# Security Risk - Change your passwords



## Null (Feb 23, 2015)

So this afternoon at about 4pm CST the server went down. From what I've been able to see, the permissions of our database users were changed so that none of the applications could connect.

I haven't yet had time to read access logs or figure out what exactly happened, but from this alone I can infer that someone gained privileged access to the MySQL server. Someone has claimed responsibility for this, but usually they are technically incompetent and bluff constantly so I take it with a grain of salt. They also sounded _really adamant_ that I make this announcement, probably for publicity.

However, as a precaution:
*If you have used your forum password on another website, change it immediately.*

I can't verify that this person has anything. They've refused to show any proof that they were responsible for an attack, that they have our password salt, or any passwords at all. However, as a matter of precaution, this is the *best and most logical thing to do.*

Also, if you used a password here anywhere else, shame on you.

*Edit:* If you use Steam to sign in, you're fine.


----------



## DN 420 (Feb 23, 2015)

goddammit


----------



## RecordStoreToughGuy (Feb 23, 2015)

Good thing I used a password nobody can guess. It's the price of a large cheese pizza and two drinks where I work: Panucci's Pizza.


----------



## Hodor (Feb 23, 2015)

welp


----------



## Pikonic (Feb 23, 2015)

I've changed all the passwords for everything, especially the ones I didn't have to do. I wrote all my new passwords in one of those password protected electronic diaries from the 90s, put that in a safe, put the safe in a shed with a padlock, and fed the padlock key to my cat.
I think I'm good.


----------



## lynx (Feb 23, 2015)

Null said:


> Also, if you used a password here anywhere else, shame on you.



looking at you, @mapdark


----------



## AnOminous (Feb 23, 2015)

Null said:


> Also, if you used a password here anywhere else, shame on you.



What if I don't have a password?  (Steam login.)


----------



## Zim (Feb 23, 2015)

Good news - password is changed.
Bad news - whiteout is all over my screen.

What do?


----------



## Null (Feb 23, 2015)

AnOminous said:


> What if I don't have a password?  (Steam login.)


Then your password is never stored on our database. You are authenticated by Steam and it sends us a completely anonymous, temporary token that says you validated correctly. You have nothing to worry about.


----------



## Fantasma (Feb 23, 2015)

Heh, I haven't logged out of here since I made my account, and forgot my password. Had it saved in a doc and found out it was something pretty retarded that I've never used anywhere else. Happy day.


----------



## Connor Bible (Feb 23, 2015)

I'm in the clear. I haven't used my password for the Farms on any other site.


----------



## Joan Nyan (Feb 23, 2015)

No burglar would ever want anything in my accounts.


----------



## ToroidalBoat (Feb 23, 2015)

Once you read the access logs, I hope you'll update us with the situation.


----------



## Slowboat to China (Feb 23, 2015)

How odd. Why would anyone want to hack the Farms? It's not like we have secret nuclear launch codes or anything.

... right? Null?


----------



## Marvin (Feb 23, 2015)

Connor said:


> I'm in the clear. I haven't used my password for the Farms on any other site.


Thank god. Dude, I was so fucking worried, you have no idea.


----------



## Ouija Board (Feb 23, 2015)

I changed my passwords off the ones that I can think off the top of my head. I guess I will change my kiwi password.


----------



## Colress (Feb 23, 2015)

everything i use is useless anyways, so w/e


----------



## Chappy (Feb 23, 2015)

Not at all tech-savvy here. Do I even have to bother changing any passwords if this is just a throwaway account? I mean what use is a password if you don't even have an account for it?


----------



## Sir Walter Raleigh (Feb 23, 2015)

I know why my eBay account just bought three dozen Sonichu medallions now.  Is "deagleoscarwinnernewkaufman" a secure enough password?


----------



## Don't Call Anybody (Feb 23, 2015)

Listening to xkcd my professors finally paid off!


----------



## Ouija Board (Feb 23, 2015)

Yeah I tried changing my password but it's not letting me. I know what it is as it is simple but for some reason it's not letting me change it.


----------



## CWCissey (Feb 23, 2015)

Good thing I'm not so fucking stupid as to have the same password everywhere!


----------



## Wet (Feb 23, 2015)

CWCissey said:


> Good thing I'm not so fucking stupid as to have the same password everywhere!



Or use an email address with your real name. People usually overlook that one.


----------



## Datiko (Feb 23, 2015)

I used the same password elsewhere but it's one of my throwaway passwords in the same way "Datiko" is just a random name I chose.

