Topic: Please Change Your Passwords

Posted under General

In response to news of an information leak at CloudFlare, we are requesting that our users take the time to change their passwords on potentially affected websites, including e621. Here at e621 we use CloudFlare to help protect against distributed denial of service attacks that would be disruptive to usage of the site, and it is an important part of our architecture. CloudFlare recently announced that an extremely small percentage of requests could result in leaked information from previous requests being included by mistake. CloudFlare has since resolved the issue that was leaking information.

While we have found no evidence that this leak has personally affected e621, we cannot be sure of the scope of the leaked information. As a result, we are requesting that you change your password as a precaution.

The official announcement from CloudFlare can be found here.

Because this has the potential to have impacted a very large number of sites, you should review your password sharing habits and consider using a password manager and a unique password per website.

A list of potentially impacted sites can be found here.

Stay safe out there.
~e621 Staff

Clarification edit:
This does not represent a compromise of the e621 website or services. The website was not hacked or compromised as a result of this event. This is a precautionary advisory only.

Updated by fewrahuxo

Fer goodness sake it's 2017 and buffer overruns keep getting by programmers. This is why we can't have nice things.

The details...

It's insanely unlikely anything will come of this.

Updated by anonymous

rysyN said:
Fer goodness sake it's 2017 and buffer overruns keep getting by programmers. This is why we can't have nice things.

The details...

It's insanely unlikely anything will come of this.

I also consider it unlikely that anything will come of this. It was well handled, and the search engine teams were on board clearing out indexed information before it was announced.

I still consider it good practice to let users know if their information was potentially compromised, no matter how small the chance, and how they can respond to it. I would much rather have a user know and be able to respond, than be unaware and be unable to react if that chance is not in their favor.

Updated by anonymous

I question how a memory leak from here would benefit those who don't browse e621.

Updated by anonymous

Unless it's something official like a bank account, I use a bullshit password for random online services. I hope to God no one uses my e621 password to also access two expired porn subscriptions and an empty discord

Updated by anonymous

Neferpitou said:
I wonder how a memory leak from here would benefit those who don't browse e621.

Thinking this through only two options that pop into my head at the moment are:
a) A group of people having a furry witch hunt.
b) pepper can use the accounts as members of his 'army'.

Updated by anonymous

FustratedFeathers said:
I've been inconvenienced for a few seconds.

Curses.

I know, right? Updating my passwords is such a chore. :P

Shouldn't be a big deal, but better safe than paranoid I always say. Which is really small condolences when you actually have clinical paranoia....

Updated by anonymous

OrangeLightning said:
Thinking this through only two options that pop into my head at the moment are:
a) A group of people having a furry witch hunt.
b) pepper can use the accounts as members of his 'army'.

Who's pepper?

Updated by anonymous

404_ArtNotFound said:
Nobody worth remembering.

Not for me, that is. I feed on drama-whores' tears but I try keeping the enjoyment all to myself.

Updated by anonymous

Genjar

Former Staff

Neferpitou said:
This guy?

Like I said, not worth talking about. He hasn't been active after his troll-group (and main gaming account) got banned on Steam, anyway.

v He's a troll. Admin of a trolling-group on Steam, and all that.

Updated by anonymous

Wait, would our password be sent in requests if we've been logged in the entire time, or only if we had to re-enter it?

Updated by anonymous

Furrin_Gok said:
Wait, would our password be sent in requests if we've been logged in the entire time, or only if we had to re-enter it?

Only if you had to re-enter it. It would still be wise to change it as a precaution, even if you did not log in during that period, but the choice is yours.

