We were hacked.

[sl1982]

As many of you are aware someone gained access to an administrator account and locked us all out. Qhimm was nice enough to come save the day and set things back to the way they were before but there are some things to consider.

The hacker may have gotten access to the database so your email addresses and passwords may be compromised. Please update your passwords on here and change any passwords on other sites that are the same as this one.

It is not advisable to share the same password over many sites as one hack compromises everything else. Please use unique strong passwords on every site. I also recommend using a password manager. Keepass and bitwarden are good ones. They will create a unique strong password for every site.

Apologies for any inconvenience this has caused everyone.

[Qhimm]

I've done a bare-bones post-mortem and secured what I could. Looks like they got in via an administrator account that used the same password as on another compromised site. (Never reuse passwords between websites!)

Unfortunately, it seems plausible they got hold of a database backup through the compromised account. In terms of sensitive material, this includes things like private messages and forum-internal data like password hashes.

No one is going to recover any cleartext passwords from those hashes anytime soon, but there are some unfortunate design flaws in SMF (the software powering this and many other forums) that mean there are a few additional concerns. I've patched these forums to protect against these issues for the time being, but to be on the safe side you should change your password, as well as double-check that you're not using the same username & password combination on any other forums or website.

As part of general checkup and mitigation efforts, I've also enabled always-on HTTPS, wiped all existing sessions, erased any unused accounts and removed the ability to make database backups from administrator accounts.

[Koby]

As someone who has ran forums since 2000, I've never liked the ability to backup databases from the admin cp. One of the first things I do is disable the ability to do so. Leave stuff such as backups to the server side of things.

But yes, never use the same password on multiple sites for any account that has any kind of power that could be used to do harm. In fact, I'd also recommend staff to periodically change their password at least once or twice a year and not to use a repeat.

2FA is also a good idea so even if password is compromised, a user who shouldn't have access to the account has a harder time of actually getting into the account.

In any case, good that the compromise was discovered quickly. Sometimes bad actors will gain access, making backups, and not do anything to be noticed so they can continue to access the account in the future.

[Yagami Light]

I was wondering what was going on, thought it was a joke due to the euro football finals, I've changed my password to be on the safe side, were you able to identify which account was compromised? So they can do a virus scan on their end etc

[Covarr]

I was wondering what was going on, thought it was a joke due to the euro football finals, I've changed my password to be on the safe side, were you able to identify which account was compromised? So they can do a virus scan on their end etc

We know which account was compromised and how. No malware or anything, just a reused password on another site that was hacked.

[IFireflyl]

Thanks for the heads up, but I think this note should be mass-emailed to users if possible. I don't allow users to email me, but I would hope that this would be something that administrators could bypass, especially in regards to user security. I use 1Password, and every site has its own password so there is no harm done to me now that I changed my site password. However, I know that most users don't have their email/password setup that way, and I wouldn't want a user to have a compromised email/password on other sites that they aren't aware of because they don't check this site enough. This is just food for thought.

Thanks for getting everything taken care of though!

[Koby]

Thanks for the heads up, but I think this note should be mass-emailed to users if possible. I don't allow users to email me, but I would hope that this would be something that administrators could bypass, especially in regards to user security. I use 1Password, and every site has its own password so there is no harm done to me now that I changed my site password. However, I know that most users don't have their email/password setup that way, and I wouldn't want a user to have a compromised email/password on other sites that they aren't aware of because they don't check this site enough. This is just food for thought.

Thanks for getting everything taken care of though!

Problem with that is the way these kinds of forums are setup in terms of the email capabilities... Sending a mass email to all users tends to send out so many at once that most mail servers automatically end up flagging the server as spam and either don't deliver the email to the address or places it into spam and then future emails also automatically get flagged from the server.

So mass emailing users on large forums tends to require a separate mail server setup so that it can send say x amount of emails per x amount of time, until it's sent out to all users.

On top of this, users can opt out of admin emails too, so this doesn't even guarantee that everyone gets notified. On top of this many users have likely abandoned such account here and no longer care about it at all... and getting an email about the site they'll just opt to flag it as spam or contact admins to delete their account.

In any event, mass emailing a few dozen thousand users can open a can of worms of it's own.

