
Author Topic: IMPORTANT: Community security breach  (Read 1964121 times)

Offline CoreISP

  • Server Admin
  • Server Team
  • SMF Super Hero
  • *
  • Posts: 15,552
  • Gender: Male
  • CoreISP.net
    • coreisp on Facebook
    • liroyvh on LinkedIn
    • @liroyvh on Twitter
    • CoreISP Corporation :: WebHosting, Dedicated Servers, and more!
IMPORTANT: Community security breach
« on: July 23, 2013, 12:45:08 PM »
Dear valued community members,


On the 22nd of July 2013, it was discovered that unauthorized access to our website and database had been obtained on the 20th of July.
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.
One of the admins' account passwords was discovered, and from there further escalation wasn't too difficult, considering admin privileges can do just about anything.

Unfortunately, we are 100% sure that our user database has been stolen.
As such we HIGHLY RECOMMEND, even implore you, to:
1.) Change your password on other websites you are using, if you use the same password there. This is very important to do, as it also will help prevent other websites being hacked through your compromised password, if it is compromised.
2.) Change your password here on our website.
3.) If you use the password you use here anywhere else, say for example to login to your webhost, it is highly urged to change it.
4.) Please note that personal messages may have also been compromised. We don't know for sure if the hacker only downloaded the user tables or not, although that's the only thing he/she is after. If they did: keep in mind that passwords you shared through PM should now be considered vulnerable. It's best not to take the risk and gamble, and just change any password you shared through PM as well.
5.) Charter members, current and past, are encouraged to change ALL passwords if they ever sent any in to us. That would include FTP.

Please keep in mind:
This is !!NOT!! a security issue with the SMF software. If you are running the latest SMF version you have nothing to fear from this hack if you use different passwords.

The method used by the hacker is that a database is downloaded from another hacked website, the passwords are attempted to be decrypted and if it is successful: they try to login to other websites using that username & password, or try to cross-reference by using password reset links.
Unfortunately for us, an Administrator used the same password elsewhere on another site, and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to log in here with admin rights.
Hundreds of websites have been hacked lately by using this method, so you are highly encouraged to change your passwords...

... And remember: don't use the same password on multiple sites!
It helps to prevent hacks like this.

Thank you for your consideration and we deeply apologize for any inconvenience this causes for you.
By changing your passwords, you will help ensure that other sites do not fall victim to this method of hacking and help put a halt to the hacking spree that has affected hundreds, if not thousands, of websites already.

-edit for clarification-
Yes, the passwords are stored with encryption.
Unfortunately, even encrypted passwords can be decrypted. Hence, the passwords used here should not be considered safe anymore.


Any questions, please do feel free to ask.
Please stay on topic.


Kind regards,
Board of Directors
Simple Machines
« Last Edit: July 23, 2013, 02:20:37 PM by Kindred »
- CoreISP.net Corporation -
  WebHosting, Colocation, Domain Registration & Network Services
- DedicatedBox.us Servers -
  Low priced Servers in a high-quality Network, the place for all your (advanced) server needs.
  We specialize in hosting big boards. Contact us!

((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
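The pattern the announcement describes (a user list stolen from one site replayed against another, with password-reset links used to cross-reference accounts) leaves a recognisable trace in a site's own authentication logs: one source touching many distinct accounts in a short window, rather than one account failing repeatedly. The following is an added example, not code from this post, from Simple Machines or from SMF; the log line format, the field names and the sample lines are constructed for the demonstration, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the forum or any real site).
# Assumed line format: "<ISO timestamp> <event> user=<name> ip=<addr>".
# 203.0.113.7 walks a list of accounts in seconds, gets one hit and then
# probes password resets; the other two sources are ordinary logins.
SAMPLE_LOG = """\
2013-07-20T02:14:01 login_fail user=alice ip=203.0.113.7
2013-07-20T02:14:03 login_fail user=bob ip=203.0.113.7
2013-07-20T02:14:05 login_fail user=carol ip=203.0.113.7
2013-07-20T02:14:08 login_ok user=dave ip=203.0.113.7
2013-07-20T02:14:10 login_fail user=erin ip=203.0.113.7
2013-07-20T02:14:12 pw_reset_request user=frank ip=203.0.113.7
2013-07-20T02:14:15 pw_reset_request user=grace ip=203.0.113.7
2013-07-20T09:30:00 login_fail user=alice ip=198.51.100.4
2013-07-20T09:30:20 login_ok user=alice ip=198.51.100.4
2013-07-20T11:00:00 login_ok user=bob ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_fail|pw_reset_request) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_lines(text):
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": m["event"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_credential_stuffing(events, min_accounts=5, window=timedelta(minutes=10)):
    """Flag source IPs that touch at least min_accounts distinct accounts
    inside one sliding time window.

    A legitimate user mistypes one account's password; a stuffing run walks
    a stolen user list, so the signal is the account spread per source, not
    the failure count. Successful logins and reset requests inside a flagged
    window are reported separately: those accounts are the ones to reset
    and review first.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits the time bound.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e["user"] for e in span}
            if len(accounts) < min_accounts:
                continue
            f = findings.setdefault(
                ip, {"accounts": set(), "successes": set(), "reset_requests": set()}
            )
            f["accounts"] |= accounts
            f["successes"] |= {e["user"] for e in span if e["event"] == "login_ok"}
            f["reset_requests"] |= {e["user"] for e in span if e["event"] == "pw_reset_request"}
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_lines(SAMPLE_LOG)).items():
        print(f"{ip}: {len(f['accounts'])} accounts tried, "
              f"successes={sorted(f['successes'])}, "
              f"reset_requests={sorted(f['reset_requests'])}")
```

Shared egress addresses (campus or corporate NAT) will trip a pure per-IP threshold, so in practice this is combined with a per-account signal such as a successful login from an address the account has never used before; the accounts listed under `successes` are the ones whose sessions should be invalidated and whose passwords should be reset regardless of the user's own action.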

Offline Looking

  • SMF Hero
  • ******
  • Posts: 2,008
  • SMF Customization
    • SMF Custom Themes
Re: IMPORTANT: Community security breach
« Reply #1 on: July 23, 2013, 12:49:07 PM »
You are serious about this? How can this happen? Not using the SAME password is basic; I don't even know my own password, I use a key for that.

Offline vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 18,005
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: IMPORTANT: Community security breach
« Reply #2 on: July 23, 2013, 12:50:27 PM »
Ouch, that means we are going to get spammed now too. So the whole database and PMs?

I am thinking a full site wide password reset is then in order.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Offline Looking

Re: IMPORTANT: Community security breach
« Reply #3 on: July 23, 2013, 12:53:10 PM »
Just updated mine.

Wondering which Admin goofed.
« Last Edit: July 23, 2013, 01:40:20 PM by Looking »

Offline CoreISP

Re: IMPORTANT: Community security breach
« Reply #4 on: July 23, 2013, 12:53:44 PM »
Quote from: vbgamer45 on July 23, 2013, 12:50:27 PM
Ouch that means we are going to get spammed now too. So the whole database and pms?

That is most likely out of order, thankfully.
From what we understand and hear from other websites that have been hacked in similar fashion (eg: the Ubuntu forum, vBulletin powered), all they are after are the passwords so they can hack more websites and see how much they can get in to in the end.

As such, spamming should be unlikely. That's at least one bright point about it, I guess...

Offline Alpay

  • Language Moderator
  • SMF Hero
  • *
  • Posts: 3,526
  • Gender: Male
    • Personal Web Page
Re: IMPORTANT: Community security breach
« Reply #5 on: July 23, 2013, 12:58:02 PM »
OMG !!

Offline gisfreak

  • Jr. Member
  • **
  • Posts: 321
  • Gender: Male
  • NO TRESPASSING
    • GIS Community
Re: IMPORTANT: Community security breach
« Reply #6 on: July 23, 2013, 12:58:23 PM »
oh my God  :-[
Me fail English? That’s unpossible.

Online Antes

  • Evil Black Cat
  • Marketing
  • SMF Hero
  • *
  • Posts: 7,754
  • Gender: Male
  • Black cat rulz!
    • Antes on GitHub
    • merta on LinkedIn
    • @antesistan on Twitter
    • MMOBrowser
Re: IMPORTANT: Community security breach
« Reply #7 on: July 23, 2013, 01:01:30 PM »
Not to say much, we're truly sorry about what happened :(
- Solutions for everyone, It's that simple.

[ ezPortal 3.1 ] # Responsive Kitteh

Offline jackregan

  • Jr. Member
  • **
  • Posts: 167
  • Gender: Male
Re: IMPORTANT: Community security breach
« Reply #8 on: July 23, 2013, 01:04:07 PM »
Surely they could only get encrypted passwords though, right??
Bible Study, Catholic News, Youth Group Stuff (my humble attempt at an SMF site... I'm grateful to the amazing people who have made SMF what it is!!

Offline Looking

Re: IMPORTANT: Community security breach
« Reply #9 on: July 23, 2013, 01:05:47 PM »
That can be decrypted.

Offline jackregan

Re: IMPORTANT: Community security breach
« Reply #10 on: July 23, 2013, 01:07:29 PM »
Oh :(

Offline Raths Rants

  • Semi-Newbie
  • *
  • Posts: 94
  • Gender: Male
  • Just goofing off...
    • @Carrissis on Twitter
    • The Day Dreamers Consortium Network
Re: IMPORTANT: Community security breach
« Reply #11 on: July 23, 2013, 01:08:28 PM »
I have always used low security passwords for forums. Time to step it up again :o

There are various ways to build a better password that is unique to every site you visit.

This might be a good read for some people.

How to Build Better Passwords Without Losing Your Mind

I use a slightly advanced method of this. You might give it a try. Takes a bit to wrap your head around it.
The DDC Network
a lot of hard work goes into easy
Looking for feedback on my site, see it in the Showcase Board

Offline CoreISP

Re: IMPORTANT: Community security breach
« Reply #12 on: July 23, 2013, 01:08:59 PM »
Yes, they are encrypted. Unfortunately it's possible to brute force with about 6.7 million 3 billion, or more, attempts *per second*.
A very interesting article about that, if you care, is located here:
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125
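The point in the announcement's clarification and in the reply above is that "encrypted" storage only buys as much time as one guess costs: against a fast unsalted hash, hardware that tries billions of candidates per second will recover most passwords in a leaked table, while a salted, deliberately slow scheme pushes the same attacker down to thousands per second per account. The following is an added example of that defensive storage, together with the site-wide reset vbgamer45 suggests; it is not Simple Machines' or SMF's code, and the "legacy" format in it is an illustrative stand-in for any fast unsalted hash, not a statement about how SMF stored passwords.

```python
import hashlib
import hmac
import os

# Added example, not SMF's own code. LEGACY_PREFIX marks an illustrative
# fast unsalted hash; it is not a claim about SMF's real storage format.
LEGACY_PREFIX = "legacy-sha1$"
KDF_PREFIX = "pbkdf2_sha256$"
RESET_REQUIRED = "!reset-required"   # sentinel: no password can verify against it
DEFAULT_ITERATIONS = 600_000


def legacy_hash(password):
    """Fast unsalted hash. One guess costs one SHA-1, and the same guess can
    be compared against every row at once, which is what makes a stolen
    table fall at billions of attempts per second."""
    return LEGACY_PREFIX + hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Salted, deliberately slow hash. The per-user salt forces each row to
    be attacked separately; the iteration count sets the cost of one guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{KDF_PREFIX}{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time check against either format; the reset sentinel never verifies."""
    if stored == RESET_REQUIRED:
        return False
    if stored.startswith(LEGACY_PREFIX):
        expected = stored[len(LEGACY_PREFIX):]
        actual = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(actual, expected)
    if stored.startswith(KDF_PREFIX):
        _, iters, salt_hex, digest_hex = stored.split("$")
        actual = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(actual.hex(), digest_hex)
    return False


def needs_upgrade(stored):
    """True when the record still uses the fast legacy scheme."""
    return stored.startswith(LEGACY_PREFIX)


def force_reset(records):
    """Site-wide reset after a database theft: every stored hash is replaced
    with the sentinel, so a password recovered from the stolen copy is
    useless here even before the user gets round to changing it."""
    for user in records:
        records[user] = RESET_REQUIRED


def login(records, user, password, iterations=DEFAULT_ITERATIONS):
    """Return 'ok', 'reset_required' or 'denied'.

    A successful login against a legacy hash is the one moment the plaintext
    is available server-side, so the record is re-hashed with the slow
    scheme on the spot; the table migrates as users log in."""
    stored = records.get(user)
    if stored is None:
        return "denied"
    if stored == RESET_REQUIRED:
        return "reset_required"
    if not verify_password(password, stored):
        return "denied"
    if needs_upgrade(stored):
        records[user] = hash_password(password, iterations)
    return "ok"


if __name__ == "__main__":
    users = {"alice": legacy_hash("hunter2"), "bob": hash_password("correct horse")}
    print(login(users, "alice", "hunter2"), needs_upgrade(users["alice"]))  # ok False
    force_reset(users)
    print(login(users, "bob", "correct horse"))  # reset_required
```

The iteration count is a tuning knob, not a constant: it should be raised as hardware gets faster and chosen so that a verification costs a noticeable fraction of a second on the site's own servers. The sentinel approach also answers the "PMs may have been compromised" worry only partially: it protects logins here, but passwords users reused elsewhere still have to be changed by the users themselves, which is why the announcement asks for that.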

Offline xyxis_fahim

  • Jr. Member
  • **
  • Posts: 213
  • Gender: Male
  • !! SMF THE BEST !!
Re: IMPORTANT: Community security breach
« Reply #13 on: July 23, 2013, 01:09:44 PM »
SMF never let me down security-wise. It's as safe as you want it to be; things like this are due to a server breach rather than the forum.
SMF IS THE BEST, FORGET THE  REST
By- The realm of underground

bloc

  • Guest
Re: IMPORTANT: Community security breach
« Reply #14 on: July 23, 2013, 01:12:40 PM »
This is not good; the admin in question should have known better IMO. On such a big site like this, it's insane to use the same password as other sites, at least if you have any kind of admin rights here.

Oh well, done is done.

Thank you for letting us know. I've changed mine just in case, though the password here was different from my personal sites.

Offline Looking

Re: IMPORTANT: Community security breach
« Reply #15 on: July 23, 2013, 01:12:47 PM »
Does the SMF team use hidden boards here to discuss admin stuff? If so they will have access to read all of that! If you had PMs where you passed on info - they will be able to read all of that - you are talking about everything since the start of SMF on the database - that is a big breach!

Offline Burke ♞ Knight

  • SMF Hero
  • ******
  • Posts: 3,534
Re: IMPORTANT: Community security breach
« Reply #16 on: July 23, 2013, 01:12:57 PM »
Changed mine.
I rather suggest changing passwords once a month at the longest, due to hackers.

bloc

Re: IMPORTANT: Community security breach
« Reply #17 on: July 23, 2013, 01:17:36 PM »
Quote from: Looking on July 23, 2013, 01:12:47 PM
Does the SMF team use hidden boards here to discuss admin stuff? If so they will have access to read all of that! If you had PMs where you passed on info - they will be able to read all of that - you are talking about everything since the start of SMF on the database - that is a big breach!
Depends on how much they got to... the db is quite big. Last I was on the team it was around 2-3 GB and it's sure to be bigger now. Quite a task just to get a backup done as I recall. So hopefully they only got the members table and PMs perhaps. The messages table would take the longest I would imagine.

Offline Bryan D

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 21,943
  • Gender: Male
  • His Royal Runicness
    • bryan.deakin.1 on Facebook
    • pouvik on GitHub
    • @bryandeakin on Twitter
Re: IMPORTANT: Community security breach
« Reply #18 on: July 23, 2013, 01:19:28 PM »
SMF is secure; just this one admin made a mistake, one that many of us have done at some point, and didn't think that they would be hit. All admins have updated their passwords and I've been working on a post for admins regarding passwords in future to help prevent this in future. I do wish to say some Thank Yous though: firstly the user that reported it (for security I'll keep this name quiet). I also wish to thank Antes for doing the correct thing, informing myself and asking the user to file a security report. Also Liroy for giving up his first proper sleep in days to take action on the server side. I know our server team are going through all the logs to find everything they can so we can about the breach! We of course will provide more information as we learn it.

Offline Chalky

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 3,335
  • Gender: Female
  • If in doubt, give me beer...
    • ChalkCat
Re: IMPORTANT: Community security breach
« Reply #19 on: July 23, 2013, 01:29:07 PM »
I just want to say thank you to all of you who are working on this for your swift action and dedication to sealing the breach and limiting the damage.  Unfortunately mistakes happen.  It's the slime who prey on such mistakes that are to blame.