Details of Data Breach at MrExcel.com


Update from October 2018.

It appears that hackers have reverse engineered the hash+salt for some of our members and are trying to extort a payment. If you receive such a message, please ignore it. The e-mail is cleverly designed to make you believe they obtained the data from a key logger. The hackers do not have any way to track your browsing history.

  1. What happened?

    This is Bill Jelen from MrExcel.com. On the morning of December 6, 2016, our moderators detected a hack in progress at the MrExcel forum. We quickly acted to shut the forum down, removed the user, and restored from the previous day’s backup. At the time, we had no reason to believe that the hack had compromised any user data. However, on or about January 8, 2017, we became aware of evidence suggesting that some user information had been acquired in the December 5 hack and had been posted online. That information was taken down around January 26, 2017 in an apparent federal raid.

  2. What Information Was Involved?

    The hacker accessed and posted userid, e-mail address, and the hashed password in the form of hash+salt. A hacker with a fast computer can test a billion passwords an hour and stands a 25% chance of breaking the password. The hacker also accessed and posted information from administrative fields showing your last login, number of posts and similar non-personally identifiable information. If you had an account at the MrExcel Message Board on or before December 6, 2016, you are affected.

  3. What We Are Doing?

    We previously scanned for malicious code and restored from a backup to remove any lingering effects from the hack. Additionally, we continue to update and patch the website software from vBulletin and we are converting the website to use a Secure Socket Layer.

  4. What Can You Do?

    We are requiring all users you to promptly change your password at MrExcel.com and encourage you to take other steps appropriate to protect this online account. We also encourage you to change your password and take steps to protect any other online accounts where you have used the same password with your username or email address for MrExcel.com. You are are further encouraged to maintain different passwords for MrExcel.com and for any other online account that connects to the same email address or password.

    During the investigation of this incident, you can search also for your e-mail address at HaveIBeenPwned.com to find a list of data breaches involving your e-mail address.

    I deeply regret this incident occurred and I apologize.

  5. For More Information

    Contact Bill Jelen – pub@MrExcel.com

Date of Notice: January 14, 2017

E-mails were sent to all 350K+ people affected on January 14-15, 2017 from Bill Jelen via pairlist.net or pairlist.com. The subject line was: “Notification of Data Breach at MrExcel.com”. Please check your spam or gmail Promo folders for this message. I self-reported the information to Troy Hunt at HIBP in order to reach people who have changed their e-mail address or otherwise missed or deleted my notice. His notification went out January 22, 2017.

Update: Frequent Questions

  • Q: What is the longest password we can use?
    A: 50 characters, a mix of letters, numbers, and symbols

  • Q: How can I delete my account?
    A: Write to the e-mail address pub@mrexcel.com and I will gladly remove you.

  • Q: How do I know this is not a clever Phishing scam?
    A: When you are signed in on the board, you will see our notice. I’ve also been posting notices that this is not a hoax on Facebook and Twitter. See the Twitter notice here: https://twitter.com/MrExcel/status/820641834670104576

  • Q: Some members have their date of birth displayed. How can I delete mine?
    A: All members who used the default setting of “Hide my birthdate” have had their birthday removed from the database on January 26, 2017.

  • Q: I also have an account at your MrExcel store. Was that data compromised?
    A: No.

  • Q: You just sent me an e-mail to me@xyzcorp.com but when I try to sign in with that very same e-mail, it says I don’t have an account!
    A: In most of these cases, I am finding the actual address in the forum is me@xyzBeforeTheMerger.com and someone in I.T. has cleverly designed an e-mail forwarding recipe to send those e-mails to the new corporate name. If you can’t figure it out, send me a note to pub@MrExcel.com and I will do a wildcard search to try to find you.