CloudBleed HTTPS traffic leak

If you were using DNS services only, from what I read you would not be affected by this even with malformed HTML, since it wasn't being run through the problematic code on their end.
That's correct.

I don't trust them with my data.
And the other thing is that it is an American company and I would like to keep my data in the EU so they can't request the data under whatever law it may be.
 
Has anyone found an efficient way of resetting the password of all users?

It's something I'd like to do as a precaution in the interest of forum users. At the very least, it's peace of mind for everyone.

Doesn't seem to be an easy way to do it.

Did you find a good solution @Lucas Nicodemus ?
 
@System0 There are some topics about it in the forums. You can try the query posted here for example: https://xenforo.com/community/resources/password-reset-query.368/. I'm guessing you'll only need to replace WHERE user_id = 1 with WHERE 1 = 1 or remove that line altogether (don't know, not an expert in SQL/database). Basically it'll set all users' passwords to an un-guessable one; afterwards users will have to use the lost password feature.
 
Thanks for the quick reply Bobby.

I'm not an expert on SQL either (been a long time since I did it at uni).

Anyone know how to tweak that code so that all passwords are reset?

If I can do that, all I need to do is send an email out to members explaining the issue afterwards.
 
Tested it on a random localhost database table that I found available. Replacing WHERE user_id = 1 with WHERE 1 = 1 works since it'll make the query run on all entries (since 1 = 1 is always true or something, I guess?).
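
The scoping difference discussed in the posts above (one user versus every row), as an added example that is not from this thread or from the linked resource. The table and column names are hypothetical and are not XenForo's schema; the rows are constructed sample data.

```python
import secrets
import sqlite3

def make_sample_db():
    """Build an in-memory table with constructed rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_auth (user_id INTEGER PRIMARY KEY, scheme TEXT, data TEXT)")
    conn.executemany(
        "INSERT INTO user_auth VALUES (?, ?, ?)",
        [(1, "bcrypt", "hash-for-admin"), (2, "bcrypt", "hash-for-alice"), (3, "bcrypt", "hash-for-bob")],
    )
    conn.commit()
    return conn

def invalidate_passwords(conn, user_id=None):
    """Overwrite stored credentials with random, unusable values.

    user_id=None targets every row (the 'WHERE 1 = 1' / no WHERE case);
    otherwise only that user is touched. Returns the number of rows changed.
    """
    if user_id is None:
        rows = conn.execute("SELECT user_id FROM user_auth").fetchall()
    else:
        rows = conn.execute("SELECT user_id FROM user_auth WHERE user_id = ?", (user_id,)).fetchall()
    changed = 0
    with conn:  # one transaction: every targeted row is reset, or none is
        for (uid,) in rows:
            junk = "!" + secrets.token_hex(32)  # per-user random value, not a valid hash
            cur = conn.execute(
                "UPDATE user_auth SET scheme = 'invalidated', data = ? WHERE user_id = ?",
                (junk, uid),
            )
            changed += cur.rowcount
    return changed

def still_valid(conn):
    """User ids whose old credential would still be accepted."""
    query = "SELECT user_id FROM user_auth WHERE scheme != 'invalidated' ORDER BY user_id"
    return [row[0] for row in conn.execute(query)]

if __name__ == "__main__":
    db = make_sample_db()
    print(invalidate_passwords(db, user_id=1), still_valid(db))
    print(invalidate_passwords(db), still_valid(db))
```

Checking the affected-row count and the list of still-valid accounts after the run confirms the reset covered every user before the notification email goes out.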
 
@System0 my requirements were for password reset emails to be sent, and none of the addons I wanted did that. DragonByte security came close but broke down midway through and they ignored my support ticket.
 
What did you end up doing in the end?

A lot of SQL queries to manually invalidate passwords, disable accounts, and emailing all users to manually reset their passwords. Between the combination of actions I tried prior, I'd already forced all users to the password change screen -- I just had to invalidate them manually and then send another email to the forgot password page.

I had actually hoped that someone from XenForo would have replied to this topic or at least provided some guidance in the interim, but I guess I was wrong to hope that.
 
It's the first time I've seen this, probably because it is in the Forum Management off-topic section of Xenforo.com - so has anyone actually brought it to the attention of @Kier @Mike or @Chris D to ask if we should take any action? (Hint: They have now!)

Cheers,
Shaun :D
 
With shameless self promotion: https://xenforo.com/community/resources/batch-password-invalidate-and-reset.3935/

If your site's data was compromised, or there was a possibility of it being compromised, Cloudflare would have sent you a direct email (different from the circular they sent to all customers).
 
We have no specific recommendations beyond the advice Cloudflare would have given you when they contacted all of their customers.
 