OP dude the link you post got nothing to do with the capthcha thing, not even a mention there??

looks to me like their debit card is registered and linked with paypal and some sort of exploit there

ok, ran through their page, apart from the recaptcha, nothing else to worry about.

and for the record, using recaptcha on a bank login page is plain dumb.

so reCAPTCHA not an issue?

Tried app login. Put in correct username and correct image and correct password. Immediately prompt alert ask me go to their website to change password. De fuck? I just successfully login last week.

Probably they notice weird IP hitting their front end. Even after blocking still weird IP appearing and the hits pattern are similar. Which is why they implement this captcha.

Just saying.

dah kantoi since morning

This. Ppl can just bruteforce ur password now. As long as it hits the first 8 or the number or char u use on ur password. Then gg.

So.... No point changing password now. Lol. The change need to come from CIMB.

“The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).”

Not sure if this is actually the case. My 2 cents.

http://php.net/manual/en/function.crypt.php

Security is part of IT dept.

I browsed cimb's twitter and fb, still they wont mention any shit about the issue. If 1st world country, they would have made press release and apologize.

so in simple currently CIMB being attached hacker by:-

1. Brute Force
2. Buffer overflow

Correct?

And does changing password would solve this issue?

Or have to change all debit card, credit card number? Due to if hacker manage to get our card number, they can linked to Paypal?

Yeah, I think ppl just confused with everything

The 8 password can login is probably not a bug, but a feature, maybe a bad 'user friendly' feature la.
Let's say you now have a mixture of users on 8 chareacter password and 8+ passwords, in their DB, they probably have a column, Over8Chars as true or false, they will know if u have updated ur password or not, in login, they may read this field if it's still 8 characters, to trim off excess characters.... from your password entry...
(Maybe too smart, and too user friendly until cause panic) and this is reported as a hack.

Remember, if they already bruteforce until ur 8 character pass is known, they don't need to add in additional digits anyway.

this one issit ?? 

CIMB loses data backups
13 Nov 2017
https://forum.lowyat.net/topic/4455779

"The tape data does not contain any authentication data such as PINs, passwords or credit card CVV numbers," CIMB said in a statement today.

will just leave this here for now

Not IT savvy. What's the problem with the code ?

So the problem is historical and backend issue. People should quickly change to new format. Nothing to do with front end. If you throw old password with longer than 8 characters, the backend will be confused.

But UAT website can show to public?

Bukan for internal only ke?