IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


LiroyvH

Dear valued community members,


On the 22nd of July 2013, it was discovered that unauthorized access to our website and database had been obtained on the 20th of July.
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.
One of the admin accounts' passwords was discovered, and from there further escalation wasn't too difficult, considering admin privileges can do just about anything.

Unfortunately, we are 100% sure that our user database has been stolen.
As such we HIGHLY RECOMMEND, even implore you, to:
1.) Change your password on other websites you are using, if you use the same password there. This is very important to do, as it also will help prevent other websites being hacked through your compromised password, if it is compromised.
2.) Change your password here on our website.
3.) If you use the password you use here anywhere else, say for example to login to your webhost, it is highly urged to change it.
4.) Please note that personal messages may have also been compromised. We don't know for sure if the hacker only downloaded the user tables or not, although that's the only thing he/she is after. If they did: keep in mind that passwords you shared through PM should now be considered vulnerable. It's best not to take the risk and gamble, and just change any password you shared through PM as well.
5.) Charter members, current and past, are encouraged to change ALL passwords if they ever sent any in to us. That would include FTP.

Please keep in mind:
This is !!NOT!! a security issue with the SMF software. If you are running the latest SMF version you have nothing to fear from this hack if you use different passwords.

The method used by the hacker is that a database is downloaded from another hacked website, an attempt is made to decrypt the passwords, and if it is successful they try to log in to other websites using that username & password, or try to cross-reference by using password reset links.
Unfortunately for us, an Administrator used the same password elsewhere on another site, and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to log in here with admin rights.
Hundreds of websites have been hacked lately by using this method, so you are highly encouraged to change your passwords...

... And remember: don't use the same password on multiple sites!
It helps to prevent hacks like this.

Thank you for your consideration and we deeply apologize for any inconvenience this causes for you.
By changing your passwords, you will help ensure that other sites do not fall victim to this method of hacking and help put a halt to the hacking spree that has affected hundreds, if not thousands, of websites already.

-edit for clarification-
Yes, the passwords are stored with encryption.
Unfortunately, even encrypted passwords can be decrypted. Hence, the passwords used here should not be considered safe anymore.


Any questions, please do feel free to ask.
Please stay on topic.


Kind regards,
Board of Directors
Simple Machines
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
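The chain the announcement describes (a dump from one site is cracked offline, then the recovered username/password pairs are tried against another site) reproduced on constructed data. This is an added example, not code from the thread or from Simple Machines; the hashing schemes (unsalted SHA-1 at "site A", SHA-1 over lowercase username plus password at "site B"), the account records and the wordlist are all assumptions made up for illustration.

```python
import hashlib


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 hex digest: fast, and the same password always yields the same hash."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# --- Site A: the "other hacked website" whose dump the attacker starts from ---
# Constructed sample records (not real data). The unsalted SHA-1 scheme is an
# assumption for illustration; the thread does not say what any site used.
SITE_A_DUMP = {
    "alice": sha1_hex("Sunshine2013"),
    "bob":   sha1_hex("correct horse battery staple"),
    "carol": sha1_hex("hunter2"),
}

# Small constructed wordlist; real attacks use lists of hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "Sunshine2013", "hunter2", "qwerty"]


def crack_dump(dump: dict, wordlist: list) -> dict:
    """Dictionary attack on an unsalted dump. With no salt, every candidate is hashed
    once and that one hash is compared against all users for free."""
    lookup = {sha1_hex(word): word for word in wordlist}   # candidate hashes, computed once
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


# --- Site B: the forum the attacker moves on to with the recovered plaintexts ---
# Assumed scheme for illustration: sha1(lowercase username + password). The username
# acts as a per-user salt, which defeats the shared lookup table used above but does
# nothing against an attacker who already knows the plaintext password.
def site_b_hash(username: str, password: str) -> str:
    return sha1_hex(username.lower() + password)


SITE_B_ACCOUNTS = {
    "alice": {"hash": site_b_hash("alice", "Sunshine2013"), "admin": False},  # reused from A
    "bob":   {"hash": site_b_hash("bob", "bob-unique-pw"),   "admin": False},  # unique password
    "carol": {"hash": site_b_hash("carol", "hunter2"),       "admin": True},   # reused, and an admin
}


def site_b_login(username: str, password: str) -> bool:
    """What site B's login check does: rehash the submitted password and compare."""
    acct = SITE_B_ACCOUNTS.get(username)
    return acct is not None and acct["hash"] == site_b_hash(username, password)


def stuff_credentials(cracked: dict) -> list:
    """Try every cracked (username, password) pair against site B and return the
    accounts that open, flagging admins: that is the escalation point in the thread."""
    hits = []
    for user, password in cracked.items():
        if site_b_login(user, password):
            hits.append((user, SITE_B_ACCOUNTS[user]["admin"]))
    return hits


def run_chain() -> list:
    """Full chain: crack site A's dump, then replay the results against site B."""
    return stuff_credentials(crack_dump(SITE_A_DUMP, WORDLIST))


if __name__ == "__main__":
    for user, is_admin in run_chain():
        print(f"{user}: site B login succeeded{'  <-- ADMIN' if is_admin else ''}")
```

Note that bob survives both steps even though his site A hash is in the dump: a passphrase not in the wordlist is never recovered, so there is nothing to replay. The lesson the thread draws is the other one, visible in carol's row: site B's per-user salt is irrelevant once the password itself is known from elsewhere, and an admin reusing a password turns a foreign breach into full control.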

Looking

You are serious about this? How can this happen? Not using the SAME password is basic; I don't even know my own password, I use a key for that.

vbgamer45

Ouch that means we are going to get spammed now too. So the whole database and pms?

I am thinking a full site wide password reset is then in order.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Looking

Just updated mine.

Wondering which Admin goofed.

LiroyvH

Quote from: vbgamer45 on July 23, 2013, 12:50:27 PM
Ouch that means we are going to get spammed now too. So the whole database and pms?

That is most likely out of order, thankfully.
From what we understand and hear from other websites that have been hacked in similar fashion (eg: the Ubuntu forum, vBulletin powered), all they are after are the passwords so they can hack more websites and see how much they can get into in the end.

As such, spamming should be unlikely. That's at least one bright point about it, I guess...


gisfreak

Me fail English? That's unpossible.

Antes

Not to say much, we're truly sorry about what happened :(

jackregan

Surely they could only get encrypted passwords though, right??
Bible Study, Catholic News, Youth Group Stuff (my humble attempt at an SMF site... I'm grateful to the amazing people who have made SMF what it is!!



Raths Rants

I have always used low security passwords for forums. Time to step it up again  :o

There are various ways to build a better password that is unique to every site you visit.

This might be a good read for some people.

How to Build Better Passwords Without Losing Your Mind

I use a slightly advanced method of this. You might give it a try. Takes a bit to wrap your head around it.
The DDC Network
a lot of hard work goes into easy

LiroyvH

Yes, they are encrypted. Unfortunately it's possible to brute force with about 6.7 million (edit: 3 billion), or more, attempts *per second*.
A very interesting article about that, if you care, is located here:
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125
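What a rate like the one quoted above means in practice, and what a work-factor hash does to it, worked through as an added example (not code from the thread or from SMF). The 3 billion guesses per second figure is taken from the post; the keyspaces, the 100,000 PBKDF2 iterations and the locally measured slowdown are assumptions for illustration, and the estimate for a stretched hash is deliberately rough because an attacker's GPU implementation does not scale exactly like this machine's Python loop.

```python
import hashlib
import os
import time

GPU_GUESSES_PER_SECOND = 3e9   # the rate quoted in the thread for an unsalted fast hash
PBKDF2_ITERATIONS = 100_000    # assumed work factor for illustration

# Constructed salt; in a real store each user gets their own random salt.
SALT = os.urandom(16)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this shape at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def sha1_unsalted(password: str) -> bytes:
    """The fast scheme an attacker enjoys: one SHA-1 per guess."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def pbkdf2_stretched(password: str) -> bytes:
    """A stretched scheme: each guess costs PBKDF2_ITERATIONS rounds of HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, PBKDF2_ITERATIONS)


def measure_rate(hash_once, samples: int) -> float:
    """Hash `samples` distinct candidates with hash_once() and return hashes per second."""
    start = time.perf_counter()
    for i in range(samples):
        hash_once(f"candidate{i}")
    return samples / (time.perf_counter() - start)


def local_slowdown(fast_samples: int = 2000, slow_samples: int = 10) -> float:
    """How many times slower the stretched hash is than the fast one on this machine."""
    return measure_rate(sha1_unsalted, fast_samples) / measure_rate(pbkdf2_stretched, slow_samples)


def report() -> dict:
    """Exhaustion times for two common password shapes at the quoted GPU rate, plus a
    rough estimate of the same attack if the site had used the stretched hash."""
    slowdown = local_slowdown()
    shapes = {"8 lowercase letters": (26, 8), "8 printable ASCII": (95, 8)}
    out = {}
    for name, (alphabet, length) in shapes.items():
        fast = seconds_to_exhaust(alphabet, length, GPU_GUESSES_PER_SECOND)
        out[name] = {
            "unsalted_sha1_seconds": fast,
            "stretched_estimate_seconds": fast * slowdown,  # rough: assumes the slowdown carries over
        }
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name}: SHA-1 {row['unsalted_sha1_seconds']:.0f} s, "
              f"stretched ~{row['stretched_estimate_seconds'] / 86400:.0f} days")
```

At the quoted rate every 8-character lowercase password falls in about 70 seconds, and the full 8-character printable-ASCII space in roughly 25 days, so length and a large alphabet alone are not enough against an unsalted fast hash; a per-user salt and a configurable work factor are what push the cost back onto the attacker.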

xyxis_fahim

SMF never let me down security wise. It's as safe as you want it to be; things like this are due to a server breach rather than the forum.

bloc

This is not good; the admin in question should have known better IMO. On such a big site like this, it's insane to use the same password as on other sites, at least if you have any kind of admin rights here.

Oh well, done is done.

Thank you for letting us know. I've changed mine just in case, though the password here was different from my personal sites.

Looking

Does the SMF team use hidden boards here to discuss admin stuff? If so they will have access to read all of that! If you had PMs where you passed on info - they will be able to read all of that - you are talking about everything since the start of SMF on the database - that is a big breach!

Burke ♞ Knight

Changed mine.
I rather suggest changing passwords once a month at the longest, due to hackers.

bloc

Quote from: Looking on July 23, 2013, 01:12:47 PM
Does the SMF team use hidden boards here to discuss admin stuff? If so they will have access to read all of that! If you had PMs where you passed on info - they will be able to read all of that - you are talking about everything since the start of SMF on the database - that is a big breach!
Depends on how much they got to... the db is quite big. Last time I was on the team it was around 2-3 GB and it's sure to be bigger now. Quite a task just to get a backup done, as I recall. So hopefully they only got the members table and PMs perhaps. The messages table would take the longest, I would imagine.

Deaks

SMF is secure; just this one admin made a mistake, one that many of us have made at some point, not thinking that we would be hit. All admins have updated their passwords, and I've been working on a post for admins regarding passwords in future to help prevent this. I do wish to say some thank yous, though: firstly the user that reported it (for security I'll keep this name quiet). I also wish to thank Antes for doing the correct thing, informing me and asking the user to file a security report. Also Liroy, for giving up his first proper sleep in days to take action on the server side. I know our server team are going through all the logs to find everything they can about the breach! We of course will provide more information as we learn it.
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

Chalky

I just want to say thank you to all of you who are working on this for your swift action and dedication to sealing the breach and limiting the damage.  Unfortunately mistakes happen.  It's the slime who prey on such mistakes that are to blame.
