It has come to our attention that TechRadar's user registration database has been compromised. User details including username, email address, date of birth and encrypted passwords have been stolen in the process.
Our IT team has identified the cause of the problem and has taken action to rectify it. The forums have been closed and will remain closed until we are satisfied there are no further issues and the forum can be safely restored to service.
In the meantime, although passwords are encrypted, we are contacting all registered users of the site and the forums today to let them know that if they use their TechRadar password on other websites, we strongly advise them to change those passwords immediately.
We will contact registered users shortly with instructions on how to update their password details for the site.
TechRadar takes the security of its registered users extremely seriously and we apologise for any inconvenience caused.
TechRadar includes a number of old Future Publishing computing magazine forums that were migrated onto the TechRadar forum software a while ago, so if you have received the TechRadar Support alert email, it will be because you have an account with us, whether current or unused. So do please follow the advice outlined in the email and above.
Our user registration database was compromised. User details including username, email address, encrypted passwords and, in some cases, date-of-birth have been stolen in the process. We are not aware of any misuse of this data.
How was the attack discovered and when did it take place?
The attack was initially discovered on Friday 22 June, during a routine update of the site. Following further work over the weekend, the data leak was discovered on Monday 25 June. From our investigation it would appear that the initial hack took place on 7 May 2012 through our forum.
How were the passwords encrypted?
Without giving any inappropriate information to the attacker, we can confirm that the passwords in the stolen data were encrypted using two rounds of an industry-standard algorithm, which was salted.
What actions have you taken to resolve the problem?
We immediately shut down TechRadar's forum and registration process while investigating the nature and extent of the breach. We have reconfigured our security protocols, adding extra security measures in light of our understanding of the attack methodology. We have contacted all registered users to inform them of the situation and we have posted a statement on the TechRadar site. We take the security of our users' data very seriously.
Who did this and what remedial action are we taking against them?
Work continues to trace the attacker. We have informed the Information Commissioner's Office in line with our obligations.
What details have been taken and how could this affect TechRadar's users?
The user details taken are: username, email address, encrypted passwords and, in some cases, date-of-birth. No further data was recorded.
Although the passwords were encrypted, if users use their TechRadar password on any other websites, we strongly advise them to change those passwords immediately. We are not aware of any use of this data.
If I have connected my TechRadar account to my Facebook account in the past, does this mean I need to change my Facebook password?
Connecting TechRadar to Facebook does not share any password details between the sites. There is no exposure of your Facebook password.
What are the next steps for users of TechRadar?
Users have been strongly advised that if they use their TechRadar password on any other websites, they should change those passwords immediately.
The registration and login system is currently shut down, but when it is restored to service, TechRadar will also be contacting users with instructions on how to update their passwords on the TechRadar website. We have also set up an email address for anyone who may be concerned – firstname.lastname@example.org.
Is there anyone at Future/TechRadar who concerned users can contact directly?
Concerned users can email email@example.com.