Forum Hacked!

Zenerdiode · Oct 25, 2022

Uwe said:
Last night at 8:09 PM, I received the following PM from a legitimate user's account that has existed since 2014:

That rules me out then… :eek:

Uwe · Oct 25, 2022

Zenerdiode said:
That rules me out then…

It wasn't your account.

-Uwe-

iichel · Oct 25, 2022

Well done Uwe, fast and appropriate response

myounus · Oct 25, 2022

Scum bags. I hope the hackers have a VAG car and it blows up. They can go to hell.

myounus · Oct 25, 2022

I hope they need help from us - I’ll be happy to tell them to ‘foxtrot Oscar’ and jump into a fire. Scum

brundozg · Oct 25, 2022

Uwe said:
...$500 is not very much money, but this is a matter of principle...
...I will NEVER reward your criminal behavior...

Did not think for a second Uwe would negotiate with terrorists. Hats off to a man of principle!

NZDubNurd · Oct 25, 2022

Uwe said:
It wasn't your account.

-Uwe-

I joined in 2014... and my password wouldn't work... and Dana had to fix my email so I could get back in

(I assume the user knows who they are now though...?)

Jef · Oct 25, 2022

myounus said:
Scum bags. I hope the hackers have a VAG car and it blows up. They can go to hell.

Or at the very least have leaking fuel injectors like the rest of us do.

davisev5225 · Oct 25, 2022

Jef said:
Or at the very least have leaking fuel injectors like the rest of us do.

... is that a euphemism for something?

Uwe · Oct 25, 2022

NZDubNurd said:
I joined in 2014... and my password wouldn't work... and Dana had to fix my email so I could get back in

(I assume the user knows who they are now though...?)

That user probably does not. It looks like he hasn't been active here in recent years.

-Uwe-

Uwe · Oct 25, 2022

brundozg said:
Hats off to a man of principle!

Thank you.

But it's not just principle, it's also practicality. They clearly already had whatever they got, and since it's data, there's no way for them to give it back, or to even to prove that it has been destroyed. So let's say I had paid them $500 worth of BTC last night (which would have been difficult in any case because I do not own any crypto, nor do I have an account with anyplace that would let me buy and transmit it). What would prevent them from coming back tonight and demanding $1000? Or tomorrow and demanding $5000?

Then there is the question of ethics. The only thing they really had to hold over my head was the idea that I could keep you folks, my customers from finding out that there had been a data breach, and thus I wouldn't be embarrassed, or have my reputation damaged. Would it have been ethical of me to try to keep the breach a secret? I don't think so! I mean does anyone think they wouldn't add whatever they got to the databases of such stuff that surely exist in the dark corners of the internet, even if I did pay them?

Nope, the only sensible way to handle this was for me to be honest with you guys immediately, and by doing that they have absolutely nothing to hold over my head, or any of yours either.

-Uwe-

Gavra · Oct 26, 2022

Thank you for fast action. Although I haven't logged in for a long time , it is nice to see someone respect privacy and act responsibly and promptly.

iichel · Oct 26, 2022

Mate of mine once had this. He kept insisting he should receive an invoice, otherwise he could not justify spending money without a trace.

But I think the way Uwe acted is the only right way of doing so. Exactly for the reasons he states. Data is easily copied, transferred and there is no way to prove you destroyed it. And even if you did, there are many ways to un-delete it.

Mike R · Oct 26, 2022

Uwe said:
That user probably does not. It looks like he hasn't been active here in recent years.

-Uwe-

downtime · Oct 26, 2022

And pro tip if you haven't already activated. Activate the two-step authentication for the forum for your account. This will prevent the change of your password if your account gets leaked as hackers cannot change the authentication email and also the codes are not visible for the backup method.

Uwe · Oct 26, 2022

downtime said:
Activate the two-step authentication for the forum for your account.

Yes, this is now mandatory for all R-T employees.

-Uwe-

Crasher · Oct 26, 2022

Done the two step. There are some evil people out there.

ArtooDeeDad · Oct 26, 2022

Coming from (cough) years of software, systems, infrastructure, etc...

Good call all around. Even if it is the right choice, it isn't always the easy choice. To Uwe's point, the compromised data isn't exactly high risk PII. That helps.

Thanks for the transparancy.

Was happy to see a 2FA option when i signed up. For something like a forum it is still a great way to keep someone from logging into an account with a compromised password. And i do think it worthwhile even for forums.

And having been through a number of all-night systems emergencies, i hope ya'll are able to catch up on some deserved sleep. Wish i could help.

romad · Oct 26, 2022

myounus said:
I hope they need help from us - I’ll be happy to tell them to ‘foxtrot Oscar’ and jump into a fire. Scum

Even better: Foxtrot Oscar & Delta!

dieseldub · Oct 26, 2022

A bit more excitement than most of us had asked for, for sure. lol

Well-handled, Uwe.

Forum Hacked!

Verified VCDS User

Benevolent Dictator

Verified VCDS User

Verified VCDS User

Verified VCDS User

Verified VCDS User

Verified VCDS User

Ross-Tech Employee

Verified VCDS User

Benevolent Dictator

Benevolent Dictator

Verified VCDS User

Verified VCDS User

Ross-Tech Employee

Verified VCDS User

Benevolent Dictator

Professional User

Verified VCDS User

Verified VCDS User

Verified VCDS User