
Security Notice and LibraryThing Password Reset

Talk about LibraryThing



1 timspalding
Edited: Feb 4, 2014, 12:33pm

Please read the blog post here:
http://blog.librarything.com/main/2014/02/password-reset/

This topic is for discussing the breach, and LibraryThing response to it. You can also send questions and comments to tim@librarything.com or info@librarything.com.

2 lorax
Feb 4, 2014, 12:44pm

Why did it take so long to discover the breach? Have measures been put in place to ensure that any future breaches are discovered in a more timely manner?

3 GwenH
Edited: Feb 4, 2014, 4:38pm

Data breach from 2011???? It's fine changing passwords - always a good idea, but if anything bad was going to come of that breach, it's probably already happened.

4 sryder
Edited: Feb 4, 2014, 1:00pm

2) When the breach took place, we did not have real-time monitoring that would have detected this at the time of it happening.

Secure, real-time monitoring of the sort that would have caught this was in place by January 2013.

The topic arose when a member notified us that they received some spam on an email specific to their LibraryThing account. This prompted us to do a top-to-bottom review of our security, and this review discovered the breach.

No system is perfect. Although we do not want to discuss specifics of current security practices, as they can be helpful to hackers, we are confident that LibraryThing is well defended against future attacks.

5 timspalding
Feb 4, 2014, 1:03pm

>3 GwenH:

That's very true. We simply cannot know, but our gut feeling is that the emails were lumped together with similar lists and sold into the great pool of billions of "living" email accounts that spammers target. We have seen no evidence of further problems. As you say, if there were further problems, they would have happened. I also suspect we'd have seen it.

6 lorax
Feb 4, 2014, 1:13pm

Yeah, certainly if anything other than spam was going to happen (and any spam was lost in the noise), we'd have seen it by now. Hopefully there weren't too many people who re-used their LT password for other accounts.

7 DanieXJ
Feb 4, 2014, 1:28pm

Plus, I'm assuming that it's the passwords/emails from Nov. 2011 that were the ones that were gotten; personally, I've changed most of my passwords on the rest of the internet (as well as here) at least once if not twice or more since then...

8 lorannen
Edited: Feb 4, 2014, 1:39pm

>7 DanieXJ: Yep—password hashes from 2011 (and before) were the only ones that would have been accessed.

9 timspalding
Edited: Feb 4, 2014, 1:44pm

Failures like this are certainly our fault, and not acceptable. But it's also a good reminder about the basics of password security--use different passwords, use complex passwords and change them from time to time.

10 keristars
Feb 4, 2014, 1:59pm

This makes me feel simultaneously guilty and smug. My LT password was one I haven't really used since I signed up for LT, and it's the only site that I still use it for. But that means I haven't changed it in over 7 years...

It was fun digging through my memory for something else from the same era to inspire my new password, though. :)

And it's a good reminder that it's time for me to update other passwords and double check that none of the important accounts share the same passwords as each other or with unimportant things, since I get lazy and might have reused the wrong passwords since my last check a year ago.

11 KathyWoodall
Feb 4, 2014, 2:09pm

Thanks for letting us know. Changed my password.

12 Plactus
Feb 4, 2014, 2:14pm

For some reason, the change password form isn't recognizing my current password. I have no problem logging in. Fortunately, I just changed my password yesterday.

13 lorannen
Feb 4, 2014, 2:23pm

>12 Plactus: It looks like it's working fine on our end. If it's still giving you trouble, send a password reset email from here.

14 perodicticus
Feb 4, 2014, 2:30pm

I put this in the blog comments, but maybe it should've gone here instead:

Do you know where the hackers were located? I remember getting a notification from Gmail at around that time that someone from Mexico had tried to log into my account. At least now I know better than to use the same password elsewhere!

15 lorannen
Edited: Feb 4, 2014, 2:45pm

>14 perodicticus: Good question. Unfortunately, we don't have any more information about the individual (or individuals) who did this.

16 terrell
Feb 4, 2014, 2:45pm

Is the password reset URL sent out really an http URL? Passwords getting sent in the clear?

17 miketopper
Feb 4, 2014, 3:02pm

>16 terrell:

The email doesn't include any passwords and the token is a one time entry for resetting your password.

Currently LibraryThing doesn't force HTTPS for logging into our site, although you are more than welcome to change to the HTTPS url when changing your password so the form isn't sent in the clear.

18 MyriadBooks
Feb 4, 2014, 3:31pm

I appreciate the notification and the new security updates. Also, thanks for the accounts upgrade to lifetime memberships -- that was an unexpected bonus.

19 2wonderY
Feb 4, 2014, 3:55pm

I sincerely appreciate your thorough explanation of what happened. Just another indicator of your commitment to excellence.

My email account did share a password, and I got a few spam emails last year that appeared to be from people in my address book. Changing my password fixed the issue.

20 prosfilaes
Feb 4, 2014, 4:00pm

#17: The email doesn't include any passwords

Which is another, relatively recent, improvement on LT's part.

21 Nogwater
Feb 4, 2014, 4:20pm

How were the passwords hashed? MD5? Was there a different random salt per password, a shared salt, something else? Did they get the salts with the passwords, or were they stored separately?

22 sryder
Feb 4, 2014, 4:24pm

>21 Nogwater: We do not want to get specific about security details, but I can say they were salted.
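Nogwater's salting question, worked through as an added example that is not LibraryThing's code (the staff decline to describe their scheme above): a random salt per user versus one salt shared by everybody. The PBKDF2 iteration count, salt size and the three-user sample table are assumptions constructed for the example.

```python
# Added example (not LibraryThing's code, whose scheme the staff above decline
# to describe): per-user random salts for stored password hashes, contrasted
# with one salt shared by everybody. Iteration count and salt size are
# assumptions chosen for the example.
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000        # assumed work factor; tune to your hardware
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'alg$iterations$salt_hex$digest_hex'.

    A fresh random salt is drawn per call; passing a salt explicitly is only
    for showing the shared-salt case below.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS, DIGEST_BYTES)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the salt stored in the record; compare in constant time."""
    try:
        alg, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False            # malformed record: never "accidentally" matches
    if alg != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, rounds, DIGEST_BYTES)
    return hmac.compare_digest(candidate, expected)


def digest_of(record: str) -> str:
    """The digest field of a record; its length never depends on the password."""
    return record.rsplit("$", 1)[1]


def duplicate_digests(records: Iterable[str]) -> int:
    """How many records share their digest with another record.

    With one shared salt, users who chose the same password get the same
    digest, so cracking one of them cracks all of them, and the duplicates
    are visible in the table. With a random salt per user the count is zero.
    """
    counts = Counter(digest_of(r) for r in records)
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    # constructed sample: three users, two of whom picked the same password
    chosen = ["password1", "password1", "book"]
    shared = [hash_password(p, salt=bytes(SALT_BYTES)) for p in chosen]
    per_user = [hash_password(p) for p in chosen]
    print(duplicate_digests(shared), duplicate_digests(per_user))   # 2 0
```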

23 TheGoodbyeGirl
Feb 4, 2014, 4:24pm

Is it possible to have 2 step verification on the accounts?? I got the email, the first one I think from you guys, and of course being the suspicious person I am I googled to see if the email was real. I have now changed my password also.

24 timspalding
Feb 4, 2014, 4:30pm

>23 TheGoodbyeGirl:

Depends what you mean by two-step. Do you mean as in cellphone texting, the way Google does?

I think https:// is probably the next step. But that's a potential future one.

25 LesMiserables
Edited: Feb 4, 2014, 4:45pm

The technotalk has fried me. Has the salt got anything to do with chips? :-)

Anything can happen online. I just hope that the site is using the best encryption package available as I feel a little uncomfortable knowing someone may have my personal details. Anyway password changed from 'password1' to 'password2' today as I had been using the latter forever. ;-)

26 timspalding
Feb 4, 2014, 4:37pm

>25 LesMiserables:

"book" is a good one.

27 Nogwater
Feb 4, 2014, 4:43pm

> 22
I understand. I'll assume the worst. :)

28 PhaedraB
Feb 4, 2014, 4:46pm

FWIW, I still haven't received an email asking me to change my password, although I did get an email telling me I had just changed my password.

29 LesMiserables
Feb 4, 2014, 4:46pm

26

Yeah, I had considered that but I thought the hackers might have that covered, which sent a shiver down my spine.

30 lorannen
Feb 4, 2014, 4:49pm

>28 PhaedraB: Yep, we're informing everyone, so the emails are still in the process of going out.

31 RaucousRain
Edited: Feb 4, 2014, 5:45pm

Thinking back, around that same time gmail informed me someone tried to get into my email account, and I changed that password. It was not the same as my LT password, and whoever tried to access my gmail was not able to do so. Of course I have no idea if it was connected, just thinking back makes me think it might have been. Anyway, it's always good to be reminded to change passwords -- and I've done so. Probably should head to a few more web sites to update some other accounts. Thanks!

32 timspalding
Edited: Feb 4, 2014, 5:41pm

Note: Some users have complained that it sent expired tokens. This was because their email application didn't like our line-endings, and was running paragraphs together. This meant the URL had "Please" stuck on the end of it—the beginning of the next sentence. The change-password page now removes the "Please" and emails going out now have spacing that will work for all.

Note that the tokens sent in the hack-announcement email don't "get" you anything. They get you to the user account. You still need to enter your password.

>31 RaucousRain:

It is certainly possible. If your email is listed anywhere, someone will try to hack into it. The most common password is "password" after all. That said, if your email was not generally known, and wasn't easy to find by guessing (e.g., GHSmith, CuteBoy71), then it may be related to this.
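The one-time, expiring lookup token and the glued-on "Please" described in the note above, as an added example that is not LibraryThing's code. The token only resolves to an account name, as Tim describes; the password step stays separate. Token length, lifetime and the in-memory table are assumptions made for the example.

```python
# Added example (not LibraryThing's code): a one-time, expiring lookup token
# of the kind described in the post above, with parsing that tolerates a
# mail client gluing the next word ("Please") onto the end of the URL.
# The token only identifies the account; the password step is separate.
import hashlib
import secrets
import time
from typing import Dict, List, Optional

TOKEN_HEX_LEN = 32                     # assumed: 16 random bytes as lowercase hex
TOKEN_TTL_SECONDS = 7 * 24 * 3600      # assumed lifetime for the example
HEX_DIGITS = frozenset("0123456789abcdef")

# In-memory table keyed by SHA-256 of the token, so a copy of the table does
# not yield usable tokens.  Value: [username, expiry_epoch, used_flag]
_tokens: Dict[str, List] = {}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(username: str, now: Optional[float] = None) -> str:
    """Mint a fresh random token bound to one account; returns the token to email."""
    now = time.time() if now is None else now
    token = secrets.token_hex(TOKEN_HEX_LEN // 2)
    _tokens[_key(token)] = [username, now + TOKEN_TTL_SECONDS, False]
    return token


def normalize_token(raw: str) -> Optional[str]:
    """Extract the token from a possibly mangled URL parameter.

    A valid token is exactly TOKEN_HEX_LEN lowercase hex characters, so the
    first TOKEN_HEX_LEN characters are taken and anything after them (such as
    a 'Please' run together from the following sentence) is ignored. Returns
    None when what is left cannot be a token.
    """
    candidate = raw.strip()[:TOKEN_HEX_LEN]
    if len(candidate) != TOKEN_HEX_LEN or not set(candidate) <= HEX_DIGITS:
        return None
    return candidate


def redeem_token(raw: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a token to its account name exactly once.

    Returns None for an unknown, expired, malformed or already-used token, so
    a token that leaks later (forwarded email, browser history) is worthless.
    """
    now = time.time() if now is None else now
    token = normalize_token(raw)
    if token is None:
        return None
    entry = _tokens.get(_key(token))
    if entry is None:
        return None
    username, expires_at, used = entry
    if used or now > expires_at:
        return None
    entry[2] = True                    # burn it: one-time use
    return username


if __name__ == "__main__":
    t = issue_token("example_user", now=1000.0)
    print(redeem_token(t + "Please", now=1001.0))   # example_user
    print(redeem_token(t, now=1002.0))              # None: already used
```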

33 SqueakyChu
Edited: Feb 4, 2014, 5:55pm

I had two accounts hacked recently, but I have no way of knowing if the information came from LT or not. The passwords were similar but not the same. Needless to say, I'm putting into effect much stronger passwords and different ones for each website I use. Thanks for keeping us informed, Tim.

34 Taphophile13
Feb 4, 2014, 5:44pm

18
I appreciate the notification and the new security updates. Also, thanks for the accounts upgrade to lifetime memberships -- that was an unexpected bonus.

I second this. Thank you very much for taking action against security breaches. Not every organization is willing to admit publicly to hacking problems. The upgrade is very much appreciated.

35 ysar
Feb 4, 2014, 5:44pm

So you're upgrading my lifetime account to a lifetime account? What's the point?

36 lilithcat
Feb 4, 2014, 5:52pm

> 35

It means you get an extra life.

37 bernsad
Feb 4, 2014, 5:54pm

It'll now last you two lifetimes. Enjoy!

38 acwbooks
Feb 4, 2014, 5:58pm

#35 said: "So you're upgrading my lifetime account to a lifetime account? What's the point?"

I think the point is niceness in the service of an apology & explanation. Even though I've had a lifetime account for years, I still appreciate LT's decision to upgrade other people's memberships.
Anne, continuing LT member & fan

39 NWADEL
Feb 4, 2014, 6:35pm

I just received the email and I'm sorry to hear about the breach. I appreciate the lifetime membership and hope the site has been fixed.
Natalie

40 vegetrendian
Feb 4, 2014, 7:06pm

I have three accounts that were all created before November of 2011, and two of them were already lifetime accounts, the third one I don't really need upgrading. However, I just created an account for my newborn daughter, any chance I can have the one account upgrade moved over to her account instead? (That is, not an extra upgrade, but just the one upgrade from my account that was not lifetime moved to her account which is not yet lifetime).

Thanks.

41 timspalding
Feb 4, 2014, 7:18pm

Yes, of course. Message me the account name privately.

42 Whisper1
Feb 4, 2014, 7:23pm

Tim

How silly am I. I cannot locate my password. Is it possible to create a "new" password without remembering the old one?

Also, I'd like to take this opportunity to thank you very much for creating LT. I've been a member of the 75 challenge group since 2008. I've met some wonderful folk. The group is incredibly supportive of each other. Again Tim, LT is a large part of my life. Thanks!!!!

43 DaveMiles
Feb 4, 2014, 7:53pm

Thanks for letting us know. Password changed. Great to see this being taken so seriously.

44 DaveMiles
Edited: Feb 4, 2014, 7:54pm

This message has been deleted by its author.

45 Mr.Durick
Feb 4, 2014, 8:10pm

I changed my passwords then sometime later got the e-mails telling me to.

Robert

PS I just confirmed that my old backup account from before collections is now a lifetime account. Cool. Thanks.

R

46 Megi53
Edited: Feb 15, 2014, 6:10pm

(Erased very funny joke after days of no response; I must write in invisible ink on this site.)

Seriously, though, thank you so very much for the upgrade.

47 erhicks
Feb 4, 2014, 9:01pm

Could this breach explain why there are books in my collection which I did not add?

48 timspalding
Edited: Feb 4, 2014, 9:08pm

How silly am I. I cannot locate my password. Is it possible to create a "new" password without remembering the old one?

To receive a password-reset link by email, go to http://www.librarything.com/lostsomething.php and enter your account name or email address.

Could this breach explain why there are books in my collection which I did not add?

Well, no. The evidence points quite strongly to the hacker not even exporting LibraryThing ids or names. They were after the emails and (potentially) cracking the passwords, for use against the emails. Those have value to the sorts of lowlifes who do this, and we have evidence that's just what this was. Mucking with LT user accounts does not have value. Indeed, while we are pretty sure they were able to query the database directly, they did not have the sort of access that would enable book creation, which is a rather complex series of insertions and normalizations across many tables. I don't think I could easily fake a book with database access alone, and I wrote most of the code.

In general, we have never had a convincing report of the sort of thing you describe. There is, however, always a first time. And there are certainly various ways it could happen and you wouldn't realize it. (For example, many import files will have ISBNs in them you don't realize are there.)

Please email info @ LibraryThing.com with details, and we'll look into it.

49 timspalding
Feb 4, 2014, 9:11pm

Incidentally, the blog post alludes to the prompt--that a user came to us claiming to have received spam recently on an account that was never used for any other purpose. While there are various ways that can happen, it was concerning, and may well be owing to the data breach.

However, sending out this email has revealed at least one user who claims the same set of facts--an email used at LibraryThing that was never touched with spam.

So I don't know what to think about the spam. But in any case, the breach was real.

50 dangnad
Edited: Feb 4, 2014, 9:23pm

Gawd! This is a tempest in a teapot. LibraryThing isn't THAT important. Besides, it happened over two years ago, nothing of mine has been compromised, nothing has happened to my email, and I have not noticed any great increase in spam. Changing passwords at this late date is silly.

51 starbright57
Feb 4, 2014, 9:35pm

I had forgotten I had joined this group and I can't find anyplace to withdraw my membership. Would you please delete my name. Looks like a very worthwhile website, I am just not using it. Thank you.

52 timspalding
Feb 4, 2014, 9:37pm

You can delete your account by signing into LibraryThing and going to http://www.librarything.com/editprofile/change

I'll also post this as a profile comment.

53 jasbro
Feb 4, 2014, 10:05pm

#52 by timspalding>: I assume (silly me!) that if I've changed password once today in response to a notice/warning pop-up while on LT, that I don't have to do it again in response to the message that eventually hit my e-mail.

54 timspalding
Feb 4, 2014, 10:38pm

Right. The emails take a long time to go out and then arrive.

55 LesMiserables
Edited: Feb 5, 2014, 12:51am

Regarding SPAM and someone divulging my details to other parties stealthily, I have received in the past while unsolicited offers from TIME, The Economist, Reader's Digest, an online wine company etc. etc.

Obviously nothing to do with LT, but it's bloody annoying, isn't it?

That said, I am interested in the Reader's Digest letter. It says I am only one from a chosen 2% of the Australian population to definitely receive a top prize. I'm not sure how this came about, but I can't believe my luck.

56 lorannen
Feb 5, 2014, 1:09am

>55 LesMiserables: You simply must tell all of us what a "top prize" entails. I'm dying to know.

57 timspalding
Feb 5, 2014, 1:31am

When I used to subscribe to magazines—I'm down to National Geographic now!—I would give them my name with initials corresponding to the magazine. Tim Mac Spalding, Tim Review Spalding, etc. Then I would watch those names proliferate across my email, as lists were sold and resold.

58 sophies_choice
Feb 5, 2014, 4:07am

Thank you for informing us, Tim and co.!

For the ones who had suspicious things with their Gmail, just for what it is worth:

- it might indeed be connected to this breach
- but not so long ago a lot of GMail and Hotmail e-mail addresses were compromised
- same for services as Evernote and Dropbox. They were compromised recently as well.

Just to say, it could also be related to these events. But it is indeed better to be safe than sorry!

59 LesMiserables
Feb 5, 2014, 4:10am

> 56

I believe it is a luxury apartment at Kangaroo Point on the Brisbane river.

I think I'm in with a real chance!

> 57

Great Idea

60 burneggroll
Feb 5, 2014, 5:02am

How do I know that the new email isn't the fake? LOL. The last time I got a "lifetime membership," it took a Supreme Court order to get out of it. ROFL. Thanks for keeping me in touch with THE Library Thing.

61 debavp
Feb 5, 2014, 7:05am

@48--the link posted only works if you know the password. I followed it from the blog post yesterday, emailed info with the explanation that the email on the account hadn't been operational for years, a couple of other bits that could identify the account enough to warrant a temp login be sent, and got a response back that I should try and use the password to reset.

My reaction to that response wasn't and still isn't a smile.

62 jules_l
Feb 5, 2014, 7:56am

61> What browser are you using? Most of them will let you look at the list of passwords you've set and saved, so you might be able to look up your old password there.

In Firefox, for example, you go to Tools --> Options, then Security, then "Saved passwords". There should then be a "Show passwords" button.

63 timspalding
Feb 5, 2014, 8:14am

>61 debavp:

Sorry. One of us must have read your email too quickly. I'll go back in now and send you another reply.

64 Jim53
Feb 5, 2014, 8:34am

There are two kinds of companies: those who know that they have been breached, and those who don't.

65 anglemark
Feb 5, 2014, 8:54am

And for two years LibraryThing was the latter kind. ;)

66 TheCriticalTimes
Feb 5, 2014, 9:10am

In order to inform us of the breach you send out an email with a link to a password reset page? really? REALLY??

67 timspalding
Feb 5, 2014, 9:31am

In order to inform us of the breach you send out an email with a link to a password reset page? really? REALLY??

No, the token just gets you the user name. It's a convenience.

You still have to enter your password, if you're not signed in. If you're signed in already, you won't need to enter your password.

We can see how users misunderstood this. We should probably just have told people to go to LibraryThing and avoided the convenience link which some interpret as spammy and/or insecure.

68 lorax
Feb 5, 2014, 9:47am

50>

Librarything is not the concern. The concern is password re-use, coupled with the email addresses.

The reasonable worst-case scenario is that the hackers have email addresses and LT passwords as of Nov. 2011. If anyone re-used the same password on LT and the email address associated with LT, the hackers would be able to log into the email account. That's quite dangerous, because it would then enable the hackers to send out "I forgot my password" requests and receive password resets for various other accounts, potentially including financial ones.

This is exactly why password re-use is strongly discouraged.

69 divinenanny
Feb 5, 2014, 10:27am

68>

+ using the same e-mail/password combination on other sites.

70 TooBusyReading
Feb 5, 2014, 10:36am

Stuff happens. My password was not reused anywhere else and was not remotely close to anything I used elsewhere. Perhaps the hackers were just looking for good book recommendations.

The free lifetime membership is generous, but those of us who already had one know that it's worth paying for.

No, this isn't an ideal situation, but it's not earth-shattering either. Keep clam and carry on.

71 timspalding
Feb 5, 2014, 10:53am

>68 lorax:

Password reuse is the big problem. These days I'd like to think that most people use different passwords on different sites. There are various mnemonic tricks to have one basic, complex password, but vary it across sites obscurely. Or you can use a service or a book, etc. The big problem is that this sort of thing was not diffusely understood in 2006. It's probable that a decent percentage of the Yahoo accounts listed in 2006 have the same password.

72 librogurl
Feb 5, 2014, 11:03am

Kudos to LibraryThing for how they managed this at various levels: yellow flag warning upon login, email, detailed explanation (if one wanted to read it) and a discussion (if one wished to participate). Like the comment about having two lifetimes...

73 brightcopy
Feb 5, 2014, 11:16am

I struggle with avoiding password reuse. The problem is that just looking at my FF saved passwords, I have hundreds of accounts. Sure, you can go with a pattern that's somehow based off the site name, but going that route I start to feel that it's pretty obvious what I'm doing and giving someone a good starting point to cracking the other accounts. And it's worse when some sites try to "help" you by requiring certain mixes of upper/lower case and it messes up your entire pattern.

And to make it worse, they also try to "help" you with those damned "security questions" that anyone with a cursory knowledge of you could use to impersonate you. I usually fill those out with random crap, which comes back to bite me when *I* have to reset a password because they put in some hair trigger "three tries and you're locked and you can't reset by email MUST USE SECURITY QUESTIONS" bullshit. I also generate unique emails for every site which can sometimes make remembering THAT a pain, too.

Sometimes I think I should just do what my wife does and use LastPass, which generates a random password and stores it in their database encrypted using a master password. I can't get fully on board that for lots of reasons, though.

74 anglemark
Feb 5, 2014, 11:39am

I see LastPass as the lesser evil and use it.

75 timspalding
Edited: Feb 5, 2014, 11:56am

>73 brightcopy:

I am grateful for two-factor authentication. My Gmail is, I think, unhackable from it. That's not impossible for us. We have used Twilio before. That would be the way. A month ago, I'd have said that was overkill. Now, if we can do it, why not?

76 brightcopy
Feb 5, 2014, 12:01pm

#75 by timspalding> The problem I have with two factor stuff is that it often makes my email (or whatever) inaccessible by me when I have to use it from a different computer or different wifi connection even. To me it seems to not be worth the hassle. If it was an account that was crucial to my business I'd probably feel otherwise.

77 suitable1
Feb 5, 2014, 12:24pm

# 76 - agree

78 lorax
Feb 5, 2014, 12:33pm

73>

I figure I'm not trying to prevent a human looking at my password for a specific site from deducing what my password might be for another site, I'm trying to prevent a program that has access to one of my passwords from succeeding with it on other sites. So, yeah, the site-specific portion of my passwords from my low-security* password generation scheme (I use a different one for email and financial institutions) would be reasonably obvious to a human, but that's not the attack vector I'm concerned with.

* This still generates strong passwords by the usual metrics of length, diversity of character types, and resistance to dictionary attacks. It's just the one I use for sites where the results of someone getting my password are relatively minor.

79 timspalding
Feb 5, 2014, 12:42pm

I used to feel otherwise. Now if I don't have my cellphone on me, something is wrong.

80 timspalding
Feb 5, 2014, 12:45pm

>78 lorax:

You can do it in a way that's complex enough for most humans, unless they had six passwords and worked at Bletchley Park*. I mean, don't make your password a234b!Yahoo and a234b!Google.

*Not to be confused with Blachly Park.

81 Helenliz
Feb 5, 2014, 12:49pm

Can I just confirm something. I changed my password last night in response to a bar along the top. I've had the same bar popup again today. Is the one change sufficient?

82 Snodgrass99
Feb 5, 2014, 1:06pm

I actually saw the email at 3 am in the morning, I thought 2011 was warped from another time travel.

83 Snodgrass99
Edited: Feb 5, 2014, 1:08pm

This message has been deleted by its author.

84 timspalding
Feb 5, 2014, 1:14pm

>81 Helenliz:

I'm looking into it.

85 joemontibello
Edited: Feb 5, 2014, 1:26pm

>29 LesMiserables:

I see what you did there.

86 lorax
Feb 5, 2014, 1:33pm

84>

Thanks. I'd assumed a second change wasn't necessary, but if it is I can certainly change it again.

87 timspalding
Feb 5, 2014, 1:38pm

If you get that nav-bar message all the time, it will certainly seem so.

Helenliz, you're getting that constantly?

88 Helenliz
Feb 5, 2014, 2:05pm

No, I had it yesterday, so did as it was telling me. I had it when I logged on first time today, but not second time.

89 brightcopy
Feb 5, 2014, 2:18pm

#79 by timspalding> Your cellphone's battery life must be a hell of a lot better than mine!

90 omargosh
Feb 5, 2014, 2:24pm

I had it come up again, briefly (in just one of the tabs I was opening), about an hour or so ago. I didn't bother to follow it again (figured it was some temporary blip).

91 timspalding
Edited: Feb 5, 2014, 2:47pm

I had it when I logged on first time today, but not second time.

Hmm. I'm thinking this is local browser caching.

Your cellphone's battery life must be a hell of a lot better than mine!

You kidding? I live from tether to tether.

92 AsYouKnow_Bob
Feb 5, 2014, 3:08pm

Curiouser and curiouser.

I got a personal warning from Tim on Oct 21, 2011 that the throw-away email account that I use for LT (and for very little else) was apparently hacked, as it was spamming its contact list.

I changed THAT password, and didn't think much else of it, as it seemed to have been an automated attack.

The more 'human' attack described by lorax at #68 makes my blood run cold, and makes me very glad that I didn't use my LT-related email for much else.

93 jasbro
Feb 5, 2014, 3:16pm

50> lorax: Thanks for the insight. After all these years, I still feel naive and vulnerable on cyber-security, despite all the things I've seen, known, heard, and/or been warned about. (Of course, the 147th Rule of Cyber-Security is to never admit on-line that you're naive and vulnerable -- right?) Sometimes it helps for somebody else to make connections like this, particularly when it wouldn't have occurred to us otherwise. I'd hate to think how you came to that understanding!

94 terrell
Feb 5, 2014, 3:33pm

>17 miketopper: "you are more than welcome to change to the HTTPS url when changing your password so the form isn't sent in the clear."

LT should update the reset form to submit to the HTTPS endpoint, no matter what.

Sending passwords in the clear, by default, is no good.

Separately, the login page should force HTTPS. Why have a cert if you're not using it for the credential exchange?

Thanks for everyone's hard work.

95 lt-security-concern
Feb 5, 2014, 3:42pm

When did LT switch from unencrypted to encrypted passwords?

Also why is there a 20 character limit on passwords?

-Mike

96 brightcopy
Feb 5, 2014, 3:50pm

#95 by lt-security-concern> Who claimed LT ever had unencrypted passwords?

And why is your username lt-security-concern?

97 lorax
Feb 5, 2014, 3:57pm

95>

Why did you create a new username for the sole purpose of posting to this thread?

98 cpg
Feb 5, 2014, 4:00pm

>96 brightcopy: "Who claimed LT ever had unencrypted passwords?"

I think Tim claimed that here: http://www.librarything.com/topic/47341#844949

99 anglemark
Feb 5, 2014, 4:08pm

#96 by brightcopy> Because he's used to a troll-infested talk atmosphere, I assume.

100 brightcopy
Feb 5, 2014, 4:38pm

#98 by cpg> Huh, interesting bit of history. But either he never went through with that or it changed before 2011, as above they stated that the hashes were stolen. Of course, even if they weren't hashed, they could still be encrypted. To be unencrypted, they'd have to be stored in plain text. I'd hope Tim wouldn't have gone that route.

#99 by anglemark> Concern troll?

101 BasKoeln
Feb 5, 2014, 5:45pm

At this point: Thanks for the open information policy, LibraryThing.

102 debavp
Feb 5, 2014, 5:58pm

@63 Thanks Tim. I received a message and have now reset successfully!

103 KansasFarmMomma
Feb 5, 2014, 7:29pm

I get so much spam in my email even if my account had been compromised I never would have known lol

104 DanieXJ
Feb 5, 2014, 7:37pm

It's not so much the spam --into-- your email that you need to worry about (well, as long as you don't give any money to any Nigerian princes or click on any links that you don't know where they came from). It's when your account is sending --out-- spam. That's when you know it's been compromised.

105 KansasFarmMomma
Feb 5, 2014, 7:40pm

Oh, gotcha. That makes sense.

106 paradoxosalpha
Edited: Feb 5, 2014, 7:42pm

So, I changed my password at the office yesterday, and this evening I thought I should probably sign out at home in order to sign back in with my new password.

I can't sign out. Clicking the "Sign out" at the top right corner of the screen just takes me to my home page and leaves me signed in.

???

107 timspalding
Feb 5, 2014, 7:46pm

>106 paradoxosalpha:

That's very odd. Can you PM me with your browser and OS? And also, after you do it, try reloading with shift- and/or control- on.

108 LesMiserables
Feb 5, 2014, 8:36pm

107

Tim, I already had a lifetime account prior to the aforesaid date. Any chance of an infinity account?

109 KinomiyaMichiru
Feb 5, 2014, 8:49pm

A. I wasn't even a member of LT till June 2012.
B. What do we do if we use FB connect or Twitter connect to log in? Just delete the connection for LT on said site, and re-enable it?

110 SuryaSrijith
Feb 6, 2014, 1:34am

I couldn't agree more!

111 lesling
Edited: Feb 6, 2014, 5:52am

The change password invitation email got caught in the gmx spam filter. Might be something to look into. (Added LT to whitelist now, but I was a little surprised to see the LT-email moved to spam folder in the first place.).

112 anglemark
Edited: Feb 6, 2014, 6:03am

I'm sure there are a great many users who registered an account x number of years ago and have since completely forgotten all about it, and thus have marked this email as spam. So if gmx uses Bayesian filtering with feedback from all users, it stands to reason that it is by now considered as spam, statistically speaking.

113 miketopper
Feb 6, 2014, 7:16am

>109 KinomiyaMichiru: Your Facebook and Twitter connections should not be affected by this. For one thing, every time you log in through Facebook you are authenticated through Facebook and a new access token is saved. Even if somehow someone was able to obtain that access token, they would also need LibraryThing's private Facebook key, which is not stored in the database. On top of that, the access tokens are only good for a short amount of time.

The same is said for twitter. We have no reason to believe that any of the stored tokens were compromised and even if they were somehow, the stored tokens alone are useless.

LibraryThing's private keys for each of these services has been changed multiple times since 2011 as well.

114parelle
Feb 6, 2014, 2:34pm Top

>81 Helenliz:

I also got a second change password notice on this account (and I believe I was forced to do it) after changing it via the link the first time. I'll note that I've probably an account within the first 5000 (assuming that the account notifications were sent in some kind of order) so I was probably among the first to get the notification of the hack via email.

That said I have two accounts attached to the same email address, and I had just received the email for the second account (much newer: less than a month old) so perhaps that's the issue?

Mac Chrome and iPad Chrome, emails via gmail.

115eilidhm
Feb 6, 2014, 7:37pm Top

Thanks for offering to upgrade my account from free to lifetime membership. When should I expect this to happen?

116timspalding
Feb 6, 2014, 7:58pm Top

I upgraded you now. I'll dig into why you were not already.

T

117LesMiserables
Feb 6, 2014, 8:01pm Top

> 116

Tim, I applaud you on your good faith on the upgrades. I am in no way grumpy that I am one of the ones who paid for the privilege, but was curious to know why you might forego the possibility of an upgrade by a cash paying user?

118eilidhm
Feb 7, 2014, 1:06am Top

Thank you!

119Maura49
Feb 7, 2014, 6:04am Top

81> the same thing has happened to me and I am still getting the prompt at the top of each LT page I access. could the problem be that I changed my password from one of those prompts and not from the email link? Should I change it again?

120timspalding
Feb 7, 2014, 7:33am Top

>119 Maura49:

No. Let me know if you're still getting it now.

121timspalding
Feb 7, 2014, 7:36am Top

Private messaging you.

122JerryMmm
Feb 7, 2014, 10:19am Top

Ah, shame, my kid's account was created on the 20th of November 2011...

123timspalding
Feb 7, 2014, 10:19am Top

PM me it. I'll upgrade it.

124CatBooks
Feb 7, 2014, 5:10pm Top

I hate when a site makes me have to change passwords. I can never remember them after changing them and have to write them down in a notebook. I'm sure I don't have any data listed here that they can hack. They might get my address but I don't care.

125SqueakyChu
Feb 7, 2014, 5:14pm Top

> 124

Write them down in a book. Ensure that every website has a different and a strong password. Trust me; you don't want any of your websites hacked. I didn't believe it could happen to me. It just did. It's a nightmare.

126BTRIPP
Feb 7, 2014, 5:29pm Top

I agree with #124 ... I have such a hard time remembering new passwords ... had this one since 2005 ... fortunately, LT keeps me logged in, so I only rarely have to use it.

127brightcopy
Feb 7, 2014, 6:05pm Top

The problem here (as mentioned earlier) is that Tim isn't as worried about someone hacking into your LT account as he is someone hacking into your EMAIL account. Often people use the same password for their email account as they do for others. The hackers stole the list of email addresses and (hashed) passwords for the LT account. So they could use that to break into your email, which you may care about a great deal more.

128jjwilson61
Feb 7, 2014, 6:24pm Top

127> But if that's the case he should be advising members to change the passwords on their e-mail accounts. For the situation that you describe, changing your LT password is irrelevant as the hackers have already made off with the old (albeit hashed) passwords.

129brightcopy
Edited: Feb 7, 2014, 10:10pm Top

#128 by jjwilson61> Well, he did include "Members should change their password at LibraryThing and any other service on which they used the same password." in the blog post the notification email links to. But it's a fair point. I was more referring to Tim caring about it and thus making sure everyone knew about it (via the blog, emails and here) rather than keeping mum.

The changing of the password itself is actually a separate issue, apparently because "We have upgraded our password system to the highest industry standards. Users who joined in the last week or so, or changed their passwords, are already on the new system." You need to set a new password to get in the new system, for whatever reason (I can imagine a few).

Oddly enough, gmail did something a bit wonky on the notification email for me. Well, the SECOND one, as I had two accounts that eventually forward to the same mailbox (brightcopy and brightcopytest). On the second email, gmail helpfully decided everything from "Please read our longer description of the breach here:" and below was quoted text and hid it behind a (...) button. But perhaps this is only because it threaded the two messages into one conversation. It probably would never get hidden for anyone who just got one email.
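
(Added example, not LibraryThing's code: the post above quotes the blog saying that only users who changed their password are on the new password system. The reason a site cannot silently move everyone over is that a hash cannot be converted into a stronger hash without the plaintext, and the plaintext is only available at login or at a password change. The sketch below shows the usual "rehash on successful login" pattern. Both hash formats are assumptions chosen for illustration, a legacy unsalted SHA-1 and a salted PBKDF2-HMAC-SHA256; the page does not say what LibraryThing used before or after. The user table is constructed sample data.)

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed formats for illustration only: "legacy" is an unsalted SHA-1 hex
# digest, "modern" is PBKDF2-HMAC-SHA256 with a per-user random salt. The
# page does not describe LibraryThing's real schemes.
LEGACY_PREFIX = "sha1$"
MODERN_PREFIX = "pbkdf2_sha256$"
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str) -> str:
    """Weak pre-upgrade format: no salt, fast hash, cheap to crack once leaked."""
    return LEGACY_PREFIX + hashlib.sha1(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated KDF; the stored string carries its own parameters."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{MODERN_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def needs_upgrade(stored: str) -> bool:
    return stored.startswith(LEGACY_PREFIX)


def verify(stored: str, password: str) -> bool:
    """Check a password against either format, with constant-time comparison."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_hash(password))
    if stored.startswith(MODERN_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate; if the stored hash is still legacy, rehash the plaintext we
    were just handed. The plaintext exists only at login or password change, so
    accounts that never log in keep the legacy hash until a reset is forced."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if needs_upgrade(stored):
        users[username] = modern_hash(password)
    return True


def build_sample_users() -> Dict[str, str]:
    """Constructed user table with two legacy-format entries (sample data)."""
    return {"alice": legacy_hash("correct horse"), "bob": legacy_hash("hunter2")}


if __name__ == "__main__":
    table = build_sample_users()
    print("alice before:", table["alice"])
    print("login ok:", login(table, "alice", "correct horse"))
    print("alice after: ", table["alice"])
    print("bob still legacy:", needs_upgrade(table["bob"]))
```

Running it shows alice's row moving to the new format the moment she logs in, while bob's row stays in the old format indefinitely. That dormant-account case is exactly why a site ends up forcing a password change rather than waiting for everyone to log in.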

130timspalding
Feb 8, 2014, 1:20am Top

>129 brightcopy:

Yeah, that's a conversation thing. Irritating.

As you say, we did tell people to change their passwords elsewhere. We didn't say so in the email, but the email was SUCH a small canvas. It was deuce-difficult to convey even a minimal set of facts within it, and keep it short enough that it didn't look like a newsletter or a legal document.

fortunately, LT keeps me logged in, so I only rarely have to use it

Make sure you DO have it, though. Future security improvements will kick you at some point.

131jenreidreads
Feb 8, 2014, 12:54pm Top

I was also already a lifetime member when the breach happened. It doesn't seem to have affected me, though, no spam emails or anything, and I have successfully changed my password. Sorry for this headache, everyone.

132ojchase
Feb 9, 2014, 4:00am Top

Appreciate the transparency Tim!

And the lack of upset comments in this thread is just another indication of how wonderful the LT community really is :)

133Linkmeister
Feb 13, 2014, 1:11am Top

Relatedly, has anyone had trouble signing in to an Android app (LT Browser by sbear1) after changing his or her password? I can't get in on my tablet. I've emailed the developer about it, but I was wondering if anyone else suffered from the same malady.

134eomalley
Feb 13, 2014, 1:11am Top

Like >81 Helenliz: and >119 Maura49: I'm getting the security prompt banner at the top even though I changed my password tonight by clicking on the link in the banner. I've cleared my cache (I think), signed out and back in. The system is recognizing my new password with no problem, but still prompting me to change it. Is there an issue with Firefox?

135Louve_de_mer
Feb 13, 2014, 2:32am Top

> 133 : Same here : "Login failed".

136JerryMmm
Feb 13, 2014, 4:42am Top

>133 Linkmeister:, 135 perhaps related to the https change the other day?

seabear was looking into https before the switch by LT

137Louve_de_mer
Feb 13, 2014, 7:18am Top

> 136 : Thanks. I'll leave a message on the thread.

138Rachael
Feb 13, 2014, 11:40am Top

Just logged in here after not doing so in a little while and saw the notice about needing to change password. Done, and thanks for the info! And also for the offer of upgrading to a lifetime membership! But as I've been a lifetime member since I joined, can I please have a pony instead? ;-) :-)

139joannasephine
Edited: Feb 14, 2014, 1:41am Top

I think Tim’s at the point of needing to genetically engineer ponies with wings, unicorn horns, sparkling hooves, and a whinny that can turn an illiterate self-published pile of pony-poo into a best selling, genre-bending, literary masterpiece.

And I want one too.

140eomalley
Feb 14, 2014, 12:46am Top

Woo hoo, the warning banner is now gone! Don't know if it was Tim or the cache, but I'm a happy camper now that everything is back to normal.

P.S. I'd love one of those genetically engineered ponies, too, please :)

141rosalita
Feb 14, 2014, 4:33pm Top

#139> But I want to be able to choose to turn off any of those features on my pony, and the default should always be off, especially for whinnying.

142hipdeep
Feb 16, 2014, 10:46am Top

I just want to thank LibraryThing for your transparency on this. Apparently Kickstarter just got hacked, which they are communicating by email to their users - but not by their internal messaging system, or notices on the home page. (It is on the blog, with links from Twitter and Facebook, but none of those have the high profile on Kickstarter that they do on LibraryThing.) You did a much better job than they're doing so far, and thanks for that.

143timspalding
Feb 16, 2014, 11:11am Top

Well, we didn't put it on our sign-out home page—which some have criticized us for. But if you actually sign IN, you find out immediately, as it takes you to the change password page with a notice. And it's on the signed-in home page, and on every page of the site (in the nav bar) until you change your password. I figured that trying to put it on the home page was a lot of work for no gain. For if you're a user, you're going to get told—that is, if you haven't been already. And if you're not a user, it doesn't affect you.

I thought their letter was rather good, however, and managed to say it in fewer words.

As I said on Twitter, if the CEO of Kickstarter needs a drink now, I got the bottle… right… here!

144PhaedraB
Feb 16, 2014, 2:40pm Top

I got the email from Kickstarter, too. As soon as I logged in, I got a notice across the top to change my password, just as on LT. It wasn't there until I logged in.

145hipdeep
Feb 17, 2014, 12:06am Top

Ah - perhaps I didn't see it since I was already logged in through Facebook. That's its own set of problems, of course, but the Facebook connections weren't touched by this breach. I saw it as a Facebook trending story first, and then couldn't find information easily on their site, and I check that email only about once a day.

All of which just goes to show you can't really control asynchronous communication...

146larissalai
Edited: Feb 23, 2014, 2:30am Top

This message has been deleted by its author.

147andrewsd
Edited: Feb 26, 2014, 9:40am Top

I recently had multiple attempts made to access my email account, perhaps as a result of the LibraryThing data breach. I'm suggesting this is the case because the email and password used for my LT account are unique to it; I created it for the purpose of signing up for my LT account and have not used it for anything else (my LT password was the same for the email).

All of the access attempts were from obscure locations in Russia and one in Peru. Luckily, trusty gmail did not allow them to log in.

This seems to show that whoever captured LT account information isn't just storing it somewhere; they are actually trying to use LT passwords to break into associated emails.

So, be aware of this and change your passwords to any accounts associated with LibraryThing, as their notice asked users to do.

148anglemark
Feb 26, 2014, 9:15am Top

It's over two years since the breach happened. Odd that you should experience these attempts at cracking your Gmail account now. It's probably a coincidence in timing, I doubt the crackers monitor this discussion board.

149andrewsd
Edited: Feb 26, 2014, 9:27am Top

>148 anglemark: Again, the email, password, and account information were exclusive to LT and were used only for access here. Unless Google was hacked (which would have triggered an automatic password change), the LT breach would be the only source. They had my account name and password, but gmail stopped them because of their location. It also wouldn't be that uncommon for a delay like that. Hackers store this information then sell it, often years later, when buyers make themselves available. So a coincidence in timing, perhaps, but not origin. But you're right, there is no way of definitively saying one way or another.

150anglemark
Feb 26, 2014, 10:47am Top

Oh, I don't doubt that it's the breach here that's the source of the attempts, from what you describe. I only meant that the attacks on your email account coming approximately when this breach was discovered and published is probably a coincidence.

151timspalding
Edited: Feb 26, 2014, 10:53am Top

>147 andrewsd:

Interesting. We can't know for certain, but it's definitely possible.

That the emails are out there is almost certain. The user who brought this to our attention got spam on an email he believed to be LT-only. As I said in the announcement, I think it's likely that the emails have entered the great big pool of emails. There is such a pool, certainly. A recent report on an unsolved and unsourced leak of 360 million stolen credentials ( http://www.reuters.com/article/2014/02/25/us-cybercrime-databreach-idUSBREA1O20S... ) mentioned that the criminals are also selling 1.25 billion email addresses. Yes, billion!

But your details concern me. Did you have two-factor authentication going? I didn't know Google stopped requests purely on location.

152SqueakyChu
Edited: Feb 26, 2014, 11:33am Top

I am fairly certain that whoever breached my email account two months ago did so with information from 2011. At that time, I discovered someone using my personal information for some gaming sites which I never used. I changed my password to my email account at that time (2011).

The password I used then on LT was one five-letter word. The password on my email account at that time was the same word followed by "123". Easy enough to guess. I would not be surprised if the hacker got the information from this site. Not that it matters at this point as all of my accounts online have now been changed to stronger and individual passwords.

I mentioned this issue to my son (an IT professional) who said it's only coincidence. I'm not convinced.

My take on this matter is that anyone who wants to breach my email can. It's only a matter of time. I use my stronger passwords to simply make it more difficult for hackers and so they might move along to hassle someone else besides me. I lost all of my previous email account information at a most inopportune time. It was a true nightmare and one which I'd prefer not to have other LTers endure.

153timspalding
Edited: Feb 26, 2014, 11:50am Top

It's possible. I would find it more definitive if they were the same password. Hackers are very lazy. They automate. But if it was fully guessable, then they probably fail to trying it with a "suffix dictionary"—1, 123, 69, 321, etc.
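
(Added example, not from the original thread: this illustrates the "suffix dictionary" Tim describes above and the credential-reuse worry raised in 127 and 128. Given one password recovered from a breach, an attacker does not try it only verbatim against your other accounts; tooling expands it with a short list of common mangling rules first. The suffix list and the leet rewrites are constructed and far shorter than real rule sets, the "other site" is simulated by an unsalted SHA-256 of the target password, which is an assumption, and the passwords are invented.)

```python
import hashlib
from typing import Iterator, Optional

# Constructed suffix dictionary in the spirit of "1, 123, 69, 321"; real
# cracking rule sets are far larger.
SUFFIXES = ["", "1", "12", "123", "1234", "321", "69", "!", "1!", "2011", "2014"]


def case_variants(word: str) -> Iterator[str]:
    """Cheap capitalisation and leet rewrites applied before any suffix."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")


def candidates(base: str) -> Iterator[str]:
    """Every (case variant + suffix) combination, without duplicates, in the
    order an attacker would try them: the unmodified word comes first."""
    seen = set()
    for w in case_variants(base):
        for s in SUFFIXES:
            c = w + s
            if c not in seen:
                seen.add(c)
                yield c


def target_hash(password: str) -> str:
    """Stand-in for the other site's stored hash (unsalted SHA-256, an assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(stored_hash: str, base: str) -> Optional[str]:
    """Try each mangled candidate against the hash; return the first match or None."""
    for c in candidates(base):
        if target_hash(c) == stored_hash:
            return c
    return None


def attempts_needed(stored_hash: str, base: str) -> int:
    """How many guesses the mangling loop needs before it hits (-1 if it never does)."""
    for i, c in enumerate(candidates(base), start=1):
        if target_hash(c) == stored_hash:
            return i
    return -1


if __name__ == "__main__":
    # Constructed scenario: breached site password "tulip", mail password "tulip123".
    leaked_lt_password = "tulip"
    mail_hash = target_hash("tulip123")
    print("recovered:", crack(mail_hash, leaked_lt_password),
          "after", attempts_needed(mail_hash, leaked_lt_password), "guesses")
    print("unrelated password found:", crack(target_hash("q7#Lm!zR9v"), leaked_lt_password))
```

The run recovers "tulip123" on the fourth guess; a password with no relation to the leaked one is never found by this loop. Offline, against a leaked hash, all of this is instantaneous; online, against a mail provider, the same candidates are rate limited and may trip the kind of sign-in alert bestem quotes below, which is why reusing even a modified password across sites is the real problem rather than the breach of any one of them.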

154bestem
Feb 26, 2014, 8:21pm Top

>151 timspalding: I didn't know Google stopped requests purely on location.

I don't actually believe they do. They will send you an email when there's been an attempt from a location that doesn't seem likely to be yours. For instance, if I attempt to log into my email at work, which has an IP address as being on the opposite coast as I live due to that being where national headquarters is, and I mistype the password, I will get an email about the attempt to access my email, and a suggestion to change the password. If I log in with the correct password, it has no issues whatsoever. My customers who need to print things from their emails are all able to log in, in California, to Gmail, on a network that claims that it is in Florida.

I've deleted most of the emails I've received, because I know when I screw up my password occasionally, and seeing a Florida IP doesn't worry me. Here's a copy of one I received on a friend's behalf, as he uses my email as his recovery email.

N,

Someone recently tried to use an application to sign in to your Google Account - redacted - showed my friend's actual email address. We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

Wednesday, January 16, 2013 1:05:34 AM UTC
IP Address: 208.87.203.243 (sjc-default-egress-nat-c.seven.com.)
Location: Redwood City, CA, USA

If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately. Find out how at http://support.google.com/accounts?p=reset_pw

If this was you, and you want to give this application access to your account, complete the troubleshooting steps listed at http://support.google.com/mail?p=client_login

Note: This email address cannot accept replies.

Sincerely,
The Google Accounts Team

155Morphidae
Feb 27, 2014, 1:32pm Top

I know that my email address has been recently sold. I never used to get spam, at least not on a daily basis. Now I'm getting "You've won 1.5 million dollars!" and eviction notices. Who knows whether it was from LT or something else. The address is not strictly for LT so could be anything. Annoying as heck though.

156TooBusyReading
Feb 27, 2014, 2:41pm Top

I was evicted today, too. At least that is what the subject of the email in my junk folder would lead me to believe. I don't think it is LT's breach, though. I've been getting a relatively small amount of junk mail for a long time, and have no idea how it first started.

(Dear Junk Mailers,
I do not have the body part you wish to enlarge. I have no money for Nigerian princes. I do not wish to hypnotize women into sleeping with me. And I don't, silly me, use Internet pharmacies touted by junk mail or buy "Rolex" watches.

Sincerely,
Me)

157brightcopy
Feb 27, 2014, 3:28pm Top

Pssh, what do they care? If you dig down into a landfill, you will periodically find sedimentary layers of phone books. That was shown by an archaeological dig of a landfill in 1975. Back then it was probably every year when the new phone books came out and people threw out their old ones. These days it's people throwing out the useless NEW phone books the same day they come out.

158rebeccanyc
Feb 27, 2014, 4:46pm Top

I've been getting those eviction notices too. But getting spam isn't necessarily because an e-mail address has been sold. Every now and then I get an e-mail from a friend who's obviously been hacked (i.e., it's just a link to click on -- NOT), and thus gave the hackers access to all the e-mails on that person's contact list.

159brightcopy
Edited: May 29, 2014, 12:03pm Top

Just got a phishing attempt at an email I've only used for LT (brightcopytest account). There was an attached zip file, but upon downloading it, it was 0 bytes. Still trying to figure out if something scrubbed it somewhere along the chain.

Message follows:


From: Sean Reed
Subject: ACH - Bank account information form

Please fill out and return the attached ACH form along with a copy of a voided check.

Sean Reed

GRE Project Accounting
Vendor Management & Bid/Supervisor

Fax-601 597-6997

GRE Project Accounting

This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect those of JPMorgan Chase & Co., its subsidiaries and affiliates. This transmission may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
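
(Added example, not from the original post: a small triage routine of the kind a mail admin or SOC analyst would run over a message like the one above. It parses a raw RFC 5322 message with Python's standard library and flags the signals visible in the post: a financial lure ("ACH", "voided check"), a bank named in the body that has nothing to do with the sending domain, a risky attachment type, and a zero-length attachment, which is the usual footprint of a gateway having stripped the real payload. The sample messages are constructed lookalikes with invented names and domains, not the original mail.)

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

RISKY_EXT = {".zip", ".rar", ".7z", ".iso", ".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm"}
LURE_WORDS = ("ach", "voided check", "wire transfer", "bank account", "invoice")
CLAIMED_BRANDS = ("jpmorgan", "chase")  # brands the body may invoke for credibility


def _domain(header_value) -> str:
    """Lower-cased domain of an address header, or "" if the header is absent."""
    if not header_value:
        return ""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def triage(raw: str) -> List[str]:
    """Return findings for a raw message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain mismatch: From={from_dom} Reply-To={reply_dom}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = [w for w in LURE_WORDS if re.search(r"\b" + re.escape(w) + r"\b", body)]
    if hits:
        findings.append("financial lure wording: " + ", ".join(hits))
    brands = [b for b in CLAIMED_BRANDS if b in body and b not in from_dom]
    if brands:
        findings.append("brand named in body but absent from sender domain: " + ", ".join(brands))

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""
        if ext in RISKY_EXT:
            findings.append(f"risky attachment type: {name}")
        if len(data) == 0:
            findings.append(f"zero-length attachment: {name} (content possibly stripped upstream)")
    return findings


def build_phish_sample() -> str:
    """Constructed lookalike of the posted lure; names and domains are invented."""
    msg = EmailMessage()
    msg["From"] = "Project Accounting <accounting@gre-project.example>"
    msg["Reply-To"] = "returns@bulkmailer-77.example.net"
    msg["To"] = "lt-only-address@example.org"
    msg["Subject"] = "ACH - Bank account information form"
    msg.set_content(
        "Please fill out and return the attached ACH form along with a copy of a voided check.\n\n"
        "Any comments or statements made herein do not necessarily reflect those of "
        "JPMorgan Chase & Co., its subsidiaries and affiliates.\n"
    )
    msg.add_attachment(b"", maintype="application", subtype="zip", filename="ACH_form.zip")
    return msg.as_string()


def build_benign_sample() -> str:
    """Constructed ordinary message for comparison."""
    msg = EmailMessage()
    msg["From"] = "Colleague <colleague@example.org>"
    msg["To"] = "lt-only-address@example.org"
    msg["Subject"] = "Friday"
    msg.set_content("Are we still on for lunch on Friday?\n")
    return msg.as_string()


if __name__ == "__main__":
    for line in triage(build_phish_sample()):
        print("-", line)
    print("benign:", triage(build_benign_sample()))
```

The lure words are matched on word boundaries so that "ach" does not fire on "attached". A zero-byte attachment is worth its own finding: on its own it is harmless, but it usually means a filter somewhere in the path already recognised and removed the payload, which is the most likely explanation for the empty zip in the post.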

160timspalding
May 29, 2014, 12:11pm Top

I've had 1-2 solid reports of the email being out there for spam. I'm surprised that, if you got one, you didn't get 100.

161brightcopy
May 29, 2014, 12:13pm Top

Indeed. I also just got two PMs from you on new badges. Second one same as the first, only with badge pics. Just FYI.

162timspalding
May 29, 2014, 12:48pm Top

Yeah. I did it again, so I could get the images in. It's a lot of trouble to edit it.
