justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

4 edits

5 recommendations

justin

Mod

site user password intrusion info

Quick Q+A (updated)

For the accounts compromised, what was obtained?
Registration email address and user-picked login password.

Anything else?
Nothing. No login names, zip codes, private posts, etc.

Was any password and email used by the bad guy(s) to login at dslreports.com?
No. As the intrusion was detected and halted, all user passwords obtained were changed before they could be used.

When did it happen?
From 2pm Wednesday to about 6pm Wednesday, during which time the site was timing out and acting up. (The alert email states Tuesday; that was a typo.)

When did the alerting emails go out?
They started to be generated about midnight that same night, and all compromised passwords were reset at that time.

Who/what did the hack?
Initially a single IP in Sweden (the city of Sundsvall) spent time trying URLs for an exploitable hole, then a large network (botnet) of 10,000 compromised Windows machines. This circumvented individual IP access limits on unusual activity. The attack was blocked before it had completed more than 8% of its work.

What is the likely use for the data gained?
The evidence so far is email accounts where the owner did not read and act on our alert email soon enough (hotmail, MSN, gmail, yahoo mail) were used to spam URLs advertising prescription drugs to the contact list of the email account. I've received two confirmations so far that this happened, so there are going to be others.

Is credit card data at risk?
It is difficult to see how (with an email address and password) any usable credit card data could be obtained. If you feel this has happened please consider how, to ensure it was not an insecurity in another website, or an unrelated but coincidental event. If one warns 9000 people the chances are more than one of them is at that time dealing with unrelated credit card fraud.

What kind of shoddy operation are you running here?
Not making excuses, but it is sobering to read that just recently mysql.com was hacked with an identical approach to the one used here (blind SQL). The encrypted passwords gained were easily reverse engineered, and much more info was revealed. See: »www.acunetix.com/blog/we ··· jection/
More MySQL-based sites will suffer the same issue this year, so users should take care to reduce their password re-use on multiple sites to at most high, medium and low value passwords. A common low value password for forums, unique ones for banking, etc. Even if every website was perfectly secure, keyloggers, browser exploits and so on should inform this approach to password management.

How to reactivate your account here IF you can't log in
Use the »/forgot password function to obtain, by email, a password reset URL you can use to select your new site password.

In the case where your email of record is @dslr.net then please contact the site by email and tell us your login name and your @dslr.net email address, so we can get you back in.

Once logged in again you have the option of deleting your account if you wish to do so; please visit »/join and look at the bottom of that page.
------------------------------------------------------------------

If you've received an email, it pointed you to this topic.

If you got the email, your password will have also been changed by the system.

*** If you haven't got the email and your password still works (has not changed), you are not part of the intrusion. All emails went out at the same time, Wednesday/Thursday. ***

You can recover the new password by using: »/forgot

You can change it (if you are logged in) by using »/prof/passwd

In brief: an SQL injection attack by a botnet on Wednesday afternoon obtained a large number of email / password pairs. The ones they obtained were basically random. So they cover the entire 10 year history of the membership but sprinkled randomly. Some are very old accounts, some are new accounts, some inactive or deleted.

I identified the newest accounts, those that were obtained and have logged in over the last 12 months, and have alerted those by email. This amounts to some 9000 accounts.

If your email/password was revealed (you received the alert email, or have discovered your login password has been changed by us already), all you need to do is think of what OTHER sites you use allow logins using your registered email address here, and your original site password.

Many sites require a username of some kind and a password, so even if you use the same password, risks are low that you will have an immediate issue. For example, you cannot log in to eBay with an email and a password. Online banking, etrade and so on also require account numbers and passwords.

Some sites, especially EMAIL services like GMAIL, and PAYPAL and FACEBOOK, allow login by email and password. If you are in the habit of sharing the same password among many sites, then the people with the data can log in as you. So you should secure your access to those sites by changing your password immediately. Your first priority would be your email account if the password was shared with it.

It is unclear how much data the logged intrusion requested actually reached them - the site was quite unresponsive during the attack - and whether that data is being used yet. I'm going on a worst case scenario here.

It is also unclear whether the emails obtained will be spammed, or just searched for high value targets such as paypal, gmail, google docs.

Older inactive accounts involved are also being notified by email now, although the older the account, the less likely the email is still current, or the password they used is still useful.

Obviously having both an SQL injection attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can.

My apology for any stress this causes. If you are like me you've also got the PSN network issue hanging over your head as well.

Judging from the replies to the initial email the impact is varied: some people used a unique email or unique password for the site, others use the same password everywhere and have to be more careful.

You can see from the news:
»news.google.com/news/mor ··· CJdugm6M
that SQL injection attacks are rampant on the net right now.

Having "low" and "high" value passwords, or a password 'system' of some kind, is good insurance against events like these.
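The two weaknesses named in the post above (a query built from user input, and passwords kept in clear text) shown side by side with their usual fixes. This is an added example, not code from dslreports: sqlite3 stands in for the site's MySQL database, and the table and column names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the site's user table (schema is an assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_salt BLOB, pw_hash BLOB)")
    return db

def hash_password(password, salt):
    # Salted, iterated one-way hash: a dumped table yields hashes, not the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(db, email, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, hash_password(password, salt)))

def lookup_vulnerable(db, email):
    # The pattern behind the incident: the request value is spliced into the SQL text,
    # so a quote in the input becomes SQL syntax instead of data.
    sql = "SELECT pw_salt, pw_hash FROM users WHERE email = '" + email + "'"
    return db.execute(sql).fetchone()

def lookup_safe(db, email):
    # Parameterised query: the value travels separately from the statement and can
    # never change its structure, whatever characters it contains.
    return db.execute("SELECT pw_salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()

def verify(db, email, password):
    row = lookup_safe(db, email)
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

def quote_is_treated_as_data(db):
    # Feed both lookups an address containing a quote. The safe lookup simply finds
    # no such user; the vulnerable one hands a broken statement to the database.
    tricky = "o'brien@example.com"
    try:
        lookup_vulnerable(db, tricky)
        vulnerable_ran_cleanly = True
    except sqlite3.OperationalError:
        vulnerable_ran_cleanly = False
    return lookup_safe(db, tricky) is None and not vulnerable_ran_cleanly
```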
compn
join:2001-03-05
Livonia, MI

1 recommendation

compn to justin

Member

to justin

Re: site user password intrusion info

It's like winning the lottery! heh

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

justin

Mod

yeah a bad one you never knew you were up for.

btw if we can keep responses in this topic to any new questions that are not already answered by my post, it will save time for people viewing the topic who are affected and want an answer on something or other, thanks.

You can beat me up in a different topic.

Cho Baka
MVM
join:2000-11-23
there

Cho Baka

MVM

Is this related to my site mail not working?

(mail password was changed to match my new site password)

justin
..needs sleep
Mod
join:1999-05-28
2031

justin

Mod

Shouldn't be, but I'll propagate your password change again to see if that gets mail working for you.

Jovi
Premium Member
join:2000-02-24
Mount Joy, PA

Jovi to compn

Premium Member

to compn
said by compn:

It's like winning the lottery! heh

Yup. In the 8% that got hit, makes you feel that way. Just changed a few passwords just to be safe. Thanks for the heads up Justin.

ExitWound
Porsche Snob
join:2001-12-13
Boalsburg, PA

ExitWound to justin

Member

to justin
Unfortunately, lessons are often learned the hard way. Thanks for the warning. I've been in the process of changing my passwords on all sites to a new format of passwords I use.

Steimes
I make internets
Premium Member
join:2002-01-08
Belle Vernon, PA
·Verizon FiOS

1 recommendation

Steimes to justin

Premium Member

to justin
I am stealing Justin's template if any of my websites get hacked.

Justin, can we please get our passwords and emails encrypted in your database?

Thankfully, my password is relatively unique to this site, but in ten years, I might have used it in more than one place

Cho Baka
MVM
join:2000-11-23
there

Cho Baka to justin

MVM

to justin
Password change got it working.
Thank you.

POP no longer works for me on 995/SSL (or 1100), but it works on 110/no SSL.
ron860928
join:2001-10-09
Putnam, CT

1 edit

ron860928 to justin

Member

to justin
EDIT> Never mind, I think I just panicked and forgot that I used my "stronger password" on Google because of "Google Checkout" having my credit card info that anyone that can sign on there can use to buy stuff (kinda like PayPal).

Hmm... It appears they got into my gmail account and changed the password. :(

I was able to change it myself but I hope they didn't download all the password reminders and other personal info in my saved gmail messages.

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

justin

Mod

said by ron860928:

Hmm... It appears they got into my gmail account and changed the password.

I was able to change it myself but I hope they didn't download all the password reminders and other personal info in my saved gmail messages.

oh man I was hoping the data would take longer to be sorted and used ..
mhochman1
join:2001-01-06
Bar Harbor, ME

3 recommendations

mhochman1 to justin

Member

to justin
I understand these things happen (look at Sony). Now trying to remember what places I used that username/password combo is a huge PITA, and I have to say, for a fairly tech savvy site like this, in the year 2011, to still be using cleartext passwords is really shocking.
ron860928
join:2001-10-09
Putnam, CT

ron860928 to justin

Member

to justin
I may have been wrong - because Google has "Google Checkout" (a competitor to PayPal) I think I used my "stronger" password there and just panicked. Unfortunately I've already changed the password there so can't 100% verify that but I'm 98% sure - so "Never Mind"
said by justin:

said by ron860928:

Hmm... It appears they got into my gmail account and changed the password.

I was able to change it myself but I hope they didn't download all the password reminders and other personal info in my saved gmail messages.

oh man I was hoping the data would take longer to be sorted and used ..


justin
..needs sleep
Mod
join:1999-05-28
2031

justin

Mod

Thanks for the update, I can sleep better now.

melmak
join:2000-10-16
Winnipeg, MB

melmak to justin

Member

to justin
Thanks for the quick heads up justin.
krd
join:2000-08-26
New York, NY

krd to justin

Member

to justin
When I received your email, I was concerned that the message itself might have been a fake and contained a virus payload. I looked at the message source and found no redirects, and that it came from your mail server.
I was also concerned because the link to the forum topic, contained in your message, did not work for me, either before or after I changed my password.
Thank you for the heads up. Thank you for the suggestions about sites to consider changing passwords for.
Best of luck in dealing with all of this.

StuartMW2
@qwest.net

StuartMW2 to justin

Anon

to justin
Um, I'm registered at this site with my DSLR email address. Since the site/email password are the same I've lost all access (can't log into my email). How can I regain access? I really really want my DSLR email address back NOT a new one.

tazman01
join:2002-02-10
NY

tazman01 to justin

Member

to justin
I was one of the ones to receive your email and my dslreports password was changed. I logged out and couldn't log back in until I clicked forgot password, and received a password that was not chosen by me. I have since changed dslreports and a few key others.

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

1 recommendation

justin to StuartMW2

Mod

to StuartMW2
If you are logged in, I've got a solution, the newly assigned password (will shortly) appear on the /forgot page for you.

If you are NOT logged in and your site email is @dslr.net and your password got reset, you have to drop me a line at justinbeech (at) gmail.com and give me your email address, the first letter of your old password, and your site username. Please put in the subject of the email "dslr.net password".

thanks.

baloosh
join:2000-08-03
Dayton, OH

baloosh to justin

Member

to justin
So where's the other topic in which we can beat you up over this, Justin?

A SQL injection vulnerability *and* clear text passwords? Piss-poor, bro. Actually kind of shocking, given the reputation of dslr.

But thank you for the heads up - definitely appreciated.
speeddemon100
join:2001-02-18
West Hempstead, NY

speeddemon100 to justin

Member

to justin
Justin, thanks for getting this done quickly. Now if banks that get hacked can do the same, we'll be in a better place.

greenman
join:2002-06-18
Athens, GA

greenman to justin

Member

to justin
I got the email, but my password had not been scrambled. I created a new password anyway. I'm glad I hadn't used the original password anywhere else.

RenHoek
You Eeeediot
Premium Member
join:2000-10-02
Peyton, CO

RenHoek to justin

Premium Member

to justin
Yeah, just an FYI, I got the email also, but when I went to the dslreports.com website, I was already logged in and able to post just fine without changing anything.

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

justin

Mod

said by RenHoek:

Yeah, just an FYI, I got the email also, but when I went to the dslreports.com website, I was already logged in and able to post just fine without changing anything.

Yes, password changes don't log you out. There didn't seem any point in doing that. So your password has actually changed, and you should recover it, and change it to something you want. thanks.
psx_defector
join:2001-06-09
Allen, TX

psx_defector to justin

Member

to justin
I'm glad I used my alias email address versus my actual email address and my password here is nothing like any of my other passwords on any other forums/accounts.

Judging by the other messages, I think they were grabbing any web based email accounts and hoping the passwords matched up. Then fire off password reminders to grab other stuff.

Just goes to show you, make your passwords unique for all services you use.

MxxCon
join:1999-11-19
Brooklyn, NY
ARRIS TM822
Actiontec MI424WR Rev. I

MxxCon to justin

Member

to justin
Justin, what about logins with rpxnow, was that info compromised in some way? Could they somehow use the fact that I'm authenticated using that system to access other sites that implemented rpxnow?

Justin, I really hope you'll update your system to support long secure passwords. Not just 12 lower case chars long.

Folks, this is another wake up call to start using some password management system. Don't use the same (or a few of the same) passwords everywhere. Please make sure that each login has a unique strong password. Use apps like LastPass or KeePass. They have a proven track record of keeping your passwords secure and will allow you to have unique logins everywhere without having to remember each one.

trparky
Premium Member
join:2000-05-24
Cleveland, OH
·AT&T U-Verse

trparky to psx_defector

Premium Member

to psx_defector
Yeah, I had about a few dozen web sites that used the same password as this site and a few others that used a variation of the same password. Including my Battle.NET account.

Needless to say, those sites now use random passwords that have been generated with random characters.

Dersgniw
Disco Crunchin
MVM
join:2001-08-10
behind you

Dersgniw to Steimes

MVM

to Steimes
said by Steimes:

Justin, can we please get our passwords and emails encrypted in your database?

I assumed passwords were. Guess I was wrong.

Jethroz
Stuck in Stone Age
join:2000-07-11
Frederick, MD

Jethroz to justin

Member

to justin
said by justin:

If you are logged in, I've got a solution, the newly assigned password (will shortly) appear on the /forgot page for you.

Thanks for the update on showing the new password. Just had to run around to a bunch of machines to find one that was still logged in so I could reset it.

Working great now - thanks!