| View previous topic :: View next topic |
| Author |
Message |
|
|
unready
Joined: 07 Jun 2009
Posts: 428
Location: Illinois, USA
|
Posted: Fri Feb 24, 2017 10:06 pm |
|
|
| Quote: | | ... passwords were not viewable as they are encrypted. |
What this probably means is that the passwords were hashed (think SHA-1, etc.) and, hopefully, salted, which means the hackers can try off-line password-cracking algorithms to guess passwords.
People who chose poor passwords, which is anything that can be found in any dictionary, including substitutions like "$" for "s" and "3" for "e", need to change their password now, because dictionary cracks are easy. Everyone should change their passwords, anyway, just in case the hackers get lucky. Reversing a hash can be difficult. Changing your password after someone stole your hash makes the stolen hash useless.
|
| Back to top |
|
|
|
Kikaioh
Joined: 01 Jun 2009
Posts: 1205
Location: Antarctica
|
Posted: Fri Feb 24, 2017 10:53 pm |
|
|
|
I did not receive a notification from Funimation.
However, I did receive a notification from a third-party ID theft monitoring service, that alerted me that my email address had been compromised on the Funimation site, and that I should change my password there.
So my recommendation is that even if you didn't receive a notification from Funimation, you should update your password anyways.
TBH, this response from Funimation is a bit lackluster. It feels like they should have fully disclosed the issue to everyone, erring on the side of safety. It comes across like they were more concerned about saving face, than the privacy and security of their site users.
|
| Back to top |
|
|
|
Gamer Goku
Joined: 07 May 2015
Posts: 56
|
Posted: Sat Feb 25, 2017 8:49 am |
|
|
|
I love FUNi to death, but they seem to enjoy making very odd business decisions.
|
| Back to top |
|
|
|
KabaKabaFruit
Joined: 20 Sep 2007
Posts: 1903
Location: Winnipeg, Manitoba
|
Posted: Sat Feb 25, 2017 4:53 pm |
|
|
FUNimation screwed up. What else is new?
| Gamer Goku wrote: | | I love FUNi to death, but they seem to enjoy making very odd business decisions |
With sentiments like this, they'll go on making them.
|
| Back to top |
|
|
|
|
lostbirdinatree
|
Posted: Sun Feb 26, 2017 1:49 am |
|
|
|
I got a notification through haveibeenpwned...but my account is kinda dead since I signed up for the forums a few years ago and never used them for anything except viewing the forums once, getting free wallpapers and trying to watch the extra videos. I tried to get in to change my password nonetheless, but I'm outside the region and due to one of Funi's site changes, I'm now greeted with a broken site.
...yeah, you can tell I'm not very pleased with this.
|
| Back to top |
|
|
|
Kalessin
Joined: 15 Aug 2007
Posts: 931
|
Posted: Mon Feb 27, 2017 4:48 am |
|
|
| Kikaioh wrote: | | So my recommendation is that even if you didn't receive a notification from Funimation, you should update your password anyways. |
If a company is breached, then unless the company can guarantee that your password was not leaked (which they usually can't), then you should change your password - and even they can guarantee it, you should still change your password. You have no guarantee that they're right (or even that they're telling the truth), and it's better to be safe than sorry.
Unfortunately, the reality of the matter is that most companies simply don't handle sensitive data or network security correctly - in part because it can be hard to do so and in part because they frequently don't have the required knowledge or expertize, and even if they do, they don't want to spend the money required. How bad Funimation is in this regard, I have no idea, but if you know that a comany had a breach, and you have a password with them, you change it, no matter what they promise about their security.
| unready wrote: | | Quote: | | ... passwords were not viewable as they are encrypted. |
What this probably means is that the passwords were hashed (think SHA-1, etc.) and, hopefully, salted, which means the hackers can try off-line password-cracking algorithms to guess passwords. |
I would certainly hope that they hashed rather than encrypted, but I wouldn't be surprised if they were foolish enough to encrypt rather than hash. And even if they hashed, they may not have used a salt and they may have used a poor hashing algorithm. It's all too easy to handle passwords incorrectly, and a disturbingly large number of websites do. I don't even want to think about how many sites choose to e-mail you your password when you change it or to e-mail it to you when you forget it rather than doing a proper password reset. The fact that they're able to tell send you your password proves that they're doing it wrong, but so many sites don't seem to get that fact. Restrictions on password length and the allowed characters show similar problems with how passwords are handled, and yet they're also incredibly common. At this point, I have very little faith in most sites handling passwords correctly.
Hopefully, Funimation got this right, but even if they did, it sounds like other sensitive information was leaked, and a password reset won't fix that.
|
| Back to top |
|
|
|
Kadmos1
Joined: 08 May 2014
Posts: 13765
Location: In Phoenix but has an 85308 ZIP
|
Posted: Tue Feb 28, 2017 7:50 am |
|
|
|
Even if we ask them why it took almost 1/2 a year, they are probably going to give some BS answer to save face. With their lame redesign (I can stream on my laptop but not my computer) and this, I am tempted to cancel my subscription.
|
| Back to top |
|
|
|
|
ragnawind
Joined: 29 Sep 2009
Posts: 69
Location: Florida, USA
|
Posted: Fri Mar 31, 2017 1:25 pm |
|
|
|
This is pretty old news now, but there seems to be a lot of false info and Anti-Funimation posts here.
Anyway, the Have I Been PWNed website does NOT reveal who was affected by a data breach for a website, like some have claimed that their info was on the websiteas being affected. This is completely false, since that info is not made available publicly and cannot be given, even if requested, since they can't confirm if it was really you or not who owned the account.
Next, it was made clear that all that was taken with the hack was usernames, e-mail addresses, date of birth, and salted SHA-1 hashed passwords. So the passwords were definited secured. In the end, it is still best to change the passwords anyway, as with any data breach
Third, they are already taking steps, and have been, to improve network security, but there is no way to make a network truly secure.
Last, they have notified those potentially affected. Not ALL of the acquired info was gained on everyone. If anyone's account was likely to be a target, an ID theft company would contact the owner of the account via e-mail about the data breach on behalf of the company who had the data stolen, in this case Funimation. It is very rare, if at all, that the company itself would individually contact each potentially affected customer. Some people do claim to have recieved a message from an ID theft company, and this is how victims are normally contacted, NOT directly from the company itself that was affected.
|
| Back to top |
|
|
|
yuna49
Joined: 27 Aug 2008
Posts: 3804
|
Posted: Thu Jul 13, 2017 6:20 am |
|
|
|
Today I received my first spam email directed to the address I registered with Funimation. I use unique addresses for each service to which I subscribe, so today's message about Ray-Ban sunglasses addressed to my funimation@mydomain account was clearly a consequence of the breach.
|
| Back to top |
|
|
|
|