USPSA passwords database has been hacked

[gose]

I use pwnedlist. I actually got an alert on the USPSA hack from pwnedlist BEFORE USPSA decided to alert users.

I read about it on Facebook before I got anything from USPSA

[retarmyaviator]

The USPSA membership roster would be a big score for anti-gun activists.

Try having an FFL, ATF broadcasts your name and address to the world.

Edited December 2, 2014 by retarmyaviator

[rk272]

I use pwnedlist. I actually got an alert on the USPSA hack from pwnedlist BEFORE USPSA decided to alert users.

I signed up on pwnedlist yesterday and it reported 2 data leaks on my email from the USPSA database one on 11/26 and better yet one YESTERDAY 12/1/2014

Edited December 2, 2014 by rk272

[NewColonial]

I got the second notice as well. It's the same data (same old password) so my guess is the list has been posted somewhere else.

[Jadeslade]

I signed up with pwnedlist today and got nothing about anything for my emails. Am I doing something wrong? I never got a chance to see if my email was on that original dump.

[D.Hayden]

How long it is taking to get the password reset email from USPSA?

the site says up to 48 hours?

[BritinUSA]

I have not received any emails and I've been trying since the notice was sent out.

[jhguns]

I have not received any emails and I've been trying since the notice was sent out.

Same here

Sent from my iPhone using Tapatalk

[Round_Gun_Shooter]

I have not received any emails and I've been trying since the notice was sent out.

I too have been trying since day 1. I couldn't sleep last night (not unusual) and tried it at 0300 and it went right through. Password changed............. Finally.

[pkm]

When I requested a password reset they just told me to use the default pin when I signed up that is located on your frontsite magazine. That being said I have yet to be able to actually change my password on the site, it says my profile is updated but the only thing I can use to login is my PIN.

[NewColonial]

More great USPSA "security": Log into your account with your USPSA # and pin, both printed in clear view on the cover of the magazine for anyone to see.

Edited December 2, 2014 by NewColonial

[pkm]

Its not like the website is an integral part of USPSA or anything.

[CHA-LEE]

This kind of crap is expected when USPSA HQ is leveraging "Volunteers" to do this stuff. Just like anything else in this world, you get what you pay for. If someones head does not roll for this blatant screw up then we really know how screwed up USPSA HQ is.

[BritinUSA]

Its not like the website is an integral part of USPSA or anything.

Back when it was setup it probably wasn't an integral part but now it is and it should be handled by professionals who can support it 24x7. The design and support of the web-site should be outsourced to a credible web-design company.

[pkm]

Sorry Paul I forgot to use the sarcasm font.

Don't forget to add regular security testing as well, their notion that the payments were impacted because they were handled by a third party is also probably bullshit, but it is quite obvious by the SQL error messages that users have received since the site was "fixed" that they didn't fix anything.

A breach is one thing but to store passwords in the clear is just plain incompetence.

[BritinUSA]

We do security audits every 3 months at work, its a pain but it has to be done. Every organization makes mistakes, and every mistake should be cause to re-examine everything related to that mistake.

USPSA needs to undergo some analysis of everything that is being done and identify all problems and all potential problems and fix them. I think there is too much "if its not broken don't fix it" attitude; Stuff may not necessarily be broken but everything can be improved and I think that determination should be based on risk/reward/cost factors.

[pkm]

Agree, and as someone who does this day in and day out for a living it really irks me. Hey Paul, maybe you should run for President

[Richc2048]

I like how I am still getting deals on steel targets shared on their facebook. I can't believe they are still posting pictures and stuff like everything is normal. I would think they would want to be in the dark for a little while. At least until everything is fixed, classifiers from early November are entered, etc...

[Adam B]

for those of you that reset your password before 12/1, per pwnedlist.com, the site was compromised again on 12/1

[NewColonial]

I do not believe that was a new compromise, but a reposting of the same data somewhere else. The 12/1 post on pwnedlist shows the old password. If it was a new hack, my changed password would be listed on pwnedlist.

[D.Hayden]

Does it say somewhere on pwnedlist what site was compromised?

[Adam B]

it may have been a re post of the data, in my report it states uspsa.org credentials leaked 1/26 and 12/1

[bgary]

More info, hot off the press....

http://uspsa.org/uspsa-announcements-details.php?USPSA-Board-Addresses-Website-Issues-191

[outerlimits]

bruce-

even though no other info was compromised, once the id and passwords were available, one could access confidential info such as home address, etc by merely logging in. has your IT guru looked at how many records and which ones were accessed after the breach?

[ron169]

Just read the pdf /bulletin that USPSA released. That is the most transparent I've ever seen them be