Confused By Major Geeks E-mail?

Hi.
I had an e-mail tonight apparently from Major Geeks telling me of security issue.
It told me that ALL accounts would be forced to have a password change.
So I came straight here and logged in............... using my old password!
Any clue any one?
Thanks

 

Not only that, but I cannot even find a password or account change form anywhere on the site. Guess its hidden somewhere ....

 

Ok, I found it. Click on your username when logged in.

I hate "hidden" links like this. Why not an "Account" link ?

 

I haven't been looking to change my password. I was just surprised that I could log in with my old password as the e-mail inferred that it wouldn't be possible.
Either the e-mail is fake, they've sent it out before they have set up properly or there's still a major security issue??

 

I agree, but whatever, it would be a good idea to change your current password too, the trick was to find out how to do it.

 

I had never received an e-mail from noreply@majorgeeks.com, so I thought it was a phishing scam, deleted it, and went here. Apparently it was real. You dont know until your know.

 

Hi Tim.
I am an 'old' member.
I shall change my password.
What puzzles me is why did the e-mail say I would be forced to change my password but I wasn't?
Something obviously isn't right, is it?

 

sobeit it makes sense to allow people to log in with old password and then they can change it for security purposes. All passwords on every site and email should be changed often anyway.

 

katkat. I don't think you have the gist of my original question.
Did you get the e-mail in question?
If you did you will see that it is saying that when you attempt to log on to MG you will NOT be able to use your old password.
You will be forced to change it.
That isn't happening.
I logged on using my old password so the security measure that is supposed to be in place stopping the compromised passwords from being used isn't in place.

 

XenForo uses a different password hashing to vBulletin 3 and they cannot be changed manually. The staff setup a forced pass change mod but it's possible you clicked somewhere else and it only shows first time on login. That's the only option sadly to force users to change pass. I'm not staff here so please don't confused just trying to help.

For other users who read this and can't find the pass change hover over your username and click password, Under there you will be prompted for your old pass and an option to input a new secure password. (Remember not to reuse password's that's unsafe.)

 

What they're talking about is exactly what happened to me when I got it. The prompt came up saying I had to change my password before I logged in. Instead of creating a new one, I typed my current one in the box (I had just changed it a couple of days before), and it let me log in. I've been logged in using that same password ever since. It's really too bad all of us are logged in already so we don't see the prompt again, or you'd be able to see what we're talking about. It looks like you have to create a new password to log in, but if you type your current password into the box you're logged in, and there is never again a prompt to change it.

I was confused and mentioned it immediately, and I am all too familiar with forums, their software, and computers. The email and also the prompt clearly state you have to create a new password to continue, but that's not actually true, thus the confusion.

 

OK. There seems to be some confusion.
Either I'm not explaining myself very well or my posts are appearing in Latin!
So I have copied the exact wording from the e-mail (see below).
When I read the e-mail I came to this site and typed in my user name and password as I have always done.
I was expecting a message telling me I had to change my password before I could log on.
The bold sentence below states that all old passwords would be rendered useless.
This obviously isn't the case and so I posed the question, why?
I didn't get any prompt or any other message, I just logged on as usual.

Laura R you say that there is nothing that can be done to stop people using their old password, it's the software.
As you can see in the e-mail below, that isn't what MG are saying.
Also, is it really so hard to override a users password using software?
For me, yes, but for these boffins.................?
Of course I will change my password, no hardship, but that was one confusing message.
As it didn't do what it said I had no idea that it was genuine.



Unfortunately, it has been brought to our attention that there may have been a data breach of our old 3rd party forum software (vBulletin 3.x) someplace around November of 2015.

According to credible reports, a hacker was able to gain access and export a list which included; user name, registered email and encrypted passwords. Encrypted or not, as a rule you should assume the password is possible to decrypt and protect against it.

As such we have instituted a policy that will force a password change on all accounts, rendering the old password useless. Our new forums software also allows for two-step authentication of user accounts, if you desire higher security.

Unfortunately, many people use the same user/password combination at multiple places. So, you should take care to change your passwords on systems which did in fact use the same password you used at the MajorGeeks Forums.

If you have any questions, please email me (jim@majorgeeks.com) directly.

Our sincere apologies for the inconvenience.

Jim and Tim.

 

As soon as I saw the first thread on this subject, I was already logged and reading the forum, I immediately changed my password. That happen before the email was sent but since my password was only a couple days old I did not need to change it.
I understood what you posted. You can't log into the site without a password. You used your old one. As mentioned already you should change it.

 

katkat.
I understand your concern, however, I only posted the question to find out
1. Was the message genuine. That it gave information that wasn't correct was a concern.
2. Did the mods know that what was supposed to happen wasn't happening. So far I haven't seen an answer.
The e-mail was sent to me yesterday at 18:55 UK time. I assume it was sent to all at the same time?
I know about security so I'm ok on that score.
The idea to stop any old passwords from being used was the right course of action.
This would stop the hackers from logging on and looking at any personal info a user may have entered.
It hasn't been implemented so those that don't know about the security breach are still at risk.

Tibbs, mocked on this thread? where? I haven't read such a post. Though the way posts are read can be subjective of course.

 

You might find the answer in the discussion on the other thread on this same topic.

http://forums.majorgeeks.com/index.php?threads/majorgeeks-com-support-forum-pwned.297230/

 

Just an FYI, I have had a login since 2009, tho seldom used... Guess I just post to the main DL pages mostly.
Anyway, I received an email also, alerting me to a hack or breach, info being (just so we all know what notice is being discussed):

Subject: Security Information From MajorGeeks Forums.
Sent: Mar 8 2016 at 10:25 AM
From: Major Geeks <noreply@majorgeeks.com>
Text:

Unfortunately, it has been brought to our attention that there may have been a data breach of our old 3rd party forum software (vBulletin 3.x) someplace around November of 2015.
According to credible reports, a hacker was able to gain access and export a list which included; user name, registered email and encrypted passwords. Encrypted or not, as a rule you should assume the password is possible to decrypt and protect against it.
As such we have instituted a policy that will force a password change on all accounts, rendering the old password useless. Our new forums software also allows for two-step authentication of user accounts, if you desire higher security.
Unfortunately, many people use the same user/password combination at multiple places. So, you should take care to change your passwords on systems which did in fact use the same password you used at the MajorGeeks Forums.
If you have any questions, please email me (jim@majorgeeks.com) directly.
Our sincere apologies for the inconvenience.
Jim and Tim​

Came here, logged in and thought I would get an alert, or see a prominent notice. But nothing caught my attention. So I changed my password.
I was just expecting there would be some kind of noticeable blurb or blinkin' box ... ;-)

Anyway, hope all is good and secure now.
Best,