
justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

4 edits

5 recommendations

site user password intrusion info

Quick Q+A (updated)

For the accounts compromised, what was obtained?
registration email address and user picked login password

Anything else?
Nothing. No login names, zip codes, private posts, etc.

Was any password and email used by the bad guy(s) to login at dslreports.com?
No. As the intrusion was detected and halted, all user passwords obtained were changed before they could be used.

When did it happen?
From 2pm Wednesday to about 6pm Wednesday, during which time the site was timing out and acting up. (The alert email states Tuesday; that was a typo.)

When did the alerting emails go out
They started to be generated about midnight that same night, and all compromised passwords were reset at that time.

Who/what did the hack
Initially a single IP in Sweden (the city of Sundsvall) spent time trying URLs for an exploitable hole, then a large network (botnet) of 10,000 compromised Windows machines. This circumvented individual IP access limits on unusual activity. The attack was blocked before it had completed more than 8% of its work.

What is the likely use for the data gained
The evidence so far is email accounts where the owner did not read and act on our alert email soon enough (hotmail, MSN, gmail, yahoo mail) were used to spam URLs advertising prescription drugs to the contact list of the email account. I've received two confirmations so far that this happened, so there are going to be others.

Is credit card data at risk
It is difficult to see how (with an email address and password) any usable credit card data could be obtained. If you feel this has happened please consider how, to ensure it was not an insecurity in another website, or an unrelated but coincidental event. If one warns 9000 people the chances are more than one of them is at that time dealing with unrelated credit card fraud.

What kind of shoddy operation are you running here?
Not making excuses, but it is sobering to read that just recently mysql.com was hacked with an identical approach to the one used here (blind SQL injection). The encrypted passwords gained were easily reverse engineered, and much more info was revealed. See: »www.acunetix.com/blog/web-securi···jection/
More MySQL based sites will suffer the same issue this year, so users should take care to reduce their password re-use on multiple sites to at most high, medium and low value passwords. A common low value password for forums, unique ones for banking, etc. Even if every website was perfectly secure, keyloggers, browser exploits and so on should inform this approach to password management.

how to reactivate your account here IF you can't login
Use the »/forgot password function to obtain a password reset URL by email you can use to select your new site password.

In the case where your email of record is @dslr.net then please contact the site by email and tell us your login name and your @dslr.net email address, so we can get you back in.

Once logged in again you have the option of deleting your account if you wish to do so, please visit »/join and look at the bottom of that page.
------------------------------------------------------------------

If you've received an email, it pointed you to this topic.

If you got the email, your password will have also been changed by the system.

*** If you haven't got the email and your password still works (has not changed), you are not part of the intrusion. All emails went out at the same time, wednesday/thursday. ***

You can recover the new password by using: »/forgot

you can change it (if you are logged in) by using »/prof/passwd

In brief: an SQL injection attack by a botnet on Wednesday afternoon obtained a large number of email / password pairs. The ones they obtained were basically random. So they cover the entire 10 year history of the membership but sprinkled randomly. Some are very old accounts, some are new accounts, some inactive or deleted.

I identified the newest accounts, those that were obtained and have logged in over the last 12 months, and have alerted those by email. This amounts to some 9000 accounts.

If your email/password was revealed (you received the alert email, or have discovered your login password has been changed by us already), all you need to do is think of what OTHER sites you use allow logins using your registered email address here, and your original site password.

Many sites require a username of some kind and a password, so even if you use the same password, risks are low that you will have an immediate issue. For example, you cannot login to ebay with an email and a password. Online banking, etrade and so on also require account numbers and passwords.

Some sites especially EMAIL services like GMAIL, and PAYPAL, FACEBOOK allow login by email and password. If you are in the habit of sharing the same password among many sites, then the people with the data can login as you. So you should secure your access to those sites by changing your password immediately. Your first priority would be your email account if the password was shared with it.

It is unclear how much data the logged intrusion requested actually reached them - the site was quite unresponsive during the attack - and whether that data is being used yet. I'm going on a worst case scenario here.

It is also unclear whether the emails obtained will be spammed, or just searched for high value targets such as paypal, gmail, google docs.

Older inactive accounts involved are also being notified by email now, although the older the account, the less likely the email is still current, or the password they used is still useful.

Obviously having both an SQL injection hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can.

My apology for any stress this causes. If you are like me you've also got the PSN network issue hanging over your head as well.

Judging from the replies to the initial email the impact is varied: some people used a unique email or unique password for the site, others use the same password everywhere and have to be more careful.

You can see from the news:
»news.google.com/news/more?pz=1&c···CJdugm6M
that SQL injection attacks are rampant on the net right now.

Having "low" and "high" value passwords, or a password 'system' of some kind, is good insurance against events like these.
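The post above names the two defects behind this incident: a query built by splicing user input into SQL text, and passwords stored in plain text. The following is an added example (not dslreports code; the table layout, column names and sample accounts are constructed for illustration) that puts the weak pattern beside the hardened one: a bound-parameter lookup so input can never become SQL, and salted PBKDF2 hashing so a dumped table yields no usable passwords.

```python
# Added example, not code from the site described in this thread.
# Assumptions: an in-memory SQLite table named 'users' with a legacy plaintext
# 'password' column and replacement 'salt' / 'pw_hash' columns; sample rows are
# constructed here.
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # assumption: work factor chosen for this example


def make_db():
    """Constructed in-memory user table (not the real site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    return conn


def register_legacy(conn, email, password):
    """The breached pattern: the password itself is written to the table,
    so anyone who can read the table has every user's password."""
    conn.execute(
        "INSERT INTO users (email, password) VALUES (?, ?)", (email, password)
    )


def login_vulnerable(conn, email, password):
    """The breached pattern: string-built query over the plaintext column.
    Whatever arrives in 'email' or 'password' is spliced into the SQL text,
    so the database parses and executes it as part of the query."""
    sql = (
        "SELECT email FROM users WHERE email = '%s' AND password = '%s'"
        % (email, password)
    )
    return [row[0] for row in conn.execute(sql)]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. A dump of salt + pw_hash gives an attacker
    a per-row brute force job instead of the password itself."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def register_hardened(conn, email, password):
    """Store only the salt and hash, via bound parameters."""
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, digest),
    )


def login_hardened(conn, email, password):
    """Parameterised lookup by email only; the password never touches SQL and
    is compared against the stored hash in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None or row[0] is None:  # unknown email, or a legacy row with no hash
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])


def demo():
    """Run both patterns against constructed accounts and report the outcomes."""
    conn = make_db()
    register_legacy(conn, "alice@example.com", "hunter2")        # constructed sample
    register_hardened(conn, "bob@example.com", "correct horse")  # constructed sample

    tautology = "x' OR '1'='1"  # textbook input that turns the WHERE clause always-true
    return {
        "vuln_good": login_vulnerable(conn, "alice@example.com", "hunter2"),
        "vuln_injected": login_vulnerable(conn, tautology, tautology),  # every row
        "hard_good": login_hardened(conn, "bob@example.com", "correct horse"),
        "hard_bad": login_hardened(conn, "bob@example.com", "wrong"),
        "hard_injected": login_hardened(conn, tautology, tautology),  # no such email
        "hard_legacy_row": login_hardened(conn, "alice@example.com", "hunter2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The parameterised `login_hardened` refuses the legacy plaintext row outright (`hard_legacy_row` is False), which is the behaviour you want while migrating: old rows get rehashed on their owner's next successful password reset rather than being compared in SQL.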


compn

join:2001-03-05
Livonia, MI

1 recommendation

reply to justin

Re: site user password intrusion info

it's like winning the lottery! heh



justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

yeah a bad one you never knew you were up for.

btw if we can keep responses in this topic to any new questions that are not already answered by my post, it will save time for people viewing the topic who are affected and want an answer on something or other, thanks.

You can beat me up in a different topic.



Cho Baka
Premium,MVM
join:2000-11-23
there
kudos:2

Is this related to my site mail not working?

(mail password was changed to match my new site password)
--
The talented hawk speaks French.



justin
..needs sleep
Australian
join:1999-05-28
kudos:15

shouldn't be, but I'll propagate your password change again to see if that gets mail working for you.



Jovi
Premium
join:2000-02-24
Mount Joy, PA
reply to compn

said by compn:

it's like winning the lottery! heh

Yup. In the 8% that got hit, makes you feel that way. Just changed a few passwords just to be safe. Thanks for the heads up Justin.
--
"Some people have no respect for logic."


ExitWound
Porsche Snob

join:2001-12-13
State College, PA
reply to justin

Unfortunately, lessons are often learned the hard way. Thanks for the warning. I've been in the process of changing my passwords on all sites to a new format of passwords I use.
--
»www.theexitwound.com



Steimes
I make internets
Premium
join:2002-01-08
Belle Vernon, PA
kudos:1
Reviews:
·Comcast

1 recommendation

reply to justin

I am stealing Justin's template if any of my websites get hacked.

Justin, can we please get our passwords and emails encrypted in your database?

Thankfully, my password is relatively unique to this site, but in ten years, I might have used it in more than one place
--
Making procrastination an art form since Pluto was still a planet.



Cho Baka
Premium,MVM
join:2000-11-23
there
kudos:2
reply to justin

Password change got it working.
Thank you.

POP no longer works for me on 995/SSL (or 1100), but it works on 110/no SSL.
--
The talented hawk speaks French.


ron860928

join:2001-10-09
Putnam, CT

1 edit
reply to justin

EDIT> Never Mind, I think I just panicked and forgot that I used my "stronger password" on Google because of "Google Checkout" having my credit card info that anyone that can sign on there can use to buy stuff (kinda like PayPal).

Hmm... It appears they got into my gmail account and changed the password. :(

I was able to change it myself but I hope they didn't download all the password reminders and other personal info in my saved gmail messages.



justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

said by ron860928:

Hmm... It appears they got into my gmail account and changed the password.

I was able to change it myself but I hope they didn't download all the password reminders and other personal info in my saved gmail messages.

oh man I was hoping the data would take longer to be sorted and used ..

mhochman1

join:2001-01-06
Bar Harbor, ME

2 recommendations

reply to justin

I understand these things happen (look at Sony). Now trying to remember what places I used that username/password combo is a huge PITA, and I have to say, for a fairly tech savvy site like this, in the year 2011, to still be using cleartext passwords is really shocking.


ron860928

join:2001-10-09
Putnam, CT
reply to justin

I may have been wrong - because Google has "Google Checkout" (a competitor to PayPal) I think I used my "stronger" password there and just panicked. Unfortunately I've already changed the password there so can't 100% verify that but I'm 98% sure - so "Never Mind"

said by justin:

said by ron860928:

Hmm... It appears they got into my gmail account and changed the password.

I was able to change it myself but I hope they didn't download all the password reminders and other personal info in my saved gmail messages.

oh man I was hoping the data would take longer to be sorted and used ..



justin
..needs sleep
Australian
join:1999-05-28
kudos:15

thanks for the update, I can sleep better now.



melmak

join:2000-10-16
Winnipeg, MB
reply to justin

Thanks for the quick heads up justin.
--
Melmak


krd

join:2000-08-26
New York, NY
reply to justin

When I received your email, I was concerned that the message itself might have been a fake and contained a virus payload. I looked at the message source and found no redirects, and that it came from your mail server.
I was also concerned because the link to the forum topic, contained in your message, did not work for me, either before or after I changed my password.
Thank you for the heads up. Thank you for the suggestions about sites to consider changing passwords for.
Best of luck in dealing with all of this.



StuartMW2

@qwest.net
reply to justin

Um, I'm registered at this site with my DSLR email address. Since the site/email password are the same I've lost all access (can't log into my email). How can I regain access? I really really want my DSLR email address back NOT a new one.



tazman01

join:2002-02-10
NY
reply to justin

I was one of the ones to receive your email and my dslreports password was changed. I logged out and couldn't log back in until I clicked forgot password, received a password that was not chosen by me. I have since changed dslreports and a few key others.



justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

1 recommendation

reply to StuartMW2

If you are logged in, I've got a solution, the newly assigned password (will shortly) appear on the /forgot page for you.

If you are NOT logged in and your site email is @dslr.net and your password got reset, you have to drop me a line at justinbeech (at) gmail.com and give me your email address, the first letter of your old password, and your site username. Please put in the subject of the email "dslr.net password".

thanks.



baloosh

join:2000-08-03
Dayton, OH
reply to justin

So where's the other topic in which we can beat you up over this, Justin?

A SQL injection vulnerability *and* clear text passwords? Piss-poor, bro. Actually kind of shocking, given the reputation of dslr.

But thank you for the heads up - definitely appreciated.


speeddemon100

join:2001-02-18
West Hempstead, NY
reply to justin

Justin, thanks for getting this done quickly. Now if banks that get hacked can do the same, we'll be in a better place.



greenman

join:2002-06-18
Athens, GA
reply to justin

I got the email, but my password had not been scrambled. I created a new password anyway. I'm glad I hadn't used the original password anywhere else.



RenHoek
You Eeeediot
Premium
join:2000-10-02
Peyton, CO
Reviews:
·Skybeam
reply to justin

Yeah, just an FYI, I got the email also, but when I went to the dslreports.com website, I was already logged in and able to post just fine without changing anything.
--
Don't touch that, it's the history eraser button you fool!



justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

said by RenHoek:

Yeah, just an FYI, I got the email also, but when I went to the dslreports.com website, I was already logged in and able to post just fine without changing anything.

yes, password changes don't log you out. There didn't seem any point in doing that. So your password has actually changed, and you should recover it, and change it to something you want. thanks.

psx_defector

join:2001-06-09
Allen, TX
kudos:1
reply to justin

I'm glad I used my alias email address versus my actual email address and my password here is nothing like any of my other passwords on any other forums/accounts.

Judging by the other messages, I think they were grabbing any web based email accounts and hoping the passwords matched up. Then fire off password reminders to grab other stuff.

Just goes to show you, make your passwords unique for all services you use.



MxxCon

join:1999-11-19
Brooklyn, NY
reply to justin

Justin, what about logins with rpxnow, was that info compromised in some way? Could they somehow use the fact that I'm authenticated using that system to access other sites that implemented rpxnow?

Justin, I really hope you'll update your system to support long secure passwords. Not just 12 lower case chars long.

Folks, this is another wake up call to start using some password management system. Don't use the same (or a few of the same) passwords everywhere. Please make sure that each login has a unique strong password. Use apps like LastPass or KeePass. They have a proven track record of keeping your passwords secure and will allow you to have unique logins everywhere without having to remember each one.
--
Check out my awesome city of MxxTopia »mxxtopia.myminicity.com/ind or »mxxtopia.myminicity.com (the more people visit, the bigger it is)



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
reply to psx_defector

Yeah, I had about a few dozen web sites that used the same password as this site and a few others that used a variation of the same password. Including my Battle.NET account.

Needless to say, those sites now use random passwords that have been generated with random characters.
--
Tom



Dersgniw
Disco Crunchin
Premium,MVM
join:2001-08-10
behind you
kudos:4
reply to Steimes

said by Steimes:

Justin, can we please get our passwords and emails encrypted in your database?

I assumed passwords were. Guess I was wrong.
--
I Smell Cures! -- Our Hope

Jethroz
Stuck in Stone Age

join:2000-07-11
Frederick, MD
reply to justin

said by justin:

If you are logged in, I've got a solution, the newly assigned password (will shortly) appear on the /forgot page for you.

Thanks for the update on showing the new password. Just had to run around to a bunch of machines to find one that was still logged in so I could reset it.

Working great now - thanks!