User database hacked into
- Andrew Lee
- Posts: 3064
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
User database hacked into
If you have come across this thread, you will already know that the user database was hacked into via SQL injection some months back. TWICE, by some accounts.
Unfortunately, I was unable to download the files and verify their authenticity because they have been taken down. But going by those who have, they seem to be authentic.
The file contains the username, email address and MD5 hashes of the passwords. The first two are already publicly available, but the MD5 hashes are a potential worry, since someone could theoretically run a brute-force attack and reverse-engineer the passwords. As such, I think it is best to change your passwords in the interest of security. I know I have done so.
If this is truly an SQL injection attack, I think we are lucky in a sense because potentially the hacker could have deleted everything in the database. Although I do have daily backups, it would still be a major inconvenience for us.
I spent the whole of last night doing a code review and ended up overhauling the database module and making sure all SQL parameters are automatically checked and escaped before going to the database engine. There was a manual system in place previously, but being manual, some code tends to slip through that does not properly check/escape input parameters.
I hope with this change, TPFC is more secure now against SQL injection attacks. I will be keeping my fingers crossed...
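The two patterns Andrew contrasts, the manual escape-it-yourself lookup beside the automatically parameterized one, as an added example that is not TPFC's or phpBB's own code. It assumes an in-memory SQLite table with constructed rows; the column names are made up and the stored hashes are placeholders.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the forum user table (not the real phpBB schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, user_email TEXT, user_password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "md5-hash-placeholder-1"),
            ("bob", "bob@example.com", "md5-hash-placeholder-2"),
        ],
    )
    return conn


def lookup_manual(conn, username):
    """The 'manual' pattern: every caller must remember to escape the value.

    This caller forgot, so the value is spliced straight into the SQL text
    and a crafted username changes the WHERE clause instead of matching it.
    """
    sql = "SELECT username, user_email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The 'automatic' pattern: the driver binds the value as data.

    Whatever the string contains, it is compared as a literal and can never
    become part of the statement, so no per-call escaping is needed.
    """
    sql = "SELECT username, user_email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def row_counts(username):
    """Return (rows from manual lookup, rows from parameterized lookup)."""
    conn = make_db()
    return len(lookup_manual(conn, username)), len(lookup_parameterized(conn, username))
```

For a normal username both functions return the same single row; the difference only shows when the input carries SQL syntax.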
Re: User database hacked into
I think that you should force the password change. Or send a PM to everybody.
Casual users will miss this message.
- Andrew Lee
- Posts: 3064
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: User database hacked into
Good idea! I have notified all users via mass email from phpBB's control panel.
Re: User database hacked into
Andrew Lee wrote: Good idea! I have notified all users via mass email from phpBB's control panel.
I think that PM is better because it's not uncommon to have throwaway accounts for spam that are never checked, yet everybody who actually uses their account will see a PM notification eventually.
Re: User database hacked into
m^(2) wrote: I think that PM is better because it's not uncommon to have throwaway accounts for spam that are never checked, yet everybody who actually uses their account will see a PM notification eventually.
The other side of that coin is that users who have just about forgotten about this forum are reminded that it exists.
(2nd post in over 4 years.)
- Zach Thibeau
- Posts: 251
- Joined: Tue Nov 28, 2006 3:26 pm
- Contact:
Re: User database hacked into
already changed it a couple of days ago when I first heard of the attack.
Re: User database hacked into
Were the MD5 hashes generated with a salt value or only using the password? I believe PHPBB uses a salt, which limits the effectiveness of rainbow table attacks.
- Posts: 2
- Joined: Sun May 03, 2009 6:07 am
- Location: Barrie, Ontario
Re: User database hacked into
A phpbb forum lookup shows that PHPBB 3 apparently uses a variant of salted hashes. Not too secure, since the code that phpbb uses to hash is public and I just saw a post advising how to decrypt the phpbb 3 functions.
The lash, salt in the wounds and boiling oil for the eejuts responsible for wasting Andrew's and our time on this.
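Why a salt limits rainbow-table attacks yet, with a fast public hash like MD5, still leaves each user open to a dictionary run once the salt is known, as an added example that is not phpBB's code. The salt-then-password construction and the list of common passwords are constructed for the demonstration; phpBB 3's real scheme is not reproduced here.

```python
import hashlib
import os

# Constructed stand-in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def md5_unsalted(password: str) -> str:
    """MD5 of the password alone: the same password hashes identically everywhere."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: str) -> str:
    """Salt prepended before hashing (simplified scheme, not phpBB's)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def new_salt() -> str:
    """Per-user random salt, hex encoded."""
    return os.urandom(8).hex()


def build_table(passwords):
    """Precompute unsalted hashes once; reusable against any site storing plain MD5."""
    return {md5_unsalted(p): p for p in passwords}


def lookup(table, digest):
    """Reverse a digest by table lookup; None when the table has no entry for it."""
    return table.get(digest)


def dictionary_run(digest, salt, candidates):
    """With the salt and the public hash routine, each stored hash can still be
    tested against a candidate list; only a slow, iterated hash makes this costly."""
    for candidate in candidates:
        if md5_salted(candidate, salt) == digest:
            return candidate
    return None
```

The salt defeats the shared precomputed table; it does not make a single MD5 guess any slower.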
- JohnTHaller
- Posts: 717
- Joined: Wed Feb 10, 2010 4:44 pm
- Location: New York, NY
- Contact:
Re: User database hacked into
As the password can be gleaned from the hash, you should remind users that they should change their password on any other sites that they use the same password on (ebay, paypal, bank, forums) with the same email or login. That's the most critical thing to do when a hack like this occurs because the majority of users use the same password for everything.
PortableApps.com - The open standard for portable software | Support Net Neutrality
Re: User database hacked into
Zach Thibeau wrote: already changed it a couple of days ago when I first heard of the attack.
I suggest that you change it again because you don't know whether there wasn't another leak yesterday; some people knew how to get in here and could repeat it, seeing that their time to do it is running out.
- Zach Thibeau
- Posts: 251
- Joined: Tue Nov 28, 2006 3:26 pm
- Contact:
Re: User database hacked into
already on top of that but thanks for the heads up.
Re: User database hacked into
JohnTHaller wrote: As the password can be gleaned from the hash, you should remind users that they should change their password on any other sites that they use the same password on (ebay, paypal, bank, forums) with the same email or login. That's the most critical thing to do when a hack like this occurs because the majority of users use the same password for everything.
Agreed, John. Thanks for sending out the mass email, Andrew. I otherwise would have had no idea. Password = changed!
Re: User database hacked into
USBman wrote: Password = changed!
I tried both with and without the exclamation mark, but it didn't work.
- Andrew Lee
- Posts: 3064
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: User database hacked into
Thanks to NickR for sending me the hacked files.
I have verified that they are indeed authentic.
Re: User database hacked into
Any idea on how to improve?