Topic: Downtime


Sorunome (Support Staff)

Downtime
« on: December 05, 2015, 05:23:16 pm »
We got some quite unfortunate news concerning the downtime we experienced today - we got hacked!

We currently don't have any information yet as to who is behind the attacks; we are still in the process of investigation.

As for things lost: we have 0% data loss! We are still restoring the attachments and downloads, but the website is back up already.

Password hashes were stolen, so we recommend you change your password on other websites. ADMIN accounts HAVE been accessed by the hackers.

We apologize for the inconvenience and hope things will be going smoothly from now on.
« Last Edit: December 05, 2015, 05:59:07 pm by Geekboy1011 »


KermMartian (Editor)

Re: Downtime
« Reply #1 on: December 05, 2015, 06:21:36 pm »
It appears probable that plaintext passwords were stolen as well, so be aware of that. Someone attempted to compromise both my and geekboy's accounts elsewhere. Change your password.

Edit: It's also worth pointing out that if plaintext passwords were stored or logged somewhere, you should NOT change your password to anything you use elsewhere, because nothing about password storage has changed.



Eeems (Administrator)

Re: Downtime
« Reply #2 on: December 05, 2015, 06:36:13 pm »
> It appears probable that plaintext passwords were stolen as well, so be aware of that. Someone attempted to compromise both my and geekboy's accounts elsewhere. Change your password.
>
> Edit: It's also worth pointing out that if plaintext passwords were stored or logged somewhere, you should NOT change your password to anything you use elsewhere, because nothing about password storage has changed.
We shouldn't have had any plaintext passwords. It looks like SMF doesn't salt+hash their passwords in a very secure way. Sorunome is looking into cleaning that up.

Luckily it looks like the damage was contained to Omnimaga's database itself and they didn't get at any of our other databases or anything. There is a lot of data they can sort through though and possibly some personal information.
/e

KermMartian (Editor)

Re: Downtime
« Reply #3 on: December 05, 2015, 06:38:27 pm »
> We shouldn't have had any plaintext passwords. It looks like SMF doesn't salt+hash their passwords in a very secure way. Sorunome is looking into cleaning that up.

Given how quickly my account was attacked last night (with my Omnimaga password), and geekboy's account was attacked today (ditto), I'm concerned.

> Luckily it looks like the damage was contained to Omnimaga's database itself and they didn't get at any of our other databases or anything. There is a lot of data they can sort through though and possibly some personal information.

Geekboy said that nothing in the admin forum was particularly sensitive, but I guess PMs and the Private Matters subforum are of concern?

Sorunome (Support Staff)

Re: Downtime
« Reply #4 on: December 05, 2015, 06:39:47 pm »
>> We shouldn't have had any plaintext passwords. It looks like SMF doesn't salt+hash their passwords in a very secure way. Sorunome is looking into cleaning that up.
>
> Given how quickly my account was attacked last night (with my Omnimaga password), and geekboy's account was attacked today (ditto), I'm concerned.

SMF currently uses the sha1 method for hashing passwords. I'm writing a mod right now to make it use bcrypt, as I couldn't find any existing one.


Eeems (Administrator)

Re: Downtime
« Reply #5 on: December 05, 2015, 06:41:36 pm »
>> We shouldn't have had any plaintext passwords. It looks like SMF doesn't salt+hash their passwords in a very secure way. Sorunome is looking into cleaning that up.
>
> Given how quickly my account was attacked last night (with my Omnimaga password), and geekboy's account was attacked today (ditto), I'm concerned.
>
>> Luckily it looks like the damage was contained to Omnimaga's database itself and they didn't get at any of our other databases or anything. There is a lot of data they can sort through though and possibly some personal information.
>
> Geekboy said that nothing in the admin forum was particularly sensitive, but I guess PMs and the Private Matters subforum are of concern?

Correct, lots of PMs and private posts.
I'm not that happy with how easy it is for them to get the passwords from how SMF stores them.

Sorunome, would you mind opening an issue on SMF's stuff complaining about it?
/e

Escheron

Re: Downtime
« Reply #6 on: December 05, 2015, 09:40:00 pm »
Someone recently tried to access my PSN account, which I haven't used for months since I no longer have a PS3. Sony sent me an email to notify me that my password was automatically reset to counteract any suspicious activity. When I got rid of my PS3, I removed any personal info and card data from that account, so luckily it's not an issue. Everybody else may nonetheless want to double-check any accounts they have connected to their Omnimaga email address.

My email was also bombarded with spam.

Juju

Re: Downtime
« Reply #7 on: December 06, 2015, 12:55:26 am »
No one attempted anything on any of my accounts as far as I know, other than the usual "there were security breaches on some other website that isn't ours and we think your account may be compromised, so we've reset your password" (the latest one was Netflix btw; I got one from Patreon and Adobe too, these breaches seem to be everywhere). Thankfully, nothing happened on CodeWalrus, as the attacker could easily have tried there as well. Anyway, if you guys know the IP of the offender, please tell me so I can check on my side.


squalyl

Re: Downtime
« Reply #8 on: December 06, 2015, 05:03:03 am »
Seriously, plain text passwords in 2015?

Sorunome (Support Staff)

Re: Downtime
« Reply #9 on: December 06, 2015, 05:32:49 am »
> Seriously, plain text passwords in 2015?

Not plain text, sha1 hashes, which are VERY weak.
And yeah, I was thinking the same "Seriously? Why would SMF even do that?"

I'm working right now on a thing so that the passwords will be stored using bcrypt.


Streetwalrus

Re: Downtime
« Reply #10 on: December 06, 2015, 06:40:16 am »
It's more because SMF only salts the hashes with the username. A good password hasher also has a secret salt stored outside the database.
Let us know when your mod is done, so that we can deploy it on CW as well, and also so that I can change my password here. I'm in the process of changing all my other passwords.
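The migration Sorunome's mod is doing, combined with Streetwalrus' point about a secret salt held outside the database, as an added example in Python that is not code from this thread or from SMF: a legacy record (assumed, as described above, to be a single SHA-1 over the lowercased username plus the password) is verified on login and silently rewritten to a slow, per-user salted, peppered hash. PBKDF2-HMAC-SHA256 stands in for bcrypt because the Python standard library has no bcrypt, and the environment variable name for the pepper is an assumption.

```python
import hashlib
import hmac
import os

# Secret pepper held outside the database (env var name is an assumption;
# the fallback value is a constructed demo value, not a real secret).
PEPPER = os.environ.get("FORUM_PEPPER", "constructed-demo-pepper").encode()
ITERATIONS = 200_000


def legacy_hash(username: str, password: str) -> str:
    """Weak scheme described in the thread: one SHA-1 over username + password.
    The only 'salt' is the public username, and a single SHA-1 is fast."""
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()


def strong_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Slow, per-user salted, peppered hash. PBKDF2-HMAC-SHA256 stands in for
    the bcrypt the thread chose; the migration logic is the same either way."""
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    _, iters, salt_hex, _ = stored.split("$")
    candidate = strong_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


def login(record: dict, username: str, password: str) -> bool:
    """Check the password against whichever scheme the record uses, and rewrite
    a legacy record to the strong scheme on its first successful login."""
    stored = record["hash"]
    if stored.startswith("pbkdf2$"):
        return verify_strong(password, stored)
    if hmac.compare_digest(stored, legacy_hash(username, password)):
        record["hash"] = strong_hash(password, os.urandom(16))  # fresh random salt
        return True
    return False


def is_upgraded(record: dict) -> bool:
    return record["hash"].startswith("pbkdf2$")


if __name__ == "__main__":
    # Constructed sample user stored the legacy way, then upgraded by logging in.
    user = {"hash": legacy_hash("alice", "correct horse")}
    print(login(user, "alice", "correct horse"), is_upgraded(user))
```

Because the pepper never sits in the users table, a dump of that table alone is not enough to verify guesses offline; a legacy SHA-1 record can only be upgraded when the user next presents the password, so forcing a reset for accounts that never log in again is the complementary step.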

Sorunome (Support Staff)

Re: Downtime
« Reply #11 on: December 06, 2015, 09:59:43 am »
The attachments should all be up now; if something is missing, please tell me! I still need to upload the downloads.


NanoWar

Re: Downtime
« Reply #12 on: December 07, 2015, 04:14:51 am »
RevSoft got hacked, too. phpBB3 still uses looped MD5 hashing :( And with, I believe, another admin's credentials they got access to our admin panel, changed files and downloaded the database (including the pw hashes).

Sorunome (Support Staff)

Re: Downtime
« Reply #13 on: December 07, 2015, 05:43:14 am »
Why would they even use MD5... You should report it to the phpBB devs ^.^


c4ooo

Re: Downtime
« Reply #14 on: December 07, 2015, 10:27:57 am »
It seems nothing ever changes until something goes wrong :(
It is nice to see that no data was lost here :)
-German Kuznetsov