[IFireflyl]

Problem with that is the way these kinds of forums are setup in terms of the email capabilities... Sending a mass email to all users tends to send out so many at once that most mail servers automatically end up flagging the server as spam and either don't deliver the email to the address or places it into spam and then future emails also automatically get flagged from the server.

So mass emailing users on large forums tends to require a separate mail server setup so that it can send say x amount of emails per x amount of time, until it's sent out to all users.

On top of this, users can opt out of admin emails too, so this doesn't even guarantee that everyone gets notified. On top of this many users have likely abandoned such account here and no longer care about it at all... and getting an email about the site they'll just opt to flag it as spam or contact admins to delete their account.

In any event, mass emailing a few dozen thousand users can open a can of worms of it's own.

SMF has a built-in Mail Queue system which allows the admin to restrict the total number of emails sent per hour. This just needs to be set to something that is less than the hosting provider's hourly email limit, and then there is no issue. Forums generally allow admins to bypass the user-enabled email opt-out specifically because the admins may need to contact users for things like a security breach. I'm fairly certain that SMF also allows this, although the admins or someone more familiar with SMF would need to confirm this.

Additionally, this is just a recommendation I had. If the people running this forum don't agree then that's fine. I just thought I'd throw my two cents in for how something like this should be handled going forward.

[Koby]

SMF has a built-in Mail Queue system which allows the admin to restrict the total number of emails sent per hour.

Ah, last time I used SMF it didn't have that ability. Shoot even licensed IPS, which I currently maintain a forum running on, doesn't have the option to limit it, so I assumed SMF still hadn't included it.

[sithlord48]

Great to see https finally!

[darxide]

On the topic of not using the same username/email/password combination, I've got a tip for those who don't want to use one of those fancy account manager programs/services: Yahoo mail.

Yea, I know. Yahoo? *GROAN* But hear me out. I don't use Yahoo as my personal or professional email. But I do use it anytime I need to sign up to a website. Why? Because Yahoo has built-in disposable email addresses. If you didn't know (and most people seem to be completely unaware) if you got to Settings -> More Settings (it's at the bottom of the Settings menu) you'll find a option for Mailboxes. In there, you'll find disposable email addresses. You can have up to 500 of them on a free Yahoo account. It's pretty insane. If for some ungodly reason you manage to come up with more than 500 different email addresses, just make a second Yahoo account and you've got 1000.

Couple this with Firefox and Chrome's abilities to randomly generate passwords and you're golden. Just remember to keep backups of your saved passwords file somewhere in case of profile corruptions which happen frequently with both Firefox and Chrome. Google can help you with finding the right files to backup.

Now you've got not only unique passwords, but also unique email addresses for all of your accounts. Now you can keep using the same username without fear of being cross hacked if one of your accounts is compromised and it makes it easy to sign up to fishy websites that you might not trust because you can always delete that email address and stop the spam pretty quickly. On that topic, it makes it super easy to see which websites are selling your info because you'll start getting spam emails on one of your addresses and you'll know exactly who you used that to sign up with.

[Vehek]

You can have up to 500 of them on a free Yahoo account. It's pretty insane. If for some ungodly reason you manage to come up with more than 500 different email addresses, just make a second Yahoo account and you've got 1000.

I tried, and it looks like your information is out-of-date. At some point it became a Yahoo-Plus-only thing, at least the massive number part (my settings menu says 3 for free). People who were already using the feature may have got to keep it. I haven't found too much information on the change yet.

[Koby]

I tried, and it looks like your information is out-of-date. At some point it became a Yahoo-Plus-only thing, at least the massive number part (my settings menu says 3 for free). People who were already using the feature may have got to keep it. I haven't found too much information on the change yet.

Not just this but many sites block and ban DEAs because they're prone for use by spammers and not secure at all since they're disposable. Most DEAs are only active for about 15 minutes, enough to register on a site and be done. As a result someone else can utilize the same one and easily gain access to your account. Even if that isn't the case, in the event you forget or lose your password you have no way of resetting it if you've lost access to the DEA... But yeah since they're prone to just be abused or used for spam bots... many forums and such have DEA blacklists setup in order to block and ban the use of them... I've even seen sites that would ban active users if they realized a DEA was used for the account.
Should be fine here, but on other forums its worth looking into to ensure they're okay with it.