Updated by anonymous

somehow, i don't feel much of a need to do this. the oldest account i even remember using my current password for is my account on kongregate and that one is 9 years old as of november 28 this year. not only that but the closest i ever come to using any personal info for anything would be my PSN account (which i only use on the console) and signing my name on a check each month. unless i'm forgetting a, likely dead or inactive, account somewhere that asked for such info.

no, wait, i think i have a different username & password for the PSN account. plus, whenever a site asks for my birth date i always enter it with at least one number off (month, day, or year). so that's useless info.

even i don't know how far my trail of dead and/or inactive accounts goes. it goes at least as far as whenever the lich king expansion for WoW was released. i remember that much.

so yeah, it's far more likely that anyone with my password will hit 1 of a VERY few active accounts of little to no value or countless dead and forgotten accounts. i know better than to leave personal info lying around. :P

HypnoBitch said:
Just looked at his comments... This guy is nuts. I can't tell if he's delusional or just trolling.

welcome to the club. here's some snacks. lol

Updated by anonymous

According to this one, there could be over 4 million sites affected, which includes some mobile apps.
https://github.com/pirate/sites-using-cloudflare

Also remember this does affect other furry related sites using cloudflare services, including furaffinity, weasyl and patreon, not just e6.

It does already help if you are doing your basic account security correctly, meaning 2fa on at least the most important services, a different password on every single service, passwords that are hard to brute force, changing passwords periodically on services you use commonly especially if they do not allow 2fa, etc. This way even if a single login has bled from this mess, it means an attacker can only access that one account of yours, if even that.

Good password managers (not the one built into the browser) can also help to avoid falling into pitfalls like easy/same passwords and avoid keyloggers getting information, but in cases like this they bleed exactly the same as other passwords.

Updated by anonymous

treos said:
i know better than to leave personal info lying around. :P

> leaves a bunch of personal info lying around

Updated by anonymous

Change your password

What?! No! NO! NO!

I have finally managed to consolidate all of my online accounts under a master password that nobody is likely to ever guess! I am NOT changing my f**king password again! I don't have to worry about any sensitive personal or financial information on the web being stolen, because I don't have any sensitive personal or financial information on the web TO steal! I don't care if CloudFlare had a leak--I cannot deal with this crap again! >:C

Updated by anonymous

remember your NUCs (never use Cloudflare).

@above poster, having a single hard-to-guess password is many orders of magnitude less safe than having multiple easy-to-guess passwords. best thing is to have many hard-to-guess passwords, which is why you use a password manager like Master Password (the app).

Updated by anonymous

fewrahuxo said:
remember your NUCs (never use Cloudflare).

@above poster, having a single hard-to-guess password is many orders of magnitude less safe than having multiple easy-to-guess passwords. best thing is to have many hard-to-guess passwords, which is why you use a password manager like Master Password (the app).

I believe that they are joking.

Updated by anonymous

The_Masked_Newfag said:
What?! No! NO! NO!

I have finally managed to consolidate all of my online accounts under a master password that nobody is likely to ever guess! I am NOT changing my f**king password again! I don't have to worry about any sensitive personal or financial information on the web being stolen, because I don't have any sensitive personal or financial information on the web TO steal! I don't care if CloudFlare had a leak--I cannot deal with this crap again! >:C

Calm down. Literally something as easy as "synonym for theme or name of site" followed by "something I really enjoy" (especially if it can relate to the site as well) and finally just a number you like is better than a master password. Like, "Big_Salted_Boobs_11", where e621 is another term for salt, and your favorites include large boobs, with your join date being 2011.
...Though I'd definitely recommend a tad more personalization than two things directly visible from your profile, of course. Another way to look at the theme of e621 is porn of whatever sort, blue/yellow, hexagons, or any of the mascots. You can even go a bit indirect: The San Diego Chargers use both blue and yellow in their team colors, which would make Chargers or Charging a viable word for use, if your mind can process mnemonics that way.

Updated by anonymous

Already affected me, wads of money started disappearing out of my bank account. I managed to put a stop to it, but it's still gonna take a few weeks to get the money back. I've already gone and changed my password on ALL of the MILLION BILLION sites I use.

Updated by anonymous

JimJams said:
Already affected me, wads of money started disappearing out of my bank account. I managed to put a stop to it, but it's still gonna take a few weeks to get the money back. I've already gone and changed my password on ALL of the MILLION BILLION sites I use.

looking at your favorites, I suppose you could say your bank account was mangled

https://www.youtube.com/watch?v=_tWC5qtfby4

Updated by anonymous

Thanks, this helps, just in case.
I looked through the list of sites using this and I use none of them, phew.

