Your mama may have had eyes in the back of her head, but our admin team just can't see everything at once. It takes a village to make sure TVTropes is running the way it should, so when it comes to spotting tech snafus, dreaming up a better digital mousetrap, or just diagnosing plain old asshattery, the quicker you let us know something's up, the quicker we can address it. See a bug? Point to it and we'll squash it. Have idea for a new feature? Post in the Tech Wishlist.
NOTE: Do not post duplicate bug queries, please check existing queries to see if your issue has already been reported and then comment on it.
How do I change my password?
Join the Five-Man Band cleanup project!
Is there a mod here?
Join the Five-Man Band cleanup project!
I'm not sure if any mods are currently on, but to change your password you click on your picture in the upper-right, then go to your Profile. To the right of your email address you will see the link to Change Password.
I still want a mod to verify that this has happened. Who was the leaker?
Edited by Lymantria Join the Five-Man Band cleanup project!
I changed my password.
Join the Five-Man Band cleanup project!
I changed my password too. Thanks for letting us know about this.
Password changed, thanks.
Currently Working On: Incorruptible Pure Pureness
@Lymatria I don't have enough evidence to tell if it was leaked or stolen, just that a password that could only have come from this site's database showed up in scam emails.
Still haven't heard from any of the Mods or Admins.
Did you use this password on TV Tropes back in ye olden days before they switched from "having your password unencrypted on a cookie" to "handling them seriously"?
That's what encouraged me to use unique passwords in the first place.
Edited by Medinoc "And as long as a sack of shit is not a good thing to be, chivalry will never die."
It's an opportune time to change an 8 year old password of mine. Darn my naivete for thinking that I'd be safe on this wiki and that I was lazy for changing my password for 8 years. I'm thankful that I haven't used the "Sign In with Facebook" feature because I had no idea, and still have no idea, what it's all about. Thanks for this info.
If I'm going to dig deeper on this, is this why there were so many sock votes on the TLP?
Edited by alnair20aug93 ᜇᜎᜈ᜔ᜇᜈ᜔|I DO COMMISSIONS|ᜇᜎᜈ᜔ᜇᜈ᜔
Probably not, I haven't seen evidence the passwords have been used to attempt to log in here - or anywhere for that matter. More than likely they were first used to try to break into other sites on the theory that people re-use passwords, then sold to scam emailers.
Also, 5 days and counting with no Mod or Admin response. 35 days if you count the month I gave them before I went public.
Late reply, but this what what one of the mods told me
. They told me that the leaked passwords came from the time the site moved to encryption, and that the site is "low risk ". Though you ought to address that on the link I had provided.
Fighteer also had that spam, but he said that it wasn't his password.
Also, not sure about other people; I had a previous password that I had been using for more than 7 years, but not once was there spam mail about my password. Curiouser and curiouser.
Edited by alnair20aug93 ᜇᜎᜈ᜔ᜇᜈ᜔|I DO COMMISSIONS|ᜇᜎᜈ᜔ᜇᜈ᜔
The password in the spam could be anything. The issue here is that the password in this particular spam was my unique password only used here on the TV Tropes site.
If they were EVER leaked, for ANY reason, the admins should have immediately notified the community to change their passwords via email, or a site banner, or some other method - just like any other website or service that has had a leak.
And as a particularly painful note, the mods/devs/admins STILL haven't replied here or to me via email...
The admins ought to take alert on this. I know that this is a low-risk site, and perhaps they don't want us to panic, but alerting the userbase should be a precautionary measure. We do not want another Google Incident, this time regarding privacy issues, don't we?
Not sure if you could also contact them on this thread.
I dunno how active the Bugs part of things is re: mod involvement. Ask the Tropers seems more active, as does that thread.
The Protomen enhanced my life.
Weird, I can't seem to post/reply there. If either of you can, would you please note that they should look at this post? Mind you, I also emailed them via the Contact Us form, and got no response that way either.
You have to go to the final page of a thread to be able to reply.
The Protomen enhanced my life.
^^ What lalalei said. You have to address this at Ask The Tropers. This thread is mainly for reporting bugs, and the password breach you're addressing is more than just a bug.
Edited by alnair20aug93 ᜇᜎᜈ᜔ᜇᜈ᜔|I DO COMMISSIONS|ᜇᜎᜈ᜔ᜇᜈ᜔
"I cite the fact that a unique password I used only for this one site alone started showing up in scam emails as proof."
What are the chances that it's just "lucky guess"?
We can never truly eradicate the coronavirus, but we can suppress its threat like influenza
Not impossible, but highly improbable. Like I said, I can't confirm it with just one point of evidence, but the probability of a database breach is high based on that evidence.
so... over 3 months out and still no official reply? That's just disgraceful. Even if you're wrong about this being a complete breach, they should at least have replied by now publicly to reassure everyone on the matter. The fact they haven't makes me think this site might be dying or that they just don't give a damn about security... Shamefur Dispray!
Regardless of the apparent negligence, I'm not inclined to be one of the statistics and have changed my password. It was a really old password any way that was leaked in another breach I know of, and I simply hadn't considered this site important enough to go out of my way (it was used on A LOT of sites so making all those updates was exhausting. Lesson learned!) to update it here.
Edited by macks2010 Christian, gamer, programmer, brony, and quadriplegic (paralyzed mid-thorax down). I am filled with determination...
As it has been 31 days since I notified the administrators of this via a Private posting on this forum, I now have to go public with the details to defend users. TV Tropes.org has had its password database exfiltrated, and passwords decrypted. I cite the fact that a unique password I used only for this one site alone started showing up in scam emails as proof. That password (which I have since changed) is not used for any other site or logon, it could only have been obtained from the password database of TV Tropes.
I suggest all users change their passwords here, and on any other site they have used the same password for. I would also like to note that I'm truly dismayed that after posting in this form to the Mods only, and emailing the Contact Us address, not one person at TV Tropes has responded to my disclosure. I can only hope that my going public after an industry-accepted 30 day waiting period will spur them into action to protect their users.
Write up is here: https://www.miketalon.com/2019/07/tvtropes-had-a-breach-passwords-stolen/