As I explained briefly earlier, the reason the hacker was able to retrieve some people's passwords was that they were encrypted using MD5 (because phpBB, the old forum software, also used it), which is susceptible to rainbow table attacks.

We're now using a much stronger encryption algorithm (SHA1 + a unique salt, looped multiple times).

I can now 99.9999999% guarantee that even if somebody were to get access to both the encrypted passwords and our unique salt, there is no way they could convert them into the unencrypted original values.

So, go change your password, esp. if you were on the list of people targeted earlier. After you change it you'll have to log in again.

The forum isn't safe yet, but I promise your passwords are.

Well, thanks Cap.

Indeed. Much appreciated.

Thanks!

Thanks very much for the update and for fixing it!

Another update - some of you might have noticed we had another white-hat hacker. The problem was that some of my code allowed for SQL injection, which is a really simple problem to fix, but something I hadn't taken the time to clean up yet. Again, this is the result of having years-old code, and I knew the problem was there but I figured with custom code we'd be safe until I finished rewriting the entire site. Stupid mistake.

Well, unlike the other one, this guy was actually helpful since he created an account and I was able to email him. He double checked the loophole he had found earlier and said it was fixed. Of course I won't feel completely comfortable until I'm done rewriting the code, but for now, at least the easy ways in are closed.

And now we just have to figure out why everything always seems to break with BDR...

Break Down Risk

Ahem...