Forced Account Reset?

silence1186

Today when I tried to login to the forums on another device, there was a red error bar stating I needed to change my password because an administrator changed my account information.

Is this routine? Should I follow the link? Or is it some kind of error?

ani_game_bum

Same here. Logged into forums on my work PC OK about 9:30 AM EST then tried logging in through my personal laptop around 10:15 AM EST but prompted me to change password due to a change on the admin side or something similar. Provided email address account is associated with, got the password change e-mail, and changed my password OK and logged in OK.

Used Chrome on both PCs to get on the forums.

That's about all I did/can recall.

Commander Zoom

Same for me.

Iruka

Incident report: https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

It was an intentional reset, details in the link.

silence1186

Thanks for the follow up.

Undead Scottsman

Greaaaatt...

Thanks for the quick action, at least.

Inquisitor77

Stuff like this is why I'm glad I use Lastpass. Just reset my password for this site and move on with my life...

Athenor

@Iruka

Just FYI, there's nothing on the forum landing page when you are signed out that points to this forced reset. It just happened to me, and I was freaking out for a bit until one of the Discord groups mentioned that it had happened to them too. And then I was freaking out because my account is so ancient, I was worried I had a now defunct email on it.

I'd recommend a banner message, perhaps in a different color than the 4 Tube has up there right now when you are not logged in.

Now that Keepass on my phone supports my fingerprint reader, I'm putting an actual secure password on my account. I didn't before because having to constantly log back in every couple of weeks was a pain on my phone.

Long live my slightly modified password from 1996! I was an idiot back then.

VishNub

I was about to come suggest the same thing. It would be reassuring.

Kipling217

Kinda scary for me since I have been using the same password since I signed up in 2007. I had no idea which email account I was using at all. Lucky I guessed it right.

Shadowfire

Passwords were salted and hashed. The information was disclosed within two weeks of the initial breach.

Thanks, Vanilla. I wish most companies would be half as decent.

[Deleted User]

astrobastard wrote: »

Hey. So the email I used to sign up for my account over a decade ago has moldered into dust. Is there a way to get back to my old profile @astrobstrd without having access to that email?

I have the same problem. My account is LockedOnTarget

The email I used for it isn’t functional anymore, so I can’t do the password reset.

EspantaPajaro

All right cool , just happened to me and gave me a mini heart attack.

Tube

Pgroome@penny-arcade.com is the contact for this

Zilla360

So it was due to a fix to a code regression that introduced a security vulnerability? Ah, I see.

MMMig

I've already reset my password, but the banner is still there saying I might have to.


OK to ignore after 1 reset, right?

Campy

Shadowfire wrote: »

Passwords were salted and hashed. The information was disclosed within two weeks of the initial breach.

Thanks, Vanilla. I wish most companies would be half as decent.

Yeah, most companies would have sat on this for months, if not years.

Jazz

Campy wrote: »

Shadowfire wrote: »

Passwords were salted and hashed. The information was disclosed within two weeks of the initial breach.

Thanks, Vanilla. I wish most companies would be half as decent.

Yeah, most companies would have sat on this for months, if not years.

Not to mention may have stored passwords in plain text or something.

Athenor

MMMig wrote: »

I've already reset my password, but the banner is still there saying I might have to.


OK to ignore after 1 reset, right?

As far as I can tell, the banner can't be dismissed. So yeah - if you can login, that means you've changed your password and are free to ignore.

LockedOnTarget

Issue resolved for me, thanks!

Ianator

Yahoo! mail was a jerk and wasn't giving me any of the several password reset mails, even when Tube sent one manually. Fortunately my account is now linked to my current address.

Infidel

If you used the password you had here anywhere else, it would be good to change it elsewhere.

Also try to not reuse passwords and look into a password keeper.

Feral

This is a pretty milquetoast vulnerability but I appreciate Vanilla for taking it seriously.

Other companies have far worse situations all the time but don't treat it with the same urgency.

Thumbs-up to Vanilla for being ahead of the curve.

Tube

We’ve been able to ascertain that we were at low risk and have restored access to a number of accounts that were still awaiting a reset. We highly recommend making sure your email is up to date and resetting your password. Better safe than sorry.

halkun

Man, that postmortem report was super sexy! I've worked with multi-million dollar enterprises and have never seen a report like that.