Possible Security Leak? (Change Your Passwords, Just in Case

[Vanguard]

So, a few things have happened in the past 24 hours that, after connecting the dots, show a bit of a pattern.

We might have a security breach here on the forums.

Thus far I've gotten the same exact spam message sent to be as a direct message on Twitter by two different Runners (both Jester and Goat). Also, according to Facebook Wraith had some problems earlier today. I've never been one to believe in coincidence, so I'm willing to say that everyone's passwords may have been compromised.

Just to be safe I'd recommend that you make sure any accounts you have that use the same password as the LRR forums are safe, and just to be sure it might not hurt to change them altogether.

Now, this is just speculation, but the pattern is there, and it's better to be safe than sorry.

~V

[JustAName]

I got the message from Theremin first; that may have been where it started. In any case, I don't cross-use passwords, so I should be fine. And I think it's probably spreading by runner because we know the same people, so we see it from the same people who clicked on it.

[LogicSword]

Only Jester and Goat for me. Changing passwords just to be safe.

[Metcarfre]

Has anyone told Paul and/or Graham yet?

[Vanguard]

Fayili, you bringing up the link makes me think that it's not forum-based, but Facebook-based. Whatever application that link leads to on Facebook is dirty and hijacks both Facebook and Twitter (the app connects the both of them). It's just spreading through the Runner population because, well, we all know each other on Twitter, don't we?

I hope I'm preaching to the choir here, but just to be safe, a couple of tips:

• Just ignore app requests on Facebook. Period. Or at the very least if they have names that make no goddamn sense.
• On Facebook, in Account Settings > Security there's an option to turn on both secure browsing, login approvals and recognized devices. These are all extra layers of protection that'll secure your Facebook account and notify you via email when someone tries to log in from an unrecognized device. Use them.

[2stepz]

I got the spammarific twitter direct message, too... from Theremin; and the FB from Wraith.

[King Kool]

I got a spammy link from Jester on Twitter this morning. I couldn't tell him about it because I was running out the door to work.

[Wraith]

I got a spam message on Twitter from Jester, and then my Facebook account got hacked. It had to be a hack, though; I have a different password for every site I belong to.

[empath]

Well, it'd be a week early, but I suppose there's no harm in resetting my passwords; I've got a few days off.

I can't be hacked through Facebook, and...when did I last tweet? *goes to check for these spam-tweets* Right, couple of weeks ago with that 'Insurance Company Makes Ghouls Look Upstanding And Moral' brouhaha. Oh, and I don't follow anyone who appears to have been 'infected'.

Good luck, everyone, and here's hoping we all see one another when the dust settles!

[tak197]

I went ahead and updated my Facebook security settings. That should be safe.

[Graham]

So, we're fine here though right?

Good. That's good.


Also, sorry to hear that guys

[Deedles]

I'll go ahead and change passwords anyway. It's about time I updated it.

[Merrymaker_Mortalis]

The advantages of being an anti-social bastard. Risks of being hacked by chain messages is reduced!

[Yaxley]

From this I learned that Facebook has two factor authentication. But do I really want to give Facebook my phone number?

[Keab42]

I believe because the spam links through to Facebook it harvests your FB details, and the firm on there that fakes the twitter login harvests your twitter password if you fill it in.

Goat has also been hijacked now.

[Lord Hosk]

You guys I dont know what you are talking about there is no hack get rich fast by buying penny stocks You too can watch the newest movies FOR FREE

My uncle is prince in Morocco would you money him give you so he get his money from the terrorist?

[Vanguard]

... so what we're getting at here is that we need to kill Hosk?

[Lord Hosk]

People have tried before, with little success.

[Metcarfre]

But you don't have that hat anymore...

[Vanguard]

That won't be a problem, Hosk, I barely count as "people"...

[The Jester]

And Elomin certainly doesn't!

[Elomin Sha]

That's just typical. You burn a few corpses and people think less of you. Young people have no sense of knowing their place or what perfect art truly is.

[Smeghead]

So this is only a facebook/twitter issue then? Good thing I have neither. Being an anti-social bastard pays off!

[King Kool]

Got another one from Jester's twitter.

[Keab42]

Jester is aware, he says he doesn't have any twitter apps that have requested DM permissions, and he's changed his password, so my assumption was that they'd used OAuth to grab an access token.

He's tried logging out which should invalidate any access tokens (assuming twitter are implementing OAuth properly) and should hopefully solve the problem.

We'll wait and see.

Also if you do spot any rogue Twitter or Facebook apps in their respective Apps list I suggest you remove them and/or flag them. Although Twitter's page has a Javascript error that prevents you from revoking the access right now.