justin Australian join:1999-05-28 New York, NY kudos:7
4 edits | site user password intrusion info
Quick Q+A (updated)
For the accounts compromised, what was obtained? Registration email address and user-picked login password.
Anything else? Nothing. No login names, zip codes, private posts, etc.
Was any password and email used by the bad guy(s) to login at dslreports.com? No. As the intrusion was detected and halted, all user passwords obtained were changed before they could be used.
When did it happen? From 2pm Wednesday to about 6pm Wednesday, during which time the site was timing out and acting up. (The alert email states Tuesday; that was a typo.)
When did the alerting emails go out? They started to be generated about midnight that same night, and all compromised passwords were reset at that time.
Who/what did the hack? Initially a single IP in Sweden (the city of Sundsvall) spent time trying URLs for an exploitable hole, then a large network (botnet) of 10,000 compromised Windows machines. This circumvented individual IP access limits on unusual activity. The attack was blocked before it had completed more than 8% of its work.
What is the likely use for the data gained? The evidence so far is that email accounts where the owner did not read and act on our alert email soon enough (Hotmail, MSN, Gmail, Yahoo Mail) were used to spam URLs advertising prescription drugs to the contact list of the email account. I've received two confirmations so far that this happened, so there are going to be others.
Is credit card data at risk? It is difficult to see how (with an email address and password) any usable credit card data could be obtained. If you feel this has happened, please consider how, to ensure it was not an insecurity in another website, or an unrelated but coincidental event. If one warns 9000 people, the chances are more than one of them is at that time dealing with unrelated credit card fraud.
What kind of shoddy operation are you running here? Not making excuses, but it is sobering to read that just recently mysql.com was hacked with an identical approach to the one used here (blind SQL). The encrypted passwords gained were easily reverse engineered, and much more info was revealed. See: »www.acunetix.com/blog/web-securi···jection/ More MySQL-based sites will suffer the same issue this year, so users should take care to reduce their password re-use on multiple sites to at most high/medium/low value passwords. A common low value password for forums, unique ones for banking, etc. Even if every website was perfectly secure, keyloggers, browser exploits and so on should inform this approach to password management.
How to reactivate your account here IF you can't login: Use the »/forgot password function to obtain a password reset URL by email, which you can use to select your new site password.
In the case where your email of record is @dslr.net, then please contact the site by email and tell us your login name and your @dslr.net email address, so we can get you back in.
Once logged in again you have the option of deleting your account if you wish to do so; please visit »/join and look at the bottom of that page.
------------------------------------------------------------------
If you've received an email, it pointed you to this topic.
If you got the email, your password will have also been changed by the system.
*** If you haven't got the email and your password still works (has not changed), you are not part of the intrusion. All emails went out at the same time, Wednesday/Thursday. ***
You can recover the new password by using: »/forgot
you can change it (if you are logged in) by using »/prof/passwd
In brief: an SQL injection attack by a botnet on Wednesday afternoon obtained a large number of email / password pairs. The ones they obtained were basically random. So they cover the entire 10 year history of the membership but sprinkled randomly. Some are very old accounts, some are new accounts, some inactive or deleted.
I identified the newest accounts, those that were obtained and have logged in over the last 12 months, and have alerted those by email. This amounts to some 9000 accounts.
If your email/password was revealed (you received the alert email, or have discovered your login password has been changed by us already), all you need to do is think of what OTHER sites you use allow logins using your registered email address here, and your original site password.
Many sites require a username of some kind and a password, so even if you use the same password, risks are low that you will have an immediate issue. For example, you cannot login to ebay with an email and a password. Online banking, etrade and so on also require account numbers and passwords.
Some sites especially EMAIL services like GMAIL, and PAYPAL, FACEBOOK allow login by email and password. If you are in the habit of sharing the same password among many sites, then the people with the data can login as you. So you should secure your access to those sites by changing your password immediately. Your first priority would be your email account if the password was shared with it.
It is unclear how much data the logged intrusion requested actually reached them - the site was quite unresponsive during the attack - and whether that data is being used yet. I'm going on a worst case scenario here.
It is also unclear whether the emails obtained will be spammed, or just searched for high value targets such as paypal, gmail, google docs.
Older inactive accounts involved are also being notified by email now, although the older the account, the less likely the email is still current, or the password they used is still useful.
Obviously having both an sql injection attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can.
My apology for any stress this causes. If you are like me, you've also got the PSN network issue hanging over your head as well.
Judging from the replies to the initial email, the impact is varied: some people used a unique email or unique password for the site, others use the same password everywhere and have to be more careful.
You can see from the news: »news.google.com/news/more?pz=1&c···CJdugm6M that SQL injection attacks are rampant on the net right now.
Having "low" and "high" value passwords, or a password 'system' of some kind, is good insurance against events like these.
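As an added illustration (not code from the post above or from dslreports.com), the two defects the post names side by side: a lookup that splices user input into the SQL text next to a parameterised lookup, and password storage as salted PBKDF2 hashes so that rows extracted through an injection do not hand over reusable passwords. The table layout, column names and sample users are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for a member table; the schema is an assumption.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt: a dumped row gives an attacker a
    # slow-to-crack hash instead of the plaintext password the site stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(db: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, hash_password(password, salt)))

def lookup_vulnerable(db: sqlite3.Connection, email: str) -> list:
    # The injection pattern: the input becomes part of the SQL text, so a quote
    # in it rewrites the WHERE clause. Shown only as the 'before' case.
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db: sqlite3.Connection, email: str) -> list:
    # Parameterised: the driver binds the value; it is never parsed as SQL.
    return [row[0] for row in db.execute("SELECT email FROM users WHERE email = ?", (email,))]

def verify(db: sqlite3.Connection, email: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the stored hash against a fresh derivation.
    return hmac.compare_digest(stored, hash_password(password, salt))

def demo() -> dict:
    db = make_db()
    register(db, "alice@example.invalid", "forum-pass")  # constructed sample users
    register(db, "bob@example.invalid", "other-pass")
    probe = "x' OR '1'='1"  # a quote-bearing input, not a real address
    return {
        "vulnerable_rows": len(lookup_vulnerable(db, probe)),  # 2: clause rewritten
        "safe_rows": len(lookup_safe(db, probe)),              # 0: treated as a literal
        "login_ok": verify(db, "alice@example.invalid", "forum-pass"),
        "login_bad": verify(db, "alice@example.invalid", "wrong"),
    }
```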
compn join:2001-03-05 Livonia, MI | reply to justin
Re: site user password intrusion info
It's like winning the lottery! heh
justin Australian join:1999-05-28 New York, NY kudos:7
yeah, a bad one you never knew you were up for.
btw if we can keep responses in this topic to any new questions that are not already answered by my post, it will save time for people viewing the topic who are affected and want an answer on something or other, thanks.
You can beat me up in a different topic.
TA63ST215W Premium,MVM join:2000-11-23 there kudos:2
Is this related to my site mail not working?
(mail password was changed to match my new site password) -- The talented hawk speaks French.
justin Australian join:1999-05-28 New York, NY kudos:7
shouldn't be, but I'll propagate your password change again to see if that gets mail working for you.
Jovi join:2000-02-24 Mount Joy, PA | reply to compn
said by compn: It's like winning the lottery! heh
Yup. In the 8% that got hit, makes you feel that way. Just changed a few passwords just to be safe. Thanks for the heads up Justin. -- "Some people have no respect for logic."
ExitWound (Porsche Snob) join:2001-12-13 State College, PA | reply to justin
Unfortunately, lessons are often learned the hard way. Thanks for the warning. I've been in the process of changing my passwords on all sites to a new format of passwords I use. -- »www.theexitwound.com
Steimes (I make internets) Premium join:2002-01-08 Belle Vernon, PA kudos:1 | reply to justin
I am stealing Justin's template if any of my websites get hacked.
Justin, can we please get our passwords and emails encrypted in your database?
Thankfully, my password is relatively unique to this site, but in ten years, I might have used it in more than one place. -- Making procrastination an art form since Pluto was still a planet.
TA63ST215W Premium,MVM join:2000-11-23 there kudos:2 | reply to justin
Password change got it working. Thank you.
POP no longer works for me on 995/SSL (or 1100), but it works on 110/no SSL. -- The talented hawk speaks French.
1 edit | reply to justin
EDIT> Never mind, I think I just panicked and forgot that I used my "stronger password" on Google because of "Google Checkout" having my credit card info that anyone that can sign on there can use to buy stuff (kinda like PayPal).
Hmm... It appears they got into my gmail account and changed the password. :(
I was able to change it myself but I hope they didn't download all the password reminders and other personal info in my saved gmail messages.
justin Australian join:1999-05-28 New York, NY kudos:7
said by ron860928: Hmm... It appears they got into my gmail account and changed the password. I was able to change it myself but I hope they didn't download all the password reminders and other personal info in my saved gmail messages.
oh man, I was hoping the data would take longer to be sorted and used ..
| reply to justin
I understand these things happen (look at Sony). Now trying to remember what places I used that username/password combo is a huge PITA, and I have to say, for a fairly tech savvy site like this, in the year 2011, to still be using cleartext passwords is really shocking.
| reply to justin
I may have been wrong - because Google has "Google Checkout" (a competitor to PayPal) I think I used my "stronger" password there and just panicked. Unfortunately I've already changed the password there so can't 100% verify that, but I'm 98% sure - so "Never Mind".
said by justin: said by ron860928: Hmm... It appears they got into my gmail account and changed the password. I was able to change it myself but I hope they didn't download all the password reminders and other personal info in my saved gmail messages.
oh man, I was hoping the data would take longer to be sorted and used ..
justin Australian join:1999-05-28 New York, NY kudos:7
thanks for the update, I can sleep better now.
melmak join:2000-10-16 Winnipeg, MB | reply to justin
Thanks for the quick heads up justin. -- Melmak
krd join:2000-08-26 New York, NY | reply to justin
When I received your email, I was concerned that the message itself might have been a fake and contained a virus payload. I looked at the message source and found no redirects, and that it came from your mail server. I was also concerned because the link to the forum topic, contained in your message, did not work for me, either before or after I changed my password. Thank you for the heads up. Thank you for the suggestions about sites to consider changing passwords for. Best of luck in dealing with all of this.
| reply to justin
Um, I'm registered at this site with my DSLR email address. Since the site/email password are the same I've lost all access (can't log into my email). How can I regain access? I really really want my DSLR email address back, NOT a new one.
| reply to justin
I was one of the ones to receive your email and my dslreports password was changed. I logged out and couldn't log back in until I clicked forgot password and received a password that was not chosen by me. I have since changed dslreports and a few key others.
justin Australian join:1999-05-28 New York, NY kudos:7 | reply to StuartMW2
If you are logged in, I've got a solution: the newly assigned password (will shortly) appear on the /forgot page for you.
If you are NOT logged in and your site email is @dslr.net and your password got reset, you have to drop me a line at justinbeech (at) gmail.com and give me your email address, the first letter of your old password, and your site username. Please put in the subject of the email "dslr.net password".
thanks.