As a security professional I can say it's unlikely they have the salt so there is very little risk. Still, it's better to be safe than sorry.

@Null How did they DDOS you though? I thought the KiwiForums were behind cloudflare. Did you keep the same IP after you enrolled? I'm interested in knowing more so I can ask the local cloudflare guys.


----------



## The Dude (Feb 23, 2015)

Woody Chan strikes again! Wait...


----------



## Vodka's My BFF (Feb 23, 2015)

Done and done. Thanks, Null!


----------



## Ouija Board (Feb 23, 2015)

It's also not letting me log in with my password on my phone. Null if you can can you PM me about it? I know you're busy and all but let me know either way.


----------



## dabluearmedbandit (Feb 23, 2015)

My friend and I totally sperged the fuck out thinking it had something to do with Deagle Nation. Thanks for clarifying, I was halfway finished on my Hater Hitlist.


----------



## Jumpin Jenkins (Feb 23, 2015)

Damnit, everything is the same password.


----------



## Yog-Spergoth (Feb 23, 2015)

Jumpin Jenkins said:


> Damnit, everything is the same password.



Quick! Protect the Jontron fanfiction!


----------



## LordCustos3 (Feb 23, 2015)

Can't think of any other sites that I use this password/username pair.


----------



## BadaBadaBoom (Feb 23, 2015)

Man, I'm getting kinda tired of coming up with long, impossible to remember passwords for the sake of security when servers just get hacked and it gets stolen anyway. 

Not blaming this site or anyone else's but come on, just let me use abc123 at this point, fuck.


----------



## cheersensei (Feb 23, 2015)

Considering half of my job is helping people reset passwords, it's probably high time I update all of mine. Never hurts to do so.


----------



## Null (Feb 23, 2015)

Datiko said:


> I used the same password elsewhere but it's one of my throwaway passwords in the same way "Datiko" is just a random name I chose.
> 
> As a security professional I can say it's unlikely they have the salt so there is very little risk. Still, it's better to be safe than sorry.


Yeah, that's what I think. The salt is in the config file and no damage to the system was done.



Datiko said:


> How did they DDOS you though? I thought the KiwiForums were behind cloudflare. Did you keep the same IP after you enrolled? I'm interested in knowing more so I can ask the local cloudflare guys.


Oh, I don't keep attack mode on all the time. Lower security levels of CF protected against early DDoS attacks but their later more effective ones required a different setup that's more intrusive to users, so I keep it off until they start.

From my tests the DDoS attacks last between 1 hour and 4 hours and they do it about once a month.

Also, the botnet is a real deal and from across the world so I feel this is a paid-for attack, as was whatever hit the DB.


----------



## Ouija Board (Feb 23, 2015)

Well until I get this figured out or whatever I'm not logging off.


----------



## Vodka's My BFF (Feb 23, 2015)

Radi Ashun said:


> Well until I get this figured out or whatever I'm not logging off.



I second this.


----------



## DX10 (Feb 23, 2015)

Does the ride ever end?


----------



## Null (Feb 23, 2015)

Radi Ashun said:


> Well until I get this figured out or whatever I'm not logging off.


Do you want me to email you a new random password?


----------



## Yog-Spergoth (Feb 23, 2015)

DX10 said:


> Does the ride ever end?



Never.


----------



## NZDROW (Feb 23, 2015)

I used a shitty throwaway password for this account, and this entire username and identity is completely synthetic and has never been brought up anywhere but here and on Lolcow/Mr Enter wikis.

Think I'm good.


----------



## Ouija Board (Feb 23, 2015)

Null said:


> Do you want me to email you a new random password?



Yes please and I will write it down where I can remember it.


----------



## _blank_ (Feb 23, 2015)

But this was my super special secret password of secrets.... nah, not really. Updated and will promptly forget it tomorrow morning so I'll spend half my day at work freaking out as to why I can't log in at my office until I remember, laugh lightly, and spend the rest of the week with my co-workers thinking I got super-tourettes.


----------



## hard2heart2heart (Feb 23, 2015)

I forgot what I changed my password to. Can I get an email with a new one?


----------



## captaincaveman (Feb 23, 2015)

Pardon my ignorance, but how at risk am I if I use the same/similar password for other accounts, but ones that have no relation to this username? Just to be safe I'm combing through my various accounts and updating their passwords anyway. It's been several years so they could use it. Thanks for the heads up, either way.


----------



## nyess (Feb 23, 2015)

I don't remember my password. Is it ok if I can be emailed a new one to replace my old one?


