In an attempt to be more proactive in communicating to the membership about new developments on the forum, on Thursday, I used some native VBulletin functionality to message our members about the new customizable user profile feature. The message went to a subset of our members who were eligible to use this new feature. Unfortunately, when VBulletin sent out this message, it included email addresses in the "to" field. That apparently is how it works (there is no bcc functionality).
What it means is that a list of email addresses of a subset of active members was circulated to a subset of our member base - specifically members with 500 posts or more. The email did not include member names. If you didn't receive the email, you weren't impacted.
I offer my sincerest apologies for the mishap. The leadership team on the forum take your privacy seriously. The purpose of this note is to communicate some steps you can take to protect yourself and further steps that we are taking more broadly on the issue.
First, these are all optional but there are a few things you can consider doing if you received the email:
Name Change - For those who request it, if your are concerned there may be a connection to your forum and real name (or anything similar) we'll do an immediate name change. This won't count towards name change quotas.
Change Email Adddress Outside the Forum - Some may wish to consider this. By deactivating and changing your account, it reduces the potential, albeit small, that your email address could be used for something other than what you wish. You'll have to do this action on your own
Change Email Address on the Forum - You can change your email address on the forum by going into UserCP, My Account, Edit Email & Password. You have to put in your password and then jump down the the email address field and enter the desired email address twice. See attached for an example. Please note that you need to use a valid email address or your account will go into suspense.
Account Deletion - Though it is our policy to not delete accounts, we are making an exception to the policy for those who request it for the next 30 days. While your posts will remain on the forum, your account profile will be gone and the posts will no longer be searchable by username. This is not necessarily recommended, but is an option should the member so desire. The action is irreversible. EDIT: You are also allowed to create a new ID after the deletion.
As to what we're doing more broadly on the forum:
No Bulk Emails - Except for the follow up email to impacted members notifying them of the issue, how it impacts them etc., we're not going to be sending out any more bulk emails. There is a way to do this securely, by generating an email address list and copying it into the BCC field of an email (as was done when we implemented Tapatalk). However, it's too easy to make a mistake and we're not going to take the risk.
Forum Security Measures - We've taken a lot of steps to beef up forum security over the past few months already, as I've mentioned before. This has included hardening the operating system, removing unnecessary software, staying current on our software and mods, putting the site behind a firewall, implementing anti-malware software checks four times per day, and other items. The latest round of changes in this regard were made last weekend. We will continue to be diligent and look for opportunities to to improve and or maintain this.
Taking Care With New Features - It's apparent that we need to more carefully consider the privacy related implications of any changes or enhancements we make to the forum. It will be a key consideration on implementation of any new features and forum enhancements in general moving forward.
As always, any feedback you have on the matter would be appreciated.