next »

[s0]

that's good to hear!

[quantumpotato]

Has anyone heard of this Allergicly before?

[requiemzz]

Apparently, it was all just for fun SMH :
https://twitter.com/Allergically/status/779780762254073857

[s0]

Hey Matthew, someone just suggested this in a chat and I thought it was a good idea: How about having an announcement linking to your post in the in the top bar, a la the ocean marketing link?

[ProgramGamer]

Ok, so in light of this what would be a good password managing program?

[DireLogomachist]

Ok, so in light of this what would be a good password managing program?

I just started using LastPass due to this. Good so far I think.

[Matthew]

Ok, so in light of this what would be a good password managing program?

I like 1Password.  It's kind of surprising how many unique logins you end up with once you start doing one per site.  (I have 85 in there, and I don't feel like I'm *that* active on the Internet).

BTW, I dug through some access logs, and my best guess right now is that this was a shared password issue with the admin account used.  Password was compromised elsewhere and used here.  Sadly, if the attacker gets lucky they'll be able to take a cracked password + email from here and use it somewhere else, keeping the chain alive...

[s0]

Could you do a thing where you reset everyone's password to a random string and force them to change next time they log in? It's a drastic measure, but better safe than sorry.

[ProgramGamer]

At least this is forcing us to take internet security a bit more seriously lol

[Matthew]

Could you do a thing where you reset everyone's password to a random string and force them to change next time they log in? It's a drastic measure, but better safe than sorry.

Yeah, I'm looking at ways to notify affected users.  I think weak hashes are something like 10% out of the 4% of users that made it into the backup table before the script timed out.

To be honest, I'm not that worried about people changing their passwords here.  There isn't a whole lot to be gained from a random, non-privileged TIGForums account!  My worry is if someone made an account here with an easy common password they also use elsewhere (email, domain names, paypal, etc)...

[starsrift]

Fuck! Now I have to change the combination on my luggage. 

[MedO]

Saw this on Twitter. Password changed. I think this actually warrants a mass email to all users.

Would be interested in how he did it, since I run an SMF installation as well (though mine is SMF2) and don't want to be vulnerable to the same issue.

[s0]

To be honest, I'm not that worried about people changing their passwords here.  There isn't a whole lot to be gained from a random, non-privileged TIGForums account!  My worry is if someone made an account here with an easy common password they also use elsewhere (email, domain names, paypal, etc)...

my thinking was that if spammers somehow got their hands on the db with cracked passwords they could use it to mass hijack accounts.

[oahda]

The backup_members table they quoted on Twitter only has 1,793 entries.

Would you be so kind as to tell us who "they" are, if they're so cool and edgy as to proudly announce their great accomplishment on Twitter?

[Matthew]

Would you be so kind as to tell us who "they" are, if they're so cool and edgy as to proudly announce their great accomplishment on Twitter?

It's in the thread here (3rd post).

[oahda]

Thanks. I got the impression from the tone of the other messages in this thread that this was a malicious attack, especially since they apparently "defiled" the templates which didn't sound like something a helpful hacker would do. But I found the other Twitter link now too, so that's good, assuming it's true. Let's hope so.

Might still want to make sure some of the "high-profile" (Derek, Blow...) people whose accounts are visible in that screenshot are personally made aware of this just in case tho, since even someone without initially malicious intentions might be tempted to try and do something with those passwords.

[starsrift]

Serious question - given the brazen nature of the attacker to self-identify, will TIGS be pursuing legal action?

[Schoq]

how are you gonna prosecute a twitter account

[Thaumaturge]

Oh dear. :/

Thank you for letting us know! It's appreciated. ^_^

I do have two questions: While measures have been taken against another such hack, do I gather correctly that the hole has yet to be fully patched? If so, could a hacker not repeat a similar process to gain newly-changed passwords?

[Matthew]

Oh dear. :/

Thank you for letting us know! It's appreciated. ^_^

I do have two questions: While measures have been taken against another such hack, do I gather correctly that the hole has yet to be fully patched? If so, could a hacker not repeat a similar process to gain newly-changed passwords?

My best guess is that this was a password hygiene issue.  The password to an old administrator account was comprised elsewhere, and was the same password used here.

I covered this in the original post, but basically:

- Tripwire added at the file level (monitors files for changes)
- SMF admin tools removed (the attacker only used admin tools and didn't have shell access)
- Old accounts cleaned up, even this account has no admin access until I need it
- Various PHP file functions disabled