tonycpsu
join:2000-11-30
Pittsburgh, PA

2 recommendations

tonycpsu to justin

Member

Re: site user password intrusion info

Justin,

I come at this from the perspective of someone who develops security monitoring tools for a living. My first comment is that you are to be commended for your fast, responsible disclosure of the problem, and for fixing the SQL injection bug. Obviously, we're all hoping you spend a good amount of time combing the rest of the site's source for further exploitable vulnerabilities over the coming days, but your initial turnaround on this is worthy of praise.

In terms of being beaten up about this, I'd hate it if my skills as a programmer were judged based on only my worst bugs. I think that the more time we waste beating you up on this is time we're not spending learning how to avoid these mistakes ourselves in the future.

With that in mind, could you tell us all a bit about how you were first alerted to this attack in progress? What was your first indication, and how did you follow up to determine the scope of the attack? Were you just operating off of server logs on the web server, RDBMS, etc., or do you run an IDS/IPS that helped you figure out what was happening?

Finally, are you absolutely, 100% certain that the 8% of accounts you've already emailed are the only ones that are compromised, and what makes you sure that others were not? I bring up this last point because oftentimes attackers will have a way of covering up their tracks. At a minimum, I think a front page post on this is in order to let everyone else on the site who isn't following this forum know that there's a remote chance their credentials were also exposed.

Thanks again for your quick response, and I hope you'll share some more details of how you detected and responded to this attack with us soon so that we can all learn from your mistakes.

SteelersFan
join:2001-02-12
Rockwall, TX

Member

Wow! Two zingers in one week (PSN and DSLR). Thanks for the quick notice, Justin. I do appreciate it and fortunately had a unique password for this site. For those recommending LastPass-type software, isn't that putting yourself in the same type of boat? You're basically utilizing one password to access all of your passwords. There was something a little unsettling about that for me. I typically store all my passwords in a password-protected Excel password file on my laptop. Probably not the best place in the world, but at least it's local and I don't take my laptop around that much. I am open to other suggestions or thoughts.