Security breach
labratofel
16th February 2011, 07:27
First of all: great product.
Now that's out of the way please allow me to tear you a new one.
Your "faq" and email states that the attack was blocked. It clearly was not. If it was blocked I would not be waking up to your email.
It would have been even better if you had not locked the FAQ thread so I (and no doubt others) wouldn't be about to create 1000 threads with the same content.
I am extremely dissatisfied that my personal information has been left vulnerable because of your lax security.
I bet I am not the only one.
radioactivity
16th February 2011, 07:36
Agreed, blocked is not the same as "they have your email". Also the passwords, were they just MD5 hashes or were they salted?
LABradio
16th February 2011, 07:51
Please delete my account.
It's not open to discussion.
Thanks.
mupet0000
16th February 2011, 08:14
Yeah we need to know more about the password leak, you try to play it down in your FAQ but you recommend changing it on other forums, tell us more.
jaromanda
16th February 2011, 08:23
wow ... drama llamas are in season
Yeah we need to know more about the password leak, you try to play it down in your FAQ but you recommend changing it on other forums, tell us more.
you'd be a grade A moron to use the same password on two sites, and deserve everything that befalls you
The FAQ is quite clear ...
breach detected and stopped ...
RECOMMEND you change your password (covering their arses) ...
Also, if you're a brain dead retard and use the same password on other sites, best you change that password as well
I can't see what more could be said
newmeja
16th February 2011, 08:29
I've not used this forum in years and luckily the password was one I no longer use.
However the email I received said "your email address was exposed as a result of the attack", if it was just my email address why tell me to change my password?
Was it more than just email addresses that were exposed? Is it a hash that someone has their hands on or is it more than you're letting on?
jaromanda
16th February 2011, 08:33
I've not used this forum in years and luckily the password was one I no longer use.
However the email I received said "your email address was exposed as a result of the attack", if it was just my email address why tell me to change my password?
Was it more than just email addresses that were exposed? Is it a hash that someone has their hands on or is it more than you're letting on?
surely it's better to err on the side of caution
I for one respect the fact that I was contacted about this - if they were sure passwords were not compromised, they could've remained silent about it and nobody would know any different - may get some more spam, but my wife wants my dick bigger and stay hard longer, so it's win win ;)
newmeja
16th February 2011, 08:41
surely it's better to err on the side of caution
Oh don't get me wrong, disclosure is good and I'm glad they've come forward.
My email address is already all over the Internet so I'm not too upset, I would just like absolute confirmation that nothing else was breached.
Third_of_Five
16th February 2011, 08:54
So were passwords stored in the DB as plain text?
jaromanda
16th February 2011, 08:55
Oh don't get me wrong, disclosure is good and I'm glad they've come forward.
My email address is already all over the Internet so I'm not too upset, I would just like absolute confirmation that nothing else was breached.
I think all the info they're prepared to release was in the email
Third_of_Five
16th February 2011, 09:06
Ok so they blocked an attack on the DB, entirely or only in part? How long did the attackers have access to the DB before they were blocked? If they did get access to the DB then surely more than just email addresses were obtained.
jaromanda
16th February 2011, 09:21
Ok so they blocked an attack on the DB, entirely or only in part? How long did the attackers have access to the DB before they were blocked? If they did get access to the DB then surely more than just email addresses were obtained.
change your passwords
change any passwords that are identical on other sites
move on with your life
how hard is that?
nik_bloemers
16th February 2011, 09:25
The fact is the email addresses were stolen.. I don't care about this stupid Winamp account password, but I do care about my private email and spam!
I want my account deleted as well (haven't used it since 2003 anyway.) Please delete it or let me know how to. Can't find the option anywhere, not even in the help section.
jaromanda
16th February 2011, 09:29
I want my account deleted as well (haven't used it since 2003 anyway.) Please delete it or let me know how to. Can't find the option anywhere, not even in the help section.
did you read the FAQ link posted in the email?
jaromanda
16th February 2011, 09:30
here ... let me read it for you
5) How can I delete my account?
We understand how important trust is on the web, and some of you may wish to delete your Winamp Forums account. To delete your account make sure that you are logged into the Winamp Forums and follow these simple instructions:
Scroll down to the bottom of the forum home page and click on View Forum Leaders (http://forums.winamp.com/showgroups.php). Scroll down to the Root section to see the list of Administrators. Send your deletion request to DJ Egg or DrO using the contact link to the right of the administrator's name. The Administrator will delete your account upon receiving the private request message and send you a confirmation email once the account is deleted.
Third_of_Five
16th February 2011, 09:49
how hard is that?
About as hard as it is for you to STFU. If you don't want to answer the question that was asked, then don't answer at all.
DrO
16th February 2011, 09:52
will everyone keep it in check please, especially telling people to STFU is not helpful.
as for the questions raised, i'm not going to answer them as i do not know the complete answer and so do not want to spread misinformation. as such what is officially provided is all there is to know on the matter though there may be further clarification (but i do not know and cannot confirm about that).
-daz
labratofel
16th February 2011, 09:54
The only reasonable thing you have posted in this thread jaromanda is everything from "my wife wants" in post #7.
You're not site admin, let them tell me what the breach was, what was taken (I understand databases and SQL injection so I sincerely doubt all they did was SELECT email FROM usertable WHERE 1;).
edit: sorry mod, you posted while I was constructing this post.
jaromanda
16th February 2011, 09:55
About as hard as it is for you to STFU. If you don't want to answer the question that was asked, then don't answer at all.
I believe I've answered the question
no need to get your panties in a bunch, sweetheart
jaromanda
16th February 2011, 09:58
The only reasonable thing you have posted in this thread jaromanda is everything from "my wife wants" in post #7.
You're not site admin, let them tell me what the breach was, what was taken (I understand databases and SQL injection so I sincerely doubt all they did was SELECT email FROM usertable WHERE 1;).
edit: sorry mod, you posted while I was constructing this post.
but ... I can READ emails, and READ the FAQ ... so I UNDERSTAND
I've admined fora over the years, and know what will and won't be disclosed by 99 out of a 100 admins in such circumstances
but, right now, I'll let the drama llamas carry on their whinging and whining
Third_of_Five
16th February 2011, 10:05
will everyone keep it in check please, especially telling people to STFU is not helpful.
And neither is all the bull crap he is spouting, nor did I tell him/her to STFU, I was making an observation, which is not the same thing. People like him/her are the bane of forums.
If there was any amount of access to the DB, it is not unreasonable to assume it was more than just emails that were stolen.
jaromanda
16th February 2011, 10:09
And neither is all the bull crap he is spouting, nor did I tell him/her to STFU, I was making an observation, which is not the same thing. People like him/her are the bane of forums.
they're called facts, sweetheart
I'll stop if I'm told I'm doing anything wrong by admins ... not by someone who made two posts 4 years ago and hasn't been back since
thanks for your input, though, sweetheart
If there was any amount of access to the DB, it is not unreasonable to assume it was more than just emails that were stolen.
yeah, encrypted passwords and all the info you put on your PUBLIC profile page too ... oh noes, they got info you already made public!!! what to do what to do!!!
interesting observation ... the biggest DOOMSAYERS have less than 5 posts on the forum before today
just saying is all
Batter Pudding
16th February 2011, 10:11
Thanks to the admins at being honest here. Okay, that is a legal requirement when you get your database stolen, but how many other forums get quietly hacked and then everything covered up in secrecy?
Can I make a small suggestion? Any chance of making the "Contact an Admin" links a little easier to find? When I dropped by this website on Jan 8th at 20:47 hrs GMT NOD32 blocked a connection to ciriso9********/multi/jnaojtgpizin.jar (Don't be stupid enough to follow that link, I am typing it here purely as an example...) If I could have found a way to easily contact an Admin, I would have reported this. Trouble is, it was not clear how to report anything so instead of wading around an infected website I ran away. :)
Oh - and nice to see NOD32 in action. Often sit in all kinds of silly debates about the qualities of different AV products, and it is always fun to see NOD32 getting the gloves off.
Edit: Oooo - now that is nice to see. I typed the URL above of the virus that tried to hump my PC on that day. And now I see the domain name gets blocked. I think this is the same virus that got the BBC website ( http://www.theregister.co.uk/2011/02/15/bbc_driveby_download/ ) From that nice place the Cocos Islands.
If the BBC, with its huge site and cash investments gets nailed, then I think Winamp Admins can be forgiven. :)
Third_of_Five
16th February 2011, 10:13
You're nothing more than a troll jaromanda.
labratofel
16th February 2011, 10:29
Must.. not.. feed.. the.. troll..
I have used Winamp for more years than I care to remember. Just because I haven't posted much doesn't mean that I don't know what I am talking about.
*expletive deleted* happens - I understand that. I just want clarification as to what was lost so I can assess the potential damage. I don't want some nobody from Deservesakicking, Illinois telling me what I should think.
Edit: I just looked over my very small posting history and saw one of my original posts that I joined the forum to create. It was a step by step guide to show people how to get shoutcast running as a Windows service.
Speak little, but when you do make sure the message is useful.
Maybe you should try that.
Third_of_Five
16th February 2011, 10:32
I'll stop if I'm told I'm doing anything wrong by admins ... not by someone who made two posts 4 years ago and hasn't been back since
You were told to keep it in check, which you seem incapable of comprehending or doing.
interesting observation ... the biggest DOOMSAYERS have less than 5 posts on the forum before today
Did I mention DOOM? All I have done is question the statement that only our emails were leaked. All you have done is be disrespectful and unhelpful in nearly all your posts.
jaromanda
16th February 2011, 10:33
*expletive deleted* happens - I understand that. I just want clarification as to what was lost so I can assess the potential damage. I don't want some nobody from Deservesakicking, Illinois telling me what I should think.
you were told in the email
1) email address, stolen
2) suggest you change password
3) change password on other sites if same as here
all other possible stolen info is already public in your profile ... so it's not really stolen, is it
from 1) you MAY get spam ... I'm sure you do already
from 2) you change your password, no big deal
from 3) if applicable, you learn not to use the same password on different sites
not sure what else you want? class action lawsuit?
jaromanda
16th February 2011, 10:37
You were told to keep it in check, which you seem incapable of comprehending or doing.
no, sweetheart, that was directed at you .... telling someone to STFU is rude
Please, Mr 4 posts, don't think you can tell me what to do on this forum ... I'll take direction from admin/moderators ... but not from Chicken "the sky is falling" Little
Did I mention DOOM? All I have done is question the statement that only our emails were leaked. All you have done is be disrespectful and unhelpful in nearly all your posts.
read post above ... clearly the passwords would be stolen, but encrypted, so that's why it was recommended you change your password here
all other info possibly "stolen" was clearly visible in your public profile here ... so ... you going to sue AOL for leaking information you gave out willingly and publicly?
read my sig .... and take into consideration I'm also modest
labratofel
16th February 2011, 10:44
Information in your profile could include your web address.
A whois search could then reveal your real name *edit* and address. Not Winamp's fault but a link in a chain.
The date of birth could be stored in the forum database so they can send you birthday greetings. It doesn't have to appear on your profile page ("Hide age and date of birth").
Now I potentially have a name, address, email and a date of birth. A little social engineering and I can get access to your ICQ account. Then I can take over the world. Or something.
It's been done before. Just not by me.
Third_of_Five
16th February 2011, 10:47
no, sweetheart, that was directed at you .... telling someone to STFU is rude
Both those statements are incorrect. Keep it in check was directed at everyone. I did not tell you to stfu, I made an observation / a comparison which is not the same. You however continue to be disrespectful, clearly you get some kind of kick out of it, which says a lot.
read post above ... clearly the passwords would be stolen, but encrypted, so that's why it was recommended you change your password here
It's not clear the passwords were stolen at all. And how do you know the passwords are encrypted? You don't.
jaromanda
16th February 2011, 10:48
I can get access to your ICQ account. Then I can take over the world.
ROFL
see
a little humour never hurt
jaromanda
16th February 2011, 10:51
Both those statements are incorrect. Keep it in check was directed at everyone. I did not tell you to stfu, I made an observation / a comparison which is not the same. You however continue to be disrespectful, clearly you get some kind of kick out of it, which says a lot.
how was I disrespectful to you before you told me to STFU (I didn't say you told me, admin did)
It's not clear the passwords were stolen at all.
so why were you told to change them?
And how do you know the passwords are encrypted? You don't.
I'm the one that stole the database :up: useless to me because the passwords are encrypted
- or -
I know a lot more about this forum than johnny come seldoms
$password_hash = md5(md5($password_text) . $user_salt);
sorry, I said encrypted ... but 99% of n00bs wouldn't understand "hashed"
Third_of_Five
16th February 2011, 11:03
how was I disrespectful to you before you told me to STFU (I didn't say you told me, admin did)
Waste of effort conversing with you as there seems to be some kind of language barrier, as you continually misinterpret plain English, which, as Troll seems to be your primary language, is probably not surprising.
jaromanda
16th February 2011, 11:06
Waste of effort conversing with you
and yet, here you are
as there seems some kind of language barrier, as you continually misinterpret plain English,
let me type it out SLOWLY for you
I never claimed you told me to STFU ... I was not rude or disrespectful to you until you basically told me to stop posting
not ONE admin/mod has corrected any points in any of my posts
why do you think that is?
because it's COMMON SENSE
jaromanda
16th February 2011, 11:15
http://forums.shoutcast.com/online.php?s=&sortfield=username&sortorder=asc&who=members&pp=200
ROFL
look at all the users in the control panel
hardly any are bitchin an moanin in this thread
labratofel
16th February 2011, 11:17
http://forums.shoutcast.com/online.php?s=&sortfield=username&sortorder=asc&who=members&pp=200
ROFL
look at all the users in the control panel
hardly any are bitchin an moanin in this thread
Yeah they are too busy changing their passwords.
jaromanda
16th February 2011, 11:18
Yeah they are too busy changing their passwords.
yeah, because it takes HOURS to do that :rolleyes:
osmosis
16th February 2011, 11:21
As I understand it, the MD5 hashes which *MAY* have also been taken in addition to the emails (as written in the security bulletin), could be used to generate a collision (i.e. something which has the same hash) and that could be used to login to your Winamp Forums account.
The odds of the collision being your actual password are minimal so your password will most likely be safe on other sites unless they also use MD5 hashes, but to err on the side of caution we've all been advised to change passwords on other sites if it's the same. At the very (very) least your Winamp forum password should be changed.
Hope that helps anyone who's still a bit confused.
labratofel
16th February 2011, 11:23
MD5 Rainbow tables.
Ask google about them.
Says it all really.
jaromanda
16th February 2011, 11:23
Hope that helps anyone who's still a bit confused.
I'll take "Common Sense on the Internet" for 400, please, Alex
jaromanda
16th February 2011, 11:24
MD5 Rainbow tables.
Ask google about them.
Says it all really.
So, change your password ... rainbows and unicorns can't get you then!!
category 5 cyclone in a tea cup averted
osmosis
16th February 2011, 11:25
Right, but was the salt compromised as well?
jaromanda
16th February 2011, 11:30
Right, but was the salt compromised as well?
it's stored in the user table
so ... it's not AS secure as if the salt wasn't compromised
by the way ... I'd say if email addresses (stored in the user table) were compromised, hashed passwords and hash salts are also compromised
it's still a bit of work to retrieve A password (maybe not THE password), but far easier having the salt than without
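Added worked example (not code from the thread or from vBulletin) for the two points above: the `md5(md5($password_text) . $user_salt)` formula quoted earlier, and why a salt stored in the same user row as the hash helps against precomputed tables but not against per-user guessing once the table leaks. The sample user row, the salts, the wordlist and the PBKDF2 wrapping used to harden the stored hashes are all constructed for this example; the forum's real data and migration steps are unknown.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Legacy scheme quoted in the thread (vBulletin 3.x style). The salt is stored
# in the same user row as the e-mail address and the hash:
#   hash = md5(md5(password) . salt)


def vb3_hash(password: str, salt: str) -> str:
    """md5(md5(password) . salt): two MD5 rounds, both fast to compute."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def vb3_verify(password: str, salt: str, stored_hash: str) -> bool:
    return hmac.compare_digest(vb3_hash(password, salt), stored_hash)


def make_vb3_row(username: str, password: str, salt: str) -> Dict[str, str]:
    """Constructed sample user row (not real forum data)."""
    return {"username": username, "salt": salt, "hash": vb3_hash(password, salt)}


def salt_defeats_precomputed_table(password: str) -> bool:
    """Two users with the same password but different salts get different stored
    hashes, so a table precomputed from the password alone matches neither."""
    user_a = vb3_hash(password, "aB3x")
    user_b = vb3_hash(password, "Q9zk")
    unsalted = hashlib.md5(
        hashlib.md5(password.encode("utf-8")).hexdigest().encode("utf-8")
    ).hexdigest()
    return user_a != user_b and unsalted not in (user_a, user_b)


def weak_password_audit(row: Dict[str, str], known_weak: List[str]) -> Optional[str]:
    """Defender-side audit. Because the salt leaks together with the hash, each
    row can be tested against a wordlist at raw MD5 speed; running that check on
    your own table shows which accounts need a forced reset. Returns the match."""
    for candidate in known_weak:
        if vb3_verify(candidate, row["salt"], row["hash"]):
            return candidate
    return None


# Hardening stored hashes without waiting for each user to log in: wrap the
# existing legacy hash in a slow KDF. The legacy hash is the "password" input to
# PBKDF2, so migration needs no plaintext and the old hash is no longer stored.
PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def _wrap(legacy_hash: str, outer_salt_hex: str) -> str:
    return hashlib.pbkdf2_hmac(
        "sha256", legacy_hash.encode("utf-8"), bytes.fromhex(outer_salt_hex),
        PBKDF2_ITERATIONS,
    ).hex()


def wrap_legacy_row(row: Dict[str, str]) -> Dict[str, str]:
    outer_salt = secrets.token_hex(16)
    return {
        "username": row["username"],
        "salt": row["salt"],  # still needed to recompute the inner legacy hash
        "outer_salt": outer_salt,
        "wrapped": _wrap(row["hash"], outer_salt),
    }


def wrapped_verify(password: str, wrapped_row: Dict[str, str]) -> bool:
    legacy = vb3_hash(password, wrapped_row["salt"])
    return hmac.compare_digest(_wrap(legacy, wrapped_row["outer_salt"]),
                               wrapped_row["wrapped"])


if __name__ == "__main__":
    # "1234567" is the weak password one poster admits to later in the thread.
    row = make_vb3_row("example_user", "1234567", "aB3x")
    print("salt varies hash:", salt_defeats_precomputed_table("1234567"))
    print("audit hit:", weak_password_audit(row, ["password", "123456", "1234567"]))
    hardened = wrap_legacy_row(row)
    print("login after migration:", wrapped_verify("1234567", hardened))
```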
Zulithe
16th February 2011, 12:17
I recently had to do a full round of password changes after a similar compromise at Gawker Media a few months ago. Now, back at stage one doing it over again... thanks, Winamp.
It is unreasonable to expect people to use a unique password for each and every website. I visit hundreds of websites, and I imagine the average person has a few dozen they regularly go to as well. I do use many passwords, but hundreds?
I would advise others here who don't want to use a separate PW for each site to use password 'sets', where you use 1 PW for a group of similar sites, and spread your PWs out amongst the most important sites you use (example: don't use your online banking PW as the same as your paypal or other very important site, to lessen any possible damage from a breach.)
Regardless, in this day and age it is suicide for a trusted site to not properly protect valuable data like this. I do so hope it doesn't happen again.
jaromanda
16th February 2011, 12:29
I recently had to do a full round of password changes after a similar compromise at Gawker Media a few months ago. Now, back at stage one doing it over again... thanks, Winamp.
read the terms of service, and privacy policy before blaming winamp
It is unreasonable to expect people to use a unique password for each and every website.
sure, it may be unreasonable ... but winamp can't be held accountable for poor internet practices by users
Regardless, in this day and age it is suicide for a trusted site to not properly protect valuable data like this. I do so hope it doesn't happen again.
seriously? it was winamp forum that was compromised. the vulnerability is in the forum software = vBulletin.
I can guarantee there are thousands of Chinese and Russian spotty teens working on hacking vbulletin one handed whilst I'm typing this
build a more secure forum, someone somewhere will hack it eventually
welcome to the internet, you must be new
CJPR
16th February 2011, 12:34
Please correct me if I am wrong but could all of this been avoided if the forum software was updated in the first place ?
Not accusing, just asking.
Kaminari
16th February 2011, 12:34
@Jaromanda
Next occurrence of you calling people morons and retards will get you permanently banned.
Capice?
jaromanda
16th February 2011, 12:36
I have to apologise to admin for sticking my beak in here about this national security breach. I'm sure my glib comments haven't helped allay the fears of the Chicken Littles on the forum
I've also made a lot of assumptions about the nature of the breach
Feel free to remove any posts that inaccurately address the nature of the breach ... last thing I want to do is spread more FUD
look up ... the sky is still where it should be
Fabrick
16th February 2011, 12:38
Must say I'm slightly disappointed with the FAQ too and understand the posts on this thread. If you get your users compromised, it is polite not only to tell them exactly what got stolen, but to also assure them that no passwords were stolen if that's the case. Right now, I can't be sure.
ps. Where do these Major Dude jaromandas come from?? I had a good laugh reading his arrogant and totally irrelevant posts. Sure, it's nice that there's internet and Winamp forum to fulfill the need for recognition, but it makes sensible forum threads an obscurity.
jaromanda
16th February 2011, 12:42
@Jaromanda
Next occurrence of you calling people morons and retards will get you permanently banned.
Capice?
I never called anyone specifically a retarded moron
I merely pointed out that you'd have to be a retarded moron to use the same password in multiple places
That's Common Sense on the Internet 101
If the shoe fits
P.S. I just checked http://forums.winamp.com/showgroups.php - you don't seem to be there, I'm just wondering, on whose authority are you making that unwarranted threat?
jaromanda
16th February 2011, 12:43
totally irrelevant posts
moo
labratofel
16th February 2011, 12:47
Hey
This is my thread where *I* asked for answers. You can't give me answers, just your best guess.
S something U or G something O
CJPR
16th February 2011, 12:50
The same common sense Internet 101 that did not update the forum software ?
Not for nothing Jaromanda but you are very condescending towards some posters in this thread. Why don't you take some of your own advice and go enjoy your day. As you said it does not bother you about the breach. Seems like you are bothered that others have some concerns though. Makes you come across as a bit of a cock, just saying.
labratofel
16th February 2011, 12:51
Hey
This is *my* thread where *I* asked for answers from the forum Administration. I didn't ask for some passing Antipodean to speculate.
Seriously, unless you are here in an official capacity with official answers and the title "Site Admin", "Admin" or "Moderator" please S.U. and G.O.
I refuse to let your banal antics derail my thread.
jaromanda
16th February 2011, 12:55
The same common sense Internet 101 that did not update the forum software ?
assuming it wasn't up to date ... remember, 1000's of Chinese and Russian teens are h4x0ring away as you type
Not for nothing Jaromanda but you are very condescending towards some posters in this thread.
it's called RETALIATION - you're not French, so you should know the meaning
Why dont you take some of your own advice and go enjoy your day.
it's 1 A.M. ... and I am enjoying it very much, thanks
a bit of a cock
DAMN!! I was hoping to come across as a WHOLE cock
jaromanda
16th February 2011, 12:57
passing Antipodean
passing with 1040 posts, all of them factual and helpful, compared to your 2 before today ... hmmm ...
Hey
This is my thread where *I* asked for answers. You can't give me answers, just your best guess.
S something U or G something O
You had me at "Hey"
you lost me at S something U or G something O
but ... go outside, look up, the sky is securely in place
Jaromanda, OUT
CJPR
16th February 2011, 12:57
DAMN!! I was hoping to come across as a WHOLE cock
Your wish just came true. Headcheese and all....
joebloggscity
16th February 2011, 13:23
nothing is foolproof, and I respect that Winamp has notified us all of the situation, hopefully in time before someone posts on here with our usernames and spams etc...
As for sending us spam emails? Already happens with others, just empty spam bin regularly.
Hope you can sort out further protection in time.
NiceguyRK
16th February 2011, 14:22
LOL haven't used my winamp forum account in YEARS :D last login was 2007 :P
even my password was 1234567 :)
Why on earth would someone bother stealing it is beyond me :)
heytud
16th February 2011, 14:38
did you read the FAQ link posted in the email?
Tried but got: This webpage is not available
The webpage at http://forums.winamp.com/showthread.php?t=327366 might be temporarily down or it may have moved permanently to a new web address.
Error 101 (net::ERR_CONNECTION_RESET): Unknown error.
labratofel
16th February 2011, 14:43
Tried but got: This webpage is not available
The webpage at http://forums.winamp.com/showthread.php?t=327366 might be temporarily down or it may have moved permanently to a new web address.
Error 101 (net::ERR_CONNECTION_RESET): Unknown error.
The site has been doing that to me all day.
As an extremely regular member of the site (twice in my life) I cannot say if this is a recurring problem.
DrO
16th February 2011, 14:51
it's due to all of the hits on the forum server.
-daz
Tsuyo
16th February 2011, 19:44
Well, it's in fact not the best what ever could happen.
I changed my passwords except this here on winamp.com. I don't care about someone who is using my account here. If you see some posts like "Blahblah penis blahalbhablahb", remove the post ;)
Anyway. It taught all of us that we should NOT use the same passwords on every website.
Every software does have some safety failures. The best example would be Windows, Mac and Linux. Deal with it.
Batter Pudding
16th February 2011, 19:48
I think it is just a clever way to get all the old users to come back and visit the forum. :D
VonZipper
17th February 2011, 17:03
I'm fairly certain that my email has been compromised by the security breach, since I got a large spike in spam since the breach. I'd kept this email account largely spam-free until now.
bur2000
18th February 2011, 08:15
:) haha jaromanda, before I even looked at this thread I knew there'd be a sorry sod who'd fight to the death for "his" precious company. Winamp messed up on this one period. Now maybe you should stop crying and accusing others of being chickens while you are a company loving sheep... :)
PS: I just saw you're from AU. That sheep comment wasn't meant racist...
labratofel
18th February 2011, 08:41
Why worry about accidental racist connotations when his signature is completely racist anyway?
osmosis
18th February 2011, 09:07
labratofel: French people aren't a race, but you're right, it is offensive, and was clearly changed to goad Kaminari (who is from Paris).
bur2000: Llamas aren't sheep. ;)
jaromanda
18th February 2011, 20:13
:) haha jaromanda, before I even looked at this thread I knew there'd be a sorry sod who'd fight to the death for "his" precious company. Winamp messed up on this one period. Now maybe you should stop crying and accusing others of being chickens while you are a company loving sheep... :)
PS: I just saw you're from AU. That sheep comment wasn't meant racist...
Sheep thing is New Zealand ;) and I ain't fighting to the death for winamp ... I'm fighting to the death for common sense ;)
Why worry about accidental racist connotations when his signature is completely racist anyway?
My signature is factual
labratofel: French people aren't a race, but you're right, it is offensive, and was clearly changed to goad Kaminari (who is from Paris).
bur2000: Llamas aren't sheep. ;)
goad Kaminari? the french knuckle made threats beyond his station ... he should expect a little fun at his expense
JolietJake
21st February 2011, 10:07
FAQ...
7) What happened?
As a result of our continuous security monitoring, we identified and blocked this attack. Additionally, new security measures have been deployed to help keep this type of breach from happening in the future.
Does that suggest they weren't employing a full range before they were hacked?
onlyquality2011
21st May 2011, 17:47
FAQ...
7) What happened?
Does that suggest they weren't employing a full range before they were hacked?
You can say nobody is perfect. How many staff do you need to have? 1? 2? 1000?
timewarptickers
21st May 2011, 22:38
Hmm, guess I won't store vital personal information like social security number in my Winamp Forums profile