All times are UTC - 8 hours
Post new topic Reply to topic  [ 18 posts ]  Go to page 1, 2  Next
 Post subject: User database hacked into
PostPosted: Fri Aug 26, 2011 3:00 pm 

Joined: Sat Feb 04, 2006 9:19 am
Posts: 2156
If you have come across this thread, you will already know that the user database was hacked into via SQL injection some months back. TWICE, by some accounts.

Unfortunately, I was unable to download the files and verify their authenticity because they have been taken down. But going by those who have, they seem to be authentic.

The file contains the username, email address and MD5 hashes of the passwords. The first two are already publicly available, but the MD5 hashes are a potential worry, since someone could theoretically run a brute-force attack and reverse-engineer the passwords. As such, I think it is best to change your passwords in the interest of security. I know I have done so.

If this is truly an SQL injection attack, I think we are lucky in a sense, because potentially the hacker could have deleted everything in the database. Although I do have daily backups, it will still be a major inconvenience for us.

I spent the whole of last night doing a code review and ended up overhauling the database module and making sure all SQL parameters are automatically checked and escaped before going to the database engine. There was a manual system in place previously, but being manual, some code tends to slip through that does not properly check/escape input parameters.

I hope with this change, TPFC is more secure now against SQL injection attacks. I will be keeping my fingers crossed...


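As an added illustration of the change Andrew describes (this is not the forum's or phpBB's own code): a central database wrapper whose only entry point binds values as parameters, shown beside the string-concatenation pattern that a manual check/escape regime lets slip through. Python's sqlite3 stands in for the PHP/MySQL stack; the table, the sample accounts and the `SafeDb` wrapper are constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the forum's user table (sample rows, not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "alice@example.invalid", "hash-a"),
                      ("bob", "bob@example.invalid", "hash-b")])
    return conn

def login_unsafe(conn, username, pw_hash):
    # The pattern that slips through a manual escaping regime: the value is pasted
    # into the SQL text, so a quote inside it becomes part of the query itself.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    return [row[0] for row in conn.execute(sql)]

class SafeDb:
    """Hypothetical database module: every query goes through one method that binds
    values as parameters, so the engine never parses user input as SQL. The quote
    check is a simple policy that flags code still building literals into SQL text."""
    def __init__(self, conn):
        self._conn = conn

    def query(self, sql, params=()):
        if "'" in sql:
            raise ValueError("string literal in SQL text; pass values via params")
        return self._conn.execute(sql, params).fetchall()

def login_safe(db, username, pw_hash):
    rows = db.query("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                    (username, pw_hash))
    return [row[0] for row in rows]

if __name__ == "__main__":
    conn = make_db()
    probe = "alice' --"   # a quote followed by an SQL comment, with no valid hash supplied
    print(login_unsafe(conn, probe, "not-the-hash"))        # ['alice']: hash check commented out
    print(login_safe(SafeDb(conn), probe, "not-the-hash"))  # []: the whole string is one literal
```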
 Post subject: Re: User database hacked into
PostPosted: Fri Aug 26, 2011 11:19 pm 

Joined: Sat Mar 31, 2007 2:38 am
Posts: 890
Location: Kce,PL
I think that you should force the password change. Or send a PM to everybody.
Casual users will miss this message.



 Post subject: Re: User database hacked into
PostPosted: Sat Aug 27, 2011 12:52 am 

Joined: Sat Feb 04, 2006 9:19 am
Posts: 2156
Good idea! I have notified all users via mass email from phpBB's control panel.


 Post subject: Re: User database hacked into
PostPosted: Sat Aug 27, 2011 1:04 am 

Joined: Sat Mar 31, 2007 2:38 am
Posts: 890
Location: Kce,PL
Andrew Lee wrote:
Good idea! I have notified all users via mass email from phpBB's control panel.

I think that PM is better because it's not uncommon to have throw away accounts for spam that are never checked, yet everybody who actually uses their account will see a PM notification eventually.



 Post subject: Re: User database hacked into
PostPosted: Sat Aug 27, 2011 1:08 am 

Joined: Thu May 15, 2008 12:38 pm
Posts: 2
m^(2) wrote:
I think that PM is better because it's not uncommon to have throw away accounts for spam that are never checked, yet everybody who actually uses their account will see a PM notification eventually.

The other side of that coin is that users, who have just about forgotten about this forum, are reminded that it exists.
(2nd post in over 4 years ;) ).


 Post subject: Re: User database hacked into
PostPosted: Sat Aug 27, 2011 4:46 am 

Joined: Tue Nov 28, 2006 3:26 pm
Posts: 251
already changed it a couple of days ago when I first heard of the attack.

_________________
My personal blog


 Post subject: Re: User database hacked into
PostPosted: Sat Aug 27, 2011 6:13 am 

Joined: Wed Jan 30, 2008 9:49 am
Posts: 7
Were the MD5 hashes generated with a salt value or only using the password? I believe PHPBB uses a salt, which limits the effectiveness of rainbow table attacks.


 Post subject: Re: User database hacked into
PostPosted: Sat Aug 27, 2011 7:19 am 

Joined: Sun May 03, 2009 6:07 am
Posts: 2
Location: Barrie, Ontario
A phpbb forum lookup shows that PHPBB 3 apparently uses a variant of salted hashes. Not too secure, since the code that phpbb uses to hash is public and I just saw a post advising how to decrypt the phpbb 3 functions.

The lash, salt in the wounds and boiling oil for the eejuts responsible for wasting Andrew's and our time on this.


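Added here to illustrate the point of the two posts above about salting (it is not phpBB's hashing code; the thread does not give its exact scheme): the same password hashed with plain MD5 is found at once in a precomputed lookup table, while a per-user random salt makes every stored hash different and useless to such a table. The storage format, the four-word table and the helper names are constructed for this example.

```python
import hashlib
import os

# Constructed four-word stand-in for a precomputed MD5 lookup (rainbow) table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def unsalted(password: str) -> str:
    # Worst case: md5(password) alone, so every user with this password stores the same hash.
    return md5_hex(password.encode())

def new_salt() -> bytes:
    # Per-user random salt; it is stored in the clear and only has to be unique per user.
    return os.urandom(8)

def salted(password: str, salt: bytes) -> str:
    # Constructed storage format "<salt hex>$<md5(salt || password)>".
    return salt.hex() + "$" + md5_hex(salt + password.encode())

def verify_salted(password: str, stored: str) -> bool:
    # Recompute with the stored salt; this is all the login check needs.
    salt_hex, _ = stored.split("$", 1)
    return salted(password, bytes.fromhex(salt_hex)) == stored

# digest -> password, computed once up front; this is all a lookup table is.
LOOKUP = {unsalted(p): p for p in COMMON_PASSWORDS}

def table_lookup(stored: str):
    """The password if the digest part of `stored` is in the precomputed table, else None."""
    return LOOKUP.get(stored.split("$")[-1])

def demo(password: str = "letmein") -> dict:
    plain = unsalted(password)
    user_a = salted(password, new_salt())
    user_b = salted(password, new_salt())
    return {
        "unsalted_found_in_table": table_lookup(plain),    # the password itself
        "salted_found_in_table": table_lookup(user_a),     # None: salt changed the digest
        "same_password_same_hash": user_a == user_b,       # False: salts differ
        "salted_still_verifies": verify_salted(password, user_a),  # True
    }

if __name__ == "__main__":
    print(demo())
```

Salting defeats precomputation but not brute force against one fast MD5 hash at a time, which is why the advice in this thread to change the password still stands.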
 Post subject: Re: User database hacked into
PostPosted: Sat Aug 27, 2011 9:04 am 

Joined: Wed Feb 10, 2010 4:44 pm
Posts: 575
Location: New York, NY
As the password can be gleaned from the hash, you should remind users that they should change their password on any other sites that they use the same password on (ebay, paypal, bank, forums) with the same email or login. That's the most critical thing to do when a hack like this occurs because the majority of users use the same password for everything.

_________________
PortableApps.com - The open standard for portable software


 Post subject: Re: User database hacked into
PostPosted: Sat Aug 27, 2011 9:21 am 

Joined: Sat Mar 31, 2007 2:38 am
Posts: 890
Location: Kce,PL
Zach Thibeau wrote:
already changed it a couple of days ago when I first heard of the attack.

I suggest that you change it again, because you don't know whether there wasn't another leak yesterday; some people knew how to get here and could repeat it, seeing that their time to do it is running out.



 Post subject: Re: User database hacked into
PostPosted: Sat Aug 27, 2011 10:09 am 

Joined: Tue Nov 28, 2006 3:26 pm
Posts: 251
already on top of that but thanks for the heads up.

_________________
My personal blog


 Post subject: Re: User database hacked into
PostPosted: Sat Aug 27, 2011 1:22 pm 

Joined: Thu Sep 21, 2006 11:25 am
Posts: 49
JohnTHaller wrote:
As the password can be gleaned from the hash, you should remind users that they should change their password on any other sites that they use the same password on (ebay, paypal, bank, forums) with the same email or login. That's the most critical thing to do when a hack like this occurs because the majority of users use the same password for everything.


Agreed, John. Thanks for sending out the mass email, Andrew. I otherwise would have had no idea. Password = changed!


 Post subject: Re: User database hacked into
PostPosted: Sun Aug 28, 2011 12:30 am 

Joined: Sat Mar 31, 2007 2:38 am
Posts: 890
Location: Kce,PL
USBman wrote:
Password = changed!

I tried both with and without the exclamation mark, but it didn't work.



 Post subject: Re: User database hacked into
PostPosted: Sun Aug 28, 2011 1:56 pm 

Joined: Sat Feb 04, 2006 9:19 am
Posts: 2156
Thanks to NickR for sending me the hacked files.

I have verified that they are indeed authentic.


 Post subject: Re: User database hacked into
PostPosted: Mon Aug 29, 2011 12:46 pm 

Joined: Wed Mar 23, 2011 1:44 am
Posts: 175
Any idea on how to improve?

