We're pretty confident the problem was "OpSec" -- an improperly secured account with Admin access.
, this is not a big deal. That's all more-or-less "public" information anyway.
hm..... Yes, I am a "disillusioned" forum member - but No, this reply is NOT sour-grapes!!
Data security is a very serious matter to me - particularly when it relates to MY DATA!! The replies (above) that underplay the seriousness of these type of security breaches are niave in the extreme! My advice to those that have this mentality is: reserve your opinion untill you are an actual victim of identity theft. And don't assume that it can't happen to you - it's only a matter of time and luck!
I've just had to deal with exactly this issue (i.e. identity theft) as a result of security breaches in the customer database for a large Australian utility company and I now find similar administrative failings in this forum - very disappointing because I consider Ross-Tech to be run by professionals!!
My belief about Ross-Tech notwithstanding, I have to make comment on the astonishing claim that "This is not a big deal" because "That's all more-or-less "public" information anyway". Of course it's true that public information is just that - but getting the details about individual members is generally NOT a worthwhile activity for hackers.
The files thieved from this forum will have an entirely different value proposition on the dark-web because they (likely) provide a complete list of members records linking each forum members details in an easily accessible format. In no way is this the same as hackers trolling individual member's "public information"
XenForo is a mature product that is widely used and I assume that "an improperly secured account with Admin access" was not a problem with the software. If this is correct, it means that this breach was an entirely avoidable matter within the control of the administration of this forum. At the very least, this begs answers to forum member to the question; what changes has been made to guarantee (use the word "ensure" if you want) that the risk of further breaches is at best minimized?
Finally, (sadly) I'm no longer an active member of this forum and I stumbled upon this matter purely because I wanted to access an old post of mine (for another forum). However, there will be other non-regular members that will be totally unaware of these happenings about their personal data. Is it really proper that this remains their problem when they receive the fraudulent emails - or do they deserve to be informed?
Again, very disappointing!
Don
PS: maybe it's somewhere in this forum and I've missed it (my apology if so)- but usually when this type of administrative failure happens, there is a statement of contrition!!