
password reset required


JERRY1


gstuartj
4 hours ago, ebr said:

Hi.  Yes, it is legit.  Thanks.

 

This has been incredibly frustrating for me. There was zero warning, and now all of my users' accounts are deactivated and I'm stuck dealing with the fallout and confused messages. There had to be a better way to roll this out.


4 minutes ago, gstuartj said:

now all of my users' accounts are deactivated

Hi.  Exactly what do you mean by "deactivated"?


gstuartj
3 minutes ago, ebr said:

Hi.  Exactly what do you mean by "deactivated"?

Maybe I am misinterpreting? Are Emby Connect and the forums completely separate accounts now? All I know is my Emby Connect users started getting random emails about forced password resets. Because they use the accounts for connecting to Emby servers and don't care about the forums.

If Connect accounts are no longer tied to the forum accounts then that's potentially a good change, but this stuff could be communicated better outside the forums. I have several confused people to deal with.


I am suspicious of emails providing links for password resets, so went to https://emby.media/index.html and clicked the sign page. Which then asks for my email and password on a non-secure page. Something isn't sitting right with me about this. Is the request to reset for just the community forum or more?

FYI: The sign link I landed on is: http://app.emby.media/#!/startup/connectlogin.html

I've now used the link sent in the email, at least that landed on a secure page. Fingers crossed that I've done the right thing.


Happy2Play

@gstuartj It is one system for Connect/Forum.

In the end some Connect users' emails and passwords have been breached via other sites as they utilize the same information, and spammers are using that information here on the Forum.  So, Connect users that have had the same password for years is the issue.

  

15 hours ago, Abobader said:

Again, it is not Emby Community accounts that are the issue; other sites have been breached, and many users are using the same user/email/pass everywhere. As we have noticed lately, spammer groups have been using these old accounts, mostly with 0 posts, for spamming.

 


Happy2Play
4 minutes ago, Harry14 said:

I am suspicious of emails providing links for password resets, so went to https://emby.media/index.html and clicked the sign page. Which then asks for my email and password on a non-secure page. Something isn't sitting right with me about this. Is the request to reset for just the community forum or more?

FYI: The sign link I landed on is: http://app.emby.media/#!/startup/connectlogin.html

I've now used the link sent in the email, at least that landed on a secure page. Fingers crossed that I've done the right thing.


That is a server choice as we have https and http app.emby.media options.  Your server has to be configured with SSL to manually use https.

Will link Luke's comment about this when I find it.

 


gstuartj
14 minutes ago, Happy2Play said:

@gstuartj It is one system for Connect/Forum.

In the end some Connect users' emails and passwords have been breached via other sites as they utilize the same information, and spammers are using that information here on the Forum.  So, Connect users that have had the same password for years is the issue.

  

 

Okay, but I know for a fact that none of my users' passwords have been found in a third-party breach because I randomly generated them myself, individually. I'll also note that I've reset a couple of accounts to the exact same password I originally generated, which seems like a silly thing to allow if you're actually concerned about these passwords being leaked/used elsewhere.

So essentially Emby has decided to make all users without forum participation reset their passwords, which isn't a metric that corresponds to security or likelihood of leakage. Most Emby Connect users don't post here. In the future you could run salted password hashes against breach DBs, if trying to avoid sloppiness and blanket resets. And please communicate about things like this! Even some admins here are confused about the phishy email, and many of us have users that are functionally tech-illiterate.


On 1/17/2023 at 6:30 PM, gstuartj said:

Okay, but I know for a fact that none of my users' passwords have been found in a third-party breach because I randomly generated them myself, individually. I'll also note that I've reset a couple of accounts to the exact same password I originally generated, which seems like a silly thing to allow if you're actually concerned about these passwords being leaked/used elsewhere.

So essentially Emby has decided to make all users without forum participation reset their passwords, which isn't a metric that corresponds to security or likelihood of leakage. Most Emby Connect users don't post here. In the future you could run salted password hashes against breach DBs, if trying to avoid sloppiness and blanket resets. And please communicate about things like this! Even some admins here are confused about the phishy email, and many of us have users that are functionally tech-illiterate.

Hi, we apologize for any disruption this may have caused.


On 1/17/2023 at 5:30 PM, gstuartj said:

Okay, but I know for a fact that none of my users' passwords have been found in a third-party breach because I randomly generated them myself, individually. I'll also note that I've reset a couple of accounts to the exact same password I originally generated, which seems like a silly thing to allow if you're actually concerned about these passwords being leaked/used elsewhere.

So essentially Emby has decided to make all users without forum participation reset their passwords, which isn't a metric that corresponds to security or likelihood of leakage. Most Emby Connect users don't post here. In the future you could run salted password hashes against breach DBs, if trying to avoid sloppiness and blanket resets. And please communicate about things like this! Even some admins here are confused about the phishy email, and many of us have users that are functionally tech-illiterate.

 

This is the part that gets me. Did the admins not stop to think that a fair number of "members" with 0 posts would be Emby Connect users? Like relatives who are using Emby Connect because you either don't have a static IP or they aren't computer savvy enough to be walked through how to set up a direct remote connection over the phone. Why not just remove forum privileges for said group instead?


Happy2Play
4 minutes ago, pearsco said:

Why not just remove forum privileges for said group instead?

You can't from a one system standpoint as that would cause all new users to not be able to use the forum.  So you as a current "Member" could not have made your post.


22 minutes ago, Happy2Play said:

You can't from a one system standpoint as that would cause all new users to not be able to use the forum.  So you as a current "Member" could not have made your post.

Do what other forums have done in the past. Make members such as myself reset our passwords before we can log in/post on the forum. Which brings up another point. How come I myself never got the email or was required to change my PW since I fall into this category? For this reason alone I thought it was a legit phishing attempt when I got the "IT Help Desk" call.


Happy2Play
6 minutes ago, pearsco said:

Do what other forums have done in the past. Make members such as myself reset our passwords before we can log in/post on the forum. Which brings up another point. How come I myself never got the email or was required to change my PW since I fall into this category? For this reason alone I thought it was a legit phishing attempt when I got the "IT Help Desk" call.

You did not meet the conditions "Member" with 0 posts.  But in the end, it came down to some accounts being logged in and spamming, affecting all in that category.  Since it is one system for Connect and Forum this creates this big conflict on how to treat this base.


12 hours ago, pearsco said:

Do what other forums have done in the past. Make members such as myself reset our passwords before we can log in/post on the forum

Hi.  That's actually exactly what we thought we were doing.  The maker of this forum software changed the way that feature works so that, when our admin turned it on, it automatically sent out emails.  That was completely unintentional and we apologize.


KungFuJim1981
On 17/01/2023 at 23:19, Happy2Play said:

In the end some Connect users' emails and passwords have been breached via other sites as they utilize the same information, and spammers are using that information here on the Forum.  So, Connect users that have had the same password for years is the issue.

If you know which accounts have been used for spam then surely you force a reset of just those accounts' passwords and not affect literally everyone. But even if you can't do that, why does the normal login prompt state that my credentials are invalid while also not prompting me to switch to the password reset form? If you're going to break people's ability to log in (before they change their passwords), then you need the error message to point people to the same form that your email pointed them to, e.g. "access to your account is blocked pending a password reset; please click here to reset your password" and not "your credentials are invalid". Also, if the reason for the password reset is caused by people using compromised passwords, then don't let me reset my password to exactly what it was before, because I guarantee you that a password "reset" will not mean a password "change" to most people.
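
An added example, not part of the thread and not Emby's or the forum software's code: a sketch of the three behaviours posters ask for above, namely flagging only accounts whose password appears in a breach list, answering a correct login on a flagged account with an explicit "reset required" state, and refusing a reset to the current password. All names (`Account`, `login`, `reset_password`, the status strings) and the two-entry breach list are hypothetical and constructed for the example; the breach check runs at login because that is when the plaintext is available.

```python
import hashlib
import hmac
import os

# Constructed sample: SHA-1 digests standing in for a locally held breach corpus.
BREACHED_SHA1 = {hashlib.sha1(p).hexdigest() for p in (b"password1", b"letmein")}

def _kdf(password, salt):
    # Salted, slow hash as stored server-side (PBKDF2 chosen for the sketch).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def is_breached(password):
    # Only possible while the plaintext is in hand (login or reset), because
    # a stored salted hash cannot be looked up in a breach list directly.
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1

class Account:  # hypothetical record, not Emby Connect's schema
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = _kdf(password, self.salt)
        self.reset_required = False

def login(acct, password):
    if not hmac.compare_digest(_kdf(password, acct.salt), acct.pw_hash):
        return "invalid_credentials"
    # Password was correct: flag only if it is a known-breached one, and say
    # so explicitly instead of reporting the credentials as invalid.
    if acct.reset_required or is_breached(password):
        acct.reset_required = True
        return "reset_required"
    return "ok"

def reset_password(acct, new_password):
    # A "reset" must be a change: refuse the current password and breached ones.
    if hmac.compare_digest(_kdf(new_password, acct.salt), acct.pw_hash):
        return "rejected_same_as_current"
    if is_breached(new_password):
        return "rejected_breached"
    acct.salt = os.urandom(16)
    acct.pw_hash = _kdf(new_password, acct.salt)
    acct.reset_required = False
    return "ok"
```

The "reset required" answer is returned only after the password verifies, so a wrong guess still gets the generic failure and learns nothing about the account's state.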
