Spammers posting through existing accounts with no need to login?

[Goldoff]

And, worse, with no need of stealing such account.

The fact is that since a week ago or so I am getting some spam messages posted by users with little or no activity, but registered years ago. All IP's are located next, and the message is tipically a link to a Telegram channel related to crypto.

It is not a flood, and actually doesn't pose a problem by now. The thing that seems scary is that it seems to avoid the pwd system. At least, the spammer doesn't leave track of having reset such pwd in the log...

Is anyone else experiencing this problem?

 

[Brogan]

I expect there has been a breach and data dump and it is due to password reuse.

We have had a few accounts here affected.

 

[Goldoff]

So you could affirm that this is not due to a software bug?
Good to know, if yes

 

[Brogan]

We are not aware of any XF bug related to this.

 

[adeel786]

I was about to make a thread on this. Several threads from different established ids were created on our forum as well today.

 

[jeb35]

We've had 2 accounts that were created a few years ago that had valid threads but are now posting spam links. Wondering what was going on.

 

[Moshe1010]

I had it as well. It’s from huge data leaks with very week passwords

 

[Overscan]

Me too. Valid but dormant accounts, up to 11 years old, suddenly trying to post spam, last few days.

 

[z3r010]

I've been getting it on all my vbulletin and Xenforo sites, I quick google of the spam shows it's on every type of comment system, which leads me to believe that it's robot spam using credentials from a huge data breach.

 

[loulou]

Same thing here, mostly dormant but shared IP show also some moderators with 2FA enabled which is alarming !
Server log show some repetitive schema that spammers are using.

 

[Overscan]

All my spam came from a single Moldovan IP address (109.107.166.230) so it was fairly easy to find affected users. I set a custom ban message informing the user their credentials were compromised and to contact me for assistance recovering their account. Only 6 so far and 1 on another forum I manage which uses SMF.

 

[johnny82]

Same here, a two year dormant account and yesterday a crypto spam post with a link to telegram..

 

[z3r010]

I've just batch-updated all my dormant accounts on one of the sites being hit to "Locked: User must reset password" state, hopefully, that helps stop some of it.

 

[alexm]

All my spam came from a single Moldovan IP address (109.107.166.230) so it was fairly easy to find affected users. I set a custom ban message informing the user their credentials were compromised and to contact me for assistance recovering their account. Only 6 so far and 1 on another forum I manage which uses SMF.

Just one here on that IP and I’d already set old accounts to ‘User must reset password’ so he didn’t get anywhere.

 

[johnny82]

Found 4 other old accounts affected searching with the ip mentioned above, will lock them too.

 

[Mr Lucky]

I've just batch-updated all my dormant accounts on one of the sites being hit to "Locked: User must reset password" state, hopefully, that helps stop some of it.

I just did this one a test user and nothing happened. They were able to continue using the site, log out and log in again. No requirement to rest password.

 

[johnny82]

I did a test too and it worked, the user can't interact with the site unless he resets the password. Btw the test user was already logged in.

 

[z3r010]

I just did this one a test user and nothing happened. They were able to continue using the site, log out and log in again. No requirement to rest password.

My test account got the following and could do nothing.

 

[loulou]

My test account got the following and could do nothing.

View attachment 280078

But this is how a legitimate user login. I doubt they are using the login form.

 

[Mr Lucky]

But this is how a legitimate user login. I doubt they are using the login form.

How else to log in?