Quick Q+A (updated)
For the accounts compromised, what was obtained?registration email address and user picked login password
Anything else?Nothing. No login names, zip codes, private posts, etc.
Was any password and email used by the bad guy(s) to login at dslreports.com?No. As the intrusion was detected and halted, all user passwords obtained were changed before they could be used.
When did it happenFrom 2pm wednesday to about 6pm wednesday, during which time the site was timing out and acting up. (The alert email states tuesday, that was a typo).
When did the alerting emails go outThey started to be generated about midnight that same night, and all compromised passwords were reset at that time.
Who/what did the hackInitially a single IP in Sweden (the city of Sundsvall) spent time trying urls for an exploitable hole, then a large network (botnet) of 10,000 compromised windows machines. This circumvented individual IP access limits on unusual activity. The attack was blocked before it had completed more than 8% of its work.
What is the likely use for the data gainedThe evidence so far is email accounts where the owner did not read and act on our alert email soon enough (hotmail, MSN, gmail, yahoo mail) were used to spam URLs advertising prescription drugs to the contact list of the email account. I've received two confirmations so far that this happened, so there are going to be others.
Is credit card data at riskIt is difficult to see how (with an email address and password) any usable credit card data could be obtained. If you feel this has happened please consider how, to ensure it was not an insecurity in another website, or an unrelated but coincidental event. If one warns 9000 people the chances are more than one of them is at that time dealing with unrelated credit card fraud.
What kind of shoddy operation are you running here?Not making excuses, but it is sobering to read that just recently mysql.com was hacked with an identical approach to the one used here (blind sql). The encrypted passwords gained were easily reverse engineered, and much more info was revealed. See: »
www.acunetix.com/blog/we ··· jection/More mysql based sites will suffer the same issue this year, so users should take care to reduce their password re-use on multiple sites to at most high medium low value passwords. A common low value password for forums, unique ones for banking, etc. Even if every website was perfectly secure, keyloggers, browser exploits and so on should inform this approach to password management.
how to reactivate your account here IF you can't loginUse the »
/forgot password function to obtain a password reset URL by email you can use to select your new site password.
In the case where your email of record is @dslr.net then please contact the site by email and tell us your login name and your @dslr.net email address, so we can get you back in.
Once logged in again you have the option of deleting your account if you wish to do so, please visit »
/join and look at the bottom of that page.
------------------------------------------------------------------
If you've received an email, it pointed you to this topic.
If you got the email, your password will have also been changed by the system.
***
If you haven't got the email and your password still works (has not changed), you are not part of the intrusion. All emails went out at the same time, wednesday/thursday. ***
You can recover the new password by using: »
/forgotyou can change it (if you are logged in) by using »
/prof/passwdIn brief: an sql injection attack by a botnet on wednesday afternoon obtained a large number of email / password pairs. The ones they obtained were basically random. So they cover the entire 10 year history of the membership but sprinkled randomly. Some are very old accounts, some are new accounts, some inactive or deleted.
I identified the newest accounts, those that were obtained and have logged in over the last 12 months, and have alerted those by email. This amounts to some 9000 accounts.
If your email/password was revealed (you received the alert email, or have discovered your login password has been changed by us already), all you need to do is think of what OTHER sites you use allow logins using your registered email address here, and your original site password.
Many sites require a username of some kind and a password, so even if you use the same password, risks are low that you will have an immediate issue. For example, you cannot login to ebay with an email and a password. Online banking, etrade and so on also require account numbers and passwords.
Some sites especially EMAIL services like GMAIL, and PAYPAL, FACEBOOK allow login by email and password. If you are in the habit of sharing the same password among many sites, then the people with the data can login as you. So you should secure your access to those sites by changing your password immediately. Your first priority would be your email account if the password was shared with it.
It is unclear how much data the logged intrusion requested actually reached them - the site was quite unresponsive during the attack - and whether that data is being used yet. I'm going on a worst case scenario here.
It is also unclear whether the emails obtained will be spammed, or just searched for high value targets such as paypal, gmail, google docs.
Older inactive accounts involved are also being notified by email now, although the older the account, the less likely the email is still current, or the password they used is still useful.
Obviously having both an sql injection attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can.
My apology for any stress this causes. If you are like me you've also got the PSN network issue hanging over your head as well
Judging from the replies to the initial email the impact is varied some people used a unique email or unique password for the site, others use the same password everywhere and have to be more careful.
You can see from the news:
»
news.google.com/news/mor ··· CJdugm6Mthat SQL injection attacks are rampant on the net right now.
Having "low" and "high" value passwords, or a password 'system' or some kind is good insurance against events like these.