Updated by anonymous

Cakemix said:
Thanks, this helps, just in case.
I looked through the list of sites using this and I use none of them, phew.

Well, hate to break it to you, but you're on one of those sites.

Updated by anonymous

fewrahuxo said:
remember your NUCs (never use Cloudflare).

@above poster, having a single hard-to-guess password is many orders of magnitude less safe than having multiple easy-to-guess passwords. best thing is to have many hard-to-guess passwords, which is why you use a password manager like Master Password (the app).

Furrin_Gok said:
Calm down. Literally something as easy as "synonym for theme or name of site" followed by "something I really enjoy" (especially if it can relate to the site as well) and finally just a number you like is better than a master password. Like, "Big_Salted_Boobs_11", where e621 is another term for salt, and your favorites include large boobs, with your join date being 2011.
...Though I'd definitely recommend a tad more personalization than two things directly visible from your profile, of course. Another way to look at the theme of e621 is porn of whatever sort, blue/yellow, hexagons, or any of the mascots. You can even go a bit indirect: The San Diego Chargers use both blue and yellow in their team colors, which would make Chargers or Charging a viable word for use, if your mind can process mnemonics that way.

Don't care. I'm NOT changing it again. I have nothing worth stealing in any of my internet accounts, and I already have too much crap to deal with in my life as it is. I don't need to add 'trying to remember exactly which password or variation of my master password I use on X website' on top of it all-- especially considering the fact that I'm stuck using a mobile phone to access the internet at this time, and I have to manually enter all passwords on a fucking touchscreen keyboard that intermittently crashes and takes up to five minutes to open up again. The list of affected websites (at least from what I read on the list of potentially affected sites) did NOT include e621, so I'm not really concerned about it. If e621 was affected after all, that's a risk I'm willing to take. And if my account ends up being hacked, well then I'll be a stubborn idiot who should've listened and it'll suck to be me.

Updated by anonymous

The_Masked_Newfag said:
especially considering the fact that I'm stuck using a mobile phone to access the internet at this time, and I have to manually enter all passwords on a fucking touchscreen keyboard that intermittently crashes and takes up to five minutes to open up again.

Open up your apps menu and actually close your apps. Having multiple apps open at the same time is what causes the keyboard sub-app to crash, and it's generally unhealthy for the phone to try and multitask so much in the first place. Even factory default apps (Calculator, Clock, calendar, memo) can cause trouble. Close everything except for one or two apps and your keyboard should be fine.
As for how to open up that list, well, just google it. It'll require too much back and forth here for any of us to tell you how to handle it on your exact phone model (it's different for different brands and models).

Updated by anonymous

Genjar said:
Like I said, not worth talking about. He hasn't been active after his troll-group (and main gaming account) got banned on Steam, anyway.

v He's a troll. Admin of a trolling-group on Steam, and all that.

If he seriously considers what he does as trolling... That's baby/edgy tween tier shit. For something really good, you gotta make yourself appear as one of them. I don't feel like elaborating more.
But it'll never be seen coming.

Updated by anonymous

The_Masked_Newfag said:
Don't care. I'm NOT changing it again. I have nothing worth stealing in any of my internet accounts, and I already have too much crap to deal with in my life as it is. I don't need to add 'trying to remember exactly which password or variation of my master password I use on X website' on top of it all-- especially considering the fact that I'm stuck using a mobile phone to access the internet at this time, and I have to manually enter all passwords on a fucking touchscreen keyboard that intermittently crashes and takes up to five minutes to open up again. The list of affected websites (at least from what I read on the list of potentially affected sites) did NOT include e621, so I'm not really concerned about it. If e621 was affected after all, that's a risk I'm willing to take. And if my account ends up being hacked, well then I'll be a stubborn idiot who should've listened and it'll suck to be me.

e621 has been (somewhat) affected, we do use CF, but all traffic is encrypted before it goes over CF servers, so they only leaked encrypted garbage as far as we are aware.

