• Welcome to Simple Machines Community Forum. Please login or sign up.
December 07, 2021, 11:25:37 PM

News:

SMF 2.1 RC4 has been released! Try it out and help us test! :) Read more.


IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM

Previous topic - Next topic

LiroyvH

Quote
  By the way, why the hell is necessarily as ALL admins have access to the database? They play mysql with our accounts every day? Databases should be exposed only to one, maximul two server admins.

You know how SMF works, right? :)
The software itself has access to the database, as such a admin account has at least some access to the database.
With some tools, that's a lot of information you can obtain simply by reading out the database.

Quote
I'm just saying I'm a lawyer and I'd love to be a prosecutor on a case like this...

I'm not really too interested in a legal argument, but what exactly is it you would want to prosecute the victim of a hack for?
Hacking is illegal, being hacked is something entirely different.

That's like saying you want to prosecute the owner of a liquor shop that got robbed.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

exxocet

Yes, if that liquor shop holds my goods just lost them. What you gonna do if a bank get robbed and it holds your economies? You won't ask your money back just because they got robbed?
SM lost our goods (identities) and there is no way to get them back, as now those are public.

Regarding database access, I know the admin have access to the db, but I thought this is a personalized install, not a regular vanilla install.

Daniel15

Quote from: exxocet on July 23, 2013, 05:24:13 PM
By the way, why the hell is necessarily as ALL admins have access to the database? They play mysql with our accounts every day? Databases should be exposed only to one, maximul two server admins.
Once you have admin access to SMF, you can upload custom code via a package and basically do whatever you want.

QuoteDepends on how much they got to..the db is quite big. Last i was on the team it was around 2-3 gb and its sure to be bigger now.
You haven't seen big until you see a 300 GB database. Those are fun to deal with. :P
(not a forum database, but a database at work is close to that size)
Daniel15, former Customisation team member, resigned due to lack of time. I still love everyone here :D.
Go to smfshop.com for SMFshop support, do NOT email or PM me!

exxocet


LiroyvH

Quote
SM lost our goods (identities) and there is no way to get them back, as now those are public.

And that happened due to theft. (Note that "identity" (nickname + email) is not a tangible good in this scenario and you didn't lose it, you still have it. The problem is someone has *a copy* of that information. Which is of course a entirely different situation.)
Also, by signing the registration agreement you agree never to hold SM liable for anything.

Look, I understand this is highly annoying. We, obviously, don't like it that our site was compromised either and I understand your frustration... Trust me, I share it. It's as much a pain to the staff as it is to users.
But I feel it's a bit of a long shot to actually say we are responsible for the fact that the hacker decided to hack in to our system and steal all the information as if we told him/her to do it. :)
We did our very best to limit the impact of the theft and let everyone know as soon as possible, I'm not sure what else you want from us. :)

Anyway, if you really want to discuss that; perhaps it's better to either move to PM or if you feel that you want to publicly talk about it: the chit chat section. (Do note: I do not promise any response.) It is after all offtopic here as this topic serves the purpose of informing users on what happened and what to do now to protect themselves. :)

For what it's worth, we do sincerely apologize for any inconvenience you may have due to this data theft.

Thanks! :)
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

vbgamer45

I got the email subject was odd though "Simple Machines Community Forum: Onderwerp"
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Burke ♞ Knight

CoreISP is right. What is done, is done.
There is no way to blame SMF, or anyone else, except of course, the hackers.
I really believe that as long as people change their passwords, all will be fine.
That is a reason why I seriously recommend changing passwords often.
Not only on website, but also for personal things, like emails, chats, web hosts/servers, etc.

[yub] Lazo

I do not understand why now should argue about these things. The hacker has alredy done his mess, now it is time to just do the best that is possible that this don't hapens again. And of course the admin whose data they have stolen is anonymous now, it is better that way because more problems could actually happen that would not help at this time.

Dynamic forum signatures v1.2

Trekkie101

Quote from: vbgamer45 on July 23, 2013, 06:09:17 PM
I got the email subject was odd though "Simple Machines Community Forum: Onderwerp"

That's a bug. Liroy's sent it, causing it to send his language over.

Horme Gaming

Quote from: [yub] Lazo on July 23, 2013, 06:14:20 PM
I do not understand why now should argue about these things. The hacker has alredy done his mess, now it is time to just do the best that is possible that this don't hapens again. And of course the admin whose data they have stolen is anonymous now, it is better that way because more problems could actually happen that would not help at this time.

Truer words have seldom been spoken :)

[yub] Lazo

Quote from: Runic on July 23, 2013, 06:39:23 PM
Truer words have seldom been spoken :)

I know this was not a issue caused by the SMF system, but I think this situation will help in some ways to do the SMF system even more secure. I still think that this is just a good point to see how good the community can stand together in hard days. :)

Dynamic forum signatures v1.2

GravuTrad

On a toujours besoin d'un plus petit que soi! (Petit!Petit!)


Think about Search function before posting.
Pensez à la fonction Recherche avant de poster.

jrstark

Check your profile here, my preferred language was Albanian ;-)

Didn't notice any other changes.

Horme Gaming

thats nothing to do with the hack attempt jrstark, that shows when you didnt set a language has done for years :P

MacGig

this happened to ubuntu forums the other day. 1.8 million accounts compromised. that site is still down.

anyone here use lastpass? I hear its the best thing to do, use a password manager which creates long and different passwords for every site. any thoughts password managers like lastpass?

Horme Gaming

yeh it was the same hackers, and luckily we have a team that dont sleep lol

lc62003

People who wanna bash.....go back to listening to your Haties music.   ;D

We can see this as a horrific incident, roll in misery, and gain nothing from it.  We could also run over to one the "other" sites that haven't been hacked YET.  OR, we can see this as a learning opportunity.  The SMF team has already posted information to increase the security on our sites.  That's a big positive in itself.  I get the suspicion more good info will be posted when the time comes.  Good things come to those who wait.   8)

ARG01

All of my passwords associated with SMF sites have been changed. Thanks to the SMF staff for informing us in a timely manner.  ;)
No, I will not offer free downloads to Premium DzinerStuido themes. Please stop asking.

IchBin™

Ouch, this sucks. Glad you guys caught the issue quickly. Changing passwords even if I do use different ones. :)
IchBin™        TinyPortal

Horme Gaming


Advertisement: