MeetFighters News

16000 Members, Password Security

Hello Fighters,

Important announcement: If you are using your MeetFighters password on other sites, change your password now. Sharing a password increases the risk of your account being hacked. Scroll down for more.

But let's start with some great news: our beloved site, MeetFighters, now has over 16000 members worldwide! This is a time to celebrate, open a bottle of champagne and be merry!

At the time of writing, we have

[IMAGE:https://www.meetfighters.com/Content/profile/ja/adminxdgfysqpjqawekkywxgdjctnclbfaubmbnefgxwal.jpg]

Password Security

We recently had a nasty incident originating from another site. Normally here at MeetFighters we love competition and to trade links with similar sites. We believe that friendly rivalry is 100% in line with our theme as a fighting site. We had this disposition when we were the smallest, and have now that we are the largest.

Since the start, we have the utmost respect for our members' privacy. We do not participate in any advertising networks or other schemes that could compromise your browsing experience.

Unfortunately not every site shares our sunny disposition. We recently discovered that the operator of another site, f********oday.com (site name redacted, you'll see why), has taken the password of a MeetFighters member from his site database, and used it to break into that member's MeetFighters account. He then proceeded to send messages, impersonating that member, in an attempt to redirect others to his site and soliciting some to send e-mails to him. He could do this because our member was naive enough to use the same password on both sites.

[IMAGE:https://www.meetfighters.com/Content/Images/Admin/cuffs.jpg]
Photo credit: BMN Network

We have contacted the site operator and warned him that such criminal activity will not be tolerated, and if he makes any further attempts we will turn over all the evidence that we have gathered to the authorities.

The sad part is that we would have been happy to do link exchange with his little site, like any other wrestling personals site, if he just contacted us directly like a normal person. Instead, he chose to run a number of sock puppets with the best stolen male pictures that the internet could provide, trying to push his scam operation. Needless to say, we are not so ready to do link exchange anymore or to name them here.

To summarize: If you use the same password on other sites, change it now. Your account's security is important to us; let it be important to you too.

Regards,
Admin.

Translate
Last edited on 5/24/2018 5:22 PM by Admin
PermaLink

Comments

37

Ironbull (96)

5/24/2018 7:27 PM

Just curious. Are you planning to issue a GDPR-style privacy notice, or have I received it but not spotted it among the hundreds of others?

Translate

grappleruk (120)

5/24/2018 8:08 PM

(In reply to this)

My understanding of GDPR is that the main practical change it has created for many companies is that it is no longer good enough to assume users are happy to receive marketing emails or give your data to others without asking your explicit consent. Defaulting to having the box ticked is not allowed any more - users must *choose* to opt-in to these things.

I suspect MF simply doesn't have this issue so it doesn't have to do anything. It doesn't sell or give your data to others and it has a clear privacy policy. And you only receive emails related to the running of the service.

Translate

Ironbull (96)

5/24/2018 8:19 PM

(In reply to this)

It's a bit more than that. But I'd be grateful for Admin's comments.

I assume, Admin, that you hold data about me such as my date of birth and special category data such as my sexual orientation and, sometimes, health data.

GDPR is a headache and not all of it is entirely clear, at least not in the UK. Apart from anything else it was written in French and doesn't always translate. IN the UK, the Information Commissioner's Office is going to have to issue quite a bit of clarification and no one can reasonably expect perfection on the effective date, which is tomorrow. Nor does any data controller want to be bombarded with subject access requests.

The privacy policy, I am guessing, is pre GDPR. I can't see any explicit reference to GDPR in the link and it reads like a pre-GDPR document.

But I would in general like to know whether the site, and the data controller, is subject to the GDPR and/or it's statutory equivalent in whatever country the site is domiciled in.

Is there any chance of a general statement?

Translate

grappleruk (120)

5/24/2018 8:45 PM

(In reply to this)

Were you asking about the emails a lot of companies have been sending out recently? Or about the privacy policy of the site? My answer assumed the former.

Translate

Ironbull (96)

5/24/2018 8:50 PM

(In reply to this)

NO my question was more general.

The GDPR has been brought into force within the EEA in recognition of the cyber world that we all live in.

In the UK it preserves the principles of the existing Data Protection Act and strengthens them.

My data is in here. All I really want to know is whether MF is subject to GDPR and to see a general statement from Admin as to how the site is meeting those standards.

I know I'm off topic slightly here and my apologies if I'm detracting from the point Admin was making. I'm happy to shut up and open a new thread, but I would like to know

Translate

Admin

5/24/2018 8:53 PM

(In reply to this)

You're right the GDPR is a headache.

