What's with the security breach headline and link at the top of the forum page?
What is going on with the big bold Security Breach headline and link in this forum?
"SECURITY AND DATA BREACH NOTIFICATION" "CLICK HERE"
What does the "Vertical Scope" security breach have to do with CMF?
Should we all be worried that our identities, and any personal information on this site, have been breached for exploitation?
Last edited by carverman; 2016-06-28 at 07:25 PM.
Carverman, the answers are pretty much in http://canadianmoneyforum.com/showth...ecurity-Update (well, maybe not all of them).
Sad state of affairs, BUT at least we were told AND passwords were automatically changed... after the horse left the barn, of course.
Honestly, passwords are getting stolen from lots of web sites we use. We just don't hear about all of them.
Again, it is vitally important that you don't use the same password at more than one place. Each password must be different, for your safety.
Totally impractical if one is registered on circa 100 sites. Use a password manager like LastPass if you want to have a different password for each site.
The password managers are a good option. Though I doubt people are registered on hundreds of sites.
There are other schemes too. One way is to combine a static password with some kind of variant mnemonic. If the static part is "mypassword", then on this web site you might use "cmforum$mypassword", whereas at Pinterest you'd use "pinteresting$mypassword".
This thwarts the problem of having identical passwords at different sites, and simplifies your memorization problem. I use prefixes/suffixes like those and find I can easily recall them, since the web site I'm visiting is a cue. Even when I totally forget and come back to a site after a year, in a couple of attempts I can replicate the right prefix/suffix.
Be aware that if the variant part is too obvious, you may merely have a false sense of security. If your password is ever compromised (as plain text, not hashed), then a too-obvious scheme of this nature will make both the static part and your algorithm obvious, and may thus lull you into a false sense of security. Of course, it depends on how interesting you are to the miscreant trying to then steal your (online) identity. If it is a bot that is mechanistically trying to see what harvested username and password combos can be used to unlock accounts on another site, you're probably safe - for now, at least. But if someone then or later applies targeted brain cells to break into james4beach, you're in trouble -- especially if you cheerfully shrugged off a notification years ago of a breach, since you had a "unique" password there.
Originally Posted by james4beach
I just want to post here to shed a little more light on the situation, at least as much as we can provide at the moment.
A 3rd party plugin that we and other networks use had its developers compromised. Their DB was breached and data was scraped. I can't ID the plugin as it's under legal investigation. However, I can say that it had access to user data because it functions separately from the vb software. Many plugins do this: chats, newsletters, mobile apps, etc. This is not an active breach; however, as a precaution we did initiate security updates including password changes and new password requirements.
Their system was compromised and they grabbed user data for us and thousands of others.
We cleared our part of the breach and went this route to further security.
This is also in place as many members on the internet use the same or similar passwords across all things they use.
Hackers who have access to these accounts, may be able to access other platforms where the same email and/or passwords are used.
Other platforms have been compromised as well, including Twitter, Linkedin etc. We are just trying to get ahead of this, and nip it in the bud as soon as possible.
We cannot go into detail at the moment as it is being dealt with on a legal level.
Though this breach happened in Feb, we were not notified until very recently. We worked hard to find a solution for this mess, and acted on it. Though it may not be ideal in some eyes, it is the best we have access to ATM.
Once the storm settles we may look into other methods for our security, but right now we ask that you be patient with us.
As for us not responding to members, you have to understand our community support team watches over many sites. Luckily this week and last, we have had many members from other teams offer help. With that said all emails sent to our Contact Us email will be dealt with. Granted, it may take a little time for us to get to all of them, but please be patient with us as we are working really hard to catch up and help everyone.
If there are any other questions/concerns/feedback, please feel free to post them here.
Thank you for your patience and understanding,