Ben posted this in another forum, one which folks may not check a lot. So read here: https://prince.org/msg/3/468500

It would appear that some nefarious folks have attacked prince.org and found a security hole through which they were able to determine some of the database structure, and then extract usernames, email addresses, and passwords. It's unclear to me how many they managed to actually extract (possibly zero, but we should assume they were able to extract ALL just to be on the safe side).

Hence why you'll need to get a new password to sign in, which will be mailed to your email address on file. You can of course change the password to somethign else, but please do NOT change it back to your original password, as you should assume another party now has that one.

Uncharacteristically sloppy coding on my part, so apologies. It's been remedied and I will do an audit of other similar vectors, it's certainly possible there's another one somewhere lurking. Sorry. Kind of amazing that we actually managed to go over 20 years without a similar successful attack though...

[Edited 1/25/22 0:13am]

Formerley UncleGrandpa, now I'm using my second account as my primary. 18 years of info lost but I'm fine with that. Let's start anew.

TrivialPursuit said:

Ben posted this in another forum, one which folks may not check a lot. So read here.

It would appear that some nefarious folks have attacked prince.org and found a security hole through which they were able to determine some of the database structure, and then extract usernames, email addresses, and passwords. It's unclear to me how many they managed to actually extract (possibly zero, but we should assume they were able to extract ALL just to be on the safe side).

Hence why you'll need to get a new password to sign in, which will be mailed to your email address on file. You can of course change the password to somethign else, but please do NOT change it back to your original password, as you should assume another party now has that one.

Uncharacteristically sloppy coding on my part, so apologies. It's been remedied and I will do an audit of other similar vectors, it's certainly possible there's another one somewhere lurking. Sorry. Kind of amazing that we actually managed to go over 20 years without a similar successful attack though...

Wow so now this explains why i had a hard time signing in.

EmmaMcG said:

I was almost locked out of the org forever . My ex set this account up for me years ago with a throwaway email address. I never even knew what that email address was. It's just thanks to some really good luck and his incredible memory that he was able to recall what that email address was so that he was able to give me the new password. If not for that, that would have been the end of me on this site. Though, I am now contemplating deleting my account anyway...

EmmaMcG said:

I was almost locked out of the org forever . My ex set this account up for me years ago with a throwaway email address. I never even knew what that email address was. It's just thanks to some really good luck and his incredible memory that he was able to recall what that email address was so that he was able to give me the new password. If not for that, that would have been the end of me on this site.

Though, I am now contemplating deleting my account anyway...

Aaaaahhhhh.

So that explains all those viagra spams in my mailbox.

nayroo2002 said:

Aaaaahhhhh.

So that explains all those viagra spams in my mailbox.

Does it, though?

TrivialPursuit said:

nayroo2002 said:

Aaaaahhhhh.

So that explains all those viagra spams in my mailbox.

Does it, though?

Since i've been a "member" of the Org, yeah

EmmaMcG said:

I was almost locked out of the org forever . My ex set this account up for me years ago with a throwaway email address. I never even knew what that email address was. It's just thanks to some really good luck and his incredible memory that he was able to recall what that email address was so that he was able to give me the new password. If not for that, that would have been the end of me on this site.

Though, I am now contemplating deleting my account anyway...

coldcoffeeandcocacola said:

EmmaMcG said:

I was almost locked out of the org forever . My ex set this account up for me years ago with a throwaway email address. I never even knew what that email address was. It's just thanks to some really good luck and his incredible memory that he was able to recall what that email address was so that he was able to give me the new password. If not for that, that would have been the end of me on this site.

Though, I am now contemplating deleting my account anyway...

kpowers said:

EmmaMcG said:

kpowers said:

Not decided yet. We'll see what happens.

Awe, c'mon you've got to keep us updated on the kids.

so if your email used here used the same password... change that one too. and the site stores passwords as plain text, they should be encrypted

OnlyNDaUsa said:

EmmaMcG said:

kpowers said:

Not decided yet. We'll see what happens.

Great, first Betty White and now this

I needed to get my email address changed. I still use the email that I signed up with and works for everything else (including orgnotes) but I never got the warning email.

.

If the hack means that you are currently forced to lurk, perhaps you will need to do the same.

OnlyNDaUsa said:

There is a web site that checks your email to see if it was owns or on the dark web or something... https://haveibeenpwned.com/

.

This is a marketing site for a password manager. It only reports possible breaches. Mine reports:

.

1 A 2013 commonly known Adobe breach long since addressed

.

2 A 2014 unverified potential breach

.

3 A 2017 spambot that grabbed millions of emails and some passwords with no indication of which or for what.

.

4 A 2019 file that included some background information not passwords or IDs on millions of people with no indication of which or for what

.

5 A 2019 email and background data breach for millions with no passwords. Again, not indication of what data or for what.

.

Aside from the commonly known first one, the service is no good. It is unable to tell you which identities and passwords have recently been breached.

.

You are much better off using a password manager, enabling 2 factor authentication and using different and hard to hack passwords that are not based on prior passwords, especially old ones.

IanRG said:

OnlyNDaUsa said:

There is a web site that checks your email to see if it was owns or on the dark web or something... https://haveibeenpwned.com/

.

This is a marketing site for a password manager. It only reports possible breaches. Mine reports:

.

1 A 2013 commonly known Adobe breach long since addressed

.

2 A 2014 unverified potential breach

.

3 A 2017 spambot that grabbed millions of emails and some passwords with no indication of which or for what.

.

4 A 2019 file that included some background information not passwords or IDs on millions of people with no indication of which or for what

.

5 A 2019 email and background data breach for millions with no passwords. Again, not indication of what data or for what.

.

Aside from the commonly known first one, the service is no good. It is unable to tell you which identities and passwords have recently been breached.

.

You are much better off using a password manager, enabling 2 factor authentication and using different and hard to hack passwords that are not based on prior passwords, especially old ones.

YES 2 factor is good as are managers. But this site seems decent. I also have other monatoring services...

Post on that other link. Thanks