaerospace.com
Preferred Pronouns
He/Him
If you're in doubt, go ahead and change your passwords. However, as Tex pointed out, this exploit only affected a very specific group of users:

1) Your account was registered at Orbithangar before the accounts were merged with O-F,
AND
2) Your account was using a hotmail email address.

Unless both of these were true with your original Orbithangar account, you're fine.
 

RangerPL

Addon Consumer
Joined
May 25, 2008
Messages
345
Reaction score
0
Points
16
Location
Soviet bunker on Pluto
Better safe than sorry.

At least I'm sure I used gmail to register my account. It was the first thing I used my gmail account for.
 

fireballs619

Occam's Taser
Donator
Joined
Nov 4, 2009
Messages
788
Reaction score
4
Points
33
Was the person who was able to gain access to the passwords acting maliciously, or were they the ones to report the exploit?
 

Orbinaut Pete

ISSU Project Manager
News Reporter
Joined
Aug 5, 2008
Messages
4,264
Reaction score
0
Points
0
If I used my Hotmail address, then I know I didn't use my Hotmail password.

Therefore, I figure I'm safe, as O-F/OH are the only places that I've used that particular password – and I used a different E-mail address here on O-F.

My Hotmail would be safe as the password I used wasn't for that account.
 

Vash

OHM Administrator
Joined
Mar 26, 2008
Messages
189
Reaction score
2
Points
0
Location
In a cave, of course.
Website
www.orbithangar.com
Was the person who was able to gain access to the passwords acting maliciously, or were they the ones to report the exploit?

It was a malicious information gathering attack. Fortunately I was able to put a stop to it before it went too far. Unfortunately that came at the cost of me having to take the site offline, but better that than to have more user information harvested.

The attacker specifically targeted users with hotmail accounts, probably betting that he could determine the passwords that users registered on my site with and use them to log in to those e-mail accounts in order to do additional information gathering.
 

MJR

C++ developer in the mix
Addon Developer
Tutorial Publisher
Donator
Joined
Mar 19, 2008
Messages
2,460
Reaction score
5
Points
0
Location
United States
It was a malicious information gathering attack. Fortunately I was able to put a stop to it before it went too far. Unfortunately that came at the cost of me having to take the site offline, but better that than to have more user information harvested.

The attacker specifically targeted users with hotmail accounts, probably betting that he could determine the passwords that users registered on my site with and use them to log in to those e-mail accounts in order to do additional information gathering.
Thank you. Fortunately I have about 5 passwords and none repeat for the emails or Orbiter related stuff. I want to know why someone would do something like this.
 

n72.75

Addon Developer
Addon Developer
Tutorial Publisher
Donator
Joined
Mar 21, 2008
Messages
2,295
Reaction score
846
Points
128
Location
Biddeford ME
Website
mwhume.space
Preferred Pronouns
he/him
Why wasn't the database encrypted?????
 

James.Denholm

Addon ponderer
Joined
Feb 8, 2008
Messages
811
Reaction score
0
Points
0
Location
Victoria, Australia
Well, ultimately, anything can be decoded. Furthermore, if my understanding is correct, it's not like they will be able to easily determine the form of encoding used, as gibberish in one will most likely be gibberish in another, I assume.
 

JEL

Addon Developer
Addon Developer
Joined
Apr 23, 2008
Messages
674
Reaction score
0
Points
0
Location
in the cold Denmark
Website
www.jelstudio.dk
Do we just change the password for our forum-accounts here to fix things?

I just visited the hangar-site and even though I'm auto logged-in to it I can't change the password anywhere on that site.
When I click my account over there I can see my uploads but there's nowhere I can change or set a password.
 

dbeachy1

O-F Administrator
Administrator
Orbiter Contributor
Addon Developer
Donator
Beta Tester
Joined
Jan 14, 2008
Messages
9,164
Reaction score
1,500
Points
203
Location
VA
Website
alteaaerospace.com
Preferred Pronouns
He/Him
The reason you cannot change your password on Orbit-Hangar is because Orbit-Hangar and Orbiter-Forum accounts are linked: to change your Orbit-Hanger password, just change your Orbiter-Forum password.

However, to reiterate the point yet again, you only need to change your O-F/O-H password if 1) your account was registered at Orbithangar before the accounts were merged with O-F, AND 2) your account was using a hotmail email address. If both of those conditions are true for you, then you should change your O-F/O-H password. [In addition, if you are using the same password for Hotmail then you should change your Hotmail account password as well.] Otherwise, you do not need to worry about it.
 

Wishbone

Clueless developer
Addon Developer
Joined
Sep 12, 2010
Messages
2,421
Reaction score
1
Points
0
Location
Moscow
May I humbly inquire how long it may possibly take to fix the problem? Have got a new build and a new description, and perhaps a new screenshot that have to be uploaded :) :tiphat: :cheers:
 

dbeachy1

O-F Administrator
Administrator
Orbiter Contributor
Addon Developer
Donator
Beta Tester
Joined
Jan 14, 2008
Messages
9,164
Reaction score
1,500
Points
203
Location
VA
Website
alteaaerospace.com
Preferred Pronouns
He/Him
It's already fixed. Vash took down the database yesterday the second he discovered the attacker (I presume from the logs). Then he closed the security hole and restarted the database.
 

dbeachy1

O-F Administrator
Administrator
Orbiter Contributor
Addon Developer
Donator
Beta Tester
Joined
Jan 14, 2008
Messages
9,164
Reaction score
1,500
Points
203
Location
VA
Website
alteaaerospace.com
Preferred Pronouns
He/Him
To clarify another important point: O-F account passwords are encrypted via a one-way hash in the database, so even if an attacker were to somehow gain access to the O-F account database table he would be unable to determine your O-F/O-H password (one-way hashes are very difficult to crack). The exploit only affected old OrbitHangar logins (which were not encrypted with a one-way hash) that used a Hotmail email account. Based on empirical evidence it appears the attacker was a spammer/spambot attempting to harvest Hotmail account logins.
 
Top