Read Thread: LbNA Data Breach!
LbNA Data Breach!
Board: Atlas Quest Announcements
Jun 21, 2016 12:21pm
It appears that LbNA's database was breached and all of the trailnames, emails and passwords are compromised. I've seen the list--and sure enough, it included the password I used on LbNA. (I use different passwords for every website I know so I know it came from LbNA.) The list has over 58,000 accounts, so it appears to be a complete list as well.
I won't share that list (for obvious reasons!), but it is highly advisable to immediately change your passwords on LbNA and, if you use those passwords on other websites (most notably on AQ), to change them there as well. I'm planning to create a script that will automatically try these passwords against AQ's passwords and send a notification to anyone with a match, but that'll take some time.
In the meantime, you can protect yourself from hackers by changing passwords immediately.
-- Ryan
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928828 by Green Tortuga
Jun 21, 2016 1:07pm
When I go to the page to change my password, https is no longer active. It's not secure. Has it always been so?
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928828 by Green Tortuga
Jun 21, 2016 1:11pm
We're gonna hafta update the password in Box Radar, too, aren't we?
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928828 by Green Tortuga
Jun 21, 2016 1:35pm
I just don't get it. Who has the time/desire to hack a letterboxing page? What could the benefit be besides being annoying?
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928835 by crazycurlygirl
Jun 21, 2016 1:36pm
On AQ, it's always been secure and still is, so I assume you're talking about LbNA? As far as I know, they've never had or gotten an SSL certificate and it's normal to be insecure--but Choi would be the person to know for certain. Although this breach is much bigger than individual passwords being compromised--it looks like the entire database was compromised. I'd go ahead and make the change, even if it doesn't show as being secure.
If it shows up as insecure on AQ, that's definitely wrong and something I need to look into! But everything looks good on my end of things.
I'm not sure it's an "update" of the password--but you would have to start using the new one from LbNA or AQ if you change them there.
But if you did set the "App Preferences" from your preferences, AQ uses that for app logins and changing your AQ password wouldn't cause you to use a different password for the app. (Changing your password in the App Preferences would require using a different one from the app, though.)
-- Ryan
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928842 by LROSEM
Jun 21, 2016 1:43pm
There are probably some people who would love to get into my account here. There are all sorts of admin options that let people read all AQ mail, edit any boxes, etc. Getting into an admin account could be a big "perk" for some people.
But even non-admin accounts might be of interest to other letterboxers that know you. There have been incidents of "stalking" on AQ before--and being able to log into your account might be a big perk if you want to stalk someone.
And... maybe a hacker isn't interested so much in LbNA, but other websites that they might get into using the same passwords. First thing I did when I saw that list was test all of the admin accounts here on AQ to make sure that they weren't using the same passwords from that list. My own password was in that LbNA list. (Although it wouldn't have done a hacker much good because I have--quite literally--different passwords on every website. I know that's not the case for most people, though.)
And, more dangerous, they might be able to go through the list and try hacking into bank accounts or Facebook accounts and cause a lot more trouble. A password is only as strong as its weakest link, and if the weakest link is LbNA, that's what they might start with.
-- Ryan
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928842 by LROSEM
Jun 21, 2016 1:44pm
The benefit is that they now apparently have a mapping of e-mail addresses to passwords, and can compromise any account on any site where that e-mail/pw combo is valid. If true, this is actually a big deal.
Check every site you care about your account not being compromised for the same e-mail/pw combo, and change it ASAP.
BTW, it is astonishing that LbNA was apparently storing passwords in plain text in the db, or the hash they were using was compromised. Are all the passwords in plain text or just some?
Good luck.
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928846 by Sir Braemoor
Jun 21, 2016 2:01pm
The list I saw, it's all in plain text. I don't know for certain that LbNA's database stores it in plain text, but if it wasn't, the hacker was able to decrypt the passwords.
For anyone concerned about AQ--as far as I know--AQ's database has not been compromised, and passwords here are stored using a one-way encryption algorithm. When you type in a password here, AQ encrypts it then compares the encrypted password to the one in the database. Which is why when someone forgets their password, AQ has to reset it to a new value rather than just tell you what it is. AQ doesn't know your password!
But I definitely consider this a major issue with the plain text passwords floating around attached to trail names (i.e. "usernames") and email addresses. *nodding*
-- Ryan
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928843 by Green Tortuga
Jun 21, 2016 2:15pm
Looks like there's only some insecure content on the page. So when I access in chrome it shows a broken lock. But most of the page is secured.
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928828 by Green Tortuga
Jun 21, 2016 2:20pm
What about sub-accounts? Do they need to be changed as well?
hx6
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928852 by crazycurlygirl
Jun 21, 2016 2:26pm
You still haven't made it clear--are you talking about LbNA or AQ? I'm assuming LbNA, and as far as I know, their page has always been insecure.
I should also point out.... I'm kind of assuming the hacker got the information and moved on, but I don't have any idea about what's going on at LbNA so it's entirely possible that their server is still compromised. Changing a password there might not protect your account there. I still think it's a good idea to change it, but if you do, don't use that password anywhere else. At least not until Choi says the server has been secured again. (At which point, you should probably change the password there. Again. Just to be on the safe side.)
-- Ryan
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928854 by Hart x6
Jun 21, 2016 2:27pm
I hadn't really thought about it but if they use the same username/password as an account on LbNA, definitely. *nodding*
-- Ryan
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928849 by Green Tortuga
Jun 21, 2016 2:29pm
With no idea how these hackers operate or distribute their findings, I'm curious about how/where you were able to see the list.
And thanks for the heads up!
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928859 by Road Junkies
Jun 21, 2016 2:48pm
I've got my sources. ;o)
It was actually another letterboxer who brought it to my attention. I'm not sure if he/she would prefer to stay anonymous or not so I'll let them post if they want. As I understand it, they signed up for a service that monitors for data breaches and received a notification that an email address they used showed up in a recent data dump. They contacted me about the breach (along with a link to the list) at first thinking AQ had been breached, but it was actually LbNA's data.
I'm assuming they contacted LbNA about the problem too, but they could be on vacation for all I know. I'm not sure when they'll learn about the breach or warn everyone, but it seemed important enough that I let everyone know ASAP. I just found out about it minutes before I posted my announcement--I happened to be online when the information was sent to me. (Good thing I wasn't hiking!)
So that's how the information came into my hands. I don't think the letterboxer who sent me the information really knows anything about how or when the hack happened either--just that information is floating out there on the web where it's not supposed to be.
-- Ryan
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928860 by Green Tortuga
Jun 21, 2016 4:06pm
I posted a link to this thread, and cut and pasted the first message, to the letterbox-usa yahoo group. I do not know if you have to be an AQ member to click through the link, but the first message should be sufficient warning.
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928828 by Green Tortuga
Jun 21, 2016 4:09pm
Stupid but honest question... What if you genuinely can't remember if you have an LbNA account? Will trying to figure it out do any harm?
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928863 by Sir Braemoor
Jun 21, 2016 4:23pm
Not for the public boards. Private boards require someone to be logged in to read, but this board is public so not a problem. =)
It won't do any harm, but I've imported the LbNA data into AQ and am cross-referencing the two to send an AQ mail message to anyone with a compromised password that they're using on AQ. If you have an AQ mail message, it applies to you. If you don't... you're in the clear. All LbNA accounts appear to be compromised, but if you have an account there and the password works nowhere else, you probably don't have to worry about it.
-- Ryan
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928865 by Green Tortuga
Jun 21, 2016 5:08pm
I can't believe they're still storing passwords. But... Can you send me mine? Lol
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928865 by Green Tortuga
Jun 21, 2016 5:12pm
Thanks for letting me know what fun things hacking LBNA can do. It just seems crazy.
I am not sure if I have an LBNA account either. Is this cross reference and email something you will be doing or something you've already done?
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928872 by LROSEM
Jun 21, 2016 5:15pm
When I started the thread, it was something I was going to do. As of right now, it's already done. If you didn't get an AQ mail from me about the problem, the passwords on the two accounts are different. (Or maybe you're using different email addresses or trail names on the two sites so AQ wasn't able to match the accounts.)
-- Ryan
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928845 by Green Tortuga
Jun 21, 2016 6:06pm
Wow. Just wow. Never thought about this...
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928873 by Green Tortuga
Jun 21, 2016 6:29pm
Thank you. You're awesome. :)
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928828 by Green Tortuga
Jun 21, 2016 9:37pm
Not everyone has your memory.
That's why I use KeePassX. It stores passwords in a local, encrypted database. It is available for MS Windows, Macintosh and (my favorite) Linux. For most Linux distributions you should install it from your Software Center (or whatever it is called on your distribution).
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928873 by Green Tortuga
Jun 21, 2016 11:18pm
Ryan, we didn’t get an AQ message. However, we used the same email and password (now changed) on both accounts. Thanks for the heads up on the board.
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928845 by Green Tortuga
Jun 21, 2016 11:58pm
Let's face it, anyone with any online presence to speak of these days has waaaaay too many passwords to remember. Here's what I do: For sites that are truly important, such as bank accounts, brokerage accounts, etc., I not only use a different password for each, I use a different style of password, doesn't even look like it came from the same person. But for the relatively unimportant sites, no money involved, sometimes you wonder why they bother, for those I'll use "canned" passwords and often the same password on a bunch of sites. I have a document on my 'puter where I write my passwords down -- protected by password, of course -- but for some of these sites it isn't even worth opening that document up and editing it, I'll just use the same ol' same ol' that I've used for a dozen other sites.
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928859 by Road Junkies
Jun 22, 2016 12:01am
I'm betting they sell them.
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928893 by Girlguides
Jun 22, 2016 12:34am
Hmm.... you should have. Your email and trailname are the same on both accounts, so AQ should have been able to cross-reference them.
BUT--if you had already changed your password before I finished the script that cross-referenced them, you wouldn't have gotten an email because by that point, the passwords were different. Those who changed their passwords the first few hours after I posted about the breach wouldn't have gotten the message--they didn't need it by then!
So if I had to guess, you were probably one of those people. =)
-- Ryan
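As an added illustration (not part of the thread, and not AQ's actual script): a minimal sketch of the cross-reference described in the posts above, where each leaked plaintext password is re-hashed with the matching local account's salt and compared against the stored one-way digest. The PBKDF2 parameters, the record layout and all account data are assumptions constructed for this example; it also shows why an account whose password was already changed, or whose email and trail name both differ, is never flagged.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; the thread does not name AQ's algorithm

def hash_password(password: str, salt: bytes) -> bytes:
    # One-way salted derivation: the site keeps only (salt, digest), never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_user(trailname: str, email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"trailname": trailname, "email": email,
            "salt": salt, "pw_hash": hash_password(password, salt)}

def norm(value: str) -> str:
    return value.strip().lower()

def find_reused(users, leaked_rows):
    """Trail names of local users whose current password matches the leaked one."""
    by_email = {norm(u["email"]): u for u in users}
    by_name = {norm(u["trailname"]): u for u in users}
    flagged = set()
    for name, email, leaked_pw in leaked_rows:
        user = by_email.get(norm(email)) or by_name.get(norm(name))
        if user is None:
            continue  # neither email nor trail name matches: accounts cannot be linked
        # Re-hash the leaked plaintext with this user's own salt, then compare digests.
        candidate = hash_password(leaked_pw, user["salt"])
        if hmac.compare_digest(candidate, user["pw_hash"]):
            flagged.add(user["trailname"])
    return sorted(flagged)

# Constructed sample data (not from the breach): local accounts and leaked rows.
USERS = [
    make_user("Pine Walker", "pine@example.org", "stamp-and-ink"),    # reused password
    make_user("River Otter", "otter@example.net", "new-passphrase"),  # already changed
    make_user("Moss Badger", "moss@example.com", "compass123"),       # other email, same name
    make_user("Quiet Heron", "heron@example.org", "trailmix"),        # unlinkable identity
]
LEAKED = [
    ("Pine Walker", "PINE@example.org", "stamp-and-ink"),
    ("River Otter", "otter@example.net", "old-password"),
    ("moss badger", "old-moss@example.com", "compass123"),
    ("Heron Q", "qh@example.net", "trailmix"),
    ("Not On Site", "nobody@example.com", "whatever"),
]

if __name__ == "__main__":
    print(find_reused(USERS, LEAKED))
```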
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928897 by Kirbert
Jun 22, 2016 3:59am
I think if someone hacks MY bank accounts, they'll see how much of a waste of time it was .....
That'll teach em!!
jaxx
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928873 by Green Tortuga
Jun 22, 2016 4:54am
Same passwords on both accounts. Just changed LbNA, but unable to change Atlas Quest; it keeps going to a page telling me "Whoops, must be a bug, sending notice." Tried several times. What am I doing wrong??
Re: LbNA Data Breach!
Board: Atlas Quest Announcements
Reply to: #928860 by Green Tortuga
Jun 22, 2016 6:35am
Wait, so they protect your data by sending the entire list to everyone who pays them??? Where do I sign up??
