
Alert: The phpfreaks forum members data appears to have been stolen.


This topic is locked
27 replies to this topic

#1 gizmola

gizmola
  • Administrators
  • Advanced Member
  • 4,490 posts
  • Location: Los Angeles, CA USA

Posted 27 October 2015 - 11:17 PM

It has come to our attention that someone managed to get their hands on a database dump of the phpfreaks members table used in our forum database.
 
We apologize for the inconvenience and concern this may cause you.
 
*UPDATED*
Based on research, we believe that the individual(s) responsible utilized some exploits available in the forum software that allowed them to run a php script that dumped the data from the forum user table.

While the passwords are hashed a number of times and in many cases salted, someone who is highly motivated to do so may be able to derive your original password, especially if you did not use good password practices.

A hashed password cannot be decrypted, but by generating rainbow tables, crackers can determine whether your password matches one of many they may have in a database.
 
The table also includes your name, so it may or may not associate you with the email address you used to register.
 
We highly recommend that you take the following actions:
 
1. Change your password
2. Change the password on any system where you used the same account name/email/password combination.
3. Use unique, high-quality passwords on any and all systems you frequent now and in the future.
 
Should we make any additional determinations or discoveries in relation to this issue, we will provide updates here.

 

*PLEASE NOTE*

We will not be deleting accounts upon request. We stated that we would not delete accounts for any reason in our TOS when you signed up. Deleting accounts is not going to retrieve the user table data.



#2 QuickOldCar

QuickOldCar
  • Moderators
  • Advanced Member
  • 2,995 posts
  • Location: NorthEast Pennsylvania

Posted 28 October 2015 - 01:55 AM

Updated mine

 

I use a different password every site, this stuff happens.



#3 mrbraq

mrbraq
  • Members
  • Newbie
  • 1 posts

Posted 28 October 2015 - 10:53 AM

Where can I disable / delete my account? I no longer do PHP development.

#4 adrianTNT

adrianTNT
  • Members
  • Advanced Member
  • 146 posts

Posted 28 October 2015 - 02:24 PM

[image: chloe.gif]



#5 rpoelking

rpoelking
  • Members
  • Newbie
  • 1 posts

Posted 28 October 2015 - 02:57 PM

ditto... how do I delete my account? I don't even remember signing up, it's been that long.



#6 YouFailAsAnAdmin

YouFailAsAnAdmin
  • New Members
  • Newbie
  • 2 posts

Posted 28 October 2015 - 03:17 PM


While the passwords are hashed, someone who is highly motivated to do so may be able to derive your original password, especially if you did not use good password practices. A hashed password cannot be decrypted, but by generating rainbow tables, crackers can determine whether your password matches one of many they may have in a database.

 

Seriously? lol

How about FUCK YOU for even trying to play your cards like that. This is 100% your fault for being insecure and allowing this to happen. Not only do you fail as a developer and sysadmin, you fail as a site owner as well. Thanks for letting everyone's info get stolen!
 

 

We don't know at present, exactly how this occurred.    

I know how it occurred. You don't know how to properly admin or run a website or database!

Taking a quick look at http://forums.phpfreaks.com/members/ for 1 second shows that you don't even know how to stop spam and bot accounts from registering on the forum. Anyone reading this, I would leave this forum forever and never come back as the owner is insecure and incompetent.


Edited by YouFailAsAnAdmin, 28 October 2015 - 03:28 PM.


#7 dalecosp

dalecosp
  • Members
  • Advanced Member
  • 382 posts
  • Location: Missouri

Posted 28 October 2015 - 03:32 PM

You don't know how to properly admin or run a website or database!



DO please enlighten us. How many websites do you run, how many databases, and how long since you had a security incident?
"God doesn't play dice" --- Albert Einstein
"Perl is hardly a paragon of beautiful syntax." --- Weedpacket

#8 YouFailAsAnAdmin

YouFailAsAnAdmin
  • New Members
  • Newbie
  • 2 posts

Posted 28 October 2015 - 03:42 PM

I've run a few forums and websites and never had any of my databases compromised, I can tell you that much.

dalecosp you can bet your email and info is now gunna be spammed/cracked. I hope your 340 posts here are worth that to you.

I mean this forum's tag line is "Where knowledge is power" yet the admin/owner has no knowledge of how to secure their own forum's database, stop spam bots from regging accounts, or even protect its members from being hacked and info stolen...


Edited by YouFailAsAnAdmin, 28 October 2015 - 03:42 PM.


#9 scootstah

scootstah
  • Moderators
  • Advanced Member
  • 3,864 posts
  • Location: USA

Posted 28 October 2015 - 03:53 PM

I've run a few forums and websites and never had any of my databases compromised, I can tell you that much.


Then you didn't have a big enough site.

Nobody here wrote the forum software. We don't have time to spend thousands of hours writing custom software for a free website.

It is not possible to stop spam bots entirely, sorry.
while(!$succeed = try());

#10 requinix

requinix
  • Administrators
  • Forgotten Administrator
  • 8,703 posts
  • Location: WA

Posted 28 October 2015 - 05:49 PM

Don't feed the troll, guys.

#11 darkcarnival

darkcarnival
  • Members
  • Advanced Member
  • 162 posts

Posted 28 October 2015 - 10:13 PM

I too would like my account deleted. I haven't been on here since 2004 or so. I either figure out the issue on my own or use stack overflow. Thanks

#12 requinix

requinix
  • Administrators
  • Forgotten Administrator
  • 8,703 posts
  • Location: WA

Posted 28 October 2015 - 11:02 PM

I'm going to start suspending accounts for people who ask for it.

mrbraq, rpoelking, darkcarnival: I'll suspend yours tomorrow (to give you time to see this post).

#13 SparkleGirlSparkle

SparkleGirlSparkle
  • Members
  • Newbie
  • 8 posts

Posted 29 October 2015 - 01:17 AM

Hi, thanks for the email notification. I too no longer do this kind of work, so no longer need my account. Please could you delete my account when you start removing others? No need to let me know when, just go for it! :D Thank you for telling us all about what happened



#14 Vinze

Vinze
  • Members
  • Advanced Member
  • 80 posts

Posted 29 October 2015 - 11:36 AM

Suspending actually isn't enough - to actually prevent things like this from happening in the future, you'd have to remove all account information from your databases. Otherwise, the next hack will simply steal the data of our suspended accounts. Is that possible?


WTH? I became a guru by asking questions!

#15 Anzeo

Anzeo
  • Members
  • Advanced Member
  • 213 posts

Posted 29 October 2015 - 12:38 PM

Please completely remove my account from your database(s), thanks.



#16 RichE

RichE
  • Members
  • Member
  • 20 posts

Posted 29 October 2015 - 12:57 PM

Hello, I would appreciate it if my account could be deleted as well.

Thank you,

Rich



#17 texelate

texelate
  • Members
  • Member
  • 16 posts

Posted 29 October 2015 - 01:02 PM

Please completely remove my account from your database(s), thanks.

 

Me too. I don't want anything left that relates to me on your server; haven't used this for years.

 

The whole point of hashing properly is if your database is stolen it's not worth it to try and work out the passwords. If you have a salt per password and use something like bcrypt with a decent strength (unlike something like MD5 or SHA1) you're going to be pretty safe.

 

I appreciate that you didn't write the software but someone could get a database dump (and most likely did) without it having anything to do with the forum software. It could be due to your negligence if the database password isn't strong, remote connections aren't disabled, privileges are wrong, etc. In the UK, broadband provider TalkTalk got hacked recently by a 15 year old due to bad practices so I suspect you're being somewhat economical with the truth.

 

Please remove anything personal from my account. This will be my last post here.


Edited by texelate, 29 October 2015 - 01:04 PM.


#18 phileplanet

phileplanet
  • Members
  • Member
  • 19 posts

Posted 29 October 2015 - 02:17 PM

Please delete my account



#19 scootstah

scootstah
  • Moderators
  • Advanced Member
  • 3,864 posts
  • Location: USA

Posted 29 October 2015 - 02:49 PM

The whole point of hashing properly is if your database is stolen it's not worth it to try and work out the passwords. If you have a salt per password and use something like bcrypt with a decent strength (unlike something like MD5 or SHA1) you're going to be pretty safe.


Yes, you are correct. Unfortunately, lots of the distributed applications written in PHP make poor decisions such as this.
while(!$succeed = try());
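The hashing point raised in gizmola's announcement (rainbow tables) and in texelate's post and scootstah's reply (per-password salt plus bcrypt) can be shown concretely in PHP. This is an added example, not code from the forum software or from any poster; the cost value and the legacy-MD5 migration path are assumptions for illustration.

```php
<?php
// Added example: an unsalted MD5 scheme beside per-password-salted bcrypt.

// Legacy scheme: identical passwords give identical digests, so one
// precomputed table cracks every account that chose that password.
function legacy_md5_hash(string $password): string {
    return md5($password);
}

// bcrypt: password_hash() draws a fresh random salt per call and embeds it
// in the output, so equal passwords hash differently and each hash has to be
// attacked on its own at the configured work factor.
const BCRYPT_COST = 12; // assumption: pick a cost that takes ~100-250 ms on the server

function modern_hash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Verify a login against a stored hash; returns [ok, hash_to_store].
// A stored 32-hex-char MD5 digest is accepted only so it can be upgraded
// transparently on the first successful login (the caller must persist it).
function verify_and_upgrade(string $password, string $stored): array {
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        if (!hash_equals($stored, legacy_md5_hash($password))) {
            return [false, $stored];
        }
        return [true, modern_hash($password)];
    }
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    // Re-hash when the cost has since been raised in configuration.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return [true, modern_hash($password)];
    }
    return [true, $stored];
}

// Constructed demo: two users who picked the same password.
$pw = 'correct horse battery staple';
echo 'md5 digests equal:    ', var_export(legacy_md5_hash($pw) === legacy_md5_hash($pw), true), "\n";
$h1 = modern_hash($pw);
$h2 = modern_hash($pw);
echo 'bcrypt hashes equal:  ', var_export($h1 === $h2, true), "\n";
echo 'bcrypt verifies:      ', var_export(password_verify($pw, $h1), true), "\n";
[$ok, $newHash] = verify_and_upgrade($pw, legacy_md5_hash($pw));
echo 'legacy login ok:      ', var_export($ok, true), "\n";
echo 'upgraded to bcrypt:   ', var_export(substr($newHash, 0, 4) === '$2y$', true), "\n";
```

Note that bcrypt only uses the first 72 bytes of the password; for longer inputs, pre-hash or use a different algorithm.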

#20 MockY

MockY
  • Members
  • Advanced Member
  • 76 posts
  • Location: Sacramento

Posted 29 October 2015 - 03:12 PM

If you don't know how this happened, how are you going to prevent the same thing in the future? Changing passwords may be a good practice, but if the same vandal can grab a dump again in a month, what good will that do?





