Security Alert: Forum Passwords Possibly Compromised
#1

On November 15, the forum's database was remotely downloaded in a cross-site scripting attack. A vulnerability in the code of the forum software that checks to see if our version is the latest was used to download a full copy of the database. Many other MyBB forums were affected. You can read more details about the security breach here: http://community.mybb.com/thread-162942.html

We encourage all registered users to change their forum passwords immediately. Additionally, if your forum password was not unique, you should change it on all services on which you used the same password. All passwords are encrypted and salted. However, all passwords within the database can be cracked through brute-force. Encryption and salting only slows the process down.

When creating new passwords, please ensure your passwords are strong. Also, whenever possible, it is a good idea to implement two-factor authentication, especially for email and online banking services.
Reply
#2

This might also help

Reply
#3

Thanks for making us aware.

Slightly off topic, but Solorni's posts in the NS forum thread on this matter are absolutely hilarious.
Reply
#4

(11-20-2014, 10:27 AM)Vibrant Coconuts Wrote: Thanks for making us aware.

Slightly off topic, but Solorni's posts in the NS forum thread on this matter are absolutely hilarious.

While the tone is her usual unserious one, the points happen to be serious.

I've not been a huge fan of this mybb arrangement from the start (though of course I should not have had a 'vote' or whatever as I was completely inactive when it was adopted). This is worse than I expected.

That said, what's done is done and it would probably be impractical to move again. I would ask, however, that we be more vigilant.
Reply
#5

(11-20-2014, 01:01 AM)Sandaoguo Wrote: All passwords are encrypted and salted. However, all passwords within the database can be cracked through brute-force. Encryption and salting only slows the process down.
This is technically true, but sufficiently secure passwords may take longer to crack than the expected survivability of the earth.
(11-20-2014, 01:01 AM)Sandaoguo Wrote: When creating new passwords, please ensure your passwords are strong. Also, whenever possible, it is a good idea to implement two-factor authentication, especially for email and online banking services.
Would it be possible for TSP to pull in zxcvbn, a very sensible password strength checker in client-side JavaScript?
Reply
#6

Please don't, or preferably: do, but set it as advisory only.

The security of my password is my responsibility. I also need to be able to remember my p/w over multiple sites. To do that, I use a system to generate pass phrases of appropriate strength. As it happens, they do not fit the arbitrary rules imposed by such modules.
Strolling punster from Canada
Eat o' teh eye pie is teh one!
First member and Procrastinator in Chief of the ice creamists movement
Reply
#7

(11-20-2014, 11:07 AM)Almonaster Wrote: Please don't, or preferably: do, but set it as advisory only.

The security of my password is my responsibility. I also need to be able to remember my p/w over multiple sites. To do that, I use a system to generate pass phrases of appropriate strength. As it happens, they do not fit the arbitrary rules imposed by such modules.

There's a reason I'm suggesting zxcvbn. It would quite likely find your passwords to be exactly as secure as they are.

I don't think anyone's suggesting mandatory password strength levels.
Reply
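The disagreement in the last two posts is about two different kinds of checker: composition rules (must contain upper, lower, digit, symbol), which reject a well-chosen passphrase, versus an estimate of how hard the password actually is to guess, which is what zxcvbn does and why Eluvatar expects it to rate Almonaster's passphrases fairly. The following is an added example, not zxcvbn and not TSP's forum code: it implements a deliberately simplified zxcvbn-style estimate beside a rule-based check, and wires it to a form as feedback only, with no effect on submission. The word-list size (7,776), dictionary size (30,000), score thresholds and the sample passwords are assumptions constructed for the illustration.

```javascript
// Added example (not zxcvbn, not TSP's code): an advisory-only strength meter that
// contrasts pass/fail composition rules with a structure-aware entropy estimate.

const WORDLIST_SIZE = 7776; // assumption: a Diceware-sized list for passphrases
const DICT_SIZE = 30000;    // assumption: common-word dictionary for "Word123!" patterns
const SYMBOLS = 33;         // printable ASCII symbols

// The rule set Almonaster objects to: a passphrase of lowercase words fails it.
function meetsCompositionRules(pw) {
  return pw.length >= 8 && /[a-z]/.test(pw) && /[A-Z]/.test(pw) &&
         /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// Simplified estimate. Real zxcvbn also handles dates, keyboard walks, l33t substitutions
// and repeats; this keeps just enough to show why structure matters more than classes.
function estimateEntropyBits(pw) {
  const words = pw.trim().split(/\s+/).filter(Boolean);
  if (words.length >= 3 && words.every(w => /^[a-z]+$/.test(w))) {
    // Passphrase: each word is one pick from the list, not a run of independent letters.
    return words.length * Math.log2(WORDLIST_SIZE);
  }
  const m = pw.match(/^([A-Z][a-z]+)([0-9]{1,4})([^A-Za-z0-9]?)$/);
  if (m) {
    // "Password1!" style: one dictionary word (+1 bit for the capital), a short digit
    // suffix and an optional symbol. All the character classes are there; the entropy is not.
    return 1 + Math.log2(DICT_SIZE) + m[2].length * Math.log2(10) + (m[3] ? Math.log2(SYMBOLS) : 0);
  }
  // Fallback: treat the string as random draws from the classes it uses.
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(pw)) alphabet += SYMBOLS;
  return alphabet ? pw.length * Math.log2(alphabet) : 0;
}

// zxcvbn reports a 0-4 score; these bit thresholds are this example's own choice.
function scoreFromBits(bits) {
  if (bits < 28) return 0;
  if (bits < 40) return 1;
  if (bits < 56) return 2;
  if (bits < 72) return 3;
  return 4;
}

const LABELS = ['very weak', 'weak', 'fair', 'strong', 'very strong'];

function advisoryFeedback(pw) {
  const bits = estimateEntropyBits(pw);
  const score = scoreFromBits(bits);
  return { bits, score, label: LABELS[score], rulesPass: meetsCompositionRules(pw) };
}

// Browser wiring (only meaningful inside a page): the meter writes feedback on every
// keystroke and never touches the form's submit handler, so it stays advisory.
function attachAdvisoryMeter(inputEl, outputEl) {
  inputEl.addEventListener('input', () => {
    const fb = advisoryFeedback(inputEl.value);
    outputEl.textContent = `Estimated strength: ${fb.label} (~${Math.round(fb.bits)} bits)`;
  });
}
```

On the constructed inputs, "Password1!" satisfies every composition rule and scores 0, while the four-word passphrase "salted coconut lemma stroll" fails the rules and scores 2, the same as an eight-character random mixed string that passes them. That reversal is why the suggestion is to measure rather than to mandate: the meter informs, and the registration form accepts whatever the user decides.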
#8

I will look into implementing that, Eluvatar. It would be best to write a custom plugin for it, so that it isn't erased when the forums are updated.

As for this incident being related to the choice of forum software or service, I still believe self-hosting is the best choice available. This security issue is very unique, in that it happened because a developer had their GitHub account compromised. It wasn't an issue with the software per se, but rather an unanticipated exploit that could not have happened without the GitHub account being hacked.

That developer really did drop the ball, and MyBB did as well. I would not have known about this if not for Hobbes having a forum of his hacked. They don't have a system to send alerts, aside from the feature that was hacked. I would have expected a mass email at the very least. I will definitely voice that to the development team.
Reply
#9

(11-20-2014, 10:27 AM)Vibrant Coconuts Wrote: Thanks for making us aware.

Slightly off topic, but Solorni's posts in the NS forum thread on this matter are absolutely hilarious.

Yawn. If you ever want to talk about someone you could always do it to their faces. Although that could just be a me thing, idk.

EDIT: In fairness, I have been rather stressed lately with school and work as well. I was upset that my password and such were compromised and was bitter that TSP choosing this forum and myself choosing to register for it had caused me an extra hassle and worry. Especially at a time in which I would rather not have to worry about all my accounts being compromised.
Reply
#10

Done, thanks for the heads up.
Reply