
Data breach on vi-control? (MOD EDIT - Unlikely)

star.keys

Senior Member
Hi moderators,

I got a message from Apple that my password for vi control forums has been found in the dark web. Kindly look into this immediately and ensure security of user data.

Thanks
 

thesteelydane

Bunker Samples
> Hi moderators,
>
> I got a message from Apple that my password for vi control forums has been found in the dark web. Kindly look into this immediately and ensure security of user data.
>
> Thanks
I'm pretty sure Apple is not engaged in scouring the dark web for stolen passwords. What email address did that message come from?
 

Markrs

Complete Beginner
> I'm pretty sure Apple is not engaged in scouring the dark web for stolen passwords. What email address did that message come from?

Apple, Google, Microsoft, etc., plus password management companies (LastPass, etc.) all check for compromised passwords. They often use 3rd party security companies that do trawl the dark web and record companies that have had data compromised.
 

thesteelydane

Bunker Samples
> Apple, Google, Microsoft, etc., plus password management companies (LastPass, etc.) all check for compromised passwords. They often use 3rd party security companies that do trawl the dark web and record companies that have had data compromised.
Well, I learned something new today. Probably just suspicious because I have never received such a message myself.

EDIT: I mean, I have, but whenever I check the actual email address it's usually from afghanhacker123 @ hotmail.com or something similar...
 

Markrs

Complete Beginner
> Well, I learned something new today. Probably just suspicious because I have never received such a message myself.
I've had money stolen due to a compromised password. So learned my lesson and use unique passwords for every site. I think since then I have had to change a couple of passwords as the company had an attack and the passwords could have potentially been compromised.

If you save passwords in Chrome or Safari or Firefox, they will also let you know if it has been compromised.
 

thesteelydane

Bunker Samples
> I've had money stolen due to a compromised password. So learned my lesson and use unique passwords for every site. I think since then I have had to change a couple of passwords as the company had an attack and the passwords could have potentially been compromised.
>
> If you save passwords in Chrome or Safari or Firefox, they will also let you know if it has been compromised.
Sorry to hear, and of course we can't be too careful. Just saying that most of these password stolen emails are phishing attempts. I had to teach my mum to check the sender email, and never click through a link in any email to change her supposedly compromised password.
 

Mike Greene

Senior Member
Moderator
We'll look into this. It's possible we had a breach, but my guess is you have a shared password somewhere else. FWIW, all my devices are Apple, and I've gotten similar notifications, but never regarding VI-C.

Either way, bear in mind that beyond your screen name, email and password, we don't have any user data on you. (In case anyone is wondering, the password isn't something we have access to, either. Obviously it's on a server somewhere, but it's not available to us.)
 

Markrs

Complete Beginner
> Sorry to hear, and of course we can't be too careful. Just saying that most of these password stolen emails are phishing attempts. I had to teach my mum to check the sender email, and never click through a link in any email to change her supposedly compromised password.

Totally agree, lots of bad actors might say your password is compromised, with a link to change it, which of course, whilst it looks like the real site, actually isn't, and the plan is to capture your password.
 

Mike Greene

Senior Member
Moderator
> Can I ask OP to change the title, until there is 100% clarity. AFAIK there has not been a data breach, so the title is misleading until proven otherwise. Thanks.
Agreed. No one else seems to have the same issue (lots of Apple users here, so surely in the hour since this was posted, someone else would?), and as a crude test, I logged out, then logged back in with no warning from my iPhone. So until there's confirmation of an actual problem, I've changed the title.

I'll reiterate that even if there was such a breach, it would be mostly inconsequential. Sure, I guess a hacker might change a few posts from "HZ Strings sucks!" to "I love HZ Strings!", but ... wait a minute ... has anyone seen Paul or Christian lately???
 

gamma-ut

Senior Member
How strong is the password? Apple's check in iOS14 doesn't match passwords to accounts on specific websites. It only checks if a password has ever been leaked when it gets used. It may not be your password that has leaked but someone else's that happens to match - but the device flags it when you log into a site. Plenty of people would get a warning with "password123", for example.

Even with a strong randomly generated password it's possible to get collisions, though not all that likely.

I've just checked haveibeenpwned via 1Password and my VI-C password doesn't come up.
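
An added example, not part of the post above: a leaked-password check that depends on the password alone, so two unrelated accounts sharing "password123" both trigger the warning. It is modelled on the SHA-1 prefix range lookup used by Have I Been Pwned's Pwned Passwords, with a constructed local corpus standing in for the service; Apple's own protocol is not described in the thread and is not reproduced here, and all function names, sites and counts are hypothetical.

```python
import hashlib

# Constructed sample of leaked passwords with made-up occurrence counts.
LEAKED = {"password123": 251000, "letmein": 98000, "qwerty2020": 4100}

def build_range_index(leaked):
    """Index leaked passwords by the first 5 hex chars of their SHA-1."""
    index = {}
    for pw, count in leaked.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index

def times_leaked(password, index):
    """Return how often `password` appears in the corpus (0 if never).

    Only the 5-character prefix would be sent to a lookup service; the
    suffix comparison happens locally. No site or username is involved.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    bucket = index.get(digest[:5], {})  # what the service would return
    return bucket.get(digest[5:], 0)

def warn_on_login(site, username, password, index):
    """Device-side warning: site and username are deliberately ignored."""
    return times_leaked(password, index) > 0

INDEX = build_range_index(LEAKED)

if __name__ == "__main__":
    logins = [("forum.example", "alice", "password123"),
              ("bank.example", "bob", "password123"),
              ("forum.example", "carol", "v9#Lq2!xTz7mWb4r")]
    for site, user, pw in logins:
        flagged = warn_on_login(site, user, pw, INDEX)
        print(site, user, "WARN" if flagged else "ok")
```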
 

nyxl

Member
> (In case anyone is wondering, the password isn't something we have access to, either. Obviously it's on a server somewhere, but it's not available to us.)
It shouldn't even be on a server somewhere, at least not in clear text form. Afaik, XenForo hashes passwords with a random salt. This means that even if someone had access to the forum's database, it would be extremely difficult (if not impossible) for them to find out the clear text password of even a single user (unless it is an easy to guess password of course). Every time you log in, your password hash is recalculated and compared with the one stored in the database, but this hash calculation is a non-reversible operation.

That's why you can't retrieve your password in case you forget it, you can only reset it.

Sorry if this is obvious to everyone, just thought it should be stated clearly that the clear text passwords are not stored (and should not be stored) anywhere.
 

tack

Damned Dirty Ape
Which is why any time a website says you can't use certain characters or that your password can't be longer than a certain length (as is distressingly common with Canadian financial institutions), it is a near certainty that they are mismanaging user credentials.
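
An added example, not part of either post and not XenForo's code: salted password storage as the two posts above describe it, showing that the same password gives different stored hashes, that login recomputes and compares, and that the stored record has the same size whatever the password's length or characters. PBKDF2-HMAC-SHA256 and the iteration count are assumptions standing in for whatever scheme the forum software actually uses; the function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch

def make_record(password: str) -> dict:
    """What the database keeps: a random salt and a derived hash only."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def check_login(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])

def reset_password(new_password: str) -> dict:
    """A forgotten password cannot be read back, only replaced."""
    return make_record(new_password)

if __name__ == "__main__":
    alice = make_record("password123")
    bob = make_record("password123")  # same password, different salt
    # Long passphrase with spaces, symbols and non-ASCII characters.
    long_pw = "correct horse battery staple! \u00f1\u20ac " * 8
    carol = make_record(long_pw)
    print("same password, same hash?", alice["hash"] == bob["hash"])
    print("stored sizes:", len(alice["hash"]), len(carol["hash"]))
    print("carol logs in:", check_login(long_pw, carol))
    print("near miss accepted:", check_login("password124", alice))
```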
 

Wedge

Active Member
Seeing that I used to live a five minute walk from Apple's compound, I'm pretty sure Corporate Apple is located in the Bay Area and not in Plunketsville AL. Even if they were in Alabama, I don't think their address would be a lot #. And I'm laughing my ass off at the idea that they'd be located on Swampvista Cir. (I get it it's the south, but it's not Florida.)
 