Session purge

Posted: Fri Feb 24, 2017 4:18 pm
by Valerion
Cloudflare has reached out to me to inform us of a recently-discovered issue, detailed here, for the technically inclined. They also let me know that a search through search engines has not shown any issues with the domains I am hosting with them, including this one, so no need to worry. I consider any risks this poses to the forum minimal.

However, due to my own paranoia, I have invalidated all stored sessions, in case one got compromised and is used to log into the forum. If this doesn't work for you, you can also manually log out and back in to obtain a new session. Also, I have changed my own password for the forum, and suggest you do the same. In any case, even in the absence of security issues, it is good practice to regularly change your passwords.

Re: Session purge

Posted: Mon Feb 27, 2017 2:41 pm
by Leeward
A global forced password reset may have achieved something, but a session purge fixes absolutely nothing that has to do with what went wrong with CloudFlare.

https://www.forbes.com/sites/thomasbrew ... 52b63a3ca3

Re: Session purge

Posted: Tue Feb 28, 2017 8:15 pm
by Valerion
Leeward wrote: A global forced password reset may have achieved something, but a session purge fixes absolutely nothing that has to do with what went wrong with CloudFlare.

https://www.forbes.com/sites/thomasbrew ... 52b63a3ca3
A global forced password change will cause havoc with the user community, as there are enough login issues as it is now. In our case a session purge may actually be useful. The forum has sessions with a long validity, and the vulnerable period only covers Sept - early February. If you did not use your password during this period, then the only compromised authentication information could possibly be your session ID (which is now dead). Also, inactive users (since September) are not at risk, and doing a forced password change may very well lock them out of their accounts.

I did consider a forced password change, but instead opted (for the moment) for the notice instead.

That said, I still strongly recommend that everyone change their passwords, sooner rather than later. Do not take a risk.
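The post above argues a triage rule: a session purge kills any session cookie that may have leaked, while a password reset is only needed for accounts whose password was actually sent (a password login) during the exposure window, and accounts inactive for the whole window have nothing to reset. The following is an added example written for this page, not code from the forum or its software. It models that rule over constructed login history and shows an epoch-based session purge that invalidates every outstanding session at once. The window bounds (2016-09-22 to 2017-02-18), the event kinds and the sample accounts are assumptions for the example.

```python
"""Post-leak triage: session purge vs password reset (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import secrets

UTC = timezone.utc

# Assumed bounds of the exposure window for this example; the thread only
# says "Sept - early February", so the exact dates are an assumption here.
WINDOW_START = datetime(2016, 9, 22, tzinfo=UTC)
WINDOW_END = datetime(2017, 2, 18, tzinfo=UTC)


@dataclass
class Event:
    when: datetime
    kind: str  # "password_login" (password sent) or "session_resume" (cookie only)


@dataclass
class SessionStore:
    """Every session is stamped with the store-wide epoch at issue time.
    Bumping the epoch invalidates all outstanding sessions in one step,
    without deleting rows or touching each user individually."""
    epoch: int = 1
    sessions: dict = field(default_factory=dict)  # sid -> (user, epoch)

    def issue(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256-bit random session id
        self.sessions[sid] = (user, self.epoch)
        return sid

    def is_valid(self, sid: str) -> bool:
        rec = self.sessions.get(sid)
        return rec is not None and rec[1] == self.epoch

    def purge_all(self) -> None:
        self.epoch += 1  # every previously issued session now fails is_valid()


def classify(events, start=WINDOW_START, end=WINDOW_END) -> str:
    """Apply the post's rule to one account's activity history."""
    in_window = [e for e in events if start <= e.when <= end]
    if any(e.kind == "password_login" for e in in_window):
        # The password itself crossed the edge during the window.
        return "password_reset_recommended"
    if in_window:
        # Only a session cookie was transmitted; the purge covers it.
        return "covered_by_session_purge"
    # No traffic for this account during the window.
    return "not_exposed"


def triage(accounts, start=WINDOW_START, end=WINDOW_END) -> dict:
    return {user: classify(evs, start, end) for user, evs in accounts.items()}


# Constructed sample data: three accounts with different activity patterns.
SAMPLE_ACCOUNTS = {
    "alice": [Event(datetime(2016, 11, 3, tzinfo=UTC), "password_login")],
    "bob": [Event(datetime(2016, 8, 1, tzinfo=UTC), "password_login"),
            Event(datetime(2017, 1, 10, tzinfo=UTC), "session_resume")],
    "carol": [Event(datetime(2016, 6, 15, tzinfo=UTC), "session_resume")],
}

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {verdict}")
    store = SessionStore()
    old = store.issue("bob")
    store.purge_all()
    print("bob's pre-purge session still valid?", store.is_valid(old))
```

The epoch approach is what "invalidate all stored sessions" usually means in practice: a global purge needs no per-user action, and the next login simply issues a session under the new epoch. The classification only holds if the session cookie is the sole long-lived credential; any other persistent token (for example a "remember me" cookie) has to be rotated in the same purge for the "covered_by_session_purge" verdict to be accurate.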