User database hacked into

Changes, updates etc. related to this website will be posted here.
Andrew Lee
Posts: 2212
Joined: Sat Feb 04, 2006 9:19 am

User database hacked into

#1 Post by Andrew Lee » Fri Aug 26, 2011 3:00 pm

If you have come across this thread, you will know that the user database was hacked into via SQL injection some months back. TWICE, by some accounts.

Unfortunately, I was unable to download the files and verify their authenticity because they have been taken down. But going by those who have, they seem to be authentic.

The file contains the username, email address and MD5 hashes of the passwords. The first two are already publicly available, but the MD5 hashes are a potential worry, since someone could theoretically run a brute-force attack and reverse-engineer the passwords. As such, I think it is best to change your passwords in the interest of security. I know I have done so.

If this is truly an SQL injection attack, I think we are lucky in a sense because potentially the hacker could have deleted everything in the database. Although I do have daily backups, it would still be a major inconvenience for us.

I spent the whole of last night doing a code review and ended up overhauling the database module and making sure all SQL parameters are automatically checked and escaped before going to the database engine. There was a manual system in place previously, but being manual, some code tends to slip through that does not properly check/escape input parameters.

I hope with this change, TPFC is more secure now against SQL injection attacks. I will be keeping my fingers crossed...
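
An added example, not part of the original post and not the site's own code: it contrasts per-call-site manual escaping, where one forgotten call is enough, with a central database module that only accepts values as bound parameters. Bound parameters are used here as one way to get the automatic handling the post describes; the table, the `Database` class and the sample input are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample table with the columns the leaked file is said to contain."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, pw_md5 TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", "constructed-hash-1"),
        ("bob", "bob@example.test", "constructed-hash-2"),
    ])
    return db

def escape(value):
    """Manual escaping: correct, but only helps at call sites that remember it."""
    return value.replace("'", "''")

def find_user_escaped(db, name):
    sql = "SELECT username FROM users WHERE username = '%s'" % escape(name)
    return db.execute(sql).fetchall()

def find_user_forgotten(db, name):
    # The call site that "slipped through": same query, escape() omitted.
    sql = "SELECT username FROM users WHERE username = '%s'" % name
    return db.execute(sql).fetchall()

class Database:
    """Hypothetical central module: values reach the engine only as bound parameters."""
    def __init__(self, conn):
        self._conn = conn

    def query(self, sql, params=()):
        # Crude guard: a quote in the SQL text means a value was pasted into it.
        if "'" in sql or '"' in sql:
            raise ValueError("string literal in SQL text; pass values via params")
        return self._conn.execute(sql, tuple(params)).fetchall()

    def find_user(self, name):
        return self.query("SELECT username FROM users WHERE username = ?", (name,))

HOSTILE = "nobody' OR '1'='1"  # constructed input containing a quote

if __name__ == "__main__":
    conn = make_db()
    print(find_user_forgotten(conn, HOSTILE))   # condition rewritten by the input
    print(find_user_escaped(conn, HOSTILE))     # input treated as a literal name
    print(Database(conn).find_user(HOSTILE))    # input bound as data
```

The quote check in `query()` only catches string values pasted into the SQL text; numeric values formatted into a query would pass it, so the parameter binding is what carries the protection.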

m^(2)
Posts: 890
Joined: Sat Mar 31, 2007 2:38 am
Location: Kce,PL

Re: User database hacked into

#2 Post by m^(2) » Fri Aug 26, 2011 11:19 pm

I think that you should force the password change. Or send a PM to everybody.
Casual users will miss this message.

Andrew Lee
Posts: 2212
Joined: Sat Feb 04, 2006 9:19 am

Re: User database hacked into

#3 Post by Andrew Lee » Sat Aug 27, 2011 12:52 am

Good idea! I have notified all users via mass email from phpBB's control panel.

m^(2)
Posts: 890
Joined: Sat Mar 31, 2007 2:38 am
Location: Kce,PL

Re: User database hacked into

#4 Post by m^(2) » Sat Aug 27, 2011 1:04 am

Andrew Lee wrote: Good idea! I have notified all users via mass email from phpBB's control panel.
I think that PM is better because it's not uncommon to have throwaway accounts for spam that are never checked, yet everybody who actually uses their account will see a PM notification eventually.

apveening
Posts: 2
Joined: Thu May 15, 2008 12:38 pm

Re: User database hacked into

#5 Post by apveening » Sat Aug 27, 2011 1:08 am

m^(2) wrote: I think that PM is better because it's not uncommon to have throwaway accounts for spam that are never checked, yet everybody who actually uses their account will see a PM notification eventually.
The other side of that coin is that users, who have just about forgotten about this forum, are reminded that it exists.
(2nd post in over 4 years ;) ).

Zach Thibeau
Posts: 251
Joined: Tue Nov 28, 2006 3:26 pm

Re: User database hacked into

#6 Post by Zach Thibeau » Sat Aug 27, 2011 4:46 am

already changed it a couple of days ago when I first heard of the attack.

nabber00
Posts: 7
Joined: Wed Jan 30, 2008 9:49 am

Re: User database hacked into

#7 Post by nabber00 » Sat Aug 27, 2011 6:13 am

Were the MD5 hashes generated with a salt value or only using the password? I believe PHPBB uses a salt, which limits the effectiveness of rainbow table attacks.

IanFromBarrie
Posts: 2
Joined: Sun May 03, 2009 6:07 am
Location: Barrie, Ontario

Re: User database hacked into

#8 Post by IanFromBarrie » Sat Aug 27, 2011 7:19 am

A phpbb forum lookup shows that PHPBB 3 apparently uses a variant of salted hashes. Not too secure, since the code that phpbb uses to hash is public and I just saw a post advising how to decrypt the phpbb 3 functions.

The lash, salt in the wounds and boiling oil for the eejuts responsible for wasting Andrew's and our time on this.

JohnTHaller
Posts: 614
Joined: Wed Feb 10, 2010 4:44 pm
Location: New York, NY

Re: User database hacked into

#9 Post by JohnTHaller » Sat Aug 27, 2011 9:04 am

As the password can be gleaned from the hash, you should remind users that they should change their password on any other sites that they use the same password on (ebay, paypal, bank, forums) with the same email or login. That's the most critical thing to do when a hack like this occurs because the majority of users use the same password for everything.
PortableApps.com - The open standard for portable software | Support Net Neutrality

m^(2)
Posts: 890
Joined: Sat Mar 31, 2007 2:38 am
Location: Kce,PL

Re: User database hacked into

#10 Post by m^(2) » Sat Aug 27, 2011 9:21 am

Zach Thibeau wrote: already changed it a couple of days ago when I first heard of the attack.
I suggest that you change it again because you don't know whether there wasn't another leak yesterday, some people knew how to get here and could repeat it, seeing their time to do it runs out.

Zach Thibeau
Posts: 251
Joined: Tue Nov 28, 2006 3:26 pm

Re: User database hacked into

#11 Post by Zach Thibeau » Sat Aug 27, 2011 10:09 am

already on top of that but thanks for the heads up.

USBman
Posts: 49
Joined: Thu Sep 21, 2006 11:25 am

Re: User database hacked into

#12 Post by USBman » Sat Aug 27, 2011 1:22 pm

JohnTHaller wrote: As the password can be gleaned from the hash, you should remind users that they should change their password on any other sites that they use the same password on (ebay, paypal, bank, forums) with the same email or login. That's the most critical thing to do when a hack like this occurs because the majority of users use the same password for everything.
Agreed, John. Thanks for sending out the mass email, Andrew. I otherwise would have had no idea. Password = changed!

m^(2)
Posts: 890
Joined: Sat Mar 31, 2007 2:38 am
Location: Kce,PL

Re: User database hacked into

#13 Post by m^(2) » Sun Aug 28, 2011 12:30 am

USBman wrote: Password = changed!
I tried both with and without the exclamation mark, but it didn't work.

Andrew Lee
Posts: 2212
Joined: Sat Feb 04, 2006 9:19 am

Re: User database hacked into

#14 Post by Andrew Lee » Sun Aug 28, 2011 1:56 pm

Thanks to NickR for sending me the hacked files.

I have verified that they are indeed authentic.

zak_711
Posts: 175
Joined: Wed Mar 23, 2011 1:44 am

Re: User database hacked into

#15 Post by zak_711 » Mon Aug 29, 2011 12:46 pm

Any idea on how to improve?
