| "Privacy Is A Myth" Its better if you change the password because each year people's information gets leaked and there is no stop to it and yours might be in that leak...depends on where you registered using same email and password that you used here.... Now how people breach/get the data ? Ans. By using sql attacks.. Also have some patience...they are doing this to protect our data.. |
| No idea what happened, but this is kinda annoying... I can't seem to change the password and have to use the one that the site provided me with... |
 |
| Idk what happened, I'm rarely online and just came on to check on stuff and it said my acc got locked out. Well fortunately I could reset my password. |
 |
| Such a bore. First we have to change the password, then we have to use the password you sent to us in the mail as autenticifaction or however it's written. That last part made no sense. Why not use the password we chose? |
 |
Because they reset that password. Basically, your account was "locked", so doing the reset both unlocked the account (allowing login) and set the password to the one sent by e-mail. Once you log in with that, you can change the password to whatever you would like. |
| Developer, sysadmin, and anime addict. Have an Android smartphone? Try Atarashii! |
| What kind of moron exposes passwords/sessions trough the API? Or the API wasn't the problem after all? Forcing passwords means shit ton of accounts getting locked for no reason, I'd rather change it on my own than being butt raped by the admins. If you lost your e-mail good luck with the headache meds. |
 |
| Exactly two and a half years of sbscription today and the website never asked me to provide a new password. WHen did that happen? @motoko I'm using both, depending on the computer I'm on and/or the fact I have one of those social websites open at the time. Thanks for your answer. |
Rei_IIIMay 25, 2018 12:49 PM
Aquamirror said: What kind of moron exposes passwords/sessions trough the API? Or the API wasn't the problem after all? The API, because it was ancient, required that you pass the username and password using basic authentication. This means each call resulted in transmission of the login information. Rei366 said: Exactly two and a half years of sbscription today and the website never asked me to provide a new password. WHen did that happen? If you are using one of the social login buttons, you're not affected. It's only for those accounts using direct password login. |
| Developer, sysadmin, and anime addict. Have an Android smartphone? Try Atarashii! |
DJBay1 said: Exactly, *in my opinion* it just seems like an over reaction to lock people out until they change their password based on potential risks, just fix the risk and tell people that they *maybwant to* change their password. I’m just annoyed because I lose access to an account that I’ve held for so long with a risk of not getting hm it back. Disclaimer: I am in no way associated to MAL but can somewhat speculate from professional experience. The "maybewant to change their password" is not always compatible if you want to fix a potential risk or simply IMPROVE your current security. Since the passwords are already NOT stored in plain text it's probably safe to assume that they are somewhat at least hashed if not even hashed and salted to some degree. So if MAL decides to change the way they store their passwords they can't simply convert the existing passwords into the new format, since the hashing is by design a one-way trip (except vulnerability in hash, rainbow table or similar). Without your input they simply don't know what your password is. So the most logical step is reset all passwords, implement the new password hashing method and use for the first connection the other authentication method: email. Passwords should anyway be changed from time to time.The only thing that I found strange was that after you used the password from the email they did not force you to change your password again. With the coming possibly monumental fines you may risk in case of stolen data under the new GDPR legislation it's very likely that someone decided/imposed it's time to beef up security to the max to at least be able to say that they everything they could to protect the data. |
DJBay1 said: @Yzeelb I would agree with you if that was what was being said. The message when you log in is: The MyAnimeList Team is working to address a vulnerability in the API, which has been made temporarily unavailable while the team works on this issue. Out of an abundance of caution If the reason they wanted us to change passwords was because of they wanted to change the way they want to store it, then they should say it. Until then, I can only use the reasons they have clearly given to us, which are that: Vulnerability with API No passwords of info was stolen. If they have other reasons for doing this, then say it or expect people to be angry. The last problem is, I use a multitude of site, games, forum, news sites etc etc. Small to giant. Over the time a few have been involved in data breaches or potiental ones, some hitting the news, others barely spoken. Never, ever have I been forced to change passwords. That's what makes me so confused. It just seems like: 1: a panicked overdone reaction or 2:They are hiding some infomation about the incident that would change are views on this or 3: There was info stolen and they are lying. I'd hope it's option 1. Check out what facebook is suffering right now...and myanimelist dont want to end up like facebook did...so they took this step to save privacy of [users] in future... Also API makes it easy to hack...if they add hashes like hmac->sha [when you login the password gets hashed] then it wont be possible to hack any mal account that easily... Also no hack was done on mal so no need to worry... And i also want to suggest MAL team to check out csrf token on their login page because its easy to make a brute force tool thats why and i also suggest them to make password hashed in their API and in their site just like i mentioned above... |
Doctor-Doom said: i also suggest them to make password hashed in their API and in their site just like i mentioned above... MAL was actually working on a new API that used OAuth so tools wouldn't need to know account passwords. It was actually under testing by a few select developers. Unfortunately, they closed it a few weeks ago with a similar indefinite status, so there is literally no way to "hook" into the service short of emulating browser actions and scraping content from all HTML pages. |
| Developer, sysadmin, and anime addict. Have an Android smartphone? Try Atarashii! |
More topics from this board
» [Resolved] ask if i want to discuss a chapter when i change it on my list not showing updeg - Jan 26, 2024 |
17 |
by deg
»»
Yesterday, 11:04 PM |
|
» Badges regarding "Spirit of science" and "comedy killer"Nishimiya_279 - Yesterday |
1 |
by loveyaall
»»
Yesterday, 8:09 PM |
|
» Why has MAL been delisted from basic search functionality?kairyu-shin - Oct 14, 2021 |
12 |
by deg
»»
Yesterday, 7:59 PM |
|
» Angel x Demon Cant get alongTahohi - Aug 31 |
7 |
by Alexioos95
»»
Aug 31, 10:24 PM |
|
» Login order suggestionfulminicolibri - Aug 31 |
0 |
by fulminicolibri
»»
Aug 31, 12:27 PM |