Forum password reset
About the issue
On November 15, 2019, Vanilla Forums discovered a vulnerability in their forum software that exposed their user records. They immediately deployed a fix and initiated password resets for potentially affected users.
Your 1Password data is entirely separate from your 1Password Support forum account.
What you should do
Go to https://discussions.agilebits.com/entry/passwordrequest and reset your password.
If your forum password is the same as your Master Password, change your Master Password.
If you used your forum password anywhere else, change those other passwords. You can use Watchtower to identify reused passwords.
Comments
What we know (updated)
Vanilla Forums has posted an incident report, and so I am updating this message.
What could have been exposed
The bug would allow an attacker to get "full user records" for Vanilla forum accounts (including the very discussion forum you are reading), which include:
- Forum usernames
- Forum passwords (salted & hashed using bcrypt with bcrypt cost parameter 10)
- IP addresses from which you signed up for the forum
- Forum user preferences
- Forum user roles and ranks
- Email address associated with your forum account
Again, that potential exposure is about accounts on this discussion forum. Your 1Password data and account are entirely separate.
What we don't yet know is whether the bug that they fixed was ever exploited.
This is what 1Password is for
1Password makes it easy to have unique passwords for each and every service you use. And so I hope that everyone who has signed up for our forums does have a unique and strong password. And so you get a nice demonstration in this case of how 1Password keeps you safe. If an attacker manages to learn your forum password, the damage that they can do is limited.
And so, I encourage everyone to use 1Password to identify and change reused passwords. So if, like Molly (one of my dogs), you use the same password for Barkbook and Bone Bank, you should update those