Forum password reset

jpgoldberg
1Password Alumni
edited November 2019 in Lounge

About the issue

On November 15, 2019, Vanilla Forums discovered a vulnerability in their forum software that exposed their user records. They immediately deployed a fix and initiated password resets for potentially affected users.

Your 1Password data is entirely separate from your 1Password Support forum account.

What you should do

Comments

  • jpgoldberg
    1Password Alumni
    edited November 2019

    What we know (updated)

    Vanilla Forums has posted an incident report, and so I am updating this message.

    What could have been exposed

    The bug would allow an attacker to get "full user records" for Vanilla forum accounts (including the very discussion forum you are reading) which include

    • Forum usernames
    • Forum passwords (salted & hashed using bcrypt with bcrypt cost parameter 10)
    • IP addresses from which you signed up for the forum
    • Forum user preferences
    • Forum user roles and ranks
    • Email address associated with your forum account

    Again, that potential exposure is about accounts on this discussion forum. Your 1Password data and account is entirely separate.

    What we don't yet know is whether the bug that they fixed was ever exploited.

    This is what 1Password is for

    1Password makes it easy to have unique passwords for each and every service you use. And so I hope that everyone who has signed up for our forums does have a unique and strong password. And so you get a nice demonstration in this case of how 1Password keeps you safe. If an attacker manages to learn your forum password the damage that they can do is limited.

    And so, I encourage everyone to use 1Password to identify and change reused passwords. So if like Molly (one of my dogs), you use the same password for Barkbook and Bone Bank, you should update those.

    Barkbook password reuse

This discussion has been closed.