
MiniMins Security Breach

Oh I didn't know about that, I stand corrected lol x
 
It was indeed because the WLS Community had grown so big. We moved to our new home in November 2009 ;)
 
It's the sister site to this, it's for all weightloss support, WW, SW, Cambridge etc. When the wls section got too big this site was set up xx
thanks for that I had never heard of it x
 
A lot of the emails are going to people's junk folder so it might have been sent there?
 
I check my junk before I delete & I haven't had one x
 
A lot of the emails are going to people's junk folder so it might have been sent there?

Not in mine :(

Ok, so it got too big, but I am sure I remember arguments! Unless I am going mad! i.e. those doing the ww, sw, cd way being upset that us 'cheaters' were on the same site etc. :rolleyes: :rolleyes:
 
Hi all,

A blanket email was sent to the 80,000 odd members. This mailing list took close to 15 hours to process and my own email is only starting to catch up.

The security breach has been fixed on MiniMins (as you will notice with the newer version of vBulletin). So it is safe to update your password on MiniMins.com now.

It was also closed here (arcade is disabled), but we are planning to upgrade WLSurgery on Friday to keep the sites even.

If you are/were a member of MiniMins and you used the same password anywhere else it is advisable to change it.

Due to the nature of email, despite how much I have tried over the last 6 months to register and verify my legitimacy with all email providers, some of it still goes to the Junk basket, or worse is deleted by the ISP before it even arrives at your inbox.

I am very sorry about the whole incident, and I have done everything in my power in the last 24 hours to rectify it.

Pierce
 
Aww Pierce I feel sorry for you now :eek:. Thanks so much for everything you do, I know it must be a struggle to keep such a big site up and running. I, for one, am extremely grateful for all you do, and thankful that you and Mini set up both sites in the first place. I'd be lost without them!!

Sorry for being grouchy about it!! xx
 
Thank you very much Pierce. And well done for the prompt action :) xxx
 
Does this mean our actual email address was exposed or just our username?
How can we find out if our details were exposed on the net?
 
If you were a member of MiniMins your email was exposed.

Your username was also exposed but it did not correlate with your email.
 
Encrypted passwords were exposed along with emails.

Usernames were listed but they did not correlate.
 
The password and the salt were released.

For example:

Let's say that your password is "Dog", and the server had a salt of "Cat".

When you log in, the server takes "Dog", joins it with "Cat" and then encrypts it like this: "encrypt('DogCat');"

Which returns a long string of about 42 characters. It is impossible to take these 42 characters and work backwards.

So somebody decrypting your password would have to run the encryption method until they break it.

In the security world there are 2 methods of attack.

The first method is to simply check every dictionary word, which is extremely fast.

The second method is to brute force it. For example:

encrypt('aCat');
encrypt('bCat');
encrypt('cCat');

until they get to your password. This shows how it is important to have a complex password like: saquq56r (randomly generated here: Security Guide for Windows - Random Password Generator).

There are 2 other methods but they are ineffective in this situation (one is to use a lookup table called a rainbow table, which is where you create all the possibilities beforehand, but as everybody's salt is unique it makes it pointless). The last one is to enter (the incorrect password) but a very long string of letters to force it to cause what is called a collision. (Great if you want to hack into the user's account on MiniMins, useless if you want to log into something else.)

The biggest issue of course with this is not that the MiniMins password was released; after all, what are you going to do after you log into MiniMins? But if the password is decrypted and becomes useful, that password may be common with other online accounts elsewhere.

Pierce
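
The salting scheme from the post above, as an added example that is not part of the original thread or the site's own code: it shows why a lookup table built for one salt finds nothing for a record stored with a different salt, and goes one step beyond the post with a stretched (PBKDF2) hash that makes each guess more expensive. SHA-256, the user names and the sample records are assumptions constructed for illustration; the post does not name the algorithm used.

```python
import hashlib
import hmac


def salted_hash(password: str, salt: str) -> str:
    # The post's encrypt('DogCat'): a one-way hash of password joined with salt.
    # SHA-256 is an assumed stand-in; the post does not name the algorithm.
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def verify(password: str, salt: str, stored: str) -> bool:
    # Login check: recompute the hash and compare in constant time.
    return hmac.compare_digest(salted_hash(password, salt), stored)


def build_lookup_table(words, salt: str) -> dict:
    # Precomputed hash -> word table. It is only valid for the one salt it
    # was built with, which is why unique per-user salts make it pointless.
    return {salted_hash(w, salt): w for w in words}


def stretched_hash(password: str, salt: str, iterations: int = 200_000) -> str:
    # Hardened storage (an addition beyond the post): PBKDF2 repeats the hash
    # `iterations` times, so every single guess costs that much more work.
    raw = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    return raw.hex()


# Constructed sample records: two users who chose the same weak password.
USERS = {
    "alice": {"salt": "Cat", "hash": salted_hash("Dog", "Cat")},
    "bob": {"salt": "Emu", "hash": salted_hash("Dog", "Emu")},
}


def demo() -> dict:
    # A table precomputed with the salt "Cat" matches only the record that
    # actually uses "Cat"; the same password under "Emu" is not found.
    table = build_lookup_table(["Dog", "Fish", "Bird"], "Cat")
    return {name: table.get(rec["hash"]) for name, rec in USERS.items()}


if __name__ == "__main__":
    print(demo())
```
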
 