As I can see this issue was nothing then become attention because of media,I wonder if other bank also got this problem not only cimb? suddenly everyone just say  got problem la , lose money la.I do remember last time Maybank go issue with their portal but that time there were no "viral" movement,and they were forgotten as time passes on. Now the question is, how many ppl here really were hacked??

WTA. Yesterday I can enter my cimbclick using my existing password. Today evening it says invalid password & ask me to reset. But to reset password, they ask for my atm & atm pin. Im quite sceptical to provide. Is this legit?
Sorry if this has been mentioned. I'm feel like drowning going through 80 pages

I just know viral only
Then all panic. True o not still dont know
Power of viral. Sometime it fake only to make customers panic.
Till now no customer i hear make police report because lose money

u never read is it?

this issue is real

people are losing money

yes, not everyone but a lot of them

this is security issue not portal

and it happen at the same time frame

I read it,yes there was and issue but as we know they already address the issue promptly,what I want to say is cimb has the guts to admit at settle it but other Banks quietly sweep the issue under the rug,if not for the viral issue there would not be a big issue.

I read it,yes there was and issue but as we know they already address the issue promptly,what I want to say is cimb has the guts to admit at settle it but other Banks quietly sweep the issue under the rug,if not for the viral issue there would not be a big issue.

My issue still no news. So how?

Thx bro, saw that & thinking thru the implications. How does CIMB store passwords? As Is? or after hashing?

If after hashing, old passwords longer than 8char should not be able to get in if just key in first 8 chars. Why? becos the hash would be diff. No? Only way can get in is IF the old password was stored As Is. Wonder if that makes sense 

no, the code snippet does not prove anything on how they store the password. it only shows thier 'lazy' development to do not want to change backend API, so they convert/translate those inputs (for this case password) as front end.

This is not necessarily the case. What the Javascript is doing is encrypting the password for transmission. If you read the code, it also does the same thing for username. You might ask.. why? Its to protect against sniffing or mitm attacks. This way even if an attacker sniffs out your traffic, its not obvious what your actual plaintext username/password is. They can still replay the request to get in, but at least they don't know what your actual username/pass is.. which you might be using for other sites as well.

The backend could then just decrypt the value, then run it through a different hash/encryption algorithm to check against the DB.

The stupid thing about CIMB was having a max limit on password length. Even now it doesn't make sense that its limited to 20 chars, if you're encrypting/hashing passwords the max length shouldn't really matter.

Polis repot takes some time to process. Sir back with popcorn on us .

This is one of the sms received. The available and current amount not tally and match the sms deducted amount

Looked up ac cancer soc on Google...

Seems like a hospital in ampang...

http://www.moderncancerhospital.com.my

These guys have been charging you... Not sure if this is a legit hospital, never heard of them before. I see many of these kinds of sites where they ask people to write their names, address, phone number etc (lol only dummies will fall for this) pretending they want to contact you later (why the hell need all that info for). Try ask family members if they've visited any sites asking them to submit personal details.

Nasi lemak tech says cimb did nothing wrong:
NLT

just read sin chew daily , they put this cimb thing as "fake news" section lol 

Nasi lemak tech says cimb did nothing wrong:
NLT