Account Breaches & Re-Using Passwords

mclemore

Administrator
Staff member

Donor 15 years: 2010-2024
Joined
Apr 3, 2001
Messages
5,363
Reaction score
1,948
Location
Pasadena, California
Account Breaches & Re-Using Passwords

There are ongoing issues with account breaches across the Internet tied in most cases to reused and/or simplistic passwords. I wanted to share a little more about our experiences with them, including what we all can do to help avoid them.

Summary (for non-readers): It doesn't appear this site has been breached, but a few accounts over the last few years have been compromised. We encourage people not to use the same password here as they have on other sites, and we are taking steps to force people to use passwords that are not simplistic and have not been found in data dumps of other breaches.

January 3, 2021

Beginning on or before January 3, 2021, there was a bot operated out of Ukraine (likely either under control of someone in Russia or Ukraine) that was targeting systems across the Internet, trying known breached credentials against running systems based on commonly used platforms, including Xenforo 1.5x, Xenforo 2.x, Wordpress, phpBB, and IPS Community Suite. At the end of January, the bot was used to breach 3 of our accounts here. One of the three accounts hadn't been used in years, another hadn't been used in a bit, and the other one had been previously active. It didn't cause much trouble but did get our attention.

March 22, 2022

Normally, I wouldn't write much about an incident; however, in this case our conservative/defensive reaction to a troll caused more hassle for everyone than the troll did himself.

On the morning of March 22, 2022, it became very obvious that two user accounts had been breached, and posts and PM (private conversations) were made that obviously did not come from the two account holders. It appeared the same hacker got into both accounts. On one of the accounts, a demand for $1,500 was made with claims of vulnerabilities on the site. We had no discussions with the hacker and no payment was made.

Out of an abundance of caution, we took the site offline for what ended up being a few days while we investigated, and then when we came back up, we force-cleared everyone's browser cookies (which, amongst other things, logged everyone out). With knowledge in hindsight, these responses turned out to be an over-reaction.

A combination of a few factors played into our decisions: (a) we thought it unusual for an account to be compromised, let alone two of them, (b) with bad timing, the majority of people here were away on a vacation that week, all to mostly 'off-grid' locations, with limited and slow Internet access, and (c) the week before we had learned of a potential exploit that likely opened on March 14 or 15 and we patched on March 17.

As such, we had to investigate whether it was possible for such a potential exploit to have been used the week before the breach, and to conduct further investigations. As it turns out, the potential exploit was not attacked by anyone those days, including our troll.

Unlike the bot in January 2021 which attacked countless sites all from the same IP address, our new troublemaker (apparently unrelated to the previous one) apparently used the breached accounts via a browser that sent every request through different IPs in different countries. Still, we were able to track our unwelcome visitor back to a specific city (though at the end of the day, that doesn't mean much).

During this week we conducted extensive testing and reviews. We looked at code (though thankfully had just completed a code review less than 2 weeks earlier), logs, and server configurations. We tested using both our own scripts as well as external tools.

Additionally, one of our active forum members, @conrad (Eric Conrad) runs a company called Backshore Communications (https://www.backshore.net/) which "provides Threat Hunting, Penetration Testing, Intrusion Detection and Incident Handling services." He graciously offered to assist, and we took him up on that offer. We shared our observations with him and he made his own. He provided a variety of help, including confirming our opinions that we were 'taking the right steps'. He also provided extensive external scans of our network and in particular the site's pages and web forms. He found no network vulnerabilities and no SQL injection vulnerabilities. He found no major issues, and only one minor one (which didn't lead to trouble, but we did fix). Eric -- again, thank you for your help.

As mentioned, in hindsight, we didn't have to take the forums down, and we didn't have to clear everyone's cookies. I'm ok that we were conservative in our approach, however.

May 9, 2022

On May 9, 2022, another user had their account breached. Fortunately, the user was around and paying attention, and noticed trouble very quickly. We locked their account while we investigated. Unfortunately, before we were able to shut down the account, the troll had asked and another member had sent $90 to a .ru (Russia) domain email address. After a few days we reset the password on the breached account and there has been no trouble with the account since.

Moving Forward:

Immediately after the March incident, we made one change of note. On the main site's account settings page, whenever someone changes their password, the system checks the password against a database of nearly 12 billion breached accounts from 603 web sites. If it finds the password in the database, it rejects it. Note: It's not looking for whether the password and email address are found together, but just the password. It isn't checking if our member had used the password on another site that was breached, but checking if anyone in the world used the password on a site that was breached. In other words, our process strongly discourages simple and easy to crack passwords, and discourages the re-use of passwords on our site. That said, I'd bet the majority of our users have been members of a breached site, and hopefully aren't using the same password on other sites (i.e., here). Enter your email address into https://haveibeenpwned.com/ for more information on some of the sites you have visited that have been breached...

We will continue to take steps to protect this site and our community. These include:

* At some point soon, we will become more proactive and begin to check password security at logins and force existing members to pick more secure passwords, not just when they go to change a password.

* We will continue to get more aggressive at resetting passwords for people that haven't logged in for a long time. [Again, we highly recommend people have phone number and/or secondary email address on file in account settings.]

* We are exploring 2FA. While we probably won't implement it for every day sign-ons, we may utilize it for important account changes (like password or email changes).

Here's to a great 2022.

A lot of changes are in development. It should be an interesting year here… Here is to a safe and fun year.
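One way to implement the breached-password check described under "Moving Forward" (and the planned check at login), as an added example that is not part of the original post and not the forum software's own code: it uses the k-anonymity range scheme of the public Pwned Passwords API, so only the first five hex characters of the password's SHA-1 leave the server and the match is finished locally. The sample range response, its counts, and the assumed minimum length of 12 are constructed for offline demonstration.

```python
import hashlib
import urllib.request

# Public Pwned Passwords range endpoint (real URL; the offline stub below never calls it).
API_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character hash prefix is sent over the network."""
    req = urllib.request.Request(API_RANGE_URL + prefix,
                                 headers={"User-Agent": "pw-policy-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, range_lookup=fetch_range) -> int:
    """How often the password appears in the corpus; 0 means not found.
    The full hash never leaves this function: the suffix match is done locally."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)

def password_acceptable(password: str, range_lookup=fetch_range, min_len: int = 12) -> bool:
    """Policy at password-change (or login) time: not trivially short (assumed min_len) and not in any dump."""
    return len(password) >= min_len and breach_count(password, range_lookup) == 0

# Constructed sample range response for prefix 5BAA6 (SHA-1("password") starts
# with 5BAA6); the neighbouring suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "21BD12DC183F740EE76F27B78EB39C8AD97:1\r\n"
)

def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range that answers from the constructed sample only."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
```

Pass `offline_lookup` as `range_lookup` to exercise the logic without network access; the default `fetch_range` performs the real prefix query.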