gizmola Posted October 27, 2015
It has come to our attention that someone managed to get their hands on a database dump of the phpfreaks members table used in our forum database. We apologize for the inconvenience and concern this may cause you.

*UPDATED* Based on research, we believe that the individual(s) responsible utilized some exploits available in the forum software that allowed them to run a PHP script that dumped the data from the forum user table.

While the passwords are hashed a number of times and in many cases salted, someone who is highly motivated to do so may be able to derive your original password, especially if you did not use good password practices. A hashed password cannot be decrypted, but by generating rainbow tables, crackers can determine if your password matched one of many they may have in a database. The table also includes your name, so it may or may not associate you with the email address you used to register.

We highly recommend that you take the following actions:
1. Change your password.
2. Change the password on any system where you used the same account name/email/password combination.
3. Use unique, high-quality passwords on any and all systems you frequent now and in the future.

Should we make any additional determinations or discoveries in relation to this issue, we will provide updates here.

*PLEASE NOTE* We will not be deleting accounts upon request. We stated that we would not delete accounts for any reason in our TOS when you signed up. Deleting accounts is not going to retrieve the user table data.
Thread: https://forums.phpfreaks.com/topic/298874-alert-the-phpfreaks-forum-members-data-appears-to-have-been-stolen/
QuickOldCar Posted October 28, 2015
Updated mine. I use a different password for every site; this stuff happens.
mrbraq Posted October 28, 2015
Where can I disable / delete my account? I no longer do PHP development.
adrianTNT Posted October 28, 2015
2
rpoelking Posted October 28, 2015
Ditto... how do I delete my account? I don't even remember signing up, it's been that long.
YouFailAsAnAdmin Posted October 28, 2015 (edited)
Quote: While the passwords are hashed, someone who is highly motivated to do so, may be able to derive your original password, especially if you did not use good password practices. A hash password can not be decrypted, but by generating rainbow tables, crackers can determine if your password matched one of many they may have in a database.

Seriously? lol How about FUCK YOU for even trying to play your cards like that. This is 100% your fault for being insecure and allowing this to happen. Not only do you fail as a developer and sysadmin, you fail as a site owner as well. Thanks for letting everyone's info get stolen!

Quote: We don't know at present, exactly how this occurred.

I know how it occurred. You don't know how to properly admin or run a website or database! Taking a quick look at http://forums.phpfreaks.com/members/ for 1 second shows that you don't even know how to stop spam and bot accounts from registering on the forum. Anyone reading this, I would leave this forum forever and never come back, as the owner is insecure and incompetent.
Edited October 28, 2015 by YouFailAsAnAdmin
dalecosp Posted October 28, 2015
Quote: You don't know how to properly admin or run a website or database!

DO please enlighten us. How many websites do you run, how many databases, and how long since you had a security incident?
YouFailAsAnAdmin Posted October 28, 2015 (edited)
I've run a few forums and websites and never had any of my databases compromised, I can tell you that much. dalecosp, you can bet your email and info is now gunna be spammed/cracked. I hope your 340 posts here are worth that to you. I mean this forum's tag line is "Where knowledge is power" yet the admin/owner has no knowledge of how to secure their own forum's database, stop spam bots from regging accounts, or even protect its members from being hacked and info stolen...
Edited October 28, 2015 by YouFailAsAnAdmin
scootstah Posted October 28, 2015
Quote: I've run a few forums and websites and never had any of my databases compromised, I can tell you that much.

Then you didn't have a big enough site. Nobody here wrote the forum software. We don't have time to spend thousands of hours writing custom software for a free website. It is not possible to stop spam bots entirely, sorry.
requinix Posted October 28, 2015
Don't feed the troll, guys.
darkcarnival Posted October 28, 2015
I too would like my account deleted. I haven't been on here since 2004 or so. I either figure out the issue on my own or use Stack Overflow. Thanks
requinix Posted October 28, 2015
I'm going to start suspending accounts for people who ask for it. mrbraq, rpoelking, darkcarnival: I'll suspend yours tomorrow (to give you time to see this post).
SparkleGirlSparkle Posted October 29, 2015
Hi, thanks for the email notification. I too no longer do this kind of work, so no longer need my account. Please could you delete my account when you start removing others? No need to let me know when, just go for it! Thank you for telling us all about what happened.
Vinze Posted October 29, 2015
Suspending actually isn't enough - to actually prevent things like this from happening in the future, you'd have to remove all account information from your databases. Otherwise, the next hack will simply steal the data of our suspended accounts. Is that possible?
Anzeo Posted October 29, 2015
Please completely remove my account from your database(s), thanks.
RichE Posted October 29, 2015
Hello, I would appreciate it if my account could be deleted as well. Thank you, Rich
texelate Posted October 29, 2015 (edited)
Quote: Please completely remove my account from your database(s), thanks.

Me too. I don't want anything left that relates to me on your server; haven't used this for years. The whole point of hashing properly is that if your database is stolen it's not worth it to try and work out the passwords. If you have a salt per password and use something like bcrypt with a decent strength (unlike something like MD5 or SHA1) you're going to be pretty safe. I appreciate that you didn't write the software, but someone could get a database dump (and most likely did) without it having anything to do with the forum software. It could be due to your negligence if the database password isn't strong, remote connections aren't disabled, privileges are wrong, etc. In the UK, broadband provider TalkTalk got hacked recently by a 15-year-old due to bad practices, so I suspect you're being somewhat economical with the truth. Please remove anything personal from my account. This will be my last post here.
Edited October 29, 2015 by texelate
phileplanet Posted October 29, 2015
Please delete my account
scootstah Posted October 29, 2015
Quote: The whole point of hashing properly is if your database is stolen it's not worth it to try and work out the passwords. If you have a salt per password and use something like bcrypt with a decent strength (unlike something like MD5 or SHA1) you're going to be pretty safe.

Yes, you are correct. Unfortunately, lots of the distributed applications written in PHP make poor decisions such as this.
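The point texelate and scootstah are making above (an unsalted fast hash falls to a precomputed table, per-password-salted bcrypt does not) in working PHP, as an added example that is not code from the thread or from the forum software; the candidate password list is constructed for the demonstration, and password_hash()/password_verify() are PHP's standard functions.

```php
<?php
// Added example, not code from the thread or from the forum software.
// It contrasts the unsalted fast hash older PHP apps used (md5) with
// per-password-salted bcrypt via PHP's built-in password_hash().

// Constructed stand-in for a rainbow table: candidate passwords hashed
// ahead of time, keyed by hash. A real table is the same idea, only huge.
function build_md5_lookup(array $candidates): array
{
    $table = [];
    foreach ($candidates as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// Against unsalted md5 the "crack" is one array index: no per-row work.
function lookup_hash(string $storedHash, array $table): ?string
{
    return $table[$storedHash] ?? null;
}

// Verify a password the way the forum should: password_verify() reads the
// salt and cost out of the stored bcrypt string itself.
function check_login(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

$table = build_md5_lookup(['password', 'letmein', 'qwerty', 'phpfreaks']);

// Weak scheme: md5($password) with no salt. Two users with the same
// password share a hash, and the precomputed table recovers it directly.
$weak = md5('letmein');
printf("md5 lookup recovers: %s\n", lookup_hash($weak, $table) ?? '(nothing)');

// bcrypt: password_hash() draws a fresh random salt per call, and cost 12
// means 2^12 rounds of bcrypt's key setup for every single guess.
$strongA = password_hash('letmein', PASSWORD_BCRYPT, ['cost' => 12]);
$strongB = password_hash('letmein', PASSWORD_BCRYPT, ['cost' => 12]);
printf("same password, same bcrypt hash? %s\n", $strongA === $strongB ? 'yes' : 'no');
printf("bcrypt lookup recovers: %s\n", lookup_hash($strongA, $table) ?? '(nothing)');
printf("legitimate login still verifies: %s\n", check_login('letmein', $strongA) ? 'yes' : 'no');

// When hardware gets faster, raise the cost and rehash on the next login.
printf("needs rehash at cost 13? %s\n",
    password_needs_rehash($strongA, PASSWORD_BCRYPT, ['cost' => 13]) ? 'yes' : 'no');
```

The md5 row is recovered by a single lookup, while the two bcrypt hashes of the same password differ and match nothing precomputed, which is exactly the "not worth it" property the thread describes.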
MockY Posted October 29, 2015
If you don't know how this happened, how are you going to prevent the same thing in the future? Changing passwords may be a good practice, but if the same vandal can grab a dump again in a month, what good will that do?
aniesh82 Posted October 29, 2015
I have modified my password. Thank you for the mail.
gizmola Posted October 29, 2015 Author
Quote: Me too. I don't want anything left that relates to me on your server; haven't used this for years. The whole point of hashing properly is if your database is stolen it's not worth it to try and work out the passwords. If you have a salt per password and use something like bcrypt with a decent strength (unlike something like MD5 or SHA1) you're going to be pretty safe. I appreciate that you didn't write the software but someone could get a database dump (and most likely did) without it having anything to do with the forum software. It could be due to your negligence if the database password isn't strong, remote connections aren't disabled, privileges are wrong, etc. In the UK, broadband provider TalkTalk got hacked recently by a 15 year old due to bad practices so I suspect you're being somewhat economical with the truth. Please remove anything personal from my account. This will be my last post here.

Obviously we don't want to go into additional detail, but the passwords were salted and hashed multiple times.
gizmola Posted October 29, 2015 Author
Quote: Seriously? lol How about FUCK YOU for even trying to play your cards like that. This is 100% your fault for being insecure and allowing this to happen. Not only do you fail as a developer and sysadmin, you fail as a site owner as well. Thanks for letting everyones info get stolen! I know how it occurred. You dont know how to properly admin or run a website or database! Taking a quick look at http://forums.phpfreaks.com/members/ for 1 second shows that you dont even know how to stop spam and bot accounts for registering on the forum. Anyone reading this, I would leave this forum forever and never come back as the owner is insecure and incompetent.

It's pretty much common knowledge that this site is run by volunteers. None of us are owners. The site uses fairly well known commercial forum software. We did not write it. The password file is salted and hashed, but that will not prevent someone who is highly motivated and has sufficient computation power available to crunch combinations. Passwords will always be a significant issue. In short, this is a non-commercial venture with limited resources. Of course I could point out that large enterprises with millions of dollars of security hardware and networking infrastructure to support it, as well as entire security staffs, have been compromised, but I'm sure you know better than them. Last but not least, spam registrations and the degree to which that is possible here is a tradeoff. We have dialed things down in the past to the degree that legitimate users were discouraged from making accounts. We've decided to open things up and make it simpler for them, and for this reason we have to make do with a relatively small degree of spam that is cleaned up fairly quickly. It has nothing to do with security or system administration.
gizmola Posted October 29, 2015 Author
Quote: If you don't know how this happened, how are you going to prevent the same thing in the future. Changing password may be a good practice, but if the same vandal can grab a dump again in a month, what good will that do?

We think we have an idea of what happened, and we've been spending time looking over our servers. We will not have certain types of forensics to guarantee a postmortem, but even if we did, I don't know that we would post it. We have identified a particular individual and actions they took within the forum software itself. I previously made a statement that suggested it might have been caused by a weak admin password, but after more research, it looks like the problem was actually related to security holes in the forum software. With that said, I don't want to offer opinions, and simply stick to the facts. We cannot and will not warranty or guarantee anything, and we have a TOS to that effect, which is no different than any other site out there. The staff donates their time to run a site that for over a decade has provided the PHP community with free programming help and advice. It really speaks for itself that it has managed to do that effectively for over 14 years. I can't speak for the entire staff, but if the risk to be here outweighs the rewards, we will advise people of that fact, and in all probability we would shut the site down rather than allow it to be compromised repeatedly.
R0CKY Posted October 29, 2015
Quote: DO please enlighten us. How many websites do you run, how many databases, and how long since you had a security incident?

Entirely irrelevant. YouFailAsAnAdmin is correct in what he says. Yeh, it might hurt a little, but he is correct. Not impressed at all with the postings from this site's Admins in this thread.

Quote: In short, this is a non-commercial venture with limited resources. Of course I could point out that large enterprises with millions of dollars of security hardware and networking infrastructure to support it, as well as entire security staffs have been compromised, but I'm sure you know better than them.

The minute you start putting banners on the forum, the "we are not commercial" argument fails. You are earning AdSense commission off your members, so please don't plead poverty. You contradict yourself when you correctly point out that even with massive resources, a dedicated hacker will still get in.

Quote: They were able to access the admin tools via a normal login. In short, it appears that this is a case where there was simply a compromised password used.

So, that would be an Admin password then, and your IPB admin logs will reveal exactly which admin did this? It's looking awfully like your own Admins didn't take your own advice.

Quote: While the passwords are hashed, someone who is highly motivated to do so, may be able to derive your original password, especially if you did not use good password practices.

I run a busy forum and have had my share of headaches, so you have my sympathy, for what it's worth - but I really hope this is not an #Admin password being so weak it was brute forced, because that is what you have described.