----------



## Vodka's My BFF (Feb 23, 2015)

captaincaveman said:


> Pardon my ignorance, but how at risk am I if I use the same/similar password for other accounts, but ones that have no relation to this username? Just to be safe I'm combing through my various accounts and updating their passwords anyway. It's been several years so they could use it. Thanks for the heads up, either way.



Email, love. I'm assuming, anyway.

EDIT: Better safe than sorry


----------



## Taily Puff (Feb 23, 2015)

Someone has my email and passwords?

Cue me having my very own horrorcow thread in 3...2....


----------



## Lipitor (Feb 23, 2015)

I wonder what percentage of you had "sonichu" as a password.


----------



## Yog-Spergoth (Feb 23, 2015)

Taily Puff said:


> Someone has my email and passwords?
> 
> Cue me having my very own horrorcow thread in 3...2....



 Why would you even do that to a hamster?!?


----------



## Holdek (Feb 23, 2015)

Thanks for the updates from everyone about their particular situation.


----------



## ULTIMATEPRIMETIME (Feb 23, 2015)

Are we sure that passwords were the only things affected?


----------



## The Phantom on the Hill (Feb 23, 2015)

Null said:


> Also, if you used a password here anywhere else, shame on you.


Sorry. ^^; I like to keep things easy to remember


----------



## Mitsunari (Feb 23, 2015)

Done. At least the important sites. Thanks for the warning, hope nothing happens.


----------



## Kamen Rider Black RX (Feb 23, 2015)

I hope this is all BS but I've still taken precautions. Changed passwords on this and other sites, changed my email's password and switched email for this forum to a new "for fun" account. Thanks for the warning, will await updates.


----------



## pickletickle (Feb 23, 2015)

So much for using QWERTY for every website


----------



## LordCustos3 (Feb 23, 2015)

lipitor said:


> I wonder what percentage of you had "sonichu" as a password.



godammit!


----------



## Bigguy28 (Feb 23, 2015)

Changed my password here and other important sites.


----------



## captaincaveman (Feb 23, 2015)

Vodka's My BFF said:


> Email, love. I'm assuming, anyway.
> 
> EDIT: Better safe than sorry



Yeah, I've changed password to important websites as well to err on the side of caution, and also changed the email address associated with this account.

Them danged dirty trolls.


----------



## Holdek (Feb 23, 2015)

My password is (spoiler: SonicsFleshColouredArms) and I refuse to change it!


----------



## Conrix (Feb 23, 2015)

Well shit I guess 8chan is about to find my collection of Sonic the Hedgehog and Molly Ringwald slashfics and tumblr full of dried catskins, I'm so becoming a lolcow now.


----------



## Shotgun Ronnie (Feb 23, 2015)

Nowhere else lets me use a password as autistic as I do on the Farms, sadly.


----------



## Broseph Stalin (Feb 23, 2015)

Let's say I used an alternate email to register for this site with a fake name and completely meaningless number in the name... Would that mean I'm still compromised?


----------



## 4Macie (Feb 23, 2015)

I changed my password and made it so good I already forgot it. As long as the site never logs me out, I think I'm good.
Here's hoping for the best!


----------



## Jewelsmakerguy (Feb 23, 2015)

Guess I should be thankful I use different passwords for every site I have an account on.


----------



## nesimatic (Feb 23, 2015)

Help me!!!!!!!!!! I don't know what to do!!!! I use the same password for literally everything, there are sites that I've joined that I can't even remember!!! Help me!!! How to know if someone is using it?????? I'm paranoid help!!!! Please!!!! How can I tell if someone took it? How do I delete this account? Will that help? I'm seriously crying my eyes out will someone please tell me what I should do.


----------



## DuskEngine (Feb 24, 2015)

All my important sites have different passwords. The Russians can have my GameFAQs account if they really want it.


----------



## Kamen Rider Black RX (Feb 24, 2015)

nesimatic said:


> Help me!!!!!!!!!! I don't know what to do!!!! I use the same password for literally everything, there are sites that I've joined that I can't even remember!!! Help me!!! How to know if someone is using it?????? I'm paranoid help!!!! Please!!!! How can I tell if someone took it? How do I delete this account? Will that help? I'm seriously crying my eyes out will someone please tell me what I should do.


Look at your list of saved passwords and go to any sites with the same as the farms and change them. That is, if they're connected to the email you use here.

Just wait and see what Null says once he looks over the logs. May be nothing.


