Important ***PASSWORD SECURITY NOTICE***

Tex

O-F Administrator

Dear Orbinauts,

As with any web site, sometimes exploits are found. Today one was found on ORBITHANGAR.COM where someone was able to gain access to the user table containing passwords. Orbithangar is down while the exploit is addressed, however there is still a remaining threat for some users.

PASSWORDS COMPROMISED:
If you registered an account on Orbithangar using a hotmail email address BEFORE the user accounts were merged with O-F, then your password is likely compromised. If you are using the same password here on Orbiter-Forum (or any other website on the internet) which you were using on Orbithangar, then you should change your password everywhere it is used. Just to be clear, the only accounts affected are those which registered at Orbithangar using a hotmail email address before the accounts were merged with O-F. If you have re-used your Orbithangar password anywhere on the internet, then it should be changed as it is compromised.


We sincerely apologize for this issue, but assure you we are working hard to quickly address the problem. The user accounts who were specifically affected will be notified by email shortly.

Kind Regards,
O-F Staff
 

Orbinaut Pete

ISSU Project Manager
I can't remember whether I used my Hotmail or Gmail address to register, however I do know that the password I used was NOT the password for either account.

Therefore, I should be safe, right?
 

dbeachy1

O-F Administrator
If you're in doubt, go ahead and change your passwords. However, as Tex pointed out, this exploit only affected a very specific group of users:

1) Your account was registered at Orbithangar before the accounts were merged with O-F,
AND
2) Your account was using a hotmail email address.

Unless both of these were true with your original Orbithangar account, you're fine.
 

RangerPL

Addon Consumer
Better safe than sorry.

At least I'm sure I used gmail to register my account. It was the first thing I used my gmail account for.
 

fireballs619

Occam's Taser
Was the person who was able to gain access to the passwords acting maliciously, or were they the ones to report the exploit?
 

Orbinaut Pete

ISSU Project Manager
If I used my Hotmail address, then I know I didn't use my Hotmail password.

Therefore, I figure I'm safe, as O-F/OH are the only places that I've used that particular password – and I used a different E-mail address here on O-F.

My Hotmail would be safe as the password I used wasn't for that account.
 

Vash

OHM Administrator
Was the person who was able to gain access to the passwords acting maliciously, or were they the ones to report the exploit?

It was a malicious information gathering attack. Fortunately I was able to put a stop to it before it went too far. Unfortunately that came at the cost of me having to take the site offline, but better that than to have more user information harvested.

The attacker specifically targeted users with hotmail accounts, probably betting that he could determine the passwords that users registered on my site with and use them to log in to those e-mail accounts in order to do additional information gathering.
 

MJR

C++ developer in the mix
It was a malicious information gathering attack. Fortunately I was able to put a stop to it before it went too far. Unfortunately that came at the cost of me having to take the site offline, but better that than to have more user information harvested.

The attacker specifically targeted users with hotmail accounts, probably betting that he could determine the passwords that users registered on my site with and use them to log in to those e-mail accounts in order to do additional information gathering.
Thank you. Fortunately I have about 5 passwords and none repeat for the emails or Orbiter related stuff. I want to know why someone would do something like this.
 

n72.75

Move slow and try not to break too much.
Why wasn't the database encrypted?????
 

James.Denholm

Addon ponderer
Well, ultimately, anything can be decoded. Furthermore, if my understanding is correct, it's not like they will be able to easily determine the form of encoding used, as gibberish in one will most likely be gibberish in another, I assume.
 

n72.75

Move slow and try not to break too much.
Well, ultimately, anything can be decoded.

Hash collision and the pigeonhole principle prevent this as long as you're not using a lookup table.
 

JEL

Addon Developer
Do we just change the password for our forum-accounts here to fix things?

I just visited the hangar-site and even though I'm auto logged-in to it I can't change the password anywhere on that site.
When I click my account over there I can see my uploads but there's nowhere I can change or set a password.
 

dbeachy1

O-F Administrator
The reason you cannot change your password on Orbit-Hangar is because Orbit-Hangar and Orbiter-Forum accounts are linked: to change your Orbit-Hangar password, just change your Orbiter-Forum password.

However, to reiterate the point yet again, you only need to change your O-F/O-H password if 1) your account was registered at Orbithangar before the accounts were merged with O-F, AND 2) your account was using a hotmail email address. If both of those conditions are true for you, then you should change your O-F/O-H password. [In addition, if you are using the same password for Hotmail then you should change your Hotmail account password as well.] Otherwise, you do not need to worry about it.
 

Wishbone

Clueless developer
May I humbly inquire how long it may possibly take to fix the problem? Have got a new build and a new description, and perhaps a new screenshot that have to be uploaded :) :tiphat: :cheers:
 

dbeachy1

O-F Administrator
It's already fixed. Vash took down the database yesterday the second he discovered the attacker (I presume from the logs). Then he closed the security hole and restarted the database.
 

dbeachy1

O-F Administrator
To clarify another important point: O-F account passwords are encrypted via a one-way hash in the database, so even if an attacker were to somehow gain access to the O-F account database table he would be unable to determine your O-F/O-H password (one-way hashes are very difficult to crack). The exploit only affected old OrbitHangar logins (which were not encrypted with a one-way hash) that used a Hotmail email account. Based on empirical evidence it appears the attacker was a spammer/spambot attempting to harvest Hotmail account logins.
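The distinction dbeachy1 draws above (old OrbitHangar logins stored without a one-way hash, versus O-F passwords stored as one-way hashes), together with n72.75's caveat that a lookup table is what defeats a plain hash, as an added example that is not part of the thread and not the forums' own code. The thread does not say which hash O-F actually uses; the standard-library PBKDF2-HMAC-SHA256 below is a stand-in chosen for this example, and the user list, passwords and attacker wordlist are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data: not real Orbit-Hangar / Orbiter-Forum accounts.
USERS = {
    "alice@hotmail.com": "password123",
    "bob@hotmail.com": "orbiter2012",
    "carol@gmail.com": "Xq7!vL#2pR9z",
}

# A small attacker wordlist (constructed; real ones hold millions of entries).
WORDLIST = ["123456", "password", "password123", "orbiter", "orbiter2012", "qwerty"]


def store_plaintext(users):
    """How a user table that holds the password itself behaves: a dump of
    the table IS the credential, no cracking step is needed."""
    return dict(users)


def store_unsalted_sha256(users):
    """One-way hash but no salt: equal passwords give equal hashes, and a
    table precomputed from a wordlist reverses every common value in O(1)."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def store_salted_pbkdf2(users, iterations=200_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256,
    a stand-in; the thread does not name O-F's real algorithm).
    Each record keeps (salt, iterations, digest)."""
    records = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        records[u] = (salt, iterations, digest)
    return records


def verify_pbkdf2(record, candidate):
    """Constant-time comparison so verification does not leak the digest."""
    salt, iterations, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(probe, digest)


def build_lookup_table(wordlist):
    """Precomputed once by the attacker, independent of any particular dump."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}


def crack_with_lookup(hashed_table, lookup):
    """Cost per dumped unsalted hash: one dictionary lookup."""
    return {u: lookup[h] for u, h in hashed_table.items() if h in lookup}


def crack_pbkdf2_with_wordlist(records, wordlist):
    """With per-user salts the precomputed table is useless: the attacker must
    run the slow KDF once per (user, guess) pair. Returns (recovered, kdf_calls)."""
    recovered, kdf_calls = {}, 0
    for u, rec in records.items():
        for w in wordlist:
            kdf_calls += 1
            if verify_pbkdf2(rec, w):
                recovered[u] = w
                break
    return recovered, kdf_calls


def demo(iterations=10_000):
    """Run the three storage schemes against the same wordlist attacker."""
    lookup = build_lookup_table(WORDLIST)
    plain = store_plaintext(USERS)
    unsalted = store_unsalted_sha256(USERS)
    salted = store_salted_pbkdf2(USERS, iterations=iterations)  # lowered for speed
    salted_cracked, kdf_calls = crack_pbkdf2_with_wordlist(salted, WORDLIST)
    return {
        "plaintext_exposed": len(plain),                      # all of them, for free
        "unsalted_cracked": crack_with_lookup(unsalted, lookup),
        "salted_cracked": salted_cracked,
        "salted_kdf_calls": kdf_calls,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The honest result is that salting and a slow KDF do not rescue the two weak passwords, which fall to the wordlist either way; what they remove is the attacker's ability to precompute and to amortise work across users, so every user costs a fresh pass through the wordlist at the KDF's full price. The strong password survives in both hashed schemes and is exposed only in the plaintext table.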
 