
Alert: The phpfreaks forum members' data appears to have been stolen.


gizmola


It has come to our attention that someone managed to get their hands on a database dump of the phpfreaks members table used in our forum database.
 
We apologize for the inconvenience and concern this may cause you.
 
*UPDATED*
Based on research, we believe that the individual(s) responsible utilized some exploits available in the forum software that allowed them to run a php script that dumped the data from the forum user table.

While the passwords are hashed a number of times and in many cases salted, someone who is highly motivated to do so may be able to derive your original password, especially if you did not use good password practices.

A hashed password cannot be decrypted, but by generating rainbow tables, crackers can determine if your password matched one of many they may have in a database.
 
The table also includes your name, so it may or may not associate you with the email address you used to register.
 
We highly recommend that you take the following actions:
 
1. Change your password
2. Change the password on any system where you used the same account name/email/password combination.
3. Use unique, high-quality passwords on any and all systems you frequent now and in the future.
 
Should we make any additional determinations or discoveries in relation to this issue, we will provide updates here.

 

*PLEASE NOTE*

We will not be deleting accounts upon request. We stated that we would not delete accounts for any reason in our TOS when you signed up. Deleting accounts is not going to retrieve the user table data.


While the passwords are hashed, someone who is highly motivated to do so may be able to derive your original password, especially if you did not use good password practices. A hashed password cannot be decrypted, but by generating rainbow tables, crackers can determine if your password matched one of many they may have in a database.

 

Seriously? lol

 

How about FUCK YOU for even trying to play your cards like that. This is 100% your fault for being insecure and allowing this to happen. Not only do you fail as a developer and sysadmin, you fail as a site owner as well. Thanks for letting everyone's info get stolen!

 

 

We don't know at present exactly how this occurred.

I know how it occurred. You don't know how to properly admin or run a website or database!

 

Taking a quick look at http://forums.phpfreaks.com/members/ for 1 second shows that you don't even know how to stop spam and bot accounts from registering on the forum. Anyone reading this, I would leave this forum forever and never come back as the owner is insecure and incompetent.

Edited by YouFailAsAnAdmin

I've run a few forums and websites and never had any of my databases compromised, I can tell you that much.

dalecosp you can bet your email and info is now gunna be spammed/cracked. I hope your 340 posts here are worth that to you.

I mean this forum's tag line is "Where knowledge is power" yet the admin/owner has no knowledge of how to secure their own forum's database, stop spam bots from regging accounts, or even protect its members from being hacked and info stolen...

Edited by YouFailAsAnAdmin

I've run a few forums and websites and never had any of my databases compromised, I can tell you that much.

Then you didn't have a big enough site.

 

Nobody here wrote the forum software. We don't have time to spend thousands of hours writing custom software for a free website.

 

It is not possible to stop spam bots entirely, sorry.


Suspending actually isn't enough - to actually prevent things like this from happening in the future, you'd have to remove all account information from your databases. Otherwise, the next hack will simply steal the data of our suspended accounts. Is that possible?


Please completely remove my account from your database(s), thanks.

 

Me too. I don't want anything left that relates to me on your server; haven't used this for years.

 

The whole point of hashing properly is if your database is stolen it's not worth it to try and work out the passwords. If you have a salt per password and use something like bcrypt with a decent strength (unlike something like MD5 or SHA1) you're going to be pretty safe.

 

I appreciate that you didn't write the software but someone could get a database dump (and most likely did) without it having anything to do with the forum software. It could be due to your negligence if the database password isn't strong, remote connections aren't disabled, privileges are wrong, etc. In the UK, broadband provider TalkTalk got hacked recently by a 15 year old due to bad practices so I suspect you're being somewhat economical with the truth.

 

Please remove anything personal from my account. This will be my last post here.

Edited by texelate

The whole point of hashing properly is if your database is stolen it's not worth it to try and work out the passwords. If you have a salt per password and use something like bcrypt with a decent strength (unlike something like MD5 or SHA1) you're going to be pretty safe.

Yes, you are correct. Unfortunately, lots of the distributed applications written in PHP make poor decisions such as this.
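The two points made above, the opening post's warning that rainbow tables recover weak passwords from a leaked hash dump and texelate's reply that a per-password salt plus bcrypt makes the dump not worth attacking, shown side by side in code. This is an added PHP example and is not code from this thread or from the forum software it discusses. The candidate-password table, the user names and their passwords are constructed for the demonstration; a plain precomputed lookup table keyed by MD5 digest stands in for a real rainbow table, which trades storage for recomputation but answers the same question.

```php
<?php
// Added example: unsalted MD5 versus per-user-salted bcrypt via password_hash().
// Not code from the phpfreaks thread or from its forum software.
declare(strict_types=1);

// Constructed stand-in for a precomputed table of common passwords, keyed by
// their unsalted MD5 digest. A real rainbow table covers vastly more candidates.
$candidates = ['password', '123456', 'letmein', 'qwerty'];
$lookupTable = [];
foreach ($candidates as $candidate) {
    $lookupTable[md5($candidate)] = $candidate;
}

// Legacy scheme: unsalted, fast hash. Identical passwords give identical
// digests, and the stored digest itself is the key into the table.
function legacyHash(string $password): string
{
    return md5($password);
}

// Recommended scheme: bcrypt. password_hash() draws a fresh random 128-bit salt
// on every call and stores salt, cost and digest together in one string.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Return the recovered password if the stored hash appears in the table.
function tryLookup(string $storedHash, array $table): ?string
{
    return $table[$storedHash] ?? null;
}

// True when a stored hash is not bcrypt at the current cost; a site migrating
// off MD5 rehashes the password the next time the user logs in successfully.
function needsUpgrade(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Constructed users; alice and bob happened to choose the same weak password.
$users = ['alice' => 'letmein', 'bob' => 'letmein', 'carol' => 'x7#Qm!v9Lw2r'];

echo "Unsalted MD5 (legacy):\n";
foreach ($users as $name => $password) {
    $stored = legacyHash($password);
    $hit    = tryLookup($stored, $lookupTable);
    printf("  %-6s %s  table lookup: %s  needs rehash: %s\n",
        $name, $stored, $hit ?? 'miss', needsUpgrade($stored) ? 'yes' : 'no');
}
// alice and bob share one digest, and a single table lookup recovers both.

echo "\nbcrypt via password_hash():\n";
foreach ($users as $name => $password) {
    $stored = modernHash($password);
    // Same password, different salt, different hash: nothing in a table built
    // from plain digests can index this value.
    $hit = tryLookup($stored, $lookupTable);
    // Verification must go through password_verify(), which reads the salt and
    // cost back out of the stored string before recomputing the digest.
    $ok = password_verify($password, $stored) && !password_verify($password . 'x', $stored);
    printf("  %-6s %s  table lookup: %s  verify: %s  needs rehash: %s\n",
        $name, $stored, $hit ?? 'miss', $ok ? 'ok' : 'FAIL', needsUpgrade($stored) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The MD5 section prints the same digest for alice and bob and a table hit for both; the bcrypt section prints a different 60-character string for each user, no table hit, and `needs rehash: no`. Two caveats worth knowing when adopting this: bcrypt only considers the first 72 bytes of the password, and the cost factor should be raised over time as hardware gets faster, which `password_needs_rehash()` handles by flagging hashes stored at an older cost.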


If you don't know how this happened, how are you going to prevent the same thing in the future? Changing passwords may be a good practice, but if the same vandal can grab a dump again in a month, what good will that do?


Me too. I don't want anything left that relates to me on your server; haven't used this for years.

 

The whole point of hashing properly is if your database is stolen it's not worth it to try and work out the passwords. If you have a salt per password and use something like bcrypt with a decent strength (unlike something like MD5 or SHA1) you're going to be pretty safe.

 

I appreciate that you didn't write the software but someone could get a database dump (and most likely did) without it having anything to do with the forum software. It could be due to your negligence if the database password isn't strong, remote connections aren't disabled, privileges are wrong, etc. In the UK, broadband provider TalkTalk got hacked recently by a 15 year old due to bad practices so I suspect you're being somewhat economical with the truth.

 

Please remove anything personal from my account. This will be my last post here.

Obviously we don't want to go into additional detail, but the passwords were salted and hashed multiple times.


Seriously? lol

 

How about FUCK YOU for even trying to play your cards like that. This is 100% your fault for being insecure and allowing this to happen. Not only do you fail as a developer and sysadmin, you fail as a site owner as well. Thanks for letting everyone's info get stolen!

 

 

I know how it occurred. You don't know how to properly admin or run a website or database!

 

Taking a quick look at http://forums.phpfreaks.com/members/ for 1 second shows that you don't even know how to stop spam and bot accounts from registering on the forum. Anyone reading this, I would leave this forum forever and never come back as the owner is insecure and incompetent.

It's pretty much common knowledge that this site is run by volunteers. None of us are owners.

 

The site uses fairly well known commercial forum software. We did not write it.

 

The password file is salted and hashed but that will not prevent someone who is highly motivated and has sufficient computation power available to crunch combinations. Passwords will always be a significant issue.

 

In short, this is a non-commercial venture with limited resources. Of course I could point out that large enterprises with millions of dollars of security hardware and networking infrastructure to support it, as well as entire security staffs have been compromised, but I'm sure you know better than them.

 

Last but not least, spam registrations and the degree to which that is possible here is a tradeoff. We have dialed things down in the past to the degree that legitimate users were discouraged from making accounts. We've decided to open things up and make it simpler for them, and for this reason we have to make do with a relatively small degree of spam that is cleaned up fairly quickly. It has nothing to do with security or system administration.


If you don't know how this happened, how are you going to prevent the same thing in the future? Changing passwords may be a good practice, but if the same vandal can grab a dump again in a month, what good will that do?

 

We think we have an idea of what happened, and we've been spending time looking over our servers.

 

We will not have certain types of forensics to guarantee a postmortem, but even if we did, I don't know that we would post it. We have identified a particular individual and actions they took within the forum software itself. I previously made a statement that suggested it might have been caused by a weak admin password, but after more research, it looks like the problem was actually related to security holes in the forum software.

 

With that said, I don't want to offer opinions, and simply stick to the facts.

 

We cannot and will not warranty or guarantee anything, and we have a TOS to that effect, which is no different than any other site out there.

 

The staff donates their time to run a site that for over a decade has provided the PHP community with free programming help and advice. It really speaks for itself that it has managed to do that effectively for over 14 years.

 

I can't speak for the entire staff, but if the risk to be here outweighs the rewards, we will advise people of that fact, and in all probability we would shut the site down rather than allow it to be compromised repeatedly.


DO please enlighten us. How many websites do you run, how many databases, and how long since you had a security incident?

 

Entirely irrelevant. YouFailAsAnAdmin is correct in what he says. Yeh, it might hurt a little, but he is correct.

 

Not impressed at all with the postings from this site's Admins in this thread.

 

 

 

In short, this is a non-commercial venture with limited resources. Of course I could point out that large enterprises with millions of dollars of security hardware and networking infrastructure to support it, as well as entire security staffs have been compromised, but I'm sure you know better than them.

 

The minute you start putting banners on the forum, the "we are not commercial" argument fails. You are earning AdSense commission off your members, so please don't plead poverty.

 

You contradict yourself when you correctly point out that even with massive resources, a dedicated hacker will still get in.

 

 

 

They were able to access the admin tools via a normal login. In short, it appears that this is a case where there was simply a compromised password used.

 

So, that would be an Admin password then, and your IPB admin logs will reveal exactly which admin did this?

 

It's looking awfully like your own Admins didn't take your own advice.

 

 

 

While the passwords are hashed, someone who is highly motivated to do so, may be able to derive your original password, especially if you did not use good password practices.

 

I run a busy forum and have had my share of headaches so you have my sympathy, for what it's worth - but I really hope this is not an Admin password being so weak it was brute forced, because that is what you have described.


This topic is now closed to further replies.