this is the answer to my question, now i manage to change the pw successfully. Thanks!

haiyo cimb can really go bang wall this time, thier PR manage it so badly. 

You disable it or cimb disable it themself?

it's very awkward that the site required to put my card number + pin number  (wtf?) for reset password...

we suppose to reset our cimbclick account login password but why involve our card + pin number...

Did you guys follow the hint given when changing the password?

Yes

Tz@ra1n-jibbrobank

Secure word: Lyn roti kosong

did u guys check up to 3 months back transactions? all clear?

Frankly speaking you guys think some of these fraudulent transaction really related to the password issue?

Check my CIMB Clicks so far still ok la.. Changed my password also just in case (super long one, straight away put  20 characters one HAHA)

Just joined cimb last 2 weeks and this happen. fffuu

cimb so dumb? Simple solution also cannot?
- Add tac on top of debit paywave and paypal.
- For the password, each session allow 3 tries then lock 24 hours before unlock again, 3 times. Afterward, go cimb unlock.
your avatar so creepy

A few of my family members has cimb debit card but never use it and some did not even acivate it. Should i ask them to check their account? Kind of worried here since it possibly involves info leak. se7en maxpudding

Is the panic bank run on CIMB still on-going? Or people already calm down.

Only a few accounts were hacked, but my guess is CIMB is doing damage control when the news break out about how insecure is their accounts. For me, the main problem that I found out is that their passwords only accept the first 8 characters. Which I find out the hard way when I tried to change my password and failed. It keep lying to me and said my ID is invalid (but I could login with that ID).

Let's say your password is 12345678H%&*GGhklp

Anyone can login with your password if they just type in 12345678

If you were stupid enough to put this kind of password, then sorry la....

But CIMB hopes nobody that stupid, so their damage control is to implement that Google Recaptcha to stop brute force password attempts.

And it is easy with bots these days. There are hackers and spammers selling brute force software that they claim can crack most kinds of passwords.

Knowing the length of a password is a big step to cracking it.

This entire fiasco is really kind of like 'making a mountain out of a molehill'.

Honestly, I was just as worried as you guys initially. First thing in the morning, i went to the CIMB branch near my workplace just to double check my balance with the branch staff (in addition to what I have already checked via CIMB Clicks), and there really was no issue at all. My money, thankfully, is still intact, so to speak.

If the problem was as bad as what some articles are saying, the police stations would have long queues already of people making reports!

This entire fiasco is really kind of like 'making a mountain out of a molehill'.

Honestly, I was just as worried as you guys initially. First thing in the morning, i went to the CIMB branch near my workplace just to double check my balance with the branch staff (in addition to what I have already checked via CIMB Clicks), and there really was no issue at all. My money, thankfully, is still intact, so to speak.

If the problem was as bad as what some articles are saying, the police stations would have long queues already of people making reports!

this is the answer to my question, now i manage to change the pw successfully. Thanks!

haiyo cimb can really go bang wall this time, thier PR manage it so badly. 

Something doesn't seem right to me. Everywhere I look, I'm told that passwords are stored after (one-way) hashing (& even salting), never in its original form.

When you originally set up your password as 12345678H%&*GGhklp, it would have been stored as a certain hash. Any slight diff would result in a totally diff hash. (That's why they say they do not know what your password is)

So what boggles me is how someone can get in when he submits 12345678 - the hash for that would definitely be diff from the hash for 12345678H%&*GGhklp ...No?

The only possibility this can happen is IF at the point you originally set up your password as 12345678H%&*GGhklp, it was truncated to 12345678... damn FUBAR, right? Telling ppl to set up long complex pw & truncating to short