----------



## nesimatic (Feb 24, 2015)

Kamen Rider Black RX said:


> Look at your list of saved passwords and go to any sites with the same as the farms and change them. That is, if they're connected to the email you use here.
> 
> Just wait and see what Null says once he looks over the logs. May be nothing.


I used a different e mail for this site than any other sites. I should just try to calm down, what are the chances that someone will steal my password and actually use my stuff?


----------



## Gaol (Feb 24, 2015)

good thing I use a different set of passwords for sites like these


----------



## Kamen Rider Black RX (Feb 24, 2015)

nesimatic said:


> I used a different e mail for this site than any other sites. I should just try to calm down, what are the chances that someone will steal my password and actually use my stuff?


You only have to worry about stuff connected to that email.


----------



## BiggerJ (Feb 24, 2015)

Slowboat to China said:


> How odd. Why would anyone want to hack the Farms?


It's pretty obvious.

1. The forums make fun of people and one of them (or, more likely, someone wanting to defend them) may have felt compelled to try and do something about us.
2. We don't tolerate shitty weens whose behavior fucks things up for the rest of us; one of them may have sought revenge.


----------



## nesimatic (Feb 24, 2015)

Kamen Rider Black RX said:


> You only have to worry about stuff connected to that email.


So if I only used the e mail I used here for sites I don't care about I should be okay right?


----------



## Kamen Rider Black RX (Feb 24, 2015)

nesimatic said:


> So if I only used the e mail I used here for sites I don't care about I should be okay right?


Right.


----------



## nesimatic (Feb 24, 2015)

Kamen Rider Black RX said:


> Right.


Oh, thanks that makes me feel a lot better. Well I'm going to change my passwords now.


----------



## Zvantastika (Feb 24, 2015)

Well, that sucks.

If someone received a message from me saying "you're a faggot" it wasn't me... unles you're a faggot, then it was really me... faggot.

But seriously though, I'm glad I noticed this now and not one month later. Time to change some passwords.


----------



## Null (Feb 24, 2015)

nesimatic said:


> Help me!!!!!!!!!! I don't know what to do!!!! I use the same password for literally everything, there are sites that I've joined that I can't even remember!!! Help me!!! How to know if someone is using it?????? I'm paranoid help!!!! Please!!!! How can I tell if someone took it? How do I delete this account? Will that help? I'm seriously crying my eyes out will someone please tell me what I should do.


1) take your medications
2) the person who attacked paid for their attack and even if they downloaded a complete copy of the database they would not be able to resolve your password because of our hashing algorithms.

just change your shit and stop being spastic. the only way to deal with problems is to deal with them.


----------



## The I Scream Man (Feb 24, 2015)

I ain't changin shit.  Come at me nerds.


----------



## Kamen Rider Black RX (Feb 24, 2015)

Null said:


> 2) the person who attacked paid for their attack and even if they downloaded a complete copy of the database they would not be able to resolve your password because of our hashing algorithms.


Did I miss something in chat?


----------



## Ruin (Feb 24, 2015)

It's TJchurch right?


----------



## pickletickle (Feb 24, 2015)

Went to rate that autistic spaz's post 'autistic' and it got deleted right as I clicked the icon. Glad @nesimatic has more sense than I thought. I was gonna suggest you might be halal for that horrific over share of information. The fact that you realized that error and deleted the comment restores a tiny bit of my faith...

Unless admin deleted it for being so autistic...in which case you still seem pretty halal...


----------



## nesimatic (Feb 24, 2015)

pickletickle said:


> Went to rate that autistic spaz's post 'autistic' and it got deleted right as I clicked the icon. Glad @nesimatic has more sense than I thought. I was gonna suggest you might be halal for that horrific over share of information. The fact that you realized that error and deleted the comment restores a tiny bit of my faith...
> 
> Unless admin deleted it for being so autistic...in which case you still seem pretty halal...


I deleted it, and who's halal?


----------



## Yog-Spergoth (Feb 24, 2015)

nesimatic said:


> I deleted it, and who's halal?



Halal is Farms shorthand for a lolcow that comes from our forums. Good on you for deleting it.


----------



## nesimatic (Feb 24, 2015)

Yog-Spergoth said:


> Halal is Farms shorthand for a lolcow that comes from our forums. Good on you for deleting it.


Thanks. That was pretty stupid of me to say all that.


----------



## Null (Feb 24, 2015)

Can you idiots stop shitting up this thread? He's just being weird. Stop trying to go cannibalistic on everyone.


----------



## Duke Nukem (Feb 24, 2015)

I do not know if they have anything, or what they might have, but I changed my entry codes regardless. It's something you should do from time to time anyway.

