
IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


Ronald_1938

Thanks for the report.. Good to know you're ahead of it..

I also changed my password..

Ron..

Herman's Mixen

Thanks for the information, changed mine also. Thanks Antes for the message he just sent me ;)
Kind regards, The Burglar!

 House Mixes | Mixcloud | Any Intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Albert Einstein

Former Godfather of our dutch community ;)

LiroyvH

Quote from: The Burglar! on July 23, 2013, 01:35:04 PM
Thanks for the information, changed mine also. Thanks Antes for the message he just sent me ;)

That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

Thank you :)
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Herman's Mixen

I don't read that email much as it's an old account which I don't see much....
I'd like to change the email someday to my own one... as Antes did mention it... I logged into the email account, then yes, I got the announcement...


vbgamer45

Haven't seen any notifications yet but probably has a lot of email to send out for the community

Crip

I have become comfortably numb!


I remember my mother's prayers and they have always followed me.
   - Abraham Lincoln -



TOTM Winner. | Demo Site1on1 Theme Support

Tomy Tran

I have changed my pass, but we lost another: our address. They now have a huge number of email addresses to sell to spammers.

By the way, pay attention to your Secret Question/Answer <== it has been lost, and this way some other accounts may be hacked.

Bas

How can they guess a password? That can only be done if it was too simple in the first place.
I would fire that admin ;D

Greetings Bas.

Antes

Quote from: Bas on July 23, 2013, 01:57:37 PM
How can they guess a password? That can only be done if it was too simple in the first place.
I would fire that admin ;D

Quote from: CoreISP on July 23, 2013, 01:08:59 PM
Yes, they are encrypted. Unfortunately it's possible to brute force with about 6.7 million 3 billion, or more, attempts *per second*.
A very interesting article about that, if you care, is located here:
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125

Adrek

Password changed everywhere :)

Quote from: CoreISP on July 23, 2013, 01:35:49 PM
That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.
I didn't get any email about this incident.
Polish SMF support at simplemachines.org

the simplest solution is most likely the right one

Tony Reid

Quote from: ChalkCat on July 23, 2013, 01:29:07 PM
I just want to say thank you to all of you who are working on this for your swift action and dedication to sealing the breach and limiting the damage.  Unfortunately mistakes happen.  It's the slime who prey on such mistakes that are to blame.

I agree.

My main concern other than users sharing usernames and passwords via PM is that the helpdesk may contain usernames and passwords - Was the helpdesk database compromised? I realise the announcement has gone out - but if the helpdesk has been compromised do we need to take further steps and reiterate to people who have used the helpdesk?

Thanks for the fast action on this.
Tony Reid

Owdy

Quote from: Tony Reid on July 23, 2013, 02:07:51 PM
My main concern other than users sharing usernames and passwords via PM
This!
Former Lead Support Specialist

Need help with your SMF forum? I take on jobs, read: http://www.simplemachines.org/community/index.php?topic=375918.0

Tony Reid

Oh - and we need to force users to change their passwords on this site asap.

It's standard practice with breaches like this.



Tony Reid

Deaks

We are still investigating but are assuming the worst, so at this we are running under premise that use it has been we will be working with charter members to change their passwords if they do not know how, I have also spoken to a couple of our hosts on here asking them to remind their users that use SMF to update their passwords for their sites.
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

Kindred

Yes, we are aware of the potential information which is available in PMs and from the helpdesk records.

We are still attempting to figure out exactly WHAT information was garnered, but we did not want to delay the notification of the main issue while we narrowed down details on potentials.

I believe that we are also working to inform charter members separately.

Luckily, I do not believe that there are any currently open tickets with connection details.

Finally, just a general security note: Any time you share connection details, even with the trustworthy staff here - it is always good to change the password(s) after your issue is resolved.

Tony,
I am not aware of any feature in SMF which forces users to change their password.

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Ronald_1938

Quote from: The Burglar! on July 23, 2013, 01:38:56 PM
I don't read that email much as it's an old account which I don't see much....
I'd like to change the email someday to my own one... as Antes did mention it... I logged into the email account, then yes, I got the announcement...

Did not get an email, I saw it on my Facebook

Deaks

OldCrow may take a few hours with the size of member list :P

Ronald_1938

Quote from: Runic on July 23, 2013, 02:22:38 PM
OldCrow may take a few hours with the size of member list :P

No problem Bryan, I'm not worried about this, I know you and the others have it under control. What happens, happens..

Colin

Thanks for your understanding. I can say with confidence that everything possible to minimize the damage and prevent this from happening again is happening.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Tony Reid

Kindred - there was once a method used with a flag on a table that forced users to update when logging in. It was used if their password was stored in MD5, and that updated it to salted SHA1.

I guess the alternative is to do something forced with a password reset - or custom code something.

Tony Reid
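Added example (not part of the thread and not SMF's code): a sketch of the mechanism described in the post above, where a per-member flag forces a password change at login and a legacy hash is upgraded at the moment the plaintext is available. Assumptions: an in-memory dict stands in for the members table, the field names (`scheme`, `force_reset`) are hypothetical, and PBKDF2-SHA256 is used as the upgrade target in place of the salted SHA1 the post mentions.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # assumed PBKDF2 work factor for this sketch


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS).hex()


def legacy_member(password):
    # Constructed sample row: unsalted MD5, as in the old scheme the post mentions.
    return {"scheme": "md5", "salt": b"", "hash": md5_hex(password), "force_reset": False}


def flag_all_for_reset(members):
    # The "flag on a table": set once for every member after an incident.
    for row in members.values():
        row["force_reset"] = True


def login(members, name, password):
    row = members.get(name)
    if row is None:
        return "denied"
    check = md5_hex if row["scheme"] == "md5" else (lambda p: pbkdf2_hex(p, row["salt"]))
    if not hmac.compare_digest(check(password), row["hash"]):
        return "denied"
    if row["scheme"] == "md5":
        # Plaintext is only available at login, so this is the moment to re-hash.
        row["salt"] = os.urandom(16)
        row["hash"] = pbkdf2_hex(password, row["salt"])
        row["scheme"] = "pbkdf2"
    # A flagged account authenticates but gets no session until it changes password.
    return "must_change_password" if row["force_reset"] else "ok"


def change_password(members, name, old, new):
    if login(members, name, old) == "denied" or new == old:
        return False
    row = members[name]
    row["salt"] = os.urandom(16)
    row["hash"] = pbkdf2_hex(new, row["salt"])
    row["scheme"], row["force_reset"] = "pbkdf2", False
    return True
```

The flag only gates on knowledge of the old password, which after a breach is itself suspect; the forced password reset mentioned as the alternative avoids relying on it.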
