We've decided to ditch the old vBulletin forum and have launched this new forum on a bigger platform.
* This is a new forum from scratch, and no user accounts or posts carry over.
* You can sign in with Email, Facebook or Google.
* This is a SEPARATE account from your normal Hollywood Camera Work account.
We used vBulletin as our forum for 15 years, since it's one of the biggest commercial forum platforms. Yet vBulletin has had ongoing security problems. Even though we rigorously applied security updates within minutes of their release, our vBulletin forum was hacked in 2019. Even worse, the forum had so many spam signups that we struggled to email users about the breach.
Here's what you should know about the breach:
* We never trusted vBulletin completely, and kept it very far away from normal Hollywood Camera Work servers.
* The attackers made off with the database, which contained forum usernames, hashed passwords, and email addresses. Hashing is a one-way scrambling used to verify a password without storing the password itself.
* A few thousand very old accounts had MD5 hashing, which is no longer considered secure, since one password can be brute-forced in about 30 minutes. All later accounts had high-cost hashing, which can require from hundreds of thousands to trillions of dollars of computing power to brute-force just a single password (see https://support.1password.com/pbkdf2/).
* There is zero risk to your Hollywood Camera Work account or data. The forum has intentionally been kept very far away from our real systems, and there's no connection between them.
* The main risk to existing forum users is that attackers can send personalized emails.
* The secondary risk is if you were an early account holder and used the same password on many websites. Once attackers have brute-forced a password, they try it on other websites.
* The lesson is always to never trust personalized emails, and to never use the same password on multiple websites, but instead to use a password manager so you have unique and complex passwords on every website. You should even use complex passwords for security questions. Name Of Your First Pet? hpE4J5jH70GJSZ%5.
* We are, in a relative sense, happy to see that the system worked. We rigorously keep systems separate, applications only have minimum access, we have high operational security on a day-to-day basis, and we've reacted swiftly to security notifications. Therefore, this breach provided no foothold for further attacks, and only yielded a database of relatively low value. We're now taking the final step in our list of right things to do: ditching the old forum and starting over on a larger, simpler platform.
It means losing the forum history. But trying to keep the history was holding us back from making this change.