SECURITY ALERT!! -- Please Read!!

[JLC]

Spammers....the parasitic slime of all good internet sites....have found a new technique for infiltrating our site and spreading their filth.

I highly encourage...strongly encourage...EVERYone who reads this, if you have a registered account here at BP.net, whether you post every day, or just lurk and read (especially if you just lurk and read, I fear) CHANGE YOUR PASSWORD. Make it something truly secure, with a mix of uppercase and lowercase letters, numbers, special symbols and no obvious, actual words.

Hopefully our tech guy can find this security leak and plug it up tight. I don't really know how this is being done. But changing to a truly secure password is the first logical step to keeping the bad guys out.

[WarriorPrincess90]

Are they hacking legitimate accounts?

[George1994]

Wait, are they getting the passwords of users and taking over their accounts? Could they not just be poor passwords that have been brute forced or figured out from patterns of passwords or even commandeered email accounts? If that is the case, it may not be the sites issue.

[Tsanford]

So is the security flaw only effecting weak passwords? If our password already meets your description above does it still need to be changed?

[George1994]

It is always good to be safe, however, even if anyone has gotten any access to the site, the passwords shouldn't be stored in plaintext, and should be encrypted. Which they most likely are.

[JLC]

Wait, are they getting the passwords of users and taking over their accounts? Could they not just be poor passwords that have been brute forced or figured out from patterns of passwords or even commandeered email accounts? If that is the case, it may not be the sites issue.

We don't know yet. The problem MAY be poor passwords that have been "brute forced" and that is the reason for this warning. If you have a weak password, it needs to be changed.

Yes, our password database is encrypted. I can't tell anyone what their password is. I can only change them if one gets forgotten. I really don't think the security breach is THAT big that they've gotten into all the actual account keys. But they've gotten into SOME, and until we know why and how, it behooves everyone to make sure they have something not easily forced.

If you already have one that you feel is sufficiently strong, it should be fine. If they can see past the encryption and look at everything anyhow, then changing it wouldn't make much difference anyhow.

[George1994]

Nice, this is good news. I doubt they have managed to get the keys, and the sure as hell haven't beaten the encryption haha! My first guess was either brute forcing or people using the same passwords etc. Thanks for the news.

[wolfayal]

I only really use my account for lurking and reading purposes, but I did receive an email on 2/12 letting me know someone had unsuccessfully tried to log in to my account. Do you all need/want me to forward it on to you?

[mlededee]

This is most likely a matter of accounts with very weak passwords like "password" becoming compromised. However, the fact is, spammers are gaining access to some accounts and it is in everyone's best interest to make sure they have a strong password as mentioned above and it never hurts to update your password to something new just to be on the safe side. If you received an email about someone attempting to log in to your account you should most definitely change your password to something as secure as possible.

[mlededee]

We have updated files and changed some settings, so at this point we should be good to go. There were never any security breaches or anything serious, this was just a straightforward dictionary attack that likely picked up on a few accounts with easy passwords. If you have a super simple password, it would still be a good idea to change it to something more secure, but that is true for any web site. If you receive any suspicious private messages in the future please report them and we will take care of the issue right away.