Security Notice and LibraryThing Password Reset
Talk Talk about LibraryThing
1 timspalding
Please read the blog post here:
http://blog.librarything.com/main/2014/02/password-reset/
This topic is for discussing the breach, and LibraryThing response to it. You can also send questions and comments to tim@librarything.com or info@librarything.com.
2 lorax
Why did it take so long to discover the breach? Have measures been put in place to ensure that any future breaches are discovered in a more timely manner?
3 GwenH
Data breach from 2011???? It's fine changing passwords - always a good idea, but if anything bad was going to come of that breach, it's probably already happened.
4 sryder
2) When the breach took place, we did not have real-time monitoring that would have detected this at the time of it happening.
Secure, real-time monitoring of the sort that would have caught this was in place by January 2013.
The topic arose when a member notified us that they received some spam on an email specific to their LibraryThing account. This prompted us to do a top-to-bottom review of our security, and this review discovered the breach.
No system is perfect. Although we do not want to discuss specifics of current security practices, as they can be helpful to hackers, we are confident that LibraryThing is well defended against future attacks.
5 timspalding
>3 GwenH:
That's very true. We simply cannot know, but our gut feeling is that the emails were lumped together with similar lists and sold into the great pool of billions of "living" email accounts that spammers target. We have seen no evidence of further problems. As you say, if there were further problems, they would have happened. I also suspect we'd have seen it.
6 lorax
Yeah, certainly if anything other than spam was going to happen (and any spam was lost in the noise), we'd have seen it by now. Hopefully there weren't too many people who re-used their LT password for other accounts.
7 DanieXJ
Plus, I'm assuming that it's the passwords/emails from Nov. 2011 that were the ones that were gotten. Personally, I've changed most of my passwords on the rest of the internet (as well as here) at least once if not twice or more between then...
8 lorannen
>7 DanieXJ: Yep—password hashes from 2011 (and before) were the only ones that would have been accessed.
9 timspalding
Failures like this are certainly our fault, and not acceptable. But it's also a good reminder about the basics of password security--use different passwords, use complex passwords and change them from time to time.
10 keristars
This makes me feel simultaneously guilty and smug. My LT password was one I haven't really used since I signed up for LT, and it's the only site that I still use it for. But that means I haven't changed it in over 7 years...
It was fun digging through my memory for something else from the same era to inspire my new password, though. :)
And it's a good reminder that it's time for me to update other passwords and double check that none of the important accounts share the same passwords as each other or with unimportant things, since I get lazy and might have reused the wrong passwords since my last check a year ago.
11 KathyWoodall
Thanks for letting us know. Changed my password.
12 Plactus
For some reason, the change password form isn't recognizing my current password. I have no problem logging in. Fortunately, I just changed my password yesterday.
13 lorannen
>12 Plactus: It looks like it's working fine on our end. If it's still giving you trouble, send a password reset email from here.
14 perodicticus
I put this in the blog comments, but maybe it should've gone here instead:
Do you know where the hackers were located? I remember getting a notification from Gmail at around that time that someone from Mexico had tried to log into my account. At least now I know better than to use the same password elsewhere!
15 lorannen
>14 perodicticus: Good question. Unfortunately, we don't have any more information about the individual (or individuals) who did this.
16 terrell
Is the password reset URL sent out really an http URL? Passwords getting sent in the clear?
17 miketopper
>16 terrell:
The email doesn't include any passwords and the token is a one-time entry for resetting your password.
Currently LibraryThing doesn't force HTTPS for logging into our site, although you are more than welcome to change to the HTTPS url when changing your password so the form isn't sent in the clear.
18 MyriadBooks
I appreciate the notification and the new security updates. Also, thanks for the accounts upgrade to lifetime memberships -- that was an unexpected bonus.
19 2wonderY
I sincerely appreciate your thorough explanation of what happened. Just another indicator of your commitment to excellence.
My email account did share a password, and I got a few spam emails last year that appeared to be from people in my address book. Changing my password fixed the issue.
20 prosfilaes
#17: The email doesn't include any passwords
Which is another, relatively recent, improvement on LT's part.
21 Nogwater
How were the passwords hashed? MD5? Was there a different random salt per password, a shared salt, something else? Did they get the salts with the passwords, or were they stored separately?
22 sryder
>21 Nogwater: We do not want to get specific about security details, but I can say they were salted.
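The exchange above asks whether the stored hashes were plain MD5 and whether each password had its own salt. The following Python block is an added illustration, not LibraryThing's code, of why that matters: it stores a constructed set of users once with unsalted MD5 and once with PBKDF2-HMAC-SHA256 and a random per-user salt, and shows that two members who chose the same password end up with identical values under the first scheme and distinct values under the second. The user names, passwords, iteration count and salt length are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed work factor and salt size for the example; a deployment tunes these.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """Weak scheme from the question: plain MD5, no salt. Identical passwords
    produce identical digests, so one cracked value matches every such user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-user random salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def build_user_table(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Hash every user's password with its own fresh salt."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def distinct_digests(credentials: Dict[str, str], salted: bool) -> int:
    """Count how many distinct stored values a scheme yields for the same users."""
    if salted:
        return len({digest for _, digest in build_user_table(credentials).values()})
    return len({unsalted_md5(pw) for pw in credentials.values()})


# Constructed sample: two members who happened to choose the same weak password.
SAMPLE_USERS = {"alice": "password1", "bob": "password1", "carol": "correct horse"}

if __name__ == "__main__":
    table = build_user_table(SAMPLE_USERS)
    print("unsalted MD5 distinct values:", distinct_digests(SAMPLE_USERS, salted=False))
    print("salted PBKDF2 distinct values:", distinct_digests(SAMPLE_USERS, salted=True))
    salt, digest = table["alice"]
    print("alice correct password:", verify_password("password1", salt, digest))
    print("alice wrong password:  ", verify_password("password2", salt, digest))
```

Because the salt is stored beside the digest, someone who reads the table does get the salts too; what the salt buys is that each user must be attacked separately and precomputed tables are useless, while the PBKDF2 iteration count makes each guess expensive.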
23 TheGoodbyeGirl
Is it possible to have 2-step verification on the accounts?? I got the email, the first one I think from you guys, and of course being the suspicious person I am I googled to see if the email was real. I have now changed my password also.
24 timspalding
>23 TheGoodbyeGirl:
Depends what you mean by two-step. Do you mean as in cellphone texting, the way Google does?
I think https:// is probably the next step. But that's a potential future one.
25 LesMiserables
The technotalk has fried me. Has the salt got anything to do with chips? :-)
Anything can happen online. I just hope that the site is using the best encryption package available as I feel a little uncomfortable knowing someone may have my personal details. Anyway password changed from 'password1' to 'password2' today as I had been using the latter forever. ;-)
28 PhaedraB
FWIW, I still haven't received an email asking me to change my password, although I did get an email telling me I had just changed my password.
29 LesMiserables
26
Yeah, I had considered that but I thought the hackers might have that covered, which sent a shiver down my spine.
30 lorannen
>28 PhaedraB: Yep, we're informing everyone, so the emails are still in the process of going out.
31 RaucousRain
Thinking back, around that same time gmail informed me someone tried to get into my email account, and I changed that password. It was not the same as my LT password, and whoever tried to access my gmail was not able to do so. Of course I have no idea if it was connected, just thinking back makes me think it might have been. Anyway, it's always good to be reminded to change passwords -- and I've done so. Probably should head to a few more web sites to update some other accounts. Thanks!
32 timspalding
Note: Some users have complained that it sent expired tokens. This was because their email application didn't like our line-endings, and was running paragraphs together. This meant the URL had "Please" stuck on the end of it—the beginning of the next sentence. The change-password page now removes the "Please" and emails going out now have spacing that will work for all.
Note that the tokens sent in the hack-announcement email don't "get" you anything. They get you to the user account. You still need to enter your password.
>31 RaucousRain:
It is certainly possible. If your email is listed anywhere, someone will try to hack into it. The most common password is "password" after all. That said, if your email was not generally known, and wasn't easy to find by guessing (e.g., GHSmith, CuteBoy71), then it may be related to this.
33 SqueakyChu
I had two accounts hacked recently, but I have no way of knowing if the information came from LT or not. The passwords were similar but not the same. Needless to say, I'm putting into effect much stronger passwords and different ones for each website I use. Thanks for keeping us informed, Tim.
34 Taphophile13
18
I appreciate the notification and the new security updates. Also, thanks for the accounts upgrade to lifetime memberships -- that was an unexpected bonus.
I second this. Thank you very much for taking action against security breaches. Not every organization is willing to admit publicly to hacking problems. The upgrade is very much appreciated.
38 acwbooks
#35 said: "So you're upgrading my lifetime account to a lifetime account? What's the point?"
I think the point is niceness in the service of an apology & explanation. Even though I've had a lifetime account for years, I still appreciate LT's decision to upgrade other people's memberships.
Anne, continuing LT member & fan
39 NWADEL
I just received the email and I'm sorry to hear about the breach. I appreciate the lifetime membership and hope the site has been fixed.
Natalie
40 vegetrendian
I have three accounts that were all created before November of 2011, and two of them were already lifetime accounts, the third one I don't really need upgrading. However, I just created an account for my newborn daughter, any chance I can have the one account upgrade moved over to her account instead? (That is, not an extra upgrade, but just the one upgrade from my account that was not lifetime moved to her account which is not yet lifetime).
Thanks.
41 timspalding
Yes, of course. Message me the account name privately.
42 Whisper1
Tim
How silly am I. I cannot locate my password. Is it possible to create a "new" password without remembering the old one?
Also, I'd like to take this opportunity to thank you very much for creating LT. I'm a member of the 75 challenge group since 2008. I've met some wonderful folk. The group is incredibly supportive of each other. Again Tim, LT is a large part of my life. Thanks!!!!
43 DaveMiles
Thanks for letting us know. Password changed. Great to see this being taken so seriously.
45 Mr.Durick
I changed my passwords then sometime later got the e-mails telling me to.
Robert
PS I just confirmed that my old backup account from before collections is now a lifetime account. Cool. Thanks.
R
46 Megi53
(Erased very funny joke after days of no response; I must write in invisible ink on this site.)
Seriously, though, thank you so very much for the upgrade.
48 timspalding
How silly am I. I cannot locate my password. Is it possible to create a "new" password without remembering the old one?
To receive a password-reset link by email, go to http://www.librarything.com/lostsomething.php and enter your account name or email address.
Could this breach explain why there are books in my collection which I did not add?
Well, no. The evidence points quite strongly to the hacker not even exporting LibraryThing ids or names. They were after the emails and (potentially) cracking the passwords, for use against the emails. Those have value to the sorts of lowlifes who do this, and we have evidence that's just what this was. Mucking with LT user accounts does not have value. Indeed, while we are pretty sure they were able to query the database directly, they did not have the sort of access that would enable book creation, which is a rather complex series of insertions and normalizations across many tables. I don't think I could easily fake a book with database access alone, and I wrote most of the code.
In general, we have never had a convincing report of the sort of thing you describe. There is, however, always a first time. And there are certainly various ways it could happen and you wouldn't realize it. (For example, many import files will have ISBNs in them you don't realize are there.)
Please email info @ LibraryThing.com with details, and we'll look into it.
49 timspalding
Incidentally, the blog post alludes to the prompt--that a user came to us claiming to have received spam recently on an account that was never used for any other purpose. While there are various ways that can happen, it was concerning, and may well be owing to the data breach.
However, sending out this email has revealed at least one user who claims the same set of facts--an email used at LibraryThing that was never touched with spam.
So I don't know what to think about the spam. But in any case, the breach was real.
50 dangnad
Gawd! This is a tempest in a teapot. LibraryThing isn't THAT important. Besides, it happened over two years ago, nothing of mine has been compromised, nothing has happened to my email, and I have not noticed any great increase in spam. Changing passwords at this late date is silly.
51 starbright57
I had forgotten I had joined this group and I can't find anyplace to withdraw my membership. Would you please delete my name. Looks like a very worthwhile website, I am just not using it. Thank you.
52 timspalding
You can delete your account by signing into LibraryThing and going to http://www.librarything.com/editprofile/change
I'll also post this as a profile comment.
53 jasbro
#52 by @timspalding>: I assume (silly me!) that if I've changed password once today in response to a notice/warning pop-up while on LT, that I don't have to do it again in response to the message that eventually hit my e-mail.
54 timspalding
Right. The emails take a long time to go out and then arrive.
55 LesMiserables
Regarding SPAM and someone divulging my details to other parties stealthily: I have received, in the past while, unsolicited offers from TIME, The Economist, Reader's Digest, an online wine company etc. etc.
Obviously nothing to do with LT but it's bloody annoying isn't it?
That said, I am interested in the Reader's Digest letter. It says I am only one from a chosen 2% of the Australian population to definitely receive a top prize. I'm not sure how this came about, but I can't believe my luck.
56 lorannen
>55 LesMiserables: You simply must tell all of us what a "top prize" entails. I'm dying to know.
57 timspalding
When I used to subscribe to magazine—I'm down to National Geographic now!—I would give them my name with initials corresponding to the magazine. Tim Mac Spalding, Tim Review Spalding, etc. Then I would watch those names proliferate across my email, as lists were sold and resold.
58 royalhistorian
Thank you for informing us, Tim and co.!
For the ones who had suspicious things with their Gmail, just for what it is worth:
- it might indeed be connected to this breach
- but not so long ago a lot of GMail and Hotmail e-mail addresses were compromised
- same for services such as Evernote and Dropbox. They were compromised recently as well.
Just to say, it could also be related to these events. But it is indeed better to be safe than sorry!
59 LesMiserables
> 56
I believe it is a luxury apartment at Kangaroo Point on the Brisbane river.
I think I'm in with a real chance!
> 57
Great Idea
60 burneggroll
How do I know that the new email isn't the fake? LOL. The last time I got a "lifetime membership," it took a Supreme Court order to get out of it. ROFL. Thanks for keeping me in touch with THE Library Thing.
61 debavp
@48--the link posted only works if you know the password. I followed it from the blog post yesterday, emailed info with the explanation that the email on the account hadn't been operational for years, a couple of other bits that could identify the account enough to warrant a temp login being sent, and got a response back that I should try and use the password to reset.
My reaction to that response wasn't and still isn't a smile.
62 jules_l
61> What browser are you using? Most of them will let you look at the list of passwords you've set and saved, so you might be able to look up your old password there.
In Firefox, for example, you go to Tools --> Options, then Security, then "Saved passwords". There should then be a "Show passwords" button.
63 timspalding
>61 debavp:
Sorry. One of us must have read your email too quickly. I'll go back in now and send you another reply.
64 Jim53
There are two kinds of companies: those who know that they have been breached, and those who don't.
66 TheCriticalTimes
In order to inform us of the breach you send out an email with a link to a password reset page? really? REALLY??
67 timspalding
In order to inform us of the breach you send out an email with a link to a password reset page? really? REALLY??
No, the token just gets you the user name. It's a convenience.
You still have to enter your password, if you're not signed in. If you're signed in already, you won't need to enter your password.
We can see how users misunderstood this. We should probably just have told people to go to LibraryThing and avoided the convenience link which some interpret as spammy and/or insecure.
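Posts 17, 32 and 67 all turn on what a link token in an email is worth: the notification link only identifies the account and the password is still required, while a genuine lost-password link has to be single-use and short-lived. The Python block below is an added example, not LibraryThing's code, of a reset-token store that enforces both properties: it keeps only a SHA-256 of each issued token, deletes the entry on first redemption, and refuses entries past their lifetime. The one-hour lifetime, the `FakeClock` helper and the user names are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed token lifetime; the thread does not state LibraryThing's value.
TOKEN_TTL_SECONDS = 3600


class FakeClock:
    """Injectable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ResetTokenStore:
    """Single-use, expiring password-reset tokens.

    Only a SHA-256 of each token is stored, so reading the table (the kind of
    database access the thread describes) yields nothing that redeems a reset.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # token hash -> (username, expiry timestamp)
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        """Mint a random token for the user; the caller puts it in the email link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the account the token belongs to, or None if it is unknown,
        already used, or expired. pop() makes the token single-use either way."""
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() > expires_at:
            return None
        return username

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    clock = FakeClock()
    store = ResetTokenStore(now=clock)
    link_token = store.issue("alice")
    print("first redemption:", store.redeem(link_token))
    print("second redemption:", store.redeem(link_token))
    stale = store.issue("bob")
    clock.advance(TOKEN_TTL_SECONDS + 1)
    print("redemption after expiry:", store.redeem(stale))
```

An expired token is popped as well as rejected, so the table does not accumulate stale rows; a production store would add the same hash-before-store rule to any other emailed secret, such as the account-identifying link in the notification.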
68 lorax
50>
LibraryThing is not the concern. The concern is password re-use, coupled with the email addresses.
The reasonable worst-case scenario is that the hackers have email addresses and LT passwords as of Nov. 2011. If anyone re-used the same password on LT and the email address associated with LT, the hackers would be able to log into the email account. That's quite dangerous, because it would then enable the hackers to send out "I forgot my password" requests and receive password resets for various other accounts, potentially including financial ones.
This is exactly why password re-use is strongly discouraged.
69 divinenanny
68>
+ using the same e-mail/password combination on other sites.
70 TooBusyReading
Stuff happens. My password was not reused anywhere else and was not remotely close to anything I used elsewhere. Perhaps the hackers were just looking for good book recommendations.
The free lifetime membership is generous, but those of us who already had one know that it's worth paying for.
No, this isn't an ideal situation, but it's not earth-shattering either. Keep calm and carry on.
71 timspalding
>68 lorax:
Password reuse is the big problem. These days I'd like to think that most people use different passwords on different sites. There are various mnemonic tricks to have one basic, complex password, but vary it across sites obscurely. Or you can use a service or a book, etc. The big problem is that this sort of thing was not diffusely understood in 2006. It's probable that a decent percentage of the Yahoo accounts listed in 2006 have the same password.
72 librogurl
Kudos to LibraryThing for how they managed this at various levels: yellow flag warning upon login, email, detailed explanation (if one wanted to read it) and a discussion (if one wished to participate). Like the comment about having two lifetimes...
73 brightcopy
I struggle with avoiding password reuse. The problem is that just looking at my FF saved passwords, I have hundreds of accounts. Sure, you can go with a pattern that's somehow based off the site name, but going that route I start to feel that it's pretty obvious what I'm doing and giving someone a good starting point to cracking the other accounts. And it's worse when some sites try to "help" you by requiring certain mixes of upper/lower case and it messes up your entire pattern.
And to make it worse, they also try to "help" you with those damned "security questions" that anyone with a cursory knowledge of you could use to impersonate you. I usually fill those out with random crap, which comes back to bite me when *I* have to reset a password because they put in some hair trigger "three tries and you're locked and you can't reset by email MUST USE SECURITY QUESTIONS" bullshit. I also generate unique emails for every site which can sometimes make remembering THAT a pain, too.
Sometimes I think I should just do what my wife does and use LastPass, which generates a random password and stores it in their database encrypted using a master password. I can't get fully on board that for lots of reasons, though.
75 timspalding
>73 brightcopy:
I am grateful for two-factor authentication. My Gmail is, I think, unhackable from it. That's not impossible for us. We have used Twilio before. That would be the way. A month ago, I'd have said that was overkill. Now, if we can do it, why not?
76 brightcopy
#75 by @timspalding> The problem I have with two factor stuff is that it often makes my email (or whatever) inaccessible by me when I have to use it from a different computer or different wifi connection even. To me it seems to not be worth the hassle. If it was an account that was crucial to my business I'd probably feel otherwise.
78 lorax
73>
I figure I'm not trying to prevent a human looking at my password for a specific site from deducing what my password might be for another site, I'm trying to prevent a program that has access to one of my passwords from succeeding with it on other sites. So, yeah, the site-specific portion of my passwords from my low-security* password generation scheme (I use a different one for email and financial institutions) would be reasonably obvious to a human, but that's not the attack vector I'm concerned with.
* This still generates strong passwords by the usual metrics of length, diversity of character types, and resistance to dictionary attacks. It's just the one I use for sites where the results of someone getting my password are relatively minor.
79 timspalding
I used to feel otherwise. Now if I don't have my cellphone on me, something is wrong.
80timspalding
>78 lorax:
You can do it in a way that's complex enough for most humans, unless they had six passwords and worked at Bletchley Park*. I mean, don't make your password a234b!Yahoo and a234b!Google.
*Not to be confused with Blachly Park.
81Helenliz
Can I just confirm something? I changed my password last night in response to a bar along the top. I've had the same bar pop up again today. Is the one change sufficient?
82Teacup_
I actually saw the email at 3 am in the morning, I thought 2011 was warped from another time travel.
86lorax
84>
Thanks. I'd assumed a second change wasn't necessary, but if it is I can certainly change it again.
87timspalding
If you get that nav-bar message all the time, it will certainly seem so.
Helenliz, you're getting that constantly?
88Helenliz
No, I had it yesterday, so did as it was telling me. I had it when I logged on first time today, but not second time.
89brightcopy
#79 by @timspalding> Your cellphone's battery life must be a hell of a lot better than mine!
90omargosh
I had it come up again, briefly (in just one of the tabs I was opening), about an hour or so ago. I didn't bother to follow it again (figured it was some temporary blip).
91timspalding
I had it when I logged on first time today, but not second time.
Hmm. I'm thinking this is local browser caching.
Your cellphone's battery life must be a hell of a lot better than mine!
You kidding? I live from tether to tether.
92AsYouKnow_Bob
Curiouser and curiouser.
I got a personal warning from Tim on Oct 21, 2011 that the throw-away email account that I use for LT (and for very little else) was apparently hacked, as it was spamming its contact list.
I changed THAT password, and didn't think much else of it, as it seemed to have been an automated attack.
The more 'human' attack described by lorax at #68 makes my blood run cold, and makes me very glad that I didn't use my LT-related email for much else.
93jasbro
50> lorax: Thanks for the insight. After all these years, I still feel naive and vulnerable on cyber-security, despite all the things I've seen, known, heard, and/or been warned about. (Of course, the 147th Rule of Cyber-Security is to never admit on-line that you're naive and vulnerable -- right?) Sometimes it helps for somebody else to make connections like this, particularly when it wouldn't have occurred to us otherwise. I'd hate to think how you came to that understanding!
94terrell
>17 miketopper: "you are more than welcome to change to the HTTPS url when changing your password so the form isn't sent in the clear."
LT should update the reset form to submit to the HTTPS endpoint, no matter what.
Sending passwords in the clear, by default, is no good.
Separately, the login page should force HTTPS. Why have a cert if you're not using it for the credential exchange?
Thanks for everyone's hard work.
96brightcopy
#95 by @lt-security-concern> Who claimed LT ever had unencrypted passwords?
And why is your username lt-security-concern?
98cpg
>96 brightcopy: "Who claimed LT ever had unencrypted passwords?"
I think Tim claimed that here: http://www.librarything.com/topic/47341#844949
99anglemark
#96 by @brightcopy> Because he's used to a troll-infested talk atmosphere, I assume.
100brightcopy
#98 by @cpg> Huh, interesting bit of history. But either he never went through with that or it changed before 2011, as above they stated that the hashes were stolen. Of course, even if they weren't hashed, they could still be encrypted. To be unencrypted, they'd have to be stored in plain text. I'd hope Tim wouldn't have gone that route.
#99 by @anglemark> Concern troll?
103KansasFarmMomma
I get so much spam in my email even if my account had been compromised I never would have known lol
104DanieXJ
It's not so much the spam --into-- your email that you need to worry about (well, as long as you don't give any money to any Nigerian princes or click on any links that you don't know where they came from). It's when your account is sending --out-- spam. That's when you know it's been compromised.
105KansasFarmMomma
Oh, gotcha. That makes sense.
106paradoxosalpha
So, I changed my password at the office yesterday, and this evening I thought I should probably sign out at home in order to sign back in with my new password.
I can't sign out. Clicking the "Sign out" at the top right corner of the screen just takes me to my home page and leaves me signed in.
???
107timspalding
>106 paradoxosalpha:
That's very odd. Can you PM me with your browser and OS? And also, after you do it, try reloading with shift- and/or control- on.
108LesMiserables
107
Tim, I already had a lifetime account prior to the aforesaid date. Any chance of an infinity account?
110SuryaSrijith
I couldn't agree more!
111lesling
The change password invitation email got caught in the gmx spam filter. Might be something to look into. (Added LT to whitelist now, but I was a little surprised to see the LT email moved to the spam folder in the first place.)
112anglemark
I'm sure there are a great many users who registered an account x number of years ago and have since completely forgotten all about it, and thus have marked this email as spam. So if gmx uses Bayesian filtering with feedback from all users, it stands to reason that it is by now considered as spam, statistically speaking.
113miketopper
>109 KinomiyaMichiru: Your Facebook and Twitter connections should not be affected by this. For one thing, every time you log in through Facebook you are authenticated through Facebook and a new access token is saved. Even if somehow someone was able to obtain that access token, they would also need LibraryThing's private Facebook key, which is not stored in the database. On top of that, the access tokens are only good for a short amount of time.
The same is true for Twitter. We have no reason to believe that any of the stored tokens were compromised and even if they were somehow, the stored tokens alone are useless.
LibraryThing's private keys for each of these services have been changed multiple times since 2011 as well.
114parelle
>81 Helenliz:
I also got a second change password notice on this account (and I believe I was forced to do it) after changing it via the link the first time. I'll note that I've probably an account within the first 5000 (assuming that the account notifications were sent in some kind of order) so I was probably among the first to get the notification of the hack via email.
That said I have two accounts attached to the same email address, and I had just received the email for the second account (much newer: less than a month old) so perhaps that's the issue?
Mac Chrome and iPad Chrome, emails via gmail.
115eilidhm
Thanks for offering to upgrade my account from free to lifetime membership. When should I expect this to happen?
116timspalding
I upgraded you now. I'll dig into why you were not already.
T
117LesMiserables
> 116
Tim, I applaud you on your good faith on the upgrades. I am in no way grumpy that I am one of the ones who paid for the privilege, but was curious to know why you might forego the possibility of an upgrade by a cash paying user?
119Maura49
81> The same thing has happened to me and I am still getting the prompt at the top of each LT page I access. Could the problem be that I changed my password from one of those prompts and not from the email link? Should I change it again?
121timspalding
Private messaging you.
123timspalding
PM me it. I'll upgrade it.
124CatBooks
I hate when a site makes me have to change passwords. I can never remember them after changing them and have to write them down in a notebook. I'm sure I don't have any data listed here that they can hack. They might get my address but I don't care.
125SqueakyChu
> 124
Write them down in a book. Ensure that every website has a different and a strong password. Trust me; you don't want any of your websites hacked. I didn't believe it could happen to me. It just did. It's a nightmare.
126BTRIPP
I agree with #124 ... I have such a hard time remembering new passwords ... had this one since 2005 ... fortunately, LT keeps me logged in, so I only rarely have to use it.
127brightcopy
The problem here (as mentioned earlier) is that Tim isn't as worried about someone hacking into your LT account as he is someone hacking into your EMAIL account. Often people use the same password for their email account as they do for others. The hackers stole the list of email addresses and (hashed) passwords for the LT account. So they could use that to break into your email, which you may care about a great deal more.
128jjwilson61
127> But if that's the case he should be advising members to change the passwords on their e-mail accounts. For the situation that you describe, changing your LT password is irrelevant as the hackers have already made off with the old (albeit hashed) passwords.
129brightcopy
#128 by @jjwilson61> Well, he did include "Members should change their password at LibraryThing and any other service on which they used the same password." in the blog post the notification email links to. But it's a fair point. I was more referring to Tim caring about it and thus making sure everyone knew about it (via the blog, emails and here) rather than keeping mum.
The changing of the password itself is actually a separate issue, apparently because "We have upgraded our password system to the highest industry standards. Users who joined in the last week or so, or changed their passwords, are already on the new system." You need to set a new password to get in the new system, for whatever reason (I can imagine a few).
Oddly enough, gmail did something a bit wonky on the notification email for me. Well, the SECOND one, as I had two accounts that eventually forward to the same mailbox (brightcopy and brightcopytest). On the second email, gmail helpfully decided everything from "Please read our longer description of the breach here:" and below was quoted text and hid it behind a (...) button. But perhaps this is only because it threaded the two messages into one conversation. It probably would never get hidden for anyone who just got one email.
130timspalding
>129 brightcopy:
Yeah, that's a conversation thing. Irritating.
As you say, we did tell people to change their passwords elsewhere. We didn't say so in the email, but the email was SUCH a small canvas. It was deuce-difficult to convey even a minimal set of facts within it, and keep it short enough that it didn't look like a newsletter or a legal document.
fortunately, LT keeps me logged in, so I only rarely have to use it
Make sure you DO have it, though. Future security improvements will kick you at some point.
131jenreidreads
I was also already a lifetime member when the breach happened. It doesn't seem to have affected me, though, no spam emails or anything, and I have successfully changed my password. Sorry for this headache, everyone.
132ojchase
Appreciate the transparency Tim!
And the lack of upset comments in this thread is just another indication of how wonderful the LT community really is :)
133Linkmeister
Relatedly, has anyone had trouble signing in to an Android app (LT Browser by sbear1) after changing his or her password? I can't get in on my tablet. I've emailed the developer about it, but I was wondering if anyone else suffered from the same malady.
134eomalley
Like >81 Helenliz: and >119 Maura49: I'm getting the security prompt banner at the top even though I changed my password tonight by clicking on the link in the banner. I've cleared my cache (I think), signed out and back in. The system is recognizing my new password with no problem, but still prompting me to change it. Is there an issue with Firefox?
135Louve_de_mer
> 133 : Same here : "Login failed".
136JerryMmm
>133 Linkmeister:, 135 perhaps related to the https change the other day?
seabear was looking into https before the switch by LT
137Louve_de_mer
> 136 : Thanks. I'll leave a message on the thread.
138Rachael
Just logged in here after not doing so in a little while and saw the notice about needing to change password. Done, and thanks for the info! And also for the offer of upgrading to a lifetime membership! But as I've been a lifetime member since I joined, can I please have a pony instead? ;-) :-)
139joannasephine
I think Tim’s at the point of needing to genetically engineer ponies with wings, unicorn horns, sparkling hooves, and a whinny that can turn an illiterate self-published pile of pony-poo into a best selling, genre-bending, literary masterpiece.
And I want one too.
140eomalley
Woo hoo, the warning banner is now gone! Don't know if it was Tim or the cache, but I'm a happy camper now that everything is back to normal.
P.S. I'd love one of those genetically engineered ponies, too, please :)
141rosalita
#139> But I want to be able to choose to turn off any of those features on my pony, and the default should always be off, especially for whinnying.
142hipdeep
I just want to thank LibraryThing for your transparency on this. Apparently Kickstarter just got hacked, which they are communicating by email to their users - but not by their internal messaging system, or notices on the home page. (It is on the blog, with links from Twitter and Facebook, but none of those have the high profile on Kickstarter that they do on LibraryThing.) You did a much better job than they're doing so far, and thanks for that.
143timspalding
Well, we didn't put it on our sign-out home page—which some have criticized us for. But if you actually sign IN, you find out immediately, as it takes you to the change password page with a notice. And it's on the signed-in home page, and on every page of the site (in the nav bar) until you change your password. I figured that trying to put it on the home page was a lot of work for no gain. For if you're a user, you're going to get told—that is, if you haven't been already. And if you're not a user, it doesn't affect you.
I thought their letter was rather good, however, and managed to say it in fewer words.
As I said on Twitter, if the CEO of Kickstarter needs a drink now, I got the bottle… right… here!
144PhaedraB
I got the email from Kickstarter, too. As soon as I logged in, I got a notice across the top to change my password, just as on LT. It wasn't there until I logged in.
145hipdeep
Ah - perhaps I didn't see it since I was already logged in through Facebook. That's its own set of problems, of course, but the Facebook connections weren't touched by this breach. I saw it as a Facebook trending story first, and then couldn't find information easily on their site, and I check that email only about once a day.
All of which just goes to show you can't really control asynchronous communication...
146larissalai
This message has been deleted by its author.
147andrewsd
I recently had multiple attempts made to access my email account, perhaps as a result of the LibraryThing data breach. I'm suggesting this is the case because the email and password used for my LT account are unique to it; I created it for the purpose of signing up for my LT account and have not used it for anything else (my LT password was the same for the email).
All of the access attempts were from obscure locations in Russia and one in Peru. Luckily, trusty gmail did not allow them to log in.
This seems to show that whoever captured LT account information isn't just storing it somewhere; they are actually trying to use LT passwords to break into associated emails.
So, be aware of this and change your passwords to any accounts associated with LibraryThing, as their notice asked users to do.
148anglemark
It's over two years since the breach happened. Odd that you should experience these attempts at cracking your Gmail account now. It's probably a coincidence in timing, I doubt the crackers monitor this discussion board.
149andrewsd
>148 anglemark: Again, the email, password, and account information were exclusive to LT and were used only for access here. Unless Google was hacked (which would have triggered an automatic password change), the LT breach would be the only source. They had my account name and password, but gmail stopped them because of their location. It also wouldn't be that uncommon for a delay like that. Hackers store this information then sell it, often years later, when buyers make themselves available. So a coincidence in timing, perhaps, but not origin. But you're right, there is no way of definitively saying one way or another.
150anglemark
Oh, I don't doubt that it's the breach here that's the source of the attempts, from what you describe. I only meant that the attacks on your email account coming approximately when this breach was discovered and published is probably a coincidence.
151timspalding
>147 andrewsd:
Interesting. We can't know for certain, but it's definitely possible.
That the emails are out there is almost certain. The user who brought this to our attention got spam on an email he believed to be LT-only. As I said in the announcement, I think it's likely that the emails have entered the great big pool of emails. There is such a pool, certainly. A recent report on an unsolved and unsourced leak of 360 million stolen credentials ( http://www.reuters.com/article/2014/02/25/us-cybercrime-databreach-idUSBREA1O20S... ) mentioned that the criminals are also selling 1.25 billion email addresses. Yes, billion!
But your details concern me. Did you have two-factor authentication going? I didn't know Google stopped requests purely on location.
152SqueakyChu
I am fairly certain that whoever breached my email account two months ago did so with information from 2011. At that time, I discovered someone using my personal information for some gaming sites which I never used. I changed my password to my email account at that time (2011).
The password I used then on LT was one five-letter word. The password on my email account at that time was the same word followed by "123". Easy enough to guess. I would not be surprised if the hacker got the information from this site. Not that it matters at this point as all of my accounts online have now been changed to stronger and individual passwords.
I mentioned this issue to my son (an IT professional) who said it's only coincidence. I'm not convinced.
My take on this matter is that anyone who wants to breach my email can. It's only a matter of time. I use my stronger passwords to simply make it more difficult for hackers and so they might move along to hassle someone else besides me. I lost all of my previous email account information at a most inopportune time. It was a true nightmare and one which I'd prefer not to have other LTers endure.
153timspalding
It's possible. I would find it more definitive if they were the same password. Hackers are very lazy. They automate. But if it was fully guessable, then they probably fail to trying it with a "suffix dictionary"—1, 123, 69, 321, etc.
154bestem
>151 timspalding: I didn't know Google stopped requests purely on location.
I don't actually believe they do. They will send you an email when there's been an attempt from a location that doesn't seem likely to be yours. For instance, if I attempt to log into my email at work, which has an IP address as being on the opposite coast as I live due to that being where national headquarters is, and I mistype the password, I will get an email about the attempt to access my email, and a suggestion to change the password. If I log in with the correct password, it has no issues whatsoever. My customers who need to print things from their emails are all able to log in, in California, to Gmail, on a network that claims that it is in Florida.
I've deleted most of the emails I've received, because I know when I screw up my password occasionally, and seeing a Florida IP doesn't worry me. Here's a copy of one I received on a friend's behalf, as he uses my email as his recovery email.
N,
Someone recently tried to use an application to sign in to your Google Account - redacted - showed my friend's actual email address. We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:
Wednesday, January 16, 2013 1:05:34 AM UTC
IP Address: 208.87.203.243 (sjc-default-egress-nat-c.seven.com.)
Location: Redwood City, CA, USA
If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately. Find out how at http://support.google.com/accounts?p=reset_pw
If this was you, and you want to give this application access to your account, complete the troubleshooting steps listed at http://support.google.com/mail?p=client_login
Note: This email address cannot accept replies.
Sincerely,
The Google Accounts Team
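The new-location behaviour bestem describes above (a mistyped password from an unfamiliar network produces the warning email, a correct one from a known network does not), modelled as an added example over constructed sign-in events. This is not Google's or LibraryThing's code; the IP-to-region table, the accounts, the baseline and the "notify" verdict for a first correct sign-in from a new region are assumptions of the model.

```python
"""Added example: a simplified model of new-location sign-in alerting.
Not Google's actual policy; all data below is constructed for the example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed IP-to-region table standing in for a real GeoIP lookup.
GEO: Dict[str, str] = {
    "203.0.113.10": "California, USA",  # constructed "home" address
    "203.0.113.11": "Florida, USA",     # constructed office NAT exiting on the other coast
    "192.0.2.44": "Russia",             # constructed
    "198.51.100.7": "Peru",             # constructed
}


@dataclass(frozen=True)
class SignIn:
    ts: str        # ISO-8601 timestamp, informational only
    account: str
    ip: str
    success: bool  # True if the submitted password was correct


# Regions each account has previously signed in from (constructed baseline).
BASELINE: Dict[str, Set[str]] = {
    "bestem": {"California, USA"},
    "andrewsd": {"California, USA"},
}

# Constructed events mirroring the situations described in the thread.
EVENTS: List[SignIn] = [
    SignIn("2014-02-26T08:00:00Z", "bestem", "203.0.113.10", True),     # home, correct
    SignIn("2014-02-26T09:00:00Z", "bestem", "203.0.113.11", False),    # office, typo
    SignIn("2014-02-26T09:00:30Z", "bestem", "203.0.113.11", True),     # office, correct
    SignIn("2014-02-27T09:05:00Z", "bestem", "203.0.113.11", False),    # office again, typo
    SignIn("2014-02-28T03:10:00Z", "andrewsd", "192.0.2.44", False),    # unfamiliar region
    SignIn("2014-02-28T03:12:00Z", "andrewsd", "198.51.100.7", False),  # unfamiliar region
]


def region_of(ip: str) -> str:
    """Map an address to a coarse region; unknown addresses get 'unknown'."""
    return GEO.get(ip, "unknown")


def classify(events: List[SignIn], baseline: Dict[str, Set[str]]):
    """Classify each sign-in against the account's known regions.

    Verdicts:
      "ok"     - region already known for the account, whatever the outcome
                 (a typo at home sends nothing)
      "notify" - correct password from a new region: tell the owner and
                 remember the region, so later attempts from it are "ok"
      "alert"  - wrong password from a new region: the "someone tried to
                 sign in" message with a reset suggestion; nothing is learned
    Returns a list of (ts, account, region, verdict) tuples.
    """
    known = defaultdict(set, {acct: set(regions) for acct, regions in baseline.items()})
    results = []
    for e in events:
        region = region_of(e.ip)
        if region in known[e.account]:
            verdict = "ok"
        elif e.success:
            verdict = "notify"
            known[e.account].add(region)
        else:
            verdict = "alert"
        results.append((e.ts, e.account, region, verdict))
    return results


def alerts_per_account(results) -> Dict[str, int]:
    """Count failed new-region attempts per account, the signal andrewsd saw."""
    return dict(Counter(acct for _, acct, _, verdict in results if verdict == "alert"))


if __name__ == "__main__":
    verdicts = classify(EVENTS, BASELINE)
    for ts, acct, region, verdict in verdicts:
        print(f"{ts} {acct:9} {region:16} {verdict}")
    print(alerts_per_account(verdicts))
```

The second office attempt is "ok" only because the earlier correct sign-in taught the model that region; the two failures from unfamiliar regions stay "alert" and teach it nothing.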
155Morphidae
I know that my email address has been recently sold. I never used to get spam, at least not on a daily basis. Now I'm getting "You've won 1.5 million dollars!" and eviction notices. Who knows whether it was from LT or something else. The address is not strictly for LT so could be anything. Annoying as heck though.
156TooBusyReading
I was evicted today, too. At least that is what the subject of the email in my junk folder would lead me to believe. I don't think it is LT's breach, though. I've been getting a relatively small amount of junk mail for a long time, and have no idea how it first started.
(Dear Junk Mailers,
I do not have the body part you wish to enlarge. I have no money for Nigerian princes. I do not wish to hypnotize women into sleeping with me. And I don't, silly me, use Internet pharmacies touted by junk mail or buy "Rolex" watches.
Sincerely,
Me)
157brightcopy
Pssh, what do they care? If you dig down into a landfill, you will periodically find sedimentary layers of phone books. That was shown by an archaeological dig of a landfill in 1975. Back then it was probably every year when the new phone books came out and people threw out their old ones. These days it's people throwing out the useless NEW phone books the same day they come out.
158rebeccanyc
I've been getting those eviction notices too. But getting spam isn't necessarily because an e-mail address has been sold. Every now and then I get an e-mail from a friend who's obviously been hacked (i.e., it's just a link to click on -- NOT), and thus gave the hackers access to all the e-mails on that person's contact list.
159brightcopy
Just got a phishing attempt at an email I've only used for LT (@brightcopytest account). There was an attached zip file, but upon downloading it, it was 0 bytes. Still trying to figure out if something scrubbed it somewhere along the chain.
Message follows:
From: Sean Reed
Subject: ACH - Bank account information form
Please fill out and return the attached ACH form along with a copy of a voided check.
Sean Reed
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-601 597-6997
GRE Project Accounting
This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect those of JPMorgan Chase & Co., its subsidiaries and affiliates. This transmission may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
160timspalding
I've had 1-2 solid reports of the email being out there for spam. I'm surprised that, if you got one, you didn't get 100.
161brightcopy
Indeed. I also just got two PMs from you on new badges. Second one same as the first, only with badge pics. Just FYI.
162timspalding
Yeah. I did it again, so I could get the images in. It's a lot of trouble to edit it.