If the worst were to happen, there's probably not much I have that these guys would want anyway.


----------



## Save Goober (Feb 24, 2015)

Oh no, this was my bank account password. And my credit card and stocks and bitcoin and my white house internship logins. Sorry Obama


----------



## DuskEngine (Feb 24, 2015)

meltychocolate said:


> Sorry Obama


Shocking new Obama birth documents leaked by KIWI Terror brigade, more at 11.


----------



## QI 541 (Feb 24, 2015)

Passwords are generally encrypted when stored in a database so we're probably not completely fucked.


----------



## Save Goober (Feb 24, 2015)

DawnMachine said:


> Shocking new Obama birth documents leaked by KIWI Terror brigade, more at 11.


"The internet sleuths from something called Kiwi farm"


----------



## Cum Crime (Feb 24, 2015)

I highly recommend a program such as "KeePass" to generate secure passwords and keep track of them, along with the common sense necessary to understand that there are bad people on the internet and providing the same information to multiple websites can be used against you.


----------



## Some JERK (Feb 24, 2015)

BadaBadaBoom said:


> Man, I'm getting kinda tired of coming up with long, impossible to remember passwords for the sake of security when servers just get hacked and it gets stolen anyway.
> 
> Not blaming this site or anyone else's but come on, just let me use abc123 at this point, fuck.


http://www.passwordcard.org/en


----------



## Jomadre (Feb 24, 2015)

Thanks for the warning, I went ahead and checked my passwords real quick to make sure everything was good (it was)


----------



## CrispyBacon (Feb 24, 2015)

Cum Crime said:


> I highly recommend a program such as "KeePass" to generate secure passwords and keep track of them, along with the common sense necessary to understand that there are bad people on the internet and providing the same information to multiple websites can be used against you.


LastPass is another good one. I used KeePass for a few years but eventually switched to LastPass for the browser and mobile integration.


----------



## geewizz (Feb 24, 2015)

You might want to send an email out for inactive/rarely active users just in case.
In any case I wouldn't worry much. Most competent/willfully ignorant users these days use Decentralized NSA-backdoored password storing browser plug-ins super safe very friendly password managers like lastpass that auto generate random strings during account creation and store them. This is one of those unique situations where they actually prove useful.


----------



## DX10 (Feb 24, 2015)

I think I'm pretty safe. My name is a DirectX redistributable, my email is a 1950's song lyric that only gives you the full song when searched, and in reality I'm actually just a bunch of Cold War server banks left running in a dusty arcade. Plus my password is extremely homosexual. I'm totally safe.


----------



## Godot (Feb 24, 2015)

@Null my Facebook was apparently accessed by someone from Texas tonight so that could be related to the hacking. It was hacked like a month ago somehow and I changed my email and password to what I use on the farms (stupid I know) so I'm not really sure which hacking that it was related to but I figured you should know in case it is related to this event


----------



## Kazami Yuuka (Feb 24, 2015)

raymond said:


> Passwords are generally encrypted when stored in a database so we're probably not completely fucked.


I would hope the password hashes in the database are also salted as well. At least the passwords aren't plaintext entries, or else there would be serious trouble.


----------



## Peter Capaldi (Feb 24, 2015)

Well, I am happy I'm using Steam right now... I am too lazy to use different passwords everywhere (albeit I might add or remove a number every password), so that I am in the clear is definitely a good thing...


----------



## Stud2Stud (Feb 24, 2015)

So that's what Chris has been up to during his radio silence 

Either way, I'll change my exceedingly autistic password just in case.

But at least this thread brought the password storage function of Firefox to my attention, I didn't know about that. I've got a shitton of different passwords spread over many websites saved in my browser (which I realise is pretty dumb but oh so convenient) so I eventually lost track of a few important ones and was actually now able to retrieve them. 

People actually pay to attack this website? Goddamn, that's a new level of pathetic behaviour.


----------



## Silver (Feb 24, 2015)

I don't use different passwords because I'm naive and lazy, and always under the impression no one cares about _my_ shit to bother. Regardless, I've changed all the relevant passwords that I care about. (There's probably a shitton more that use that pass that I just can't remember lmao)


----------



## Mrs Paul (Feb 24, 2015)

Fuck, I don't even REMEMBER which password I used, and I used a variation on one password for a number of sites.  Fuck fuck fuck fuck FUCK.

I'm figuring my google account since it's my e-mail, and probably my Amazon password, my facebook and twitter accounts, but various message boards I visit, I'm not going to worry about those.  At least not right now.


----------