Truth be told, we are running late on GDPR-related activities. The site is ran by a handful of volunteers, and there is only so much we can do on our free times. The legislation comes into effect tomorrow, which is unfortunate. Even less fortunate is that we keep receiving self-contradicting statements from official sources in the past weeks, and still trying to sort through the best course of action, if any, for the site to take. This is why there's now a cacophony of online (mis)information as to what exactly is and isn't legal.

We will be following up on this before the end of the month, you will hear from us.

Translate

Ironbull (96)

5/24/2018 8:56 PM

(In reply to this)

Thanks Admin.

I'm sitting here in my office with exactly the same headache so I totally get where you are coming from. We've taken a bunch of very expensive legal advice and the only thing for sure is that the consultants are getting rich.

I look forward to your statement when you're ready.

Translate

john el (15)

5/25/2018 1:46 AM

(In reply to this)

Gah.. I work in the US for a European security company, talk about headaches.

But from a site operators perspective, the gist seems to be if I tell you to delete my account and data, you pretty much have to wipe my identifiable records, and some transparency aspects.

Translate

ProJobberUK (9 )

5/24/2018 9:03 PM

(In reply to this)

Hi Admin,

Firstly a big thank you to yourself and the rest of your volunteers for continuing to run the site.

In very simply terms (and from my fairly limited understanding) that as MF is a membership site, you won't have to do too much beyond showing how the information is used and stored, thus giving people the choice whether they want to stay or not (or "opt in" / "opt out")

Translate

Ironbull (96)

5/24/2018 9:08 PM

(In reply to this)

PS. I have very limited free time but if you want some help with writing standard docs (e.g. subject access requests) I would be happy to chip in

Translate

BCNBOXER (20)

5/24/2018 7:45 PM

It's a bad new, it means your security is not good enough...

Translate

dalwrestle42 (10)

5/24/2018 7:53 PM

BCNBOXER, your vommentg is clueless.

MF was breached because the user gave his MF password to a corrupt site, which was then used by that site to impersonate the MF user.

This is a risk inherent in using the same password on multiple accounts.

Translate

Zeus (15)

5/24/2018 7:56 PM

(In reply to this)

Agree with that!

Translate

BCNBOXER (20)

5/24/2018 8:37 PM

(In reply to this)

I don't use the same password on multiple accounts, but there is a security issue in Meetfighters.com.

On their own words: 'We recently had a nasty incident originating from another site'. This is a problem for the users of the site. If the issue only affects to one profile, please, don't give an advise to all the members of the site, It's not necessary.

Translate

SileX (208 )

5/24/2018 8:41 PM

(In reply to this)

@BCNBOXER: dalwrestle42 is right, your comments are clueless.

If you make security doors, it doesn't matter how good they are if the homeowner hands his keys to a burglar.

Translate

BCNBOXER (20)

5/25/2018 12:09 AM

(In reply to this)

Cruelty is another thing, not a disagree comment written with respect. Please, a bit of respect with the opinion of users who have been supported this site for years. This kind of advises don't appear in other sites.

Translate

ProJobberUK (9 )

5/25/2018 12:16 AM

(In reply to this)

BCNBOXER: Yes they do, Facebook for example: https://www.facebook.com/help/379220725465972

Translate

rafalbel (11)

5/24/2018 8:46 PM

(In reply to this)

BNCBOXER please read admin information again:
Other website has taken the password of MeetFighter's member from his site database, and used it to break into that member's MeetFighters account.
Other website could do so because other users of MF are not as good as you in password protection. They used probably the same user and password to login on other website.
I appreciate admin honesty with us and warning sent to all users.

Translate

BCNBOXER (20)

5/25/2018 12:16 AM

(In reply to this)

I know the meaning of the advise. It's an not important thing. Maybe the administrator think we are stupid and we don't know the risks of using the same passeord in different sites. What about driving under alcohol effects? Or walking fixing our look on the phone instead on the things around us? Is it necessary to treat us like stupid people?

Translate

munichsubfight (179)

5/25/2018 12:55 AM

(In reply to this)

If it would only be about a single person, well, I´d be in your camp that it´s that single person´s problem if he chooses to use the same password everywhere.

However, it´s not just their problem alone.
By using the same password it becomes possible that another person from another website can use that very same password to impersonate that single person and harrass other users here, and voila, no longer just that single person´s problem alone but a problem affecting many users and therefore the whole site community.

So please, even if any of you think you don´t have important data or think you don´t have any secrets to hide or whatever excuse you might come up with to use just one same precious password everywhere: Don´t! The potential trouble you might cause is much bigger than you might imagine.

It´s fine if you(BCNBOXER) are using different passwords for different sites, but it would be even better if you(all 16thousand users here) would also use different passwords. I bet there is a tiny handful who doesn´t, and that alone is enough for trouble if some evil site joins the game.

