What would happen if a hacker got a full database dump of the site?

Discussions about the forum and contents
randomizer
Posts: 561
Joined: Sun Jul 06, 2014 3:46 pm

What would happen if a hacker got a full database dump of the site?

Post by randomizer » Thu Mar 09, 2017 3:48 pm

I tend to worry about these things.

While most people post here pseudo-anonymously, others use their real names, and others still do a bit of both (i.e. they use a nickname on the forum, but they also have real-life meetings with other Bogleheads at conferences and local chapter meetings, where they are known by their real names).

Somebody illegitimately accessing the database would obtain a treasure trove of very sensitive information: combine a bit of guesswork to figure out people's real names, with knowledge of their email address, and in many cases vast detail about which banks they use, what and where their investments lie, anecdotal evidence of past and planned holidays, car/house purchases etc.

I worry about the nefarious uses to which this could be put, ranging from identity theft and fraud to things like doxing. I sure hope the forum software and server OS is kept up-to-date (I'm sure it is), but even with that, it's always possible that there could be an intrusion. Big companies with supposedly best-in-class security teams have fallen prey.

Anybody else have any thoughts on this?

KyleAAA
Posts: 6285
Joined: Wed Jul 01, 2009 5:35 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by KyleAAA » Thu Mar 09, 2017 3:51 pm

If you happen to use the same password here as you do for your financial institutions, you could be at risk. Otherwise, the risk seems minimal. Somebody could stalk you I suppose, but they could do that anyway.

123
Posts: 2410
Joined: Fri Oct 12, 2012 3:55 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by 123 » Thu Mar 09, 2017 4:54 pm

I think that for the most part the only types of data that a hacker could get from this site that isn't publicly available/posted is likely the email address used to establish the account, the password (likely either hashed or encrypted), IP addresses, and "private" messages between members. A member who is at least a little circumspect in what they post would not be at risk for much in my view.
The closest helping hand is at the end of your own arm.

greg24
Posts: 2858
Joined: Tue Feb 20, 2007 10:34 am

Re: What would happen if a hacker got a full database dump of the site?

Post by greg24 » Thu Mar 09, 2017 5:02 pm

Considering the many many many ways that hackers can truly do damage on the internet, getting the database for a discussion board is rather low on the list of possible risks.

livesoft
Posts: 56385
Joined: Thu Mar 01, 2007 8:00 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by livesoft » Thu Mar 09, 2017 5:06 pm

I thought everybody just assumed that all their account info was more or less known by quite a few people. It has always been that way. I assume that the handful of people in the HR department know my name, address, SSN and could find my 401(k) balances. Same goes for the folks at the various financial institutions that I use.

People can already look up who lives at my address, how much my home is estimated to sell for, what are my property taxes, etc. If people google my name, they can see what I do for a living, and estimate how much my salary was pretty easily.

People can already get my credit card numbers because I use them often.

And so on ....
This signature message sponsored by sscritic: Learn to fish.

jebmke
Posts: 6674
Joined: Thu Apr 05, 2007 2:44 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by jebmke » Thu Mar 09, 2017 5:12 pm

The hacker could probably monetize the sponge utilization data.
When you discover that you are riding a dead horse, the best strategy is to dismount.

barnaclebob
Posts: 2133
Joined: Thu Aug 09, 2012 10:54 am

Re: What would happen if a hacker got a full database dump of the site?

Post by barnaclebob » Thu Mar 09, 2017 5:13 pm

They would become a very financially savvy hacker and see that the life of crime is not likely a good long term solution because they just need to get caught once.

Traveller
Posts: 605
Joined: Sat Jun 25, 2011 10:47 am

Re: What would happen if a hacker got a full database dump of the site?

Post by Traveller » Thu Mar 09, 2017 5:36 pm

Well, I guess it's a good thing I have nothing to hide and am comfortable telling the world that my real name is Domingo Voldemort McDoogle and I live in the island nation of Tuvaloo. All my $$ is in gold bars in my bomb shelter guarded by Fang and Sprinkles, my two Rottweilers.

metrunt
Posts: 161
Joined: Thu Jul 16, 2015 9:36 am

Re: What would happen if a hacker got a full database dump of the site?

Post by metrunt » Thu Mar 09, 2017 5:43 pm

What would happen? The hacker would take his ill-gotten gains and put it in a low cost index fund!

Seriously though...all the information I can see on this site a 'hacker' can see and collect. Legally and ethically.

I put the chance of something nefarious happening as a result of "bogleheads.org being hacked" at about .0001%, much lower than I put the chance of the collapse of Western Civilization in the next 100 years.

celia
Posts: 6942
Joined: Sun Mar 09, 2008 6:32 am
Location: SoCal

Re: What would happen if a hacker got a full database dump of the site?

Post by celia » Thu Mar 09, 2017 8:21 pm

Do you think we always talk about ourselves accurately?

How do you know I live where I post about? (I moved 3 years ago)
Do you really think "my parents" are really my parents?
I almost feel "retired" but is it possible I goof off at work and really "wish" I was retired?
etc.

Since I post using the name of an ancestor for my username, I sure hope you connect me properly to that person and let me know where you found the info, since I can't find it!

Kenkat
Posts: 3751
Joined: Thu Mar 01, 2007 11:18 am
Location: Cincinnati, OH

Re: What would happen if a hacker got a full database dump of the site?

Post by Kenkat » Thu Mar 09, 2017 8:27 pm

If the passwords are not encrypted, probably the biggest risk would be for a hacker to hit a bunch of financial sites with the bogleheads user names and passwords and see if they get any hits.

If the passwords are encrypted, it would not necessarily preclude the above, but makes it harder and likely not worth it.

While someone might be able to connect the dots on individual users based on posting data, I am not sure there would be enough value there to make it worthwhile.
Last edited by Kenkat on Thu Mar 09, 2017 8:41 pm, edited 1 time in total.
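
As an added illustration of the point Kenkat makes above (example code written for this page, not anything from the forum or its software), the script below stores the same constructed sample of user records three ways: as plaintext, as an unsalted SHA-1 digest, and as salted PBKDF2-SHA256 with a high iteration count. It then runs the offline dictionary attack an attacker would run against a leaked table. The usernames, passwords, wordlist and iteration count are all assumptions made for the demo; nothing here is a real account.

```python
import hashlib
import hmac
import os
import time

# Constructed sample of what a forum user table might hold. Not real accounts.
SAMPLE_USERS = {
    "mary_smith": "summer2015",
    "kenkat": "B0gl3h3@dz",
    "travelgeek": "x7!Qp9#vLm2&zR4t",  # password-manager style random string
}

# Constructed attacker wordlist. Real ones hold hundreds of millions of entries.
WORDLIST = ["password", "123456", "summer2015", "B0gl3h3@dz", "vanguard", "bogleheads"]

PBKDF2_ITERATIONS = 100_000  # assumption; tune to a measured per-login cost


def store_plaintext(pw: str) -> str:
    return pw


def store_sha1(pw: str) -> str:
    # Unsalted fast hash: identical passwords produce identical digests.
    return hashlib.sha1(pw.encode()).hexdigest()


def store_pbkdf2(pw: str) -> str:
    # Per-user random salt plus a deliberately slow key derivation.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(pw: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_dump(scheme):
    """The 'leaked table': username -> stored credential under one scheme."""
    return {u: scheme(p) for u, p in SAMPLE_USERS.items()}


def crack_dump(dump, scheme_name):
    """Offline dictionary attack. Returns ({user: recovered password}, hash operations spent)."""
    recovered, ops = {}, 0
    if scheme_name == "plaintext":
        return dict(dump), 0
    if scheme_name == "sha1":
        # No salt: hash each word once and look every user up in the result,
        # so the cost is O(wordlist) regardless of how many users leaked.
        table = {}
        for w in WORDLIST:
            table[store_sha1(w)] = w
            ops += 1
        for u, h in dump.items():
            if h in table:
                recovered[u] = table[h]
        return recovered, ops
    if scheme_name == "pbkdf2":
        # Salted: every (user, word) pair costs a full PBKDF2 run.
        for u, stored in dump.items():
            for w in WORDLIST:
                ops += 1
                if verify_pbkdf2(w, stored):
                    recovered[u] = w
                    break
        return recovered, ops
    raise ValueError(scheme_name)


def run_all():
    """Crack the same user set under each storage scheme; returns per-scheme results."""
    results = {}
    for name, scheme in [("plaintext", store_plaintext), ("sha1", store_sha1), ("pbkdf2", store_pbkdf2)]:
        dump = build_dump(scheme)
        t0 = time.perf_counter()
        recovered, ops = crack_dump(dump, name)
        results[name] = {
            "recovered": recovered,
            "hash_ops": ops,
            "seconds": round(time.perf_counter() - t0, 3),
        }
    return results


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:9s} recovered={sorted(r['recovered'])} ops={r['hash_ops']} t={r['seconds']}s")
```

Two things to take from running it: a weak password in the wordlist falls under every scheme, so hashing does nothing for the "same password at my bank" case; and a salt plus a slow KDF turns one pass over the wordlist into one pass per user with each guess costing a full derivation, which is what makes bulk cracking of a dump expensive. The random password is recovered only from the plaintext table.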

TomCat96
Posts: 419
Joined: Sun Oct 18, 2015 12:18 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by TomCat96 » Thu Mar 09, 2017 8:37 pm

randomizer wrote:I tend to worry about these things.

While most people post here pseudo-anonymously, others use their real names, and others still do a bit of both (i.e. they use a nickname on the forum, but they also have real-life meetings with other Bogleheads at conferences and local chapter meetings, where they are known by their real names).

Somebody illegitimately accessing the database would obtain a treasure trove of very sensitive information: combine a bit of guesswork to figure out people's real names, with knowledge of their email address, and in many cases vast detail about which banks they use, what and where their investments lie, anecdotal evidence of past and planned holidays, car/house purchases etc.

I worry about the nefarious uses to which this could be put, ranging from identity theft and fraud to things like doxing. I sure hope the forum software and server OS is kept up-to-date (I'm sure it is), but even with that, it's always possible that there could be an intrusion. Big companies with supposedly best-in-class security teams have fallen prey.

Anybody else have any thoughts on this?


This has got to be the worst possible waste of a hacker's time. What possible sensitive information would Bogleheads have?
Even if they obtained your real name, the banks you use, and the approximate value of your accounts, what purpose would that serve?

Suppose you knew the following:
Mary Smith is 35 years old. She has 500k in a Vanguard account.
She bought a 2015 Honda Civic last week for 25k. She lives in Hoboken, NJ.
She likes to travel. Her email is MarySmith@____.com

What could you do with that information? Do you have a way of obtaining her wealth?

Where you should be worried about are the institutions with actual information about you. I work for the govt and in the recent OPM hack, hackers now have everything there is about me: SSN, entire credit history, finger prints, the results of security clearance questioning, bank account numbers, etc. I believe around 2 million government workers had their information exposed including retirees.

Worrying that some random person will know you have a vanguard account after reading over years of your forum posts is just irrational worrying.

If you want to worry about something, worry about the numerous parties with actual sensitive information on you: every banking institution you've ever banked with, the credit card companies, every merchant you have ever used a credit card with, your HR department, every hospital you ever stayed at, every doctor you were treated by, every governmental institution you deal with: the DMV, your state tax department, the IRS.

Dieharder
Posts: 967
Joined: Mon Apr 02, 2007 6:22 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by Dieharder » Thu Mar 09, 2017 8:43 pm

Probably a safe bet that any information from this site is not worth more than the OPM database which was hacked. Since that is out there with whoever hacked it, what is there to worry :shock:

2comma
Posts: 1006
Joined: Thu Jul 15, 2010 11:37 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by 2comma » Thu Mar 09, 2017 8:57 pm

I feel that stress and unnecessary worry will probably shorten my life and make my limited time less enjoyable. If a situation arises I'll deal with it at the time.

I agree with those who felt any BH hackers would become very wise investors.
If I am stupid I will pay.

Tycoon
Posts: 1061
Joined: Wed Mar 28, 2012 7:06 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by Tycoon » Thu Mar 09, 2017 9:09 pm

Dieharder wrote:Probably a safe bet that any information from this site is not worth more than the OPM database which was hacked. Since that is out there with whoever hacked it, what is there to worry :shock:


I agree with this. The OPM database contained mine, my wife's, my children's, my parents', my in-laws', and my siblings' information. That was the database to steal to damage a person's life. :annoyed
...I might be just beginning | I might be near the end. Enya | | C'est la vie

Mudpuppy
Posts: 5342
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: What would happen if a hacker got a full database dump of the site?

Post by Mudpuppy » Thu Mar 09, 2017 11:37 pm

As others have said, hackers got more worrisome data from the OPM hack (and the Anthem hack, which was attributed to the same hacking group). As long as you use unique passwords here, not much to worry about.

pyld76
Posts: 131
Joined: Thu Feb 09, 2012 4:15 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by pyld76 » Thu Mar 09, 2017 11:42 pm

They are going to know how many financially savvy individuals use B0gl3h3@dz as their password, and be severely disappointed as a result.

TravelGeek
Posts: 1031
Joined: Sat Oct 25, 2014 3:23 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by TravelGeek » Fri Mar 10, 2017 1:34 am

celia wrote:Do you think we always talk about ourselves accurately?


Exactly. When I recently commented on my experiences with our Subaru, I really meant our Toyota.

The MacBook Pro I have is a Dell. The iPad a Samsung tablet. And my Vanguard account is really at Schwab. Or is it Fidelity?

Jokes aside, my password for this site is not used anywhere else. I actually have no idea what it is; it's in my password manager and rather cryptic. My username is not used anywhere else. The email address is for a non-essential account with a strong unique password. Whatever I write here is true, but it generally would probably not be enough to identify me if you didn't already know me well.

daveydoo
Posts: 858
Joined: Sun May 15, 2016 1:53 am

Re: What would happen if a hacker got a full database dump of the site?

Post by daveydoo » Fri Mar 10, 2017 2:01 am

Tycoon wrote: The OPM database contained mine, my wife's, my children's, my parent's, my in-law's, and my sibling's information.


Fingerprints. Don't forget the fingerprints, too.

The only conceivable use of BH data is for social engineering. "It's your grandson and I'm in trouble! You might need to sell the 1999 Lexus with over 200K mi and wire me the $3K!"

randomizer
Posts: 561
Joined: Sun Jul 06, 2014 3:46 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by randomizer » Fri Mar 10, 2017 2:06 am

daveydoo wrote:The only conceivable use of BH data is for social engineering. "It's your grandson and I'm in trouble! You might need to sell the 1999 Lexus with over 200K mi and wire me the $3K!"

It's precisely social engineering attacks that I am worried about. Once you have strong unique passwords and use two-factor authentication, it's the main attack vector that remains.

Consider this for an example of what hackers can do with a little bit of info and some tenacity: https://www.wired.com/2012/08/apple-ama ... n-hacking/

carolinaman
Posts: 2592
Joined: Wed Dec 28, 2011 9:56 am
Location: North Carolina

Re: What would happen if a hacker got a full database dump of the site?

Post by carolinaman » Fri Mar 10, 2017 7:50 am

One possible scenario would be to post as someone on the forum (using their password) and provide a link that would enable them to access the device of anyone that clicked on the link. This could potentially enable them to access financial accounts, contact email addresses and other sensitive information. They could use the email addresses to send messages with links that entice people to click on them. Since the hacked person is known to the recipients, some would probably click on the link and be hacked as well.

People post links on this site frequently, so a cleverly presented post would get plenty of clicks and resultant hacks.

Mudpuppy
Posts: 5342
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: What would happen if a hacker got a full database dump of the site?

Post by Mudpuppy » Fri Mar 10, 2017 10:50 am

randomizer wrote:
daveydoo wrote:The only conceivable use of BH data is for social engineering. "It's your grandson and I'm in trouble! You might need to sell the 1999 Lexus with over 200K mi and wire me the $3K!"

It's precisely social engineering attacks that I am worried about. Once you have strong unique passwords and use two-factor authentication, it's the main attack vector that remains.

Consider this for an example of what hackers can do with a little bit of info and some tenacity: https://www.wired.com/2012/08/apple-ama ... n-hacking/

Keep in mind that Mat Honan's hack did not involve financial institutions, which have more stringent authentication methods in place than "ask the last 4 digits of your credit card number" as confirmation. The issue with Mat's hack is that customer support went with "appease the customer", even when the social engineer could not answer existing security questions. Vanguard on the other hand is going to hand your account off to the fraud department and not answer you or the social engineer's calls until it's all sorted out.

The sort of information commonly used for secondary authentication is also not going to be handy in a dump of the Bogleheads database. We're not in the habit of posting the last four of our SSN, mother's maiden name, first pet's name, favorite sports team, and all the other simple "authentication" methods used by places like Amazon or Apple. Knowing that livesoft makes oatmeal with Dr. Pepper isn't going to get you into livesoft's financial accounts, even if you used a database dump to get livesoft's real name.

Nowizard
Posts: 1169
Joined: Tue Oct 23, 2007 5:33 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by Nowizard » Fri Mar 10, 2017 11:34 am

Someone did hack into the site at one point, obtaining my password. It was an easily guessed one since I thought it did not matter if someone had it. They posted inappropriate responses to questions of at least one poster which resulted in my being briefly banned from this site. A brief email to the moderator led to recognition that I had not posted the inflammatory responses. I was given my current password, and I think it highly unlikely that it would be figured out by anyone.

Tim

greg24
Posts: 2858
Joined: Tue Feb 20, 2007 10:34 am

Re: What would happen if a hacker got a full database dump of the site?

Post by greg24 » Fri Mar 10, 2017 1:47 pm

pyld76 wrote:They are going to know how many financially savvy individuals use B0gl3h3@dz as their password, and be severely disappointed as a result.


What are the odds! That is the password on my luggage.

TravelGeek
Posts: 1031
Joined: Sat Oct 25, 2014 3:23 pm

Re: What would happen if a hacker got a full database dump of the site?

Post by TravelGeek » Fri Mar 10, 2017 2:07 pm

Mudpuppy wrote:Vanguard on the other hand is going to hand your account off to the fraud department and not answer you or the social engineer's calls until it's all sorted out.


Let's hope they do. But that would be the same Vanguard that employs a representative who recently called me (unsolicited) from a number I did not recognize and started the conversation with

"Hi, I am John Smith from Vanguard. I would like to talk to you about your account with us, but before I can do that, I need to authenticate you. Can you please tell me the answer to <secret question>."

grabiner
Advisory Board
Posts: 20694
Joined: Tue Feb 20, 2007 11:58 pm
Location: Columbia, MD

Re: What would happen if a hacker got a full database dump of the site?

Post by grabiner » Fri Mar 10, 2017 9:08 pm

TravelGeek wrote:
Mudpuppy wrote:Vanguard on the other hand is going to hand your account off to the fraud department and not answer you or the social engineer's calls until it's all sorted out.


Let's hope they do. But that would be the same Vanguard that employs a representative who recently called me (unsolicited) from a number I did not recognize and started the conversation with

"Hi, I am John Smith from Vanguard. I would like to talk to you about your account with us, but before I can do that, I need to authenticate you. Can you please tell me the answer to <secret question>."


I had a similar incident, but not as egregious, possibly because I wasn't home when the call was made. The message on my machine said, "Hello, this is John Doe at Vanguard. I need to talk to you about your IRA contribution. Please call back at this number." This would have been reasonable, except that I couldn't associate the number with Vanguard; a phisher could have set up his own fake response line.

But in your situation, I would have called Vanguard security; your incident is serious enough that the Vanguard caller should be subject to disciplinary action.
David Grabiner

EyeDee
Posts: 1225
Joined: Tue Feb 20, 2007 12:15 am

Vanguard Verification Procedures

Post by EyeDee » Fri Mar 10, 2017 9:43 pm

Our experience has been that when Vanguard calls about something, before they will discuss things they attempt to verify our identity. Although it seems to be Vanguard's standard procedure, unless we are expecting the call or we can get them to discuss things without involving account information from us or them, we ask for name and extension and call back using a standard Vanguard phone number and then provide verification information.

Although Vanguard should probably change their procedures to provide a name and request a call back, disciplining someone for following what appears to be current company procedures does not seem appropriate.

grabiner wrote:
TravelGeek wrote:
Mudpuppy wrote:Vanguard on the other hand is going to hand your account off to the fraud department and not answer you or the social engineer's calls until it's all sorted out.


Let's hope they do. But that would be the same Vanguard that employs a representative who recently called me (unsolicited) from a number I did not recognize and started the conversation with

"Hi, I am John Smith from Vanguard. I would like to talk to you about your account with us, but before I can do that, I need to authenticate you. Can you please tell me the answer to <secret question>."


I had a similar incident, but not as egregious, possibly because I wasn't home when the call was made. The message on my machine said, "Hello, this is John Doe at Vanguard. I need to talk to you about your IRA contribution. Please call back at this number." This would have been reasonable, except that I couldn't associate the number with Vanguard; a phisher could have set up his own fake response line.

But in your situation, I would have called Vanguard security; your incident is serious enough that the Vanguard caller should be subject to disciplinary action.
Randy

Mudpuppy
Posts: 5342
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: What would happen if a hacker got a full database dump of the site?

Post by Mudpuppy » Fri Mar 10, 2017 10:03 pm

TravelGeek wrote:
Mudpuppy wrote:Vanguard on the other hand is going to hand your account off to the fraud department and not answer you or the social engineer's calls until it's all sorted out.


Let's hope they do. But that would be the same Vanguard that employs a representative who recently called me (unsolicited) from a number I did not recognize and started the conversation with

"Hi, I am John Smith from Vanguard. I would like to talk to you about your account with us, but before I can do that, I need to authenticate you. Can you please tell me the answer to <secret question>."

I personally do not like this practice because that makes you vulnerable to social engineering (someone calling you up claiming to be Vanguard). Such situations could be more safely handled by leaving a message to call back xyz employee or department at a specific extension. Then you could look up the main Vanguard number and get back in contact with them if it is a legitimate call (and in fact, Vanguard reps are fine if you request their name and extension to do this).

However, the original scenario (Mat Honan's hack) is more applicable to the question of whether Vanguard call reps are vulnerable to social engineering (someone calling Vanguard up claiming to be you). And there have been several prior threads that document Vanguard's standard response to a potential fraud situation: tell nothing over the phone until the fraud department clears the matter up.

Mudpuppy
Posts: 5342
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: What would happen if a hacker got a full database dump of the site?

Post by Mudpuppy » Fri Mar 10, 2017 10:05 pm

Nowizard wrote:Someone did hack into the site at one point, obtaining my password. It was an easily guessed one since I thought it did not matter if someone had it. They posted inappropriate responses to questions of at least one poster which resulted in my being briefly banned from this site. A brief email to the moderator led to recognition that I had not posted the inflammatory responses. I was given my current password, and I think it highly unlikely that it would be figured out by anyone.

That was not a hack of the Bogleheads database. That was a "guessing" attack where they guessed passwords until they got a hit or gave up. Several posters with easily guessed passwords were affected, but those with reasonably random passwords were not affected.

VictoriaF
Posts: 17407
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: What would happen if a hacker got a full database dump of the site?

Post by VictoriaF » Sat Mar 11, 2017 2:03 pm

Mudpuppy wrote:That was not a hack of the Bogleheads database. That was a "guessing" attack where they guessed passwords until they got a hit or gave up. Several posters with easily guessed passwords were affected, but those with reasonably random passwords were not affected.


Hi Mudpuppy,

I always appreciate your insights. Thanks!

Do you know if the Bogleheads site times out after a number of unsuccessful login attempts? I have never tried it.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
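
Whether the forum itself locks accounts after repeated failures is not answered on this page. As a general illustration of what such a control looks like, and of why it matters for the guessing attack Mudpuppy describes a few posts up, here is an added example written for this page (not the forum's code). It keeps a sliding window of failed logins per account and per source IP and refuses further attempts for a cooldown once a threshold is hit. The thresholds, window, lockout period, user records and attacker wordlist are all assumptions constructed for the demo.

```python
import time
from collections import deque

MAX_FAILURES = 5       # assumption: failures allowed inside the window
WINDOW_SECONDS = 600   # assumption: 10-minute sliding window
LOCKOUT_SECONDS = 900  # assumption: 15-minute cooldown once the threshold is hit


class FakeClock:
    """Deterministic stand-in for time.monotonic so the demo and tests are repeatable."""
    def __init__(self, start=1000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}      # key -> deque of failure timestamps inside the window
        self.locked_until = {}  # key -> clock value at which the lock expires

    def _window(self, key, now):
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def is_locked(self, key):
        return self.clock() < self.locked_until.get(key, 0)

    def record_failure(self, key):
        now = self.clock()
        q = self._window(key, now)
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            q.clear()

    def record_success(self, key):
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


# Constructed credential store; the passwords exist only for this demo.
USERS = {"nowizard": "letmein", "victoriaf": "Qz8#mPv2!rL5"}

# Constructed attacker wordlist; the weak password sits at position 6.
ATTACKER_WORDLIST = ["password", "123456", "qwerty", "bogleheads", "vanguard", "letmein", "summer"]


def attempt_login(username, password, ip, throttle=None):
    """Returns 'ok', 'bad' or 'locked'. Lock state is checked per account and per IP."""
    acct_key = f"acct:{username.lower()}"
    ip_key = f"ip:{ip}"
    if throttle and (throttle.is_locked(acct_key) or throttle.is_locked(ip_key)):
        return "locked"  # refuse before checking the password at all
    if USERS.get(username.lower()) == password:  # demo only; real code verifies a slow hash
        if throttle:
            throttle.record_success(acct_key)
        return "ok"
    if throttle:
        throttle.record_failure(acct_key)
        throttle.record_failure(ip_key)
    return "bad"


def simulate_guessing(wordlist, username, ip="203.0.113.7", throttled=True):
    """Run a wordlist against one account one second apart.
    Returns (outcome per guess, number of guesses the server actually checked)."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock) if throttled else None
    outcomes, checked = [], 0
    for word in wordlist:
        result = attempt_login(username, word, ip, throttle)
        outcomes.append(result)
        if result != "locked":
            checked += 1
        clock.advance(1)
    return outcomes, checked


if __name__ == "__main__":
    print("throttled:  ", simulate_guessing(ATTACKER_WORDLIST, "nowizard"))
    print("unthrottled:", simulate_guessing(ATTACKER_WORDLIST, "nowizard", throttled=False))
```

With throttling the attacker gets five guesses and the weak password is never tested; without it the sixth guess logs in. The flip side is that an account lock is also a denial-of-service lever against the legitimate user, which is why production systems usually combine a per-IP limit with a CAPTCHA or increasing delay rather than relying on an account lock alone.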
