On January 9, 2017 at approximately 10:00 AM EST, we were notified of unauthorized access to our forums database that occurred in 2013, resulting in usernames, emails and passwords being obtained by an unauthorized third party.
In August 2013, a security vulnerability was exploited in our old forums platform – vBulletin – which allowed an unauthorized third party to access our user database. This particular weakness was eliminated in subsequent security updates over the years, meaning such an incursion could not reoccur.
What information was compromised?
The database contained RedFlagDeals forum usernames, email addresses and an encoded password hash and salt.
Was the information stored in plaintext?
No. Your password is never stored in plaintext on RedFlagDeals servers. The leaked database may contain a text version of your password, which was reverse-engineered by the third party using the password hash and password salt.
Why weren’t users notified immediately?
The compromised data did not surface until this past week – the stolen information has not been readily accessible over the past three years.
We have been investigating the breach to uncover exactly what happened, which has resulted in some delays in response times. We apologize for any frustration this has caused, but we want to provide all users with factually accurate information.
Who is affected?
All users who registered before August 28, 2013.
What are you doing about it?
We have disabled passwords on all accounts registered before August 28, 2013 and logged out all users. Logging out users was essential, as anyone with your information could have logged in and remained logged in as you, even after you changed your email or password.
What should I do?
We advise all affected users to change their passwords as soon as possible by visiting the password reset page. You will be sent an email with a temporary password you can use to log into your account. Afterwards, go to your account settings page to create a new password.
In addition, we strongly recommend changing the passwords to any other services or accounts you may have that utilize the same email address or password.
What security measures do you have in place to prevent this from happening again?
We migrated to a completely different forums platform – phpBB – and a new authentication system in August 2016. This type of incursion would no longer be possible.
This new authentication system has additional layers of security and resides on separate servers. If our forums were to be compromised, your information is safe and cannot be obtained. We also conduct regular penetration tests and security updates.
I am still having trouble with my account. Who should I contact?
Please send an email to email@example.com and we will address your issue as soon as possible. A thread in our Site Suggestions forum is also available if you have more questions.