The Two Plus Two Forums have been hacked, and the forums have been taken down by the admins to prevent further damage. The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, having the hashed password together with its salt lets the hacker recover plaintext passwords by guessing offline, as fast as the hash function allows. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing, and other things.)
In other words, you should assume that there is currently a hacker that knows your 2p2 username, your e-mail, and your 2p2 password. That’s really bad. This isn’t your standard cryptonerd/privacy nut’s rant that makes you do a lot of work to prevent a potential attack that may or may not come and that you don’t understand; this is a situation in which a very serious hacker has already done the attack. Apologies in advance for the bold and all caps and stuff.
So, right now, here’s what you should do:
First, if you use the same password on 2p2 and some other site(s), change the password on the OTHER site(s) IMMEDIATELY. If you don’t know what your 2p2 password is, go to 2p2 (whose forums are down but whose servers are still up), log out, and then try logging in again to check your password. If you have the same password across a large number of accounts, use the following priority when changing passwords: 1) e-mail address(es), 2) bank account(s), 3) poker sites, 4) sites that have your credit card number stored (e.g., Amazon), and 5) everything else. For advice on how to choose a good password, see this blog post.
However, do not change your password on 2p2. As far as I know, the vulnerability still exists, so changing your 2p2 password will just give you another potentially compromised password to worry about. And, the 2p2 forums are down right now, so there’s no reason to worry about someone using your account. You obviously will want to change your password eventually, but now is not the time. If 2p2 responds to this properly, you’ll be forced to change your password there once the vulnerability is found and fixed, so you don’t need to worry right now.
That’s by far the most important thing. So, go do that. Seriously… go do that. I’m not being a crypto nut.
Now, here’s some other stuff that you should do, though they’re less urgent (and in descending order of importance):
- Quit using the same password for lots of stuff (if you do). This will not be the last time that this happens. The huge problem with passwords is that the server has to store (some version of) them in order for them to be useful. (There are cool cryptographic ways around this, but that’s for another post, and nobody uses them yet.) When information exists, people get access to it–especially when it comes with a big sign on it that says “This information can be used to earn lots of money.” Password leaks happen really really often. Don’t put all your eggs in one basket because, when it comes to password security, baskets get stolen really frequently.
- Change the password on the e-mail that you use for 2p2 to something secure. While the hacker has no immediate access to this if you use a different password, a hacker with your e-mail address is a scary thing. E-mail addresses are really really important things to keep secure because a lot of accounts can be easily accessed through your e-mail address (e.g., your poker accounts). So, this is a nice time to remember basic password security, which means changing your passwords frequently (e.g., now) and using secure passwords. Again, see my previous post about secure passwords. If you’re not sure what e-mail you used for 2p2, you should have recently received an e-mail from firstname.lastname@example.org or you will receive one shortly. The address that received this e-mail is the one whose password you should change.
- Change your other important passwords similarly. Again, see my previous post about secure passwords; it’s really not a hassle at all to have a secure password if you follow good advice instead of the standard stupid “Use lots of gibberish with special characters and weird capitalization” advice.
- If you’re a high stakes player, a moderator, or otherwise someone whose account may have been interesting to the hacker, worry about what was in your PM box. If I were a hacker (and had fewer scruples) who had access to durrrr’s 2p2 password, for example, I would have downloaded his PMs. There’s some reason to believe that this hacker was familiar with 2p2 and the poker community, so it’s not too far-fetched to think that he may have had this idea. He had access to the forums for long enough to have downloaded a lot of PMs.
- Keep forgetting that 2p2’s down, opening it up, and then getting really pissed off. That’s not actually advice; it’s just what I’ve been doing.
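To make the first point concrete (why a leaked hash plus salt is nearly as bad as a leaked password when the hash is md5, and why servers storing "some version" of the password is the root problem), here is an added example that is not from the original post or from vBulletin. It assumes the vBulletin 3/4 scheme md5(md5(password) + salt), uses a constructed sample record, and compares how many candidates per second one core can check against that record versus the same record protected by a deliberately slow KDF (PBKDF2-HMAC-SHA256).

```python
import hashlib
import hmac
import time


def vbulletin_hash(password: str, salt: str) -> str:
    """Salted MD5 in the vBulletin 3/4 style: md5(md5(password) + salt), hex-encoded."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: str, iterations: int = 200_000) -> str:
    """Same inputs, but through a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations).hex()


def check_password(hash_fn, stored_hash: str, salt: str, candidate: str) -> bool:
    """The check a login form runs: recompute with the stored salt and compare.
    Whoever holds a leaked (hash, salt) pair can run this same check offline,
    so the only defence left is how expensive hash_fn is per call."""
    return hmac.compare_digest(hash_fn(candidate, salt), stored_hash)


def guesses_per_second(hash_fn, salt: str, budget: float = 0.25) -> float:
    """Candidates per second one CPU core can test against one leaked record.
    A defender wants this number small; md5 makes it enormous."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        hash_fn(f"candidate-{n}", salt)   # constructed filler guesses, just for timing
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = "a1b2c3"                       # constructed sample salt
    leaked_md5 = vbulletin_hash("hunter2", salt)      # constructed sample record
    leaked_kdf = pbkdf2_hash("hunter2", salt)
    assert check_password(vbulletin_hash, leaked_md5, salt, "hunter2")
    assert check_password(pbkdf2_hash, leaked_kdf, salt, "hunter2")
    md5_rate = guesses_per_second(vbulletin_hash, salt)
    kdf_rate = guesses_per_second(pbkdf2_hash, salt)
    print(f"salted MD5:            ~{md5_rate:,.0f} guesses/s per core")
    print(f"PBKDF2-SHA256 (200k):  ~{kdf_rate:,.1f} guesses/s per core")
    print(f"slowdown from the KDF: ~{md5_rate / kdf_rate:,.0f}x")
```

The salt stops a precomputed table from covering every user at once, but it does nothing about per-user guessing speed; only a slow, tunable hash (PBKDF2, bcrypt, scrypt) changes that number.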