Omnimaga

Omnimaga => News => Topic started by: Sorunome on December 05, 2015, 05:23:16 pm

Title: Downtime
Post by: Sorunome on December 05, 2015, 05:23:16 pm
We got some quite unfortunate news concerning the downtime we experienced today - we got hacked!

We currently don't have any information yet as to who is behind the attacks; we are still in the process of investigation.

As per things lost - we have 0% data loss! Still restoring the attachments and downloads, but the website is back up already.

Password hashes were stolen, so we recommend you change your password on other websites. ADMIN accounts HAVE been accessed by the hackers.

We apologize for the inconvenience and hope things will be going smoothly from now on.
Title: Re: Downtime
Post by: KermMartian on December 05, 2015, 06:21:36 pm
It appears probable that plaintext passwords were stolen as well, so be aware of that. Someone attempted to compromise both my and geekboy's accounts elsewhere. Change your password.

Edit: It's also worth pointing out that if plaintext passwords were stored or logged somewhere, you should NOT change your password to anything you use elsewhere, because nothing about password storage has changed.
Title: Re: Downtime
Post by: Eeems on December 05, 2015, 06:36:13 pm
It appears probable that plaintext passwords were stolen as well, so be aware of that. Someone attempted to compromise both my and geekboy's accounts elsewhere. Change your password.

Edit: It's also worth pointing out that if plaintext passwords were stored or logged somewhere, you should NOT change your password to anything you use elsewhere, because nothing about password storage has changed.
We shouldn't have had any plaintext passwords. It looks like SMF doesn't salt+hash their passwords in a very secure way. Sorunome is looking into cleaning that up.

Luckily it looks like the damage was contained to Omnimaga's database itself and they didn't get at any of our other databases or anything. There is a lot of data they can sort through though and possibly some personal information.
Title: Re: Downtime
Post by: KermMartian on December 05, 2015, 06:38:27 pm
We shouldn't have had any plaintext passwords. It looks like SMF doesn't salt+hash their passwords in a very secure way. Sorunome is looking into cleaning that up.
Given how quickly my account was attacked last night (with my Omnimaga password), and geekboy's account was attacked today (ditto), I'm concerned.

Luckily it looks like the damage was contained to Omnimaga's database itself and they didn't get at any of our other databases or anything. There is a lot of data they can sort through though and possibly some personal information.
Geekboy said that nothing in the admin forum was particularly sensitive, but I guess PMs and the Private Matters subforum are of concern?
Title: Re: Downtime
Post by: Sorunome on December 05, 2015, 06:39:47 pm
We shouldn't have had any plaintext passwords. It looks like SMF doesn't salt+hash their passwords in a very secure way. Sorunome is looking into cleaning that up.
Given how quickly my account was attacked last night (with my Omnimaga password), and geekboy's account was attacked today (ditto), I'm concerned.
SMF currently uses the sha1 method for hashing passwords. I'm writing a mod right now to make it use bcrypt, as I couldn't find any existing one.
Title: Re: Downtime
Post by: Eeems on December 05, 2015, 06:41:36 pm
We shouldn't have had any plaintext passwords. It looks like SMF doesn't salt+hash their passwords in a very secure way. Sorunome is looking into cleaning that up.
Given how quickly my account was attacked last night (with my Omnimaga password), and geekboy's account was attacked today (ditto), I'm concerned.

Luckily it looks like the damage was contained to Omnimaga's database itself and they didn't get at any of our other databases or anything. There is a lot of data they can sort through though and possibly some personal information.
Geekboy said that nothing in the admin forum was particularly sensitive, but I guess PMs and the Private Matters subforum are of concern?
Correct, lots of PMs and private posts.
I'm not that happy with how easy it is for them to get the passwords from how SMF stores them.

Sorunome, would you mind opening an issue on SMF's stuff complaining about it?
Title: Re: Downtime
Post by: Escheron on December 05, 2015, 09:40:00 pm
Someone recently tried to access my PSN account, which I haven't used for months since I no longer have a PS3. Sony sent me an email to notify me that my password was automatically reset to counteract any suspicious activity. When I got rid of my PS3, I removed any personal info and card data from that account, so luckily it's not an issue. Everybody else may nonetheless want to double-check any accounts they have connected to their Omnimaga email address.

My email was also bombarded with spam.
Title: Re: Downtime
Post by: Juju on December 06, 2015, 12:55:26 am
No one attempted anything on any of my accounts as far as I know, other than the usual "there were security breaches on some other website that isn't ours and we think your account may be compromised, so we've reset your password" (the latest one was Netflix btw; I got one from Patreon and Adobe too, these breaches seem to be everywhere). Thankfully, nothing happened on CodeWalrus, as the attacker could easily have tried there as well. Anyway, if you guys know the IP of the offender, please tell me so I can check on my side.
Title: Re: Downtime
Post by: squalyl on December 06, 2015, 05:03:03 am
Seriously, plain text passwords in 2015?
Title: Re: Downtime
Post by: Sorunome on December 06, 2015, 05:32:49 am
Seriously, plain text passwords in 2015?
Not plain text, sha1 hashes, which are VERY weak.
And yeah, I was thinking the same "Seriously? Why would SMF even do that?"

I'm working right now on a thing so that the passwords will be stored using bcrypt.
Title: Re: Downtime
Post by: Streetwalrus on December 06, 2015, 06:40:16 am
It's more because SMF only salts the hashes with the username. A good password hasher also has a secret salt stored outside the database.
Let us know when your mod is done, so that we can deploy it on CW as well, and also so that I can change my password here. I'm in the process of changing all my other passwords.
Title: Re: Downtime
Post by: Sorunome on December 06, 2015, 09:59:43 am
The attachments should be all up now, if something is missing please tell me! Still need to upload the downloads
Title: Re: Downtime
Post by: NanoWar on December 07, 2015, 04:14:51 am
RevSoft got hacked, too. phpBB3 still uses looped MD5 hashing :( And with, I believe, another admin's credentials they got access to our admin panel, changed files and downloaded the database (including the pw hashes).
Title: Re: Downtime
Post by: Sorunome on December 07, 2015, 05:43:14 am
why would they even use md5......you should report it to phpBB devs ^.^
Title: Re: Downtime
Post by: c4ooo on December 07, 2015, 10:27:57 am
It seems nothing ever changes until something goes wrong :(
It is nice to see that no data was lost here :)
Title: Re: Downtime
Post by: alberthrocks on December 07, 2015, 10:48:32 am
Wow... well, this has driven me to actually start using KeePass2. I've been using KeePass2 in a few places, but I think I'll be using it a bit more often from now on!

(Someone remind me at the end of December to write a tutorial for KeePass2!)
Title: Re: Downtime
Post by: Sorunome on December 07, 2015, 10:48:45 am
It seems nothing ever changes until something goes wrong :(
Unfortunately this is true for way too many things :/
Title: Re: Downtime
Post by: Eeems on December 07, 2015, 11:57:54 am
This should serve as a big reminder for admins to be very careful with their login credentials. If possible, use two factor authentication. If not, consider changing your password every so often.
Title: Re: Downtime
Post by: Happybobjr on December 07, 2015, 08:21:46 pm
This is the only site where I have a unique password <3
Is it expected this was a random attack?
Title: Re: Downtime
Post by: Sorunome on December 09, 2015, 02:02:16 pm
The password-mod is up now!
As soon as you log in your password will get re-hashed using bcrypt!

Also, for anybody wanting to improve the security of their own SMF site, here's the mod: https://github.com/Sorunome/SMF-bcrypt
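The weakness Streetwalrus describes (a hash "salted" only with the public username) and the upgrade-on-login behaviour Sorunome's mod uses are shown below in an added Python example. This is not the mod's own code: it assumes the legacy SMF scheme is sha1(lowercase username + password), and it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt so the example runs without the third-party bcrypt package.

```python
import hashlib
import hmac
import os

# Legacy SMF-style scheme: sha1(lowercase username + password).  The "salt"
# is the public username, so anyone holding the database can test guesses
# at raw SHA-1 speed, and the same password gives the same hash for a given
# username on every SMF site.
def smf_legacy_hash(username: str, password: str) -> str:
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()

# Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256 is used only so this
# runs on a stock Python).  Random per-user salt plus a deliberately slow
# iteration count is what bcrypt provides and sha1(username+password) lacks.
PBKDF2_ROUNDS = 200_000

def strong_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2$" + salt.hex() + "$" + dk.hex()

def verify_strong(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(db: dict, username: str, password: str) -> bool:
    """Verify against whichever format the row holds; on a successful
    legacy login, re-hash with the strong scheme (upgrade on login)."""
    rec = db.get(username)
    if rec is None:
        return False
    if rec["passwd"].startswith("pbkdf2$"):
        return verify_strong(password, rec["passwd"])
    # Legacy row: the plaintext is only available at login time, so this
    # is the one moment the stored hash can be upgraded.
    if not hmac.compare_digest(rec["passwd"], smf_legacy_hash(username, password)):
        return False
    rec["passwd"] = strong_hash(password)
    return True

# Constructed sample member table: one row still in the legacy format.
USERS = {"Alice": {"passwd": smf_legacy_hash("Alice", "correct horse")}}
```

Rows for members who never log in again keep their legacy hash, so forcing a password reset for stale accounts (or expiring them) is the remaining step after deploying such a mod.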
Title: Re: Downtime
Post by: shaunny on December 12, 2015, 05:43:10 pm
Q: What is SMF?
Thanks.
Title: Re: Downtime
Post by: Sorunome on December 12, 2015, 05:43:49 pm
Q: What is SMF?
Thanks.
SMF is the forum software we use, Simple Machines Forum (http://www.simplemachines.org/)