Besides that, if you're on android have a look at Keepass2Android, it offers one of the best password managers, and comes with a keyboard that will enter your username and passwords for you, so no need to stupidly copy and paste stuff around all the time. Also it has a counterpart on every OS, so you can use the password database on your PC, Mac, and other devices.
Depending on which standard keyboard you're using have a look at Swiftkey, that keyboard is/was a lot faster on my old and rather weak device, so maybe it'll make your life easier as well.
Besides, check if you can uninstall garbage apps that most vendors force on you, a good chunk can either be removed outright, or at least disabled without issue. Before doing that however definitely check on the internet if the app is actually critical or not, some apps do fuck you over if they're removed. Restarting your device once a month also helps a lot in speeding things up, android does a little house cleaning every boot.

Updated by anonymous

Thanks for the heads up. Due to the severity of this breach (although everything was encrypted), wouldn't it be worth forcing users to change their password on the next login? Even if it allowed them to keep it the same as last time, it just seems proactive, and that way all users are definitely 100% sure of the issue.

I know it's common sense, but it's just a thought. That way no users are at risk unless it's their own doing, rather than because of CF.

Updated by anonymous

wisp_the_husky said:
Thanks for the heads up. Due to the severity of this breach (although everything was encrypted), wouldn't it be worth forcing users to change their password on the next login? Even if it allowed them to keep it the same as last time, it just seems proactive, and that way all users are definitely 100% sure of the issue.

I know it's common sense, but it's just a thought. That way no users are at risk unless it's their own doing, rather than because of CF.

Not a bad idea, though I'm not sure if the site staff have the immediate tools to do so without programming. As of yet, there's only been one report of a password potentially being stolen. I'd say the notion's rather up in the air.

Updated by anonymous

NotMeNotYou said:
e621 has been (somewhat) affected, we do use CF, but all traffic is encrypted before it goes over CF servers, so they only leaked encrypted garbage as far as we are aware.

But the encryption isn't end-to-end, I don't think. e621-to-Cloudflare traffic is encrypted separately from Cloudflare-to-visitor traffic. So the Cloudflare servers still have an unencrypted view of all traffic. After all, that's what makes Cloudflare's caching work. Right?

Updated by anonymous

CatGod said:
Thanks better safe than sorry

Aye. That's why I changed my password from "password" to "password134".

Updated by anonymous

DankMeme7 said:
Aye. That's why I changed my password from "password" to "password134".

Mine is "mypassword" No ones going to guess that!

Updated by anonymous

rhyolite said:
Mine is "mypassword" No ones going to guess that!

LOL like we'd put our actual passwords here.

Updated by anonymous

DankMeme7 said:
LOL like we'd put our actual passwords here.

Wait. You weren't supposed to do that?

Updated by anonymous

SmartGenius85 said:
Haha! My password is my real world name followed by the now defunct phone number at my nan and pops old house that has since burnt down! And for important stuff it's my real name followed by my old houses numbers! And both numbers don't exist in the phone book any more, and I live in Australia! Try working them out!

If there has been leakage like this, it actually doesn't matter how hard your password is, because nobody has to guess it as it's already in their hands. Just that in this case it wasn't just one site but millions of them.

This is the reason why it's highly recommended to use different passwords in all places and change them regularly, at least on more important services. If there is a hole, security issue or bug in the code of one service, you don't automatically lose them all.

Also, the reason why I hate services which require you to have security questions: it's insane in this day when many state their personal affairs online. Even if using some old unused phone number, that number still existed at some point, so if someone is really good at social engineering, they can easily get it.

Updated by anonymous

Neferpitou said:
This guy?

HypnoBitch said:
Just looked at his comments... This guy is nuts. I can't tell if he's delusional or just trolling.

he's not nuts, that guilmon is being absolutely abused

no but this shit is funny AF to me. mostly because seeing furries get worked up over shit like this is hilarious to me

Updated by anonymous

it's not polite to post in an old thread to share bad opinions.

Updated by anonymous