Translate

Julian Chang (131 )

5/27/2018 1:19 AM

(In reply to this)

Yes. Anyone who has ever worked in IT can confirm that it is necessary. Survey after survey have concluded that some 80% of users regularly reuse passwords, and that these passwords are also frighteningly easy to crack. This figure is also stable across age groups so it's not a generational issue. The reality is that admin is being responsible in sharing this and encouraging users to update their passwords.
As for DUIs and injuries arising from device usage, the sheer amount of policing and public health resources being dedicated to these two problems seem to support the idea that people don't understand the risks associated with both.

Translate

dgwrestler (50)

5/24/2018 9:27 PM

Admin Thanks for your work on this matter!

Translate

SJB (5)

5/24/2018 9:54 PM

Thanks Admin for the warning :) and for all the other amazing work you do on Meetfighters!

Translate

BikerE1W (5)

5/24/2018 10:02 PM

Over 16000 members but less than 1,100 verified... ?

Translate

andrewj (21)

5/25/2018 1:17 AM

(In reply to this)

Personally, i see verification as something needed by someone with no past opponent's, it gives them a reputation as real. But if you have 5 plus past past opponent's then its pointless.

Translate

redlandguy (195)

5/25/2018 5:43 AM

(In reply to this)

I won't verify because I do not want to post my face in a public portion of a wrestling website, and I wasn't able to get the workaround to work. But ask any of my almost 200 past opponents if I am real.

As for sockpuppets... it's a nuisance that Admin is correct in trying to address. My meetfighters password is unique, but since I am job hunting, I have to set a password for each and every company I apply to, each site I register on, each place... and there are hundreds of them. I wish I were smart enough to keep track of all that (or successful enough to be hired in a smaller number of attempts), but not all of those passwords are unique.

Translate

Julian Chang (131 )

5/27/2018 1:14 AM

(In reply to this)

Two words: password manager. Remember one strong master password, and the manager will create and fill in all the unique ones for you.

Translate

redlandguy (195)

5/27/2018 7:16 AM

(In reply to this)

Call me a cynic but I don't trust the password managers. My passwords for important stuff are secure; my candidate logins aren't meaningful since I have no real access and they didn't hire me anyway.

Translate

active (0)

5/27/2018 7:20 AM

(In reply to this)

i do agree with your last. i always consider my password and make it unique not to me but to something so out there it would not be obvious to anyone ,

Translate

Julian Chang (131 )

5/27/2018 7:34 AM

(In reply to this)

Understandable, but an offline open source password manager can alleviate that. I guess from my perspective, just knowing how much data gets processed in recruitment management systems, I really wouldn't want someone accessing my data using a shared password.

Translate

redlandguy (195)

5/27/2018 3:51 PM

(In reply to this)

Most of that data is already on the public recruitment sites and LinkedIn. If they want me... I'm out there. I don't want to be an open book, but I don't have a choice if I want to work.

Translate

Mikey Aarons (16)

5/24/2018 10:19 PM

This is a pretty good wake up call for making sure your have different passwords not just here but across all social media/email/etc. The hard part is remembering them all lol.

Translate

active (0)

5/24/2018 10:58 PM

May i say thank you Admin for bringing this to our attention, and yes to use any password for more than one site is foolish. Although you do your best to keep all our details private it is a;so upto each and every individual to be vigilant and not just rely on Admin.

Translate

Ereignis (35 )

5/25/2018 12:29 AM

Oh, then we will toast with cyber sparkling wine. Cheers ;-) and thanks for site maintenance.
When I joined the forum, it was only approx. 6000 user.

Translate

HalfGuard (59)

5/25/2018 11:50 AM

Another scary point to raise would be that since the owner was able to get one password out, they just store members' passwords in their database in plain text, unencrypted - if their database is ever compromised, whoever did it would have access to every member's password with really no extra effort.

If you're on that site and really don't want to commit to remembering different passwords, at least have a different one for that one or get a password manager.

Translate

edscissors (31 )

5/25/2018 5:12 PM

Thank you once again, Admin, for all your efforts on our behalf, making this such a good, honest, safe, tolerant place to be. I think I'll change my password as you suggest. Not that I can imagine anyone would particularly want to hack into my MF account ... but it's just good practice to change passwords every so often. Thank you for the timely reminder.

Translate

kimmetje (149 )

5/28/2018 10:10 AM

Admin, if you need any assistance on the GDPR front, I'm a GDPR expert - lobbied on the original law and am now running support programmes for SMEs worldwide as part of my employment activities... I'm certified by the University of Maastricht as a Data Protection Officer, etc. Be more than happy to help out the site pro bono considering how much it's given me. :)

Translate