
Author Topic: IMPORTANT: Community security breach  (Read 2007242 times)

Offline BryanD

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 22,008
  • Gender: Male
    • BryanRunicDeakin on Facebook
    • @bryandeakin on Twitter
    • Bryan Deakin dot Com
Re: IMPORTANT: Community security breach
« Reply #40 on: July 23, 2013, 02:26:55 PM »
We're all worried, my friend, but we are doing what we can and have implemented new security measures for admins to stop it happening again.

Offline Simple Site Designs

  • Jr. Member
  • **
  • Posts: 100
  • Gender: Male
    • Simple Site Designs
Re: IMPORTANT: Community security breach
« Reply #41 on: July 23, 2013, 02:27:42 PM »
No email alert here either. Saw on FB

Online vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,244
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: IMPORTANT: Community security breach
« Reply #42 on: July 23, 2013, 02:28:01 PM »
Also reset simplemachinesforum.org too if you can, those passes at least for all team members there.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 54,912
  • Gender: Male
    • Kindred-999 on GitHub
Re: IMPORTANT: Community security breach
« Reply #43 on: July 23, 2013, 02:28:26 PM »
I am a fairly low number on the user list... but the announcement has made it through at least 1500 users.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline BryanD

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 22,008
  • Gender: Male
    • BryanRunicDeakin on Facebook
    • @bryandeakin on Twitter
    • Bryan Deakin dot Com
Re: IMPORTANT: Community security breach
« Reply #44 on: July 23, 2013, 02:28:47 PM »
vbgamer, we don't actually have access to that site, that's hosted and controlled by Compu

Offline SpyDie

  • Semi-Newbie
  • *
  • Posts: 31
  • Gender: Male
    • The LandzDown Forum
Re: IMPORTANT: Community security breach
« Reply #45 on: July 23, 2013, 02:33:57 PM »
You could always force a password reset for everyone's accounts, in a similar way Twitter did when they had their attack (I believe they did this).
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

Offline xrunner

  • Sophist Member
  • *****
  • Posts: 1,019
  • Gender: Male
  • Karma +584/-1
Re: IMPORTANT: Community security breach
« Reply #46 on: July 23, 2013, 02:34:39 PM »
Quote
That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

I never got any email about it from this place. I just found out about it from another forum! Good grief.

Offline Tony Reid

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,148
  • Gender: Male
    • @AbsoluteBreeze on Twitter
    • www.fertilityfriends.co.uk
Re: IMPORTANT: Community security breach
« Reply #47 on: July 23, 2013, 02:36:08 PM »
xRunner, There are 320,000 members to email - the email server is going as fast as it can.
Tony Reid


My Big Board
www.FertilityFriends.co.uk/forum - An SMF powered forum with over 5 million posts

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 54,912
  • Gender: Male
    • Kindred-999 on GitHub
Re: IMPORTANT: Community security breach
« Reply #48 on: July 23, 2013, 02:38:39 PM »
Once again... the system is working its heart out sending those emails.
I received mine, but my user ID is below 1,500.
For those of you with user IDs in the 130,000 range or the 300,000 range, it may take a little while for the system to get your email sent out.


Offline xrunner

  • Sophist Member
  • *****
  • Posts: 1,019
  • Gender: Male
  • Karma +584/-1
Re: IMPORTANT: Community security breach
« Reply #49 on: July 23, 2013, 02:39:18 PM »
What the Hell is going on out there? Last week I got a notice that the NASDAQ site was hacked. Then a few days ago I got an email from the Ubuntu forum that they were hacked. Now the SM forum is hacked. I'm starting to get worried about security like never before.

Offline Tony Reid

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,148
  • Gender: Male
    • @AbsoluteBreeze on Twitter
    • www.fertilityfriends.co.uk
Re: IMPORTANT: Community security breach
« Reply #50 on: July 23, 2013, 02:40:13 PM »
Quote
I'm starting to get worried about security like never before.

That's a good thing :)


Offline BryanD

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 22,008
  • Gender: Male
    • BryanRunicDeakin on Facebook
    • @bryandeakin on Twitter
    • Bryan Deakin dot Com
Re: IMPORTANT: Community security breach
« Reply #51 on: July 23, 2013, 02:40:39 PM »
The simple rule is don't use the same password, use a different password for each site :)

Offline CoreISP

  • Server Admin
  • Server Team
  • SMF Super Hero
  • *
  • Posts: 16,866
  • Gender: Male
  • CoreISP.net
    • liroyvh on LinkedIn
    • @liroyvh on Twitter
    • CoreISP Corporation :: WebHosting, Dedicated Servers, and more!
Re: IMPORTANT: Community security breach
« Reply #52 on: July 23, 2013, 02:52:47 PM »
Quote
Then a few days ago I got an email from the Ubuntu forum that they were hacked.

