Simple Machines Community Forum (HACKED)

wickedstangs

Well-known member
I thought I'd share this with you all, I started my first forum with them.. Got this email today and have been changing all my passwords...

Dear valued community members,
On the 22nd of July 2013, it was discovered that unauthorized access to our website and database has been obtained on the 20th of July.
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.
One of the admin accounts' passwords was discovered, and from there further escalation wasn't too difficult considering admin privileges can do just about anything.
Unfortunately, we are 100% sure that our user database has been stolen.
As such we HIGHLY RECOMMEND, even implore you, to:
1.) Change your password on other websites you are using, if you use the same password there. This is very important to do, as it also will help prevent other websites being hacked through your compromised password, if it is compromised.
2.) Change your password here on our website.
3.) If you use the password you use here anywhere else, say for example to login to your webhost, it is highly urged to change it.
4.) Please note that personal messages may have also been compromised. We don't know for sure if the hacker only downloaded the user tables or not, although that's the only thing he/she is after. If they did: keep in mind that passwords you shared through PM should now be considered vulnerable. It's best not to take the risk and gamble, and just change any password you shared through PM as well.
5.) Charter members, current and past, are encouraged to change ALL passwords if they ever sent any in to us. That would include FTP.
Please keep in mind:
This is !!NOT!! a security issue with the SMF software. If you are running the latest SMF version you have nothing to fear from this hack if you use different passwords.
The method used by the hacker is that a database is downloaded from another hacked website, the passwords are attempted to be decrypted and if it is successful: they try to login to other websites using that username & password, or try to cross-reference by using password reset links.
Unfortunately for us, an Administrator used the same password elsewhere on another site and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to login here with admin rights.
Hundreds of websites have been hacked lately by using this method, so you are highly encouraged to change your passwords...
... And remember: don't use the same password on multiple sites!
It helps to prevent hacks like this.
Thank you for your consideration and we deeply apologize for any inconvenience this causes for you.
By changing your passwords, you will help ensure that other sites do not fall victim to this method of hacking and help put a halt to the hacking spree that has affected hundreds, if not thousands, of websites already.
Any questions, please do feel free to ask.
Please stay on topic.
Kind regards,
Board of Directors
Simple Machines
 
You'd think Admins would know better than to reuse passwords... Yes I have a "default" insecure password I use on a lot of forums but only on forums where I am just a regular member. Any forum where I have mod or admin access has a unique password, very unique... Can't trust any sites these days.
 
It still baffles me why all admins of their forums aren't using two stage or IP security for their accounts.
I find it sad that admins lack due diligence in relation to their members' and customers' privacy, in that they have insecure administrative access to their accounts. If you've taken at least some type of additional account security and hackers get past it, at least you can be honest that you reduced the risk of access significantly with a two stage process / IP based two stage process.

HTTPS encrypts a text field's data from third party interception at around $30 p/a, two step authentication is FREE to use... I just don't get it.

Someone as large as Simple Machines... I would expect decent security on those admin accounts.
 
Got that email too! Does not really look good considering SMF has 320,324 Members as of this time of writing.

Cracking the password to be able to login will be time consuming using brute force. But SMF should opt for stronger password hashing than the one they are using now, like how XF does. XF has probably one of the tougher password encryptions, implemented in version 1.2 using blowfish encryption. The other similar stronger encryption, which I've had a hard time getting password decryption working with for my poker board service, is PBKDF2, which Modx uses. XF also makes it harder to read the encrypted password even if you restore from a stolen database dump, because XF saves the encrypted password as serialized data which first needs to be deserialized to be readable.

Yeah, I've to change passwords to all my other accounts. Even though I don't have sensitive data, my only concern with the hack is they can get your private email from the database and use it.
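
An added example, not part of the original thread and not code from SMF, XenForo or MODX: one way a forum could move from a fast unsalted hash to salted PBKDF2 by re-hashing each account on its next successful login. The `sha1$` legacy format, the `pbkdf2_sha256$...` storage string, the iteration count and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def legacy_hash(password):
    # Constructed stand-in for a fast, unsalted scheme (not any forum's real format).
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    # A fresh per-user salt defeats precomputed tables; the iteration count slows each guess.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify(password, stored):
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        return hmac.compare_digest(legacy_hash(password), stored)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, _ = rest.split("$")
        # Recompute with the stored salt and cost, then compare in constant time.
        candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, stored)
    return False  # unknown scheme: fail closed

def needs_rehash(stored):
    parts = stored.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS

def login(users, name, password):
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if needs_rehash(stored):
        # Only at login do we hold the plaintext, so upgrade the record now.
        users[name] = pbkdf2_hash(password)
    return True

if __name__ == "__main__":
    users = {"alice": legacy_hash("constructed-sample-pw")}  # constructed sample record
    print(login(users, "alice", "constructed-sample-pw"), users["alice"][:30])
```

Accounts that never log in again keep the legacy hash, so a migration like this is normally paired with a forced reset for stale accounts.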
 
Or we could all end up getting a notice like this one, which I recently received from Simple Machines (my former forum platform):

Dear valued community members,


On the 22nd of July 2013, it was discovered that unauthorized access to our website and database has been obtained on the 20th of July.
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.
One of the admin accounts' passwords was discovered, and from there further escalation wasn't too difficult considering admin privileges can do just about anything.

Unfortunately, we are 100% sure that our user database has been stolen.
As such we HIGHLY RECOMMEND, even implore you, to:
1.) Change your password on other websites you are using, if you use the same password there. This is very important to do, as it also will help prevent other websites being hacked through your compromised password, if it is compromised.
2.) Change your password here on our website.
3.) If you use the password you use here anywhere else, say for example to login to your webhost, it is highly urged to change it.
4.) Please note that personal messages may have also been compromised. We don't know for sure if the hacker only downloaded the user tables or not, although that's the only thing he/she is after. If they did: keep in mind that passwords you shared through PM should now be considered vulnerable. It's best not to take the risk and gamble, and just change any password you shared through PM as well.
5.) Charter members, current and past, are encouraged to change ALL passwords if they ever sent any in to us. That would include FTP.

Please keep in mind:
This is !!NOT!! a security issue with the SMF software. If you are running the latest SMF version you have nothing to fear from this hack if you use different passwords.

The method used by the hacker is that a database is downloaded from another hacked website, the passwords are attempted to be decrypted and if it is successful: they try to login to other websites using that username & password, or try to cross-reference by using password reset links.
Unfortunately for us, an Administrator used the same password elsewhere on another site and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to login here with admin rights.
Hundreds of websites have been hacked lately by using this method, so you are highly encouraged to change your passwords...

... And remember: don't use the same password on multiple sites!
It helps to prevent hacks like this.

Thank you for your consideration and we deeply apologize for any inconvenience this causes for you.
By changing your passwords, you will help ensure that other sites do not fall victim to this method of hacking and help put a halt to the hacking spree that has affected hundreds, if not thousands, of websites already.

-edit for clarification-
Yes, the passwords are stored with encryption.
Unfortunately, even encrypted passwords can be decrypted. Hence, the passwords used here should not be considered safe anymore.


Any questions, please do feel free to ask.
Please stay on topic.


Kind regards,
Board of Directors
Simple Machines
 
Damn, and I looked for a similar thread too. Well, feel free to delete. And how did you pounce on that so quickly? You sure you're not a bot? :rolleyes:
 