USAC security breach

Reply Subscribe

Thread Tools

Search this Thread

03-18-16, 09:21 PM

Fingolfin

Member

Thread Starter

Join Date: Feb 2014

Location: NV

Posts: 32

Bikes: Dover (TCR Adv 1)

Mentioned: 0 Post(s)

Tagged: 0 Thread(s)

Quoted: 3 Post(s)

Likes: 0

Liked 0 Times in 0 Posts

USAC security breach

FYI, if you reuse similar e-mail address and passwords with your USAC account strongly consider changing the passwords on those accounts. You should assume that whatever password you had for the USAC website is known, and any password you use that is a minor (<4 character difference) is compromised.

03-18-16, 11:19 PM

UmneyDurak

RacingBear

Join Date: Dec 2004

Location: NorCal

Posts: 9,053

Mentioned: 2 Post(s)

Tagged: 0 Thread(s)

Quoted: 280 Post(s)

Likes: 3

Liked 68 Times in 36 Posts

The level of incompetence is truly mind boggling.

03-19-16, 08:22 AM

mmmdonuts

Gluteus Enormus

Join Date: Dec 2007

Location: Raleigh, NC

Posts: 2,245

Bikes: Yes

Mentioned: 0 Post(s)

Tagged: 0 Thread(s)

Quoted: 1 Post(s)

Likes: 0

Liked 0 Times in 0 Posts

Well, in my experience they've done a better job of notifying users than most other companies getting hit with a breach. I have to give them points for that. I can't even remember the last time I used my USAC account.

03-19-16, 08:29 AM

Doge

Senior Member

Join Date: Jan 2014

Location: Southern California, USA

Posts: 10,474

Bikes: 1979 Raleigh Team 753

Mentioned: 153 Post(s)

Tagged: 0 Thread(s)

Quoted: 3374 Post(s)

Likes: 123

Liked 371 Times in 253 Posts

I'm wondering if race results and rider categories will be changed?

03-19-16, 09:59 AM

Fingolfin

Member

Thread Starter

Join Date: Feb 2014

Location: NV

Posts: 32

Bikes: Dover (TCR Adv 1)

Mentioned: 0 Post(s)

Tagged: 0 Thread(s)

Quoted: 3 Post(s)

Likes: 0

Liked 0 Times in 0 Posts

Quote:

Originally Posted by mmmdonuts

Very true, and they deserve some kudos for notifying everyone. However, my impression from previously using their password recovery system is that user passwords were stored in plaintext. As such, whoever broke into the site can easily use those passwords to attempt access on other sites (email, Facebook, banking, etc.).

03-19-16, 11:31 PM

mattm

**** that

Join Date: Dec 2006

Location: CALI

Posts: 15,402

Mentioned: 151 Post(s)

Tagged: 0 Thread(s)

Quoted: 1099 Post(s)

Likes: 173

Liked 104 Times in 30 Posts

For some reason this actually doesn't bother me that much.

Unless someone downgrades me, then I'll be pissed!

__________________
cat 1.

my race videos

03-20-16, 02:13 AM

carpediemracing

Senior Member

Join Date: Feb 2007

Location: Tariffville, CT

Posts: 15,405

Bikes: Tsunami road bikes, Dolan DF4 track

Mentioned: 36 Post(s)

Tagged: 0 Thread(s)

Quoted: 385 Post(s)

Likes: 73

Liked 180 Times in 102 Posts

I couldn't remember which password I used so I've been changing passwords wholesale. Ugh.

__________________
"...during the Lance years, being fit became the No. 1 thing. Totally the only thing. It’s a big part of what we do, but fitness is not the only thing. There’s skills, there’s tactics … there’s all kinds of stuff..." Tim Johnson

03-20-16, 03:09 PM

Doge

Senior Member

Join Date: Jan 2014

Location: Southern California, USA

Posts: 10,474

Bikes: 1979 Raleigh Team 753

Mentioned: 153 Post(s)

Tagged: 0 Thread(s)

Quoted: 3374 Post(s)

Likes: 123

Liked 371 Times in 253 Posts

I sent an email.

"To: Help Group - Public
Subject: Thank you for announcing

Kudos to you for not hiding this.

Cheers,"

They sent a reply. As much as things they do annoy me, I sympathize with them on this.

03-21-16, 08:51 AM

Psimet2001

I eat carbide.

Join Date: Jan 2006

Location: Elgin, IL

Posts: 21,627

Bikes: Lots. Van Dessel and Squid Dealer

Mentioned: 25 Post(s)

Tagged: 0 Thread(s)

Quoted: 1325 Post(s)

Likes: 454

Liked 1,306 Times in 560 Posts

My data has been compromised already by much larger companies than this. Part of society now. Meh.

__________________

PSIMET Wheels, PSIMET Racing, PSIMET Neutral Race Support, and 11 Jackson Coffee
Podcast - YouTube Channel
Video about PSIMET Wheels

03-22-16, 09:42 PM

#10

spectastic

commu*ist spy

Join Date: Aug 2012

Location: oregon

Posts: 4,459

Mentioned: 17 Post(s)

Tagged: 0 Thread(s)

Quoted: 653 Post(s)

Likes: 2

Liked 5 Times in 5 Posts

what would be the incentive to hack into usac? get people's credit card information or something?

03-22-16, 09:49 PM

#11

spdntrxi

Senior Member

Join Date: Oct 2013

Location: East Bay Area ,CA

Posts: 1,762

Bikes: not enough

Mentioned: 2 Post(s)

Tagged: 0 Thread(s)

Quoted: 189 Post(s)

Likes: 28

Liked 86 Times in 52 Posts

Quote:

Originally Posted by spectastic

what would be the incentive to hack into usac? get people's credit card information or something?

racing age doping ?

03-22-16, 10:19 PM

#12

spectastic

commu*ist spy

Join Date: Aug 2012

Location: oregon

Posts: 4,459

Mentioned: 17 Post(s)

Tagged: 0 Thread(s)

Quoted: 653 Post(s)

Likes: 2

Liked 5 Times in 5 Posts

also, is it true that most legit websites use some 1 way encryption to hide your password such that hackers can't see it even if they could access it? the rule of thumb is when you do the "forgot password" routine, if they send you a link to reset it, then your password is encrypted. If they send you your existing password, then that's a sign that they don't do anything to protect it. I think usac does the former. but I don't know how safe/unsafe all of this really is....

03-22-16, 11:14 PM

#13

jsk

Senior Member

Join Date: Aug 2012

Location: Houston

Posts: 606

Bikes: Trek Madone, Blue Triad SL, Dixie Flyer BTB

Mentioned: 8 Post(s)

Tagged: 0 Thread(s)

Quoted: 160 Post(s)

Likes: 1

Liked 0 Times in 0 Posts

Quote:

Originally Posted by spectastic

Sites shouldn't store your password at all, they should store a hash that can be used to validate your password when you provide it during authentication. The stored hash cannot be used to "reverse engineer" your password, so even if the site is hacked they can't retrieve your password. Any site that stores your password, and then emails it back to you as part of the "forgot password" routine, is run by idiots and you shouldn't do business with them if you can avoid it (and you sure as hell shouldn't give such a business personal info such as a credit card # or SSN).