User database hacked into
Posted: Fri Aug 26, 2011 3:00 pm
If you have come across this thread, you would know that the user database was hacked into via SQL injection some months back. TWICE, by some accounts.
Unfortunately, I was unable to download the file and verify its authenticity because it has been taken down. But going by those who have, it seems to be authentic.
The file contains the username, email address and MD5 hashes of the passwords. The first two are already publicly available, but the MD5 hashes are a potential worry, since someone could theoretically run a brute-force attack and reverse-engineer the passwords. As such, I think it is best to change your passwords in the interest of security. I know I have done so.
If this is truly an SQL injection attack, I think we are lucky in a sense because potentially the hacker could have deleted everything in the database. Although I do have daily backups, it would still be a major inconvenience for us.
I spent the whole of last night doing a code review and ended up overhauling the database module and making sure all SQL parameters are automatically checked and escaped before going to the database engine. There was a manual system in place previously, but being manual, some code tends to slip through that does not properly check/escape input parameters.
I hope with this change, TPFC is more secure now against SQL injection attacks. I will be keeping my fingers crossed...
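The two points in the post, a string-built query that lets an attacker dump the users table and unsalted MD5 hashes that fall to a dictionary attack, can both be seen end to end in a few lines. The script below is an added illustration and is not code from the post or from TPFC's database module; it uses Python's built-in sqlite3 with a constructed in-memory users table (the account names, emails and passwords are made up), a hypothetical "before" login function that pastes parameters into the SQL text, and the bound-parameter form beside it.

```python
import hashlib
import sqlite3

# Constructed sample data: three forum accounts stored the same way as the
# leaked file described in the post (username, email, unsalted MD5 of the
# password). Nothing here is real account data.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "letmein"),
    ("bob", "bob@example.com", "password1"),
    ("carol", "carol@example.com", "Tr0ub4dor&3"),
]

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1", "abc123"]

# Classic tautology payload; the trailing "--" comments out the rest of the
# WHERE clause so the pw_hash check never runs.
PAYLOAD = "' OR '1'='1' --"


def md5_hex(password):
    """Unsalted MD5 hex digest, the storage format the post describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_db():
    """Create an in-memory users table populated from SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(u, e, md5_hex(p)) for u, e, p in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'before': values spliced into the SQL string. Whoever controls
    `username` controls the query, so PAYLOAD returns every row."""
    sql = (
        "SELECT username, email, pw_hash FROM users "
        "WHERE username = '%s' AND pw_hash = '%s'" % (username, md5_hex(password))
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The 'after': placeholders bound by the driver. PAYLOAD is compared as
    a literal username and matches nothing; a real login still works."""
    sql = (
        "SELECT username, email, pw_hash FROM users "
        "WHERE username = ? AND pw_hash = ?"
    )
    return conn.execute(sql, (username, md5_hex(password))).fetchall()


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5: hash each candidate once, then
    look every leaked hash up in that table. Returns {hash: password}."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {h: lookup[h] for h in hashes if h in lookup}


if __name__ == "__main__":
    conn = build_db()
    dumped = login_vulnerable(conn, PAYLOAD, "anything")
    print("rows returned by injected query:", len(dumped))
    print("rows returned with bound parameters:",
          len(login_parameterized(conn, PAYLOAD, "anything")))
    cracked = crack_md5([row[2] for row in dumped], WORDLIST)
    for username, _, pw_hash in dumped:
        print(username, "->", cracked.get(pw_hash, "<not in wordlist>"))
```

Running it, the injected query returns all three accounts while the bound-parameter version returns none for the payload and exactly one row for a genuine username and password. The cracking step shows why the hashes are the worry the post raises: with no salt, one MD5 computation per guess is checked against every leaked account at once, so the two accounts with dictionary passwords fall immediately and only the one with an uncommon password survives this wordlist.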