phpBB attack

[Boardtalk]

What, why, who??!?

Good God!

Just saw the message a few moments ago after coming home from work!
This is terrible, hope there's not too much damage done.
Anyone with news on the subject?

Back in a bit, have to have dinner and start changing passwords... just in case.

[deejay_xb]

Downtime


(Update #2) On Sunday Dec. 14th, several of the web servers powering phpBB.com were compromised. Upon discovering the ongoing attack, we immediately took our network offline to perform a thorough investigation, which is continuing.

At this time, we would like to ask everyone to follow basic security protocol. If you were using your http://www.phpBB.com or area51.phpBB.com passwords anywhere else, please change them to unqiue ones.

Your personal phpBB Forums are NOT affected by the compromise of our servers.

We will be rebuilding our systems from the ground up and verifying the integrity of all data prior to coming back online. This process will likely take several days.

Further updates will be posted here when we have additional information.

If you need urgent assistance, please make use of the #phpbb IRC channel on Freenode. A web-based client is available at http://webchat.freenode.net.



- The phpBB Team


it's because of the stupid 3.1 update! they changed so many code and maybe left some "doors" opened by mistake! why they made an update so complex?!? 3.0.12 was simple and stable..

[martin123456]

More like a mysql attack hence change your password (security protocol my ass) chances are if you look on the right site your find a list of user's emails and passwords this was a common thing back in the day of yahoo booter sites.

They got owned and lists were put up on certain sites for every one to see.

[Oyabun1]

An attacker couldn't gain the passwords from a database attack because they aren't stored, only a hash of the password is.

[antonjw]

An attacker couldn't gain the passwords from a database attack because they aren't stored, only a hash of the password is.

Tapatalk was also compromised over the weekend, via some 3rd party plugin on their support forums.

The attackers installed a XenForo plugin which decrypts passwords, and they stole them.

[RMcGirr83]

Additionally, all logins on area51 between Dec. 12th and Dec. 15th were logged in plaintext

Wow!!!

[deejay_xb]

voodoo for phpbb because of the 3.1 update )

[Pete]

Additionally, all logins on area51 between Dec. 12th and Dec. 15th were logged in plaintext

Wow!!!

Yeah...

[Oyabun1]

The attackers installed a XenForo plugin which decrypts passwords, and they stole them.

Xenforo's hash isn't as good as phpBB's. They don't use phpass (or Bcrypt as phpbb.com and area51 have since 3.1)

There is an interesting comment [url=http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/?comments=1&post=28141599#comment-28141599]here[/url] regarding the Ars breach, which it is presumed was done in a similar way because it was done by the same people. Cracking phpBB passwords is not quick.

[martin123456]

Just as i said in my other post.

The attackers were able to obtain access to the phpBB.com and area51 databases

[RMcGirr83]

There is an interesting comment [url=http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/?comments=1&post=28141599#comment-28141599]here[/url] regarding the Ars breach, which it is presumed was done in a similar way because it was done by the same people. Cracking phpBB passwords is not quick.

These intrusions seem to be becoming more common and there really seems to be a systemic problem of people not taking security seriously (despite paying lots of lip service). Don't get me wrong, strong encryption on your database of user passwords is a very good thing. But not letting people get to that database in the first place is, in my opinion, even more important.

Emphasis in bold added by me.

[martin123456]

Nice reading (old post)

http://blog.sucuri.net/2013/09/security ... b-com.html

[steve]

I bet it was that necofem (spell check) developers account he seemed dodgy

[Allen42]

I don't know what's going on with the phpBB site and the Area51 development board? A major problem has initiated the security breach that the attackers were attempting to breach their security databases, and I need to prevent that from making a breach to our database of the phpBB site.

Remember that I'm a helper here and the phpBB forum.

[Lumpy Burgertushie]

why would you have a copy of the phpbb database? If you mean your own database of your own phpbb board then unless you are using the same username password for your database that you use to log in to phpbb you have nothing to worry about.
robert