Seen at MrExcel.com, a breach disclosure with some plain English writing and transparency. Although it’s not good if the hack occurred because vBulletin hadn’t been patched/updated, this disclosure is an example of clear and helpful writing.
1) What happened?
This is Bill Jelen from MrExcel.com. On the morning of December 6, 2016, our moderators detected a hack in progress at the MrExcel forum. We quickly acted to shut the forum down, removed the user, and restored from the previous day’s backup. At the time, we had no reason to believe that the hack had compromised any user data. However, on or about January 8, 2017, we became aware of evidence suggesting that some user information had been acquired in the December 5 hack and had been posted online.
2) What Information Was Involved?
The hacker accessed and posted userid, e-mail address, and the encrypted password in the form of hash+salt. A hacker with a fast computer can test a billion passwords an hour and stands a 25% chance of breaking the password. The hacker also accessed and posted information from administrative fields showing your last login, number of posts and similar non-personally identifiable information. If you had an account at the MrExcel Message Board on or before December 6, 2016, you are affected.
3) What We Are Doing?
We previously scanned for malicious code and restored from a backup to remove any lingering effects from the hack. Additionally, we continue to update and patch the website software from vBulletin and we are converting the website to use a Secure Socket Layer.
4) What Can You Do?
We are requiring all users you to promptly change your password at MrExcel.com and encourage you to take other steps appropriate to protect this online account. We also encourage you to change your password and take steps to protect any other online accounts where you have used the same password with your username or email address for MrExcel.com. You are are further encouraged to maintain different passwords for MrExcel.com and for any other online account that connects to the same email address or password.
During the investigation of this incident, you can search also for your e-mail address at leakedsource.comto find a list of data breaches involving your e-mail address.
I deeply regret this incident occurred and I apologize.
5) For More Information
Contact Bill Jelen – [email protected]
Date of Notice: January 14, 2017.
Update: Frequent Questions:
Q: What is the longest password we can use?
A: 50 characters, a mix of letters, numbers, and symbols
Q: How can I delete my account?
A: Write to the e-mail address [email protected] and I will gladly remove you.
Q: How do I know this is not a clever Phishing scam?
A: When you are signed in on the board, you will see our notice. I’ve also been posting notices that this is not a hoax on Facebook and Twitter. See the Twitter notice here: https://twitter.com/MrExcel/status/820641834670104576
Q: Some members have their date of birth displayed. How can I delete mine?
A: Annoyingly, once the date of birth is entered, it does not seem to be removable. Please set it to a generic Jan 1, 1917 date. (Making sure you appear older than 13 to avoid COPPA issues).
Q: I also have an account at your MrExcel store. Was that data compromised?
A: No.
Q: You just sent me an e-mail to [email protected] but when I try to sign in with that very same e-mail, it says I don’t have an account!
A: In most of these cases, I am finding the actual address in the forum is [email protected] and someone in I.T. has cleverly designed an e-mail forwarding recipe to send those e-mails to the new corporate name. If you can’t figure it out, send me a note to [email protected] and I will do a wildcard search to try to find you.