Our information says that was the same person behind it. Exactly the same method, too.
- CoreISP.net Corporation -
  WebHosting, Colocation, Domain Registration & Network Services
- DedicatedBox.us Servers -
  Low priced Servers in a high-quality Network, the place for all your (advanced) server needs.
  We specialize in hosting big boards. Contact us!

((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Offline DragoN_PT

  • Jr. Member
  • **
  • Posts: 107
  • Gender: Male
Re: IMPORTANT: Community security breach
« Reply #53 on: July 23, 2013, 02:53:15 PM »
Well, nice move SMF *Admin.. Guess it's time to move on..   :-[

Offline Simple Site Designs

  • Jr. Member
  • **
  • Posts: 100
  • Gender: Male
    • Simple Site Designs
Re: IMPORTANT: Community security breach
« Reply #54 on: July 23, 2013, 02:53:40 PM »
Quote
The simple rule is don't use the same password, use a different password for each site :)

This is all well and good in theory, but unfortunately not done in practice by a great many (dare I say majority) of users. Perhaps some will learn to change their way after this breach, but more concerning is data that may be harvested from PM's and support messages (as has been noted). Users should also always use strong passwords and we (experts) have been telling them that for a long time, but without forcing it, it is often not adhered to.

I'm on a 9 week long holiday and if I had not been careful to ensure I had internet access (it is hard to get in a lot of the places I am visiting), I may well have not known about this breach for some time. I thankfully do not use the same password for everything and was able to secure the one account that could have been accessed by a password sent in a PM. Others may not be in a position to do the same.

There is little point reiterating what people should have done... It is already done. Instead we should highlight how people can protect themselves from further exposure.

My number 1 tip is if your SMF password was the same as any email account you use, change it first, change it now and change it to something strong! If your email is compromised, you are stuffed.

Offline BryanD

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 22,008
  • Gender: Male
    • BryanRunicDeakin on Facebook
    • @bryandeakin on Twitter
    • Bryan Deakin dot Com
Re: IMPORTANT: Community security breach
« Reply #55 on: July 23, 2013, 02:58:24 PM »
Of course it's easier said than done, and I am guilty of not following the theory as well, but doesn't make it any less of good practice ;)

Offline CoreISP

  • Server Admin
  • Server Team
  • SMF Super Hero
  • *
  • Posts: 16,866
  • Gender: Male
  • CoreISP.net
    • liroyvh on LinkedIn
    • @liroyvh on Twitter
    • CoreISP Corporation :: WebHosting, Dedicated Servers, and more!
Re: IMPORTANT: Community security breach
« Reply #56 on: July 23, 2013, 03:00:44 PM »
Quote
There is little point reiterating what people should have done... It is already done. Instead we should highlight how people can protect themselves from further exposure.

Yes, that is the most important goal at this point.


Also please let me stress this point again:
It is *not* a security flaw within the SMF software.

Offline Tony Reid

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,148
  • Gender: Male
    • @AbsoluteBreeze on Twitter
    • www.fertilityfriends.co.uk
Re: IMPORTANT: Community security breach
« Reply #57 on: July 23, 2013, 03:08:40 PM »
A lot of good can come out of this. As a community we can do better.

Even though the breach was due to a dumb password error by an admin, and it wasn't an exploit of the SMF software, we could look at enhancing SMF in many other ways.

2FA perhaps, HTTPS at logon, separate fields in helpdesk for username/password - which get truncated every 24 hours. Segregation of admin and installer rights on the forum. Automatic password renewal every 90 days.

Automatic detection of password sharing in the forum (including PM's). I am sure there are many other ideas we could list.

The only thing is that as a community we need to pull together and get security enhancements like this done. It cannot be left just to the developers - they already have too much else on.

We need to pull together and make it happen.


Offline FrizzleFried

  • Drama-Monger
  • Sr. Member
  • ****
  • Posts: 754
Re: IMPORTANT: Community security breach
« Reply #58 on: July 23, 2013, 03:08:50 PM »
I think my only question would be that if you detected this "issue" YESTERDAY... why did it take until TODAY to report it?


Offline FrizzleFried

  • Drama-Monger
  • Sr. Member
  • ****
  • Posts: 754
Re: IMPORTANT: Community security breach
« Reply #59 on: July 23, 2013, 03:10:21 PM »
Thanks for the information, changed mine also thanks Antes for the message he just sent me ;)

That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

Thank you :)

I just checked all 3 of my email addresses and no notification was found.

EDIT: Well, my user id is in the 300K range so I'll not hold my breath for some time.

:)