User database hacked into

Posted: Fri Aug 26, 2011 3:00 pm
by Andrew Lee
If you have come across this thread, you would have known that the user database has been hacked into via SQL injection some months back. TWICE, by some accounts.

Unfortunately, I was unable to download the file and verify their authenticity because they have been taken down. But going by those who have, they seem to be authentic.

The file contains the username, email address and MD5 hashes of the passwords. The first two are already publicly available, but the MD5 hashes are a potential worry, since someone could theoretically run a brute-force attack and reverse-engineer the passwords. As such, I think it is best to change your passwords in the interest of security. I know I have done so.

If this is truly an SQL injection attack, I think we are lucky in a sense because potentially the hacker could have deleted everything in the database. Although I do have daily backups, it will still be a major inconvenience for us.

I spent the whole of last night doing a code review and ended up overhauling the database module and making sure all SQL parameters are automatically checked and escaped before going to the database engine. There was a manual system in place previously, but being manual, some code tends to slip through that does not properly check/escape input parameters.

I hope with this change, TPFC is more secure now against SQL injection attacks. I will be keeping my fingers crossed...
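As an added illustration of the change described in this post (not code from TPFC or phpBB), the snippet below contrasts the old "caller escapes by hand" query style with a parameterised query where the driver binds the value. The SQLite table, its column names and the rows in it are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed stand-in for a forum users table (assumed columns, made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.invalid", "0cc175b9c0f1b6a831c399e269772661"),
            ("bob", "bob@example.invalid", "92eb5ffee6ae2fec3ad71c777531578f"),
        ],
    )
    return conn


def lookup_manual(conn, username):
    """Old pattern: the value is spliced into the SQL text, so any call site
    that forgets to escape lets the input change the query's meaning."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, username):
    """Hardened pattern: the SQL text is fixed and the value is bound by the
    driver, so it is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    # A quote character in the input is enough to show the difference: the
    # manual query's WHERE clause is rewritten, the bound query matches nothing.
    probe = "' OR '1'='1"
    print("manual:        ", lookup_manual(db, probe))
    print("parameterised: ", lookup_parameterised(db, probe))
```

Running it shows the manual version returning every row for the probe input while the parameterised version returns an empty list; the same test makes a useful regression check after an escaping overhaul like the one described above.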

Re: User database hacked into

Posted: Fri Aug 26, 2011 11:19 pm
by m^(2)
I think that you should force the password change. Or send a PM to everybody.
Casual users will miss this message.

Re: User database hacked into

Posted: Sat Aug 27, 2011 12:52 am
by Andrew Lee
Good idea! I have notified all users via mass email from phpBB's control panel.

Re: User database hacked into

Posted: Sat Aug 27, 2011 1:04 am
by m^(2)
Andrew Lee wrote: Good idea! I have notified all users via mass email from phpBB's control panel.
I think that PM is better because it's not uncommon to have throw away accounts for spam that are never checked, yet everybody who actually uses their account will see a PM notification eventually.

Re: User database hacked into

Posted: Sat Aug 27, 2011 1:08 am
by apveening
m^(2) wrote: I think that PM is better because it's not uncommon to have throw away accounts for spam that are never checked, yet everybody who actually uses their account will see a PM notification eventually.
The other side of that coin is that users, who have just about forgotten about this forum, are reminded that it exists.
(2nd post in over 4 years ;) ).

Re: User database hacked into

Posted: Sat Aug 27, 2011 4:46 am
by Zach Thibeau
Already changed it a couple of days ago when I first heard of the attack.

Re: User database hacked into

Posted: Sat Aug 27, 2011 6:13 am
by nabber00
Were the MD5 hashes generated with a salt value or only using the password? I believe phpBB uses a salt, which limits the effectiveness of rainbow table attacks.

Re: User database hacked into

Posted: Sat Aug 27, 2011 7:19 am
by IanFromBarrie
A phpBB forum lookup shows that phpBB 3 apparently uses a variant of salted hashes. Not too secure, since the code that phpBB uses to hash is public and I just saw a post advising how to decrypt the phpBB 3 functions.

The lash, salt in the wounds and boiling oil for the eejuts responsible for wasting Andrew's and our time on this.

Re: User database hacked into

Posted: Sat Aug 27, 2011 9:04 am
by JohnTHaller
As the password can be gleaned from the hash, you should remind users that they should change their password on any other sites that they use the same password on (ebay, paypal, bank, forums) with the same email or login. That's the most critical thing to do when a hack like this occurs because the majority of users use the same password for everything.

Re: User database hacked into

Posted: Sat Aug 27, 2011 9:21 am
by m^(2)
Zach Thibeau wrote: Already changed it a couple of days ago when I first heard of the attack.
I suggest that you change it again, because you don't know whether there wasn't another leak yesterday; some people knew how to get here and could repeat it, seeing that their time to do it runs out.

Re: User database hacked into

Posted: Sat Aug 27, 2011 10:09 am
by Zach Thibeau
Already on top of that, but thanks for the heads up.

Re: User database hacked into

Posted: Sat Aug 27, 2011 1:22 pm
by USBman
JohnTHaller wrote: As the password can be gleaned from the hash, you should remind users that they should change their password on any other sites that they use the same password on (ebay, paypal, bank, forums) with the same email or login. That's the most critical thing to do when a hack like this occurs because the majority of users use the same password for everything.
Agreed, John. Thanks for sending out the mass email, Andrew. I otherwise would have had no idea. Password = changed!

Re: User database hacked into

Posted: Sun Aug 28, 2011 12:30 am
by m^(2)
USBman wrote: Password = changed!
I tried both with and without the exclamation mark, but it didn't work.

Re: User database hacked into

Posted: Sun Aug 28, 2011 1:56 pm
by Andrew Lee
Thanks to NickR for sending me the hacked files.

I have verified that they are indeed authentic.

Re: User database hacked into

Posted: Mon Aug 29, 2011 12:46 pm
by zak_711
Any idea on how to improve?