
IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


Deaks

We're all worried, my friend, but we are doing what we can and have implemented new security measures for admins to stop it happening again.
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

Simple Site Designs

No email alert here either. Saw it on FB.

vbgamer45

Also reset simplemachinesforum.org too if you can, those passes at least for all team members there.
Community Suite for SMF - Take your forum to the next level built for SMF: Gallery, Store, Classifieds, Downloads, more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Kindred

I am a fairly low number on the user list.... but the announcement has made it through at least 1500 users
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Deaks

vbgamer, we don't actually have access to that site; that's hosted and controlled by Compu.

SpyDie

You could always force a password reset for everyone's accounts, in a similar way Twitter did when they had their attack (I believe they did this).
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

xrunner

Quote from: CoreISP on July 23, 2013, 01:35:49 PM
That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

I never got any email about it from this place. I just found out about it from another forum! Good grief.

Tony Reid

xRunner, there are 320,000 members to email - the email server is going as fast as it can.
Tony Reid

Kindred

Once again...   the system is working its heart out sending those emails.
I received mine, but my user ID is below 1,500.
For those of you with user IDs in the 130,000 range or the 300,000 range, it may take a little while for the system to get your email sent out.

xrunner

What the Hell is going on out there? Last week I got a notice that the NASDAQ site was hacked. Then a few days ago I got an email from the Ubuntu forum that they were hacked. Now the SM forum is hacked. I'm starting to get worried about security like never before.

Tony Reid

Quote from: xrunner on July 23, 2013, 02:39:18 PM
I'm starting to get worried about security like never before.

That's a good thing :)

Deaks

The simple rule is don't use the same password; use a different password for each site :)

LiroyvH

Quote
Then a few days ago I got an email from the Ubuntu forum that they were hacked.

Our information says that was the same person behind it. Exactly the same method, too.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

DragoN_PT

Well, nice move, SMF *Admin.. Guess it's time to move on..   :-[

Simple Site Designs

Quote from: Runic on July 23, 2013, 02:40:39 PM
The simple rule is don't use the same password; use a different password for each site :)

This is all well and good in theory, but unfortunately not done in practice by a great many (dare I say the majority) of users. Perhaps some will learn to change their ways after this breach, but more concerning is data that may be harvested from PMs and support messages (as has been noted). Users should also always use strong passwords, and we (experts) have been telling them that for a long time, but without forcing it, it is often not adhered to.

I'm on a 9-week-long holiday, and if I had not been careful to ensure I had internet access (it is hard to get in a lot of the places I am visiting), I may well not have known about this breach for some time. I thankfully do not use the same password for everything and was able to secure the one account that could have been accessed by a password sent in a PM. Others may not be in a position to do the same.

There is little point reiterating what people should have done... It is already done. Instead we should highlight how people can protect themselves from further exposure.

My number 1 tip is: if your SMF password was the same as any email account you use, change it first, change it now, and change it to something strong! If your email is compromised, you are stuffed.

Deaks

Of course it's easier said than done, and I am guilty of not following the theory as well, but that doesn't make it any less good practice ;)

LiroyvH

Quote
There is little point reiterating what people should have done... It is already done. Instead we should highlight how people can protect themselves from further exposure.

Yes, that is the most important goal at this point.

Also please let me stress this point again:
It is *not* a security flaw within the SMF software.

Tony Reid

A lot of good can come out of this. As a community we can do better.

Even though the breach was due to a dumb password error by an admin, and it wasn't an exploit of the SMF software, we could look at enhancing SMF in many other ways.

2FA perhaps, HTTPS at logon, separate fields in helpdesk for username/password - which get truncated every 24 hours. Segregation of admin and installer rights on the forum. Automatic password renewal every 90 days.

Automatic detection of password sharing in the forum (including PMs). I am sure there are many other ideas we could list.

The only thing is that as a community we need to pull together and get security enhancements like this done. It cannot be left just to the developers - they already have too much else on.

We need to pull together and make it happen.
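
The "automatic detection of password sharing in the forum (including PMs)" idea from the post above, as an added example that is not part of this thread or of the SMF code base: a small Python scanner that flags, and can redact, values that look like a password pasted into message text. The sample messages are constructed, and the keyword patterns, the minimum value length and the `[REDACTED]` mask are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample PM / helpdesk messages (invented for this example, not real data).
SAMPLE_MESSAGES = [
    "Hi, my admin login is deaks and the password: Tr0ub4dor&3 thanks",
    "Can you check why the Gallery mod fails to install?",
    "ftp details - user: webmaster pass=hunter2, host ftp.example.test",
    "I forgot my password, can you reset it?",
]

# A credential keyword, a separator ("is", ":", "=" or "-"), then the value.
# The value may not contain whitespace, commas or semicolons, so trailing
# punctuation such as the comma after "hunter2" is not swallowed.
CRED_RE = re.compile(
    r"\b(pass(?:word|wd|phrase)?|pw|pwd)\b\s*(?:is|:|=|-)\s*([^\s,;]{4,})",
    re.IGNORECASE,
)


@dataclass
class Finding:
    keyword: str  # which keyword triggered the match
    start: int    # offset of the secret value inside the text
    end: int


def find_credentials(text: str) -> List[Finding]:
    """Return the positions of values that look like a shared password."""
    return [Finding(m.group(1), m.start(2), m.end(2)) for m in CRED_RE.finditer(text)]


def redact(text: str, mask: str = "[REDACTED]") -> str:
    """Replace every detected secret value with mask, keeping the surrounding text."""
    out, last = [], 0
    for f in find_credentials(text):
        out.append(text[last:f.start])
        out.append(mask)
        last = f.end
    out.append(text[last:])
    return "".join(out)


def scan_messages(messages: List[str]) -> dict:
    """Map each message index to its findings; an empty list means nothing detected."""
    return {i: find_credentials(m) for i, m in enumerate(messages)}


if __name__ == "__main__":
    for i, findings in scan_messages(SAMPLE_MESSAGES).items():
        if findings:
            print(f"message {i}: {len(findings)} credential(s) -> {redact(SAMPLE_MESSAGES[i])}")
```

A pattern scanner like this has false positives (a sentence such as "my password is weak" would trigger it), so it is better used to flag a message for review or to warn the sender before sending than to drop messages silently.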

FrizzleFried

I think my only question would be that if you detected this "issue" YESTERDAY... why did it take until TODAY to report it?


FrizzleFried

Quote from: CoreISP on July 23, 2013, 01:35:49 PM
Quote from: The Burglar! on July 23, 2013, 01:35:04 PM
Thanks for the information, changed mine also; thanks Antes for the message he just sent me ;)

That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

Thank you :)

I just checked all 3 of my email addresses and no notification was found.

EDIT: Well,  my user id is in the 300K range so I'll not hold my breath for some time.

:)
