I'm very sorry to announce that a serious bug was recently discovered in our forum software.
This bug might have allowed a hacker to access the email addresses, and encrypted passwords, of all members.
There are multiple reasons why this is not as bad as it seems:
- I have consulted the server logs, and have not found any proof that this has actually happened. In fact, all the attempts I have seen to exploit this bug happened after I had already applied a patch which fixed it. Every case I investigated that could have been an exploit attempt turned out not to be.
- Were the attack to be successful, only encrypted passwords and their salts would be exposed - not human-readable passwords. So, it would still take considerable effort to derive usable passwords from that information.
Again: I have no proof that this bug was exploited, or that any member information has actually been revealed to anyone. Someone claimed to have exploited the bug, but I have seen no evidence to support this claim.
So, this whole thing may well be a vast false alarm. If that is so, I hugely apologize.
Still, I feel it is my duty to let all ADISC members know the situation, even if nothing bad can be confirmed to have happened.
I also feel I need to take steps to ensure members' security, just in case the worst happens.
Everyone will need to set a new password, by using the forgot password page. Nobody will be able to log in until they do this.
Obviously, when choosing a new password, don't make it anything like the old one.
In fact, take this opportunity to make it a really strong password.
IRC / live chat users: If you sign onto ADISC automatically, be sure to update the password which you have set in your IRC client.
I would also ask everyone to please ensure their email account has a strong password.
A "strong" password is one that:
* contains lowercase letters, uppercase letters, numbers, and symbols
* is at least 8 characters in length
* is not the same as the password you use for any other service (e.g. your email password should NOT be the same as, or even close to, your ADISC password)
If you find yourself unable to reset your password using the forgot password page, then please contact me using this form, giving your username, the email on your account, your current email (one I can reach you at) and your date of birth.
Again, I hugely apologize for the inconvenience.
I realize that having to reset your passwords like this is a big chore, and, with any luck, it is all for nothing, because we were never exploited in the first place.
Still, since I cannot guarantee that, I hope you'll forgive the inconvenience of these steps, designed to protect your security and privacy.