Important ***PASSWORD SECURITY NOTICE***

Tex

O-F Administrator
***IMPORTANT PASSWORD SECURITY NOTICE***

Dear Orbinauts,

As with any web site, sometimes exploits are found. Today one was found on ORBITHANGAR.COM where someone was able to gain access to the user table containing passwords. Orbithangar is down while the exploit is addressed, however there is still a remaining threat for some users.

PASSWORDS COMPROMISED:
If you registered an account on Orbithangar using a hotmail email address BEFORE the user accounts were merged with O-F, then your password is likely compromised. If you are using the same password here on Orbiter-Forum (or any other website on the internet) which you were using on Orbithangar, then you should change your password everywhere it is used. Just to be clear, the only accounts affected are those which registered at Orbithangar using a hotmail email address before the accounts were merged with O-F. If you have re-used your Orbithangar password anywhere on the internet, then it should be changed as it is compromised.


We sincerely apologize for this issue, but assure you we are working hard to quickly address the problem. The user accounts who were specifically affected will be notified by email shortly.

Kind Regards,
O-F Staff
 
I can't remember whether I used my Hotmail or Gmail address to register, however I do know that the password I used was NOT the password for either account.

Therefore, I should be safe, right?
 
If you're in doubt, go ahead and change your passwords. However, as Tex pointed out, this exploit only affected a very specific group of users:

1) Your account was registered at Orbithangar before the accounts were merged with O-F,
AND
2) Your account was using a hotmail email address.

Unless both of these were true with your original Orbithangar account, you're fine.
 
Better safe than sorry.

At least I'm sure I used gmail to register my account. It was the first thing I used my gmail account for.
 
Was the person who was able to gain access to the passwords acting maliciously, or were they the ones to report the exploit?
 
If I used my Hotmail address, then I know I didn't use my Hotmail password.

Therefore, I figure I'm safe, as O-F/OH are the only places that I've used that particular password – and I used a different E-mail address here on O-F.

My Hotmail would be safe as the password I used wasn't for that account.
 

It was a malicious information gathering attack. Fortunately I was able to put a stop to it before it went too far. Unfortunately that came at the cost of me having to take the site offline, but better that than to have more user information harvested.

The attacker specifically targeted users with hotmail accounts, probably betting that he could determine the passwords that users registered on my site with and use them to log in to those e-mail accounts in order to do additional information gathering.
 
Thank you. Fortunately I have about 5 passwords and none repeat for the emails or Orbiter related stuff. I want to know why someone would do something like this.
 
Why wasn't the database encrypted?????
 
Well, ultimately, anything can be decoded. Furthermore, if my understanding is correct, it's not like they will be able to easily determine the form of encoding used, as gibberish in one will most likely be gibberish in another, I assume.
 

Hash collision and the pigeonhole principle prevent this as long as you're not using a lookup table.
 
Do we just change the password for our forum-accounts here to fix things?

I just visited the hangar-site and even though I'm auto logged-in to it I can't change the password anywhere on that site.
When I click my account over there I can see my uploads but there's nowhere I can change or set a password.
 
The reason you cannot change your password on Orbit-Hangar is because Orbit-Hangar and Orbiter-Forum accounts are linked: to change your Orbit-Hangar password, just change your Orbiter-Forum password.

However, to reiterate the point yet again, you only need to change your O-F/O-H password if 1) your account was registered at Orbithangar before the accounts were merged with O-F, AND 2) your account was using a hotmail email address. If both of those conditions are true for you, then you should change your O-F/O-H password. [In addition, if you are using the same password for Hotmail then you should change your Hotmail account password as well.] Otherwise, you do not need to worry about it.
 
May I humbly inquire how long it may possibly take to fix the problem? Have got a new build and a new description, and perhaps a new screenshot that have to be uploaded :) :tiphat: :cheers:
 
It's already fixed. Vash took down the database yesterday the second he discovered the attacker (I presume from the logs). Then he closed the security hole and restarted the database.
 
To clarify another important point: O-F account passwords are encrypted via a one-way hash in the database, so even if an attacker were to somehow gain access to the O-F account database table he would be unable to determine your O-F/O-H password (one-way hashes are very difficult to crack). The exploit only affected old OrbitHangar logins (which were not encrypted with a one-way hash) that used a Hotmail email account. Based on empirical evidence it appears the attacker was a spammer/spambot attempting to harvest Hotmail account logins.
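The difference the post above draws, between old OrbitHangar logins kept in the clear and O-F passwords stored as a one-way hash, and the earlier remark about lookup tables, as an added example (not code from the page, from Orbithangar, from Orbiter-Forum, or from any forum software they run). It stores the same constructed user table three ways: plaintext, unsalted MD5, and a per-user salted PBKDF2 record, then runs a wordlist against the last two. The unsalted digests fall to one precomputed table shared across every user; the salted, deliberately slow records cost one full KDF run per user per guess and still give up only passwords that appear in the wordlist. The user names, passwords, wordlist, iteration count, and the `algo$iterations$salt$digest` record format are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed sample user table (not Orbithangar or O-F data): this is what a
# site holds when it keeps passwords in the clear, as the thread says the old
# OrbitHangar logins did.
PLAINTEXT_USERS = {
    "alice": "orbiter2007",
    "bob": "hunter2",
    "carol": "Xq7#vL2p!mR9",  # strong enough not to be in a typical wordlist
}

# Constructed attacker wordlist feeding the "lookup table" attack.
WORDLIST = ["password", "123456", "hunter2", "orbiter2007", "letmein"]


def store_fast_unsalted(password: str) -> str:
    """Unsalted MD5: one-way in theory, but every site doing this produces the
    same digest for the same password, so one precomputed table reverses them all."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_kdf(password: str, salt=None, iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The record layout algo$iterations$salt$digest is an assumption of this example."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_kdf(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_with_lookup_table(hashes, wordlist):
    """Reverse unsalted hashes: hash the wordlist once, then each stored digest
    is a single dictionary lookup, regardless of how many users there are."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(h) for user, h in hashes.items()}


def crack_salted_kdf(records, wordlist):
    """Guess against salted records. The salt stops any table being shared
    across users, so the cost is one full KDF run per (user, guess).
    Returns the recovered words and the number of KDF runs spent."""
    recovered = {}
    kdf_runs = 0
    for user, record in records.items():
        recovered[user] = None
        for guess in wordlist:
            kdf_runs += 1
            if verify_salted_kdf(guess, record):
                recovered[user] = guess
                break
    return recovered, kdf_runs


if __name__ == "__main__":
    unsalted = {u: store_fast_unsalted(p) for u, p in PLAINTEXT_USERS.items()}
    print("lookup table vs unsalted MD5:", crack_with_lookup_table(unsalted, WORDLIST))

    salted = {u: store_salted_kdf(p) for u, p in PLAINTEXT_USERS.items()}
    found, runs = crack_salted_kdf(salted, WORDLIST)
    print("wordlist vs salted PBKDF2:", found, "after", runs, "KDF runs")
```

The salted records protect carol, whose password is not in the wordlist, and make alice and bob cost a separate KDF run per guess instead of one shared table; they do not rescue a password that is itself guessable, which is why the notice still tells affected users to change any password they reused elsewhere.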
 