AVS Forum and Home Theater Shack passwords compromised

rojo

Audioholic Samurai
So, I tend to use a common login and one of a short list of passwords among all the websites for which I'm required to log in. And damned if a forum provider didn't get breached, rendering my most common password useless. Logging into both AVS and HTS, you're greeted with a lovely "your password has been randomized. Click 'forgot password' to change it" message. Well, that's those two sites taken care of. But the attacker gained access to my username, email address, hashed (unsalted?) password, and other relatively inconsequential data. When the hash is broken, geez, there are literally hundreds of websites that use that same email address or username and password on which the attacker can impersonate me if I don't take action.

So all afternoon and evening I've been scrolling through my Firefox saved passwords list and logging into each site, one at a time, changing my password, and updating Firefox's stored password.

I've been bad, I know. I *should* use a truly random password unique to each website I visit. Problem is that my wife likes to take advantage of my escalated reputation and benefits for some sites, so she's often yelling across the house, "What's your Amazon password?" and similar. Additionally, I often log into accounts from computers or other devices where syncing the password list isn't practical. And I'm not old and pathetic enough to start carrying a diary of hand-written passwords yet.

Well, all whining aside, I guess one day of inconvenience after 20+ years of using the same passwords isn't as bad as it could've been. I've been pretty fortunate thus far. And thank goodness I happened to log into AVS today to catch it. I never received an email either from AVS or from HTS about the breach, despite the banners claiming that I should have. (Searched both Inbox and Spam, and nothing.)

Anyway, break's over. Time to get back to resetting.
 
Chu Gai

Audioholic Samurai
I have my passwords and other sensitive information on the DNC's server and in a secure room at Bill and Hillary's residence. No one can hack that.
 
shadyJ

Speaker of the House
Staff member
Both HTS and AVS have become so bloated with ads that it is obnoxious to visit them anymore. Maybe it's not so bad with an adblocker, but I'll be damned if I am going to install a program just to make a couple of websites bearable. I understand that ads are their source of revenue, but I think Audioholics has a better balance of ads vs. content.
 
rojo

Audioholic Samurai
Alright, let me vent about the VerticalScope data breach statement for a minute. In the "What the hell are we even doing" section, the page states:

We are in the process of implementing additional safeguards to detect, alert and mitigate any future brute force attempts...
... indicating that the vulnerability exploited during the breach was a brute force attack. Is that how you guys read it as well?

If I were administering a large database of account info and it were brute forced, I could either:

A. implement account lockouts after n1 failed attempts to log in within n2 minutes, having the account lockout time out after n3 duration
B. after n4 lockouts with no successful login in the interim, disable the account and re-enable only after 2-factor auth
C. secure the database so that a compromised user doesn't have rights to pull the entire database
D. parameterized queries to prevent SQL injection attacks
E. secure the database server box with Fail2Ban and PPK authentication
F. A through E
or
G. Increase user password complexity and expiration policies for every user, activating a level of intrusiveness not seen even with banks or hospitals, putting undue burden on the users with requirements that possibly wouldn't have stopped the February breach in the first place.

Yeah, let's go with G. Seems legit.

If I were admin on any forum using VerticalScope, I believe I'd be shopping for a different solution right about now. If I were VerticalScope, I believe I'd be shopping for a different admin right about now.
 
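The list above reads as a policy; here is what items A, B and D look like as working code. This is an added example, not code from the thread, from VerticalScope or from any of these forums. The thresholds (named after rojo's n1 to n4), the sample user and the in-memory SQLite table are all assumptions made up for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3
from collections import deque

# Policy knobs named after rojo's n1..n4; the values are assumptions.
N1_MAX_FAILURES = 5    # failures ...
N2_WINDOW_S = 300      # ... within this many seconds -> lockout (item A)
N3_LOCKOUT_S = 900     # lockout duration (item A)
N4_MAX_LOCKOUTS = 3    # lockouts with no success in between -> disable (item B)
PBKDF2_ITERS = 50_000  # deliberately slow; raise for production

def derive(password, salt):
    """Salted, iterated hash: a leaked row can't be cracked with one shared table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

def make_db(users):
    """In-memory users table filled from constructed (username, password) pairs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    for name, pw in users:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, derive(pw, salt)))
    return conn

def unsafe_lookup_sql(username):
    """Item D's anti-pattern, SQL built from the raw username; shown for contrast, never run."""
    return f"SELECT salt, hash FROM users WHERE username = '{username}'"

class LoginGate:
    def __init__(self, conn, clock):
        self.conn, self.clock = conn, clock   # clock: callable returning seconds (injected for tests)
        self.failures = {}      # username -> deque of failure timestamps (sliding window)
        self.locked_until = {}  # username -> when the current lockout expires
        self.lockouts = {}      # username -> lockouts since the last successful login
        self.disabled = set()   # usernames waiting on a second factor (item B)
        self._dummy_salt = os.urandom(16)  # unknown users cost the same as real ones

    def attempt(self, username, password):
        now = self.clock()
        if username in self.disabled:
            return "disabled"
        if now < self.locked_until.get(username, 0.0):
            return "locked"
        # Item D: parameterised query; the username never becomes part of the SQL text.
        row = self.conn.execute("SELECT salt, hash FROM users WHERE username = ?", (username,)).fetchone()
        salt, stored = row if row else (self._dummy_salt, b"")
        candidate = derive(password, salt)   # computed even for unknown users (no timing oracle)
        if row is not None and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            self.lockouts.pop(username, None)
            return "ok"
        # Item A: count failures inside a sliding N2-second window.
        window = self.failures.setdefault(username, deque())
        window.append(now)
        while window and now - window[0] > N2_WINDOW_S:
            window.popleft()
        if len(window) < N1_MAX_FAILURES:
            return "bad_credentials"
        window.clear()
        self.lockouts[username] = self.lockouts.get(username, 0) + 1
        if self.lockouts[username] >= N4_MAX_LOCKOUTS:
            self.disabled.add(username)   # item B: the N4-th lockout becomes a disable
            return "disabled"
        self.locked_until[username] = now + N3_LOCKOUT_S
        return "locked"

    def reenable(self, username, second_factor_ok):
        """Item B: a disabled account returns only after a verified second factor."""
        if not second_factor_ok or username not in self.disabled:
            return False
        self.disabled.discard(username)
        for state in (self.failures, self.lockouts, self.locked_until):
            state.pop(username, None)
        return True

def demo():
    """Walk the policy end to end on constructed data; returns every step's outcome."""
    clock = {"t": 1_000.0}
    gate = LoginGate(make_db([("rojo", "correct horse battery staple")]), lambda: clock["t"])
    out = [gate.attempt("rojo", "correct horse battery staple")]            # ok
    out += [gate.attempt("rojo", "wrong") for _ in range(N1_MAX_FAILURES)]  # 4x bad_credentials, then locked
    out.append(gate.attempt("rojo", "correct horse battery staple"))        # locked: the right password does not help
    clock["t"] += N3_LOCKOUT_S + 1
    for _ in range(N4_MAX_LOCKOUTS - 1):                                    # two more lockout-sized bursts
        out += [gate.attempt("rojo", "wrong") for _ in range(N1_MAX_FAILURES)]
        clock["t"] += N3_LOCKOUT_S + 1
    out.append(gate.attempt("rojo", "correct horse battery staple"))        # disabled
    out.append(gate.reenable("rojo", second_factor_ok=True))                # True
    out.append(gate.attempt("rojo", "correct horse battery staple"))        # ok
    return out
```

Two caveats a forum operator would want next to this. Per-username lockout is itself a denial-of-service lever (anyone who knows your username can spray wrong passwords and lock you out), and credential stuffing spreads a few attempts over many accounts rather than many over one, so the online counter should be paired with per-source rate limiting. And none of it helps once the table has already been dumped; at that point only item C and the salted, slow hash in `derive` matter, which is why the thread's "hashed (unsalted?)" question is the one that decides how fast those passwords fall.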
lovinthehd

Audioholic Jedi
Not surprising for Vertical Scope really. Who gives these forums any meaningful information or passwords?
 
rojo

Audioholic Samurai
Now that's funny!!! :D
Oh, you know, eBay rep, Amazon Prime, big box store membership, chain store rewards, and the list goes on. My credentials carry VIP treatment. I'm kind of a big deal. :)
 
Speedskater

Audioholic General
> Both HTS and AVS have become so bloated with ads that it is obnoxious to visit them anymore. Maybe it's not so bad with an adblocker, but I'll be damned if I am going to install a program just to make a couple of websites bearable. I understand that ads are their source of revenue, but I think Audioholics has a better balance of ads vs. content.

That's so, so true about AVS (haven't been to HTS in years).
Much of this clutter is getting smarter; they generate new crap so fast that adblockers can't keep up.
I'm getting messages from other forums about changing my passwords.
 