Important: Your TCF account and security

Tunnel King

Queen Bee
Administrator
Good day, Terrarians,

Some of you have become aware of a recent incident involving CloudFlare, the content delivery network that we use for security and reliability of our site.

** We have no indication at this time that any TCF personal information was exposed by this incident **

To put the extent of this incident in proper perspective:
The greatest period of impact was between February 13 and February 18, with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests).
The incident report also states that the leak was identified and plugged, and is no longer considered a threat. This affected all sites protected by CloudFlare - Reddit has been identified as one of those. (Sorry, I have no idea how to identify other sites affected, other than if they communicate publicly about it.)

Purely as a precaution, a general TCF forum logout was forced, and the forum staff has been requested to change their passwords. We firmly believe we are safe, but we remain vigilant.

We are not requiring the regular membership to change their passwords at this time. That said, it is generally a good idea to change passwords regularly, and not use the same passwords for multiple sites (especially sites that contain sensitive/financial information).

[I'm going to post this now to allay immediate concerns, but I will be adding some thoughts on recent Yahoo! breaches as well.]

Update - more general information about the incident:

Issue report from the Google Project Zero folks who discovered the incident

A work-in-progress list of sites that may have been affected by this incident

Again - we feel that the chances that this affected any individual TCF user - here or elsewhere - are exceedingly small, but not zero.

=============================

We do suggest that you consider changing your password for TCF, and for any other site you use that may be affected. Some of the sites that may be of primary interest to our community are:
  • Discordapp.com
  • Reddit.com
  • Patreon.com
  • Uber.com
  • crunchyroll.com
  • puu.sh
  • 4chan.org (lol)
  • authy.com (worrisome because this might make even some accounts protected by 2-factor authentication vulnerable)
Basic password security is easy - change them regularly, use a different one for every site you visit, use hard-to-guess passwords. In practice, this is a pain to do.

A good password manager can help tackle those inconveniences. Here are some suggestions. An incident like this is the perfect wake-up call to step up your personal privacy game. I'm a long-time user of KeePass myself - it's open-source, self-contained, and immune to incidents like this.
 

Tunnel King

Queen Bee
Administrator
And now, some words about Yahoo!, as promised.

Unlike today's (or yesterday's, depending on your timezone) revelation about CloudFlare, the Yahoo! data breach WAS a targeted exploit by hackers, went on for several years affecting an estimated 1 billion accounts, and continued to be an issue long after Yahoo! was aware of it. By contrast, CloudFlare effectively shut down most of their leak within an hour of being notified by Google.

If you've ever had a Yahoo! account, your account information was likely accessed by hackers. If you've used the same password elsewhere, if you've linked a different email account, if you've entered a phone number, or an address there - your information may be in the hands of hackers. Even if you don't think you ever made a Yahoo! account - some ISPs like Rogers in Canada and BT in Great Britain used the same faulty technology in their services.

If you have used a Yahoo! email account, you may wish to consider changing that. Your email is really the only personal information we store at TCF*, so if hackers already have that, there's nothing more for them to want here. We are not going to insist people change that, nor are we going to stop new registrations from using Yahoo! emails. But in the past few months, I've noticed a marked increase in 'invalid' Yahoo! email accounts being used to try and register accounts (in the small pool of accounts I have to manually review and approve).

One good source of information to read about how to check, correct and close your old Yahoo! accounts:

https://krebsonsecurity.com/2016/12/my-yahoo-account-was-hacked-now-what/

*Why does TCF store my email address anyway?
We do not use your email address for any other purposes, and we do not divulge them to any 3rd party for any reason. We treat your information as securely as we would our own.
 

Hunited

Empress of Light
Well, it's great to hear that it isn't all that bad.
Either way, thanks for the affirmation :pinky:
 

Tunnel King

Queen Bee
Administrator
I did a quick search on the list of affected sites and TCF was not on it, let's hope we stay off that list
Every site that uses CloudFlare is affected, including TCF. But again - it was a very small percentage of all HTTP requests that passed through CloudFlare that inadvertently exposed information. There is a non-zero chance that it did happen.

There have been no reports that I've seen of any exploitation of the information revealed. They've been scraping the cached web pages at Google to identify and remove anything they can find related to this.

The publicity of this is good - awareness spurs people to action in a positive way. If you asked me if you should change your TCF password, I would say "Yes." But we're not going to force you to do so. We don't see this as an urgent issue at this time.
 

Wolf kin

Skeletron Prime
Thanks for the notification, I was forced to a logout as well.
 
*rampant shuffling* ARNOLD, THEY ALMOST CAUGHT US, DANG IT
 

Tunnel King

Queen Bee
Administrator
I've updated the OP with some specific sites that may be of particular interest to our community, and some suggestions for password managers.

Also please note: In the interest of bringing this issue to attention, some of the links I've included may list websites that are not generally appropriate for posting on this forum (i.e. porn sites). Please do not bring those specific sites to greater public attention here. Thanks.
 

Mille Marteaux

Empress of Light
This was a friend's input on the issue:



If you're afraid, change your Discord passwords. Enable 2FA if you have a position of power on any large communities, don't believe anybody that says if you type your password it shows up as ******, and always remember correct horse battery staple.
 

Granger

Terrarian

Yes, password length matters the most for these things, but the example given is very vulnerable to a book attack (where it tries random common words).

Personal favourite for passwords is this method: Drawing patterns on my numpad.

Let's take a random cheat code:


It's a circle 4862, triangle 1831, cross 1937, square 1793, circle 4862, square 1793.
Type these numbers into your numpad. :3 Notice something?

Our password: 48621831179348621793
It's super long and it's easy to remember (especially when you base it on some cheat code you use commonly, you cheat :3)
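As an added example (not code from either poster), here is a short Python script that puts numbers on the two approaches discussed above, a multi-word passphrase and a numpad pattern, by estimating the attacker's search space in bits under different attacker models. The word-list size (7776, the size of the common Diceware lists), the four-shape vocabulary and the nine numpad start keys are assumptions about how an attacker would model each method, not figures from the thread.

```python
import math

# Assumed attacker models (not figures from the thread):
#  - the passphrase word list has 7776 entries, the size of the common Diceware lists;
#  - the numpad method traces one of SHAPE_VOCAB shapes from one of the 9 numpad keys 1-9.
WORDLIST_SIZE = 7776
SHAPE_VOCAB = 4        # circle, triangle, cross, square, as used in the post above
NUMPAD_START_KEYS = 9


def passphrase_bits(phrase: str, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Search space, in bits, for a passphrase of N words drawn at random from a
    public word list.  A dictionary ('book') attacker who owns the list still has to
    try wordlist_size ** N combinations, so knowing the list is already priced in."""
    words = len(phrase.split())
    return words * math.log2(wordlist_size)


def random_digit_bits(password: str) -> float:
    """Upper bound for an all-digit password: the attacker treats every position as
    an independent, uniformly random digit (10 ** len(password) candidates)."""
    if not password.isdigit():
        raise ValueError("expected a digits-only password")
    return len(password) * math.log2(10)


def numpad_pattern_bits(password: str, chunk_len: int = 4,
                        shape_vocab: int = SHAPE_VOCAB,
                        start_keys: int = NUMPAD_START_KEYS) -> float:
    """Lower bound for the 'draw shapes on the numpad' method: an attacker who knows
    the method guesses a sequence of shapes, each chosen from shape_vocab shapes and
    started on one of start_keys keys, instead of guessing individual digits."""
    shapes = math.ceil(len(password) / chunk_len)
    return shapes * math.log2(shape_vocab * start_keys)


def distinct_chunks(password: str, chunk_len: int = 4) -> int:
    """Number of distinct chunk_len-digit groups; repeated shapes shrink the space further."""
    return len({password[i:i + chunk_len] for i in range(0, len(password), chunk_len)})


def compare(passphrase: str, numpad_password: str) -> dict:
    """Round both estimates so the two methods can be read side by side."""
    return {
        "passphrase_bits": round(passphrase_bits(passphrase), 1),
        "numpad_as_random_digits_bits": round(random_digit_bits(numpad_password), 1),
        "numpad_as_known_pattern_bits": round(numpad_pattern_bits(numpad_password), 1),
        "numpad_distinct_shapes": distinct_chunks(numpad_password),
    }


if __name__ == "__main__":
    # Inputs taken from the posts above: the xkcd passphrase and the numpad password.
    for key, value in compare("correct horse battery staple", "48621831179348621793").items():
        print(f"{key}: {value}")
```

The passphrase estimate already assumes the attacker has the word list, so a dictionary attack does not lower it further. The numpad password scores about 66 bits if the attacker treats it as random digits, but about 26 bits once the attacker models it as a sequence of known shapes; the function `distinct_chunks` also shows that only three distinct shapes appear in the five groups of the posted password.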
 

Wolf kin

Skeletron Prime
I don't notice anything, what is it?
 