Important ***PASSWORD SECURITY NOTICE***

To put an exact date on it, O-F and O-H accounts were merged on December 27, 2009. So if you joined O-H/O-F after that date you are fine even if you used a Hotmail email account.
 
Why wasn't the database encrypted?????

To clarify another important point: O-F account passwords are encrypted via a one-way hash in the database, so even if an attacker were to somehow gain access to the O-F account database table he would be unable to determine your O-F/O-H password (one-way hashes are very difficult to crack). The exploit only affected old OrbitHangar logins (which were not encrypted with a one-way hash) that used a Hotmail email account. Based on empirical evidence it appears the attacker was a spammer/spambot attempting to harvest Hotmail account logins.

To further clarify, the Orbit Hangar Mods database also stores passwords using a one-way hash and these are the values that the attacker stole.

One-way hashes can be defeated by building a lookup table. If the attacker has a robust enough lookup table, he can easily dereference all of the values that he stole. Orbiter-Forum accounts are safer since the forum also uses a salt value combined with your password (which is different for each user) when the hash is created. This means that the attacker would have to create a new hash table for every single account he wishes to crack, making things a bit impractical.
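The difference the post describes, shown in code. This is an added example, not code from Orbiter-Forum or Orbit Hangar Mods: it uses a constructed five-word wordlist as the attacker's lookup table and three made-up accounts, and it uses plain SHA-256 for both the unsalted and salted variants so the effect of the salt alone is visible (a production site should use a slow key-derivation function such as hashlib.pbkdf2_hmac rather than a single SHA-256).

```python
import hashlib
import hmac
import os

# Constructed wordlist: stands in for the attacker's precomputed lookup table.
COMMON_PASSWORDS = ["password", "123456", "orbiter", "letmein", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Plain one-way hash, no salt: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """One hash->password table, computed once, valid against every unsalted account."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password: str, salt: bytes) -> str:
    """Hash of a per-user salt plus the password (SHA-256 only to keep the demo short;
    real deployments should use a slow KDF such as hashlib.pbkdf2_hmac)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def new_salted_record(password: str, salt=None) -> dict:
    """Store what a salted forum stores: a random salt and the salted hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_login(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(record["hash"], salted_hash(candidate, record["salt"]))


def recover_from_unsalted_dump(dump: dict, table: dict) -> dict:
    """What a stolen unsalted table gives away: every account whose hash is in the lookup table."""
    return {user: table[h] for user, h in dump.items() if h in table}


def recover_from_salted_dump(dump: dict, table: dict) -> dict:
    """The same shared table run against salted records: the salts make the hashes unmatchable."""
    return {user: table[r["hash"]] for user, r in dump.items() if r["hash"] in table}


def distinct_salts(dump: dict) -> int:
    """Each distinct salt forces a separate table, so this is the attacker's extra work factor."""
    return len({r["salt"] for r in dump.values()})


# Constructed accounts; two users chose the same weak password.
ACCOUNTS = {"alice": "orbiter", "bob": "orbiter", "carol": "Zq9!vNp3#tL"}
UNSALTED_DUMP = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
SALTED_DUMP = {u: new_salted_record(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted dump recovered:", recover_from_unsalted_dump(UNSALTED_DUMP, table))
    print("salted dump recovered:  ", recover_from_salted_dump(SALTED_DUMP, table))
    print("tables needed for the salted dump:", distinct_salts(SALTED_DUMP))
    print("bob can still log in:", verify_login(SALTED_DUMP["bob"], "orbiter"))
```

Run as-is: the unsalted dump gives up both accounts that share the weak password (their hashes are identical, so one table entry covers both), the salted dump gives up nothing to the same table, and each account would need its own table because each has its own salt. Login verification still works because the site keeps the salt next to the hash.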

The attacker who stole the OHM passwords associated with Hotmail accounts may or may not have the capability of decoding those passwords. So, to be on the safe side, I asked Tex to write up that announcement which was posted yesterday afternoon.
 
O-F Staff Note: Removed seven off-topic/spam posts in this thread. As this is an announcement thread let's please keep posts on-topic and relevant. Thanks.
 