#41, 15.01.2019, 17:27
Treverus, Forum Legend (Join Date: Dec 2007; Location: Luxembourg; Posts: 11,882; Groaned at 301 Times in 257 Posts; Thanked 22,434 Times in 8,142 Posts)
Re: 2019 Englishforum.ch User Database Security Breach

Quote:
As long as you don't use the same password for multiple sites/accounts (aka use common sense when online) then all they can do is log into englishforum and make naughty posts under your name if you don't change your password.

In a data breach anything stored on englishforum under your account is potentially accessible, such as your email address.
What he is saying is:
1. Change your EF password NOW
2. If you were stupid enough to use the same password somewhere else, change it there ASAP as well


May I suggest that Bob/the Mod team/the Local or whoever calls the shots send an email to all users suggesting they change their credentials?
The following 4 users would like to thank Treverus for this useful post:
#42, 15.01.2019, 17:47
ThomasSSS, Forum Veteran (Join Date: Aug 2010; Location: Zürich; Posts: 516; Groaned at 4 Times in 3 Posts; Thanked 448 Times in 252 Posts)
Re: Englishforum security breach?

I'm going to point out that if there was a breach which hasn't been properly investigated and cleaned up, it is likely no effort for the hackers to re-download the password hashes. The only question is whether they will bother.

So if you change your password here, try to make it significantly harder to crack (longer, etc.). I would very much change your password anywhere else that you might have used your EF password, with extra urgency if the user name is the same or similar.

[It is hard to believe that the management is prepared to do any meaningful investigation or clean-up. Organizations so prepared tend to understand the importance of software updates, and how they are (much) cheaper than meaningful post-fail work.]
#43, 15.01.2019, 18:45
Editor Bob, Administrator (Join Date: Mar 2008; Location: Munich; Posts: 214; Groaned at 44 Times in 24 Posts; Thanked 1,748 Times in 621 Posts)
Re: 2019 Englishforum.ch User Database Security Breach

A mail will start going out tomorrow or the day after.

Other aspects of our "data-leak action plan" will also be implemented.

Full details will be posted here tomorrow morning.
The following 8 users would like to thank Editor Bob for this useful post:
This user groans at Editor Bob for this post:
#44, 15.01.2019, 18:59
Phil_MCR, Forum Legend (Join Date: Oct 2009; Location: Basel; Posts: 14,296; Groaned at 276 Times in 182 Posts; Thanked 17,699 Times in 7,471 Posts)
Re: 2019 Englishforum.ch User Database Security Breach

Quote:
Truth be told, such speeds can only be achieved if the password to be hacked is on the same machine; if this has to happen over the internet it is going to be a much, much longer story. Besides that, nobody in his right mind would, imho, do such a thing for an EF user password unless it is something very, very personal. The way EF stores passwords is to be deemed good enough for a site like EF.
That's not how it works. The database is likely compromised and the user data is typically copied so attacks can be run. I believe EF was actually compromised at least once already, years ago; probably new baddies have now found and also downloaded the user DB, since blackmail scams are easier and more lucrative now.
#45, 15.01.2019, 19:31
John_H, Forum Legend (Join Date: May 2013; Location: Up above Nyon; Posts: 3,917; Groaned at 109 Times in 68 Posts; Thanked 5,209 Times in 2,029 Posts)
Re: Englishforum security breach?

If the actors have had the DB long enough to decrypt the passwords, they've had it long enough to also test those passwords on various other sites. It's all kinda after the fact now. These things don't take long.

So if you did re-use the EF password, change it everywhere and enable 2 factor auth on anything remotely important. There's not much you can or need to do, no panic.

Personally I have nothing in EF either public or in PM that I'm remotely interested in protecting.

If you are really worried, cover your webcam next time you're on prawnhub
The following 4 users would like to thank John_H for this useful post:
#46, 16.01.2019, 00:03
ChrisNeedsToKnow, Forum Veteran (Join Date: Feb 2012; Location: Zürich; Posts: 937; Groaned at 3 Times in 3 Posts; Thanked 538 Times in 327 Posts)
Re: Englishforum security breach?

In the email I received, it showed an old password; not the one I currently use(d) (changed it again now, just to make sure).


I think I re-constructed one detail of the attack:


My old password was a bit silly and short; I haven't been using this short one for quite a while. I guess this pattern applies to many users: When we were "internet-novices", we all used crappy passwords. It didn't really matter. Over time, on average, people increased their password difficulty.


So my question would be: If they know an old password, does the forum software save all previously used passwords? I guess it must do just that, as data which isn't there can't be hacked.


Strange as this whole attack is, what scares me most is that these guys seem to have at least limited success:


https://www.blockchain.com/btc/addre...i2qUvyrjcsT44o


2 people seem to have paid up!


As silly as it is, I suggest an immediate email by admins to everyone, informing them about the scam and urging everyone to ignore it and not pay!
The following 3 users would like to thank ChrisNeedsToKnow for this useful post:
#47, 16.01.2019, 06:44
Editor Bob, Administrator (Join Date: Mar 2008; Location: Munich; Posts: 214; Groaned at 44 Times in 24 Posts; Thanked 1,748 Times in 621 Posts)
Re: Englishforum security breach?

This version of vBulletin does not save previously used passwords. It only saves a hash of the current password (algorithm described in my earlier post) and the date of the last password change. No software customisations have been made to the EF installation to save old passwords.

We're still investigating this. Further details coming late this morning. An email will also be sent to all users once we have more clarity.
The following 5 users would like to thank Editor Bob for this useful post:
This user groans at Editor Bob for this post:
#48, 16.01.2019, 08:11
Spinal, Forum Veteran (Join Date: Dec 2016; Location: Zurich; Posts: 1,218; Groaned at 10 Times in 9 Posts; Thanked 1,114 Times in 503 Posts)
Re: 2019 Englishforum.ch User Database Security Breach

Quote:
Truth be told, such speeds can only be achieved if the password to be hacked is on the same machine; if this has to happen over the internet it is going to be a much, much longer story. Besides that, nobody in his right mind would, imho, do such a thing for an EF user password unless it is something very, very personal. The way EF stores passwords is to be deemed good enough for a site like EF.

Not entirely accurate - the vector discussed here (decrypting MD5 hashes, or finding collisions) is an offline attack.
I.e. download the password database (hashed) to your local machine and then try all possible combinations.

MD5 is actually considered deprecated for password hashing... but that's not really news.


Doing it "over the internet" as you suggest would imply attempting to brute force the login system, which (I hope) locks accounts after 3/5/10/whatever failed attempts. I hope.


For those asking what to do.


1. Look at www.haveibeenpwned.com - may shed some light
2. Change your password here
3. If you re-use your password ANYWHERE else, change that as well (to something else).
4. Use a password vault (I like LastPass) to manage, store, change, generate, etc. your passwords. Enable two-factor authentication in the vault.


If anyone is particularly interested, I have access to a few password dumps and can look these up (like haveibeenpwned, but with the password, at times). Happy to share (restricted) access, but would need to verify that you own that email address... let me think about it, not sure if sharing access adds value.



M.
The following 5 users would like to thank Spinal for this useful post:
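An added example, not code from the thread, from English Forum or from vBulletin, of the two sides the post above contrasts: the offline case, where a leaked table of unsalted MD5 digests can be attacked at full speed on the attacker's own hardware (so every user who picked the same password is found at once), and the online case, where the login system should throttle failed attempts. The user table, the lockout policy and the PBKDF2 iteration count are assumptions made for this demo.

```python
# Added example (not EF's or vBulletin's code): unsalted MD5 beside a salted,
# slow KDF, plus a failed-attempt lockout for the online login path.
import hashlib
import hmac
import os
import time


# ---- storage: the weak form beside the hardened form ----------------------

def md5_store(password):
    """Unsalted MD5 as the thread describes it (deprecated for passwords).
    Equal passwords give equal digests, so one precomputed table serves a
    whole leaked dump and every user who chose 'password' is found at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


PBKDF2_ITERATIONS = 100_000  # assumption; raise until one check costs ~100 ms


def kdf_store(password, salt=None):
    """Per-user random salt + PBKDF2-HMAC-SHA256. The record carries its own
    parameters ('iterations$salt_hex$digest_hex') so they can be raised later
    without breaking records written with the old value."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def kdf_verify(password, record):
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time compare: no timing leak on how many leading bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


# Verified against when the username is unknown, so that "no such user" and
# "wrong password" take the same time. Constructed placeholder.
DUMMY_RECORD = kdf_store("dummy-password-never-valid")


# ---- online side: lock the account after repeated failures ----------------

class LoginService:
    MAX_FAILURES = 5            # assumption: lock on the 5th consecutive failure
    LOCKOUT_SECONDS = 15 * 60   # assumption: 15-minute lock

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so the lockout window can be tested
        self.users = {}         # username -> KDF record
        self.failures = {}      # username -> (consecutive failures, locked_until)

    def register(self, username, password):
        self.users[username] = kdf_store(password)

    def login(self, username, password):
        """Returns 'ok', 'bad_credentials' or 'locked'."""
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        record = self.users.get(username, DUMMY_RECORD)
        # always run the KDF, then check the user exists: uniform response time
        ok = kdf_verify(password, record) and username in self.users
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if count >= self.MAX_FAILURES:
            self.failures[username] = (0, now + self.LOCKOUT_SECONDS)
            return "locked"
        self.failures[username] = (count, 0.0)
        return "bad_credentials"
```

The point of the KDF record format is that the cost parameter travels with each row, so a later upgrade of the iteration count only has to re-hash users as they next log in; the lockout counter is per username, which limits a single guessing session but is not a substitute for the slow hash once the table itself has leaked.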
#49, 16.01.2019, 08:29
paizuri, Senior Member (Join Date: Feb 2008; Location: Ticino; Posts: 357; Groaned at 8 Times in 5 Posts; Thanked 375 Times in 174 Posts)
Re: Englishforum security breach?

Quote:
Any password database is worth hacking as there are just too many people who reuse passwords over different sites.

#50, 16.01.2019, 08:44
me.anon, Forum Veteran (Join Date: Jan 2012; Location: thun; Posts: 2,137; Groaned at 40 Times in 29 Posts; Thanked 2,806 Times in 1,358 Posts)
Re: Englishforum security breach?

Quote:
In the email I received, it showed an old password; not the one I currently use(d) (changed it again now, just to make sure).


I think I re-constructed one detail of the attack:


My old password was a bit silly and short; I haven't been using this short one for quite a while. I guess this pattern applies to many users: When we were "internet-novices", we all used crappy passwords. It didn't really matter. Over time, on average, people increased their password difficulty.

. . .
Without revealing it, was the password very short or likely to have been on one of the lists of the 100 or so worst passwords e.g. https://www.symantec.com/connect/blo...words-all-time

I guess if all the victims had "bad" passwords, that does indicate a dictionary type attack on a file of encrypted passwords, rather than malware on a server which monitored users' login attempts.

If I understand correctly, an 8 character password is, with a 2 character salt, effectively 10 characters. According to this (dated 2017), a single 10 character password of sufficient complexity could keep a supercomputer busy for up to 3 years: https://thycotic.force.com/support/s...ord-Complexity
__________________
If you have difficulties with a post which contains a link to a site in one of the Swiss languages, use Google Translate or your own favourite translating browser.
#51, 16.01.2019, 09:25
John_H, Forum Legend (Join Date: May 2013; Location: Up above Nyon; Posts: 3,917; Groaned at 109 Times in 68 Posts; Thanked 5,209 Times in 2,029 Posts)
Re: Englishforum security breach?

Quote:
Without revealing it, was the password very short or likely to have been on one of the lists of the 100 or so worst passwords e.g. https://www.symantec.com/connect/blo...words-all-time

I guess if all the victims had "bad" passwords, that does indicate a dictionary type attack on a file of encrypted passwords, rather than malware on a server which monitored users' login attempts.

If I understand correctly, an 8 character password is, with a 2 character salt, effectively 10 characters. According to this (dated 2017), a single 10 character password of sufficient complexity could keep a supercomputer busy for up to 3 years: https://thycotic.force.com/support/s...ord-Complexity
However... In the real world the attacker would use a dictionary/rule-based attack and simply skim off the low-hanging fruit, using a cheap laptop and an hour. That would generally yield enough hits to merit crafting the scam email etc.
You know, 10,000 accounts from EF, 500 results from the dictionary attack, 2 people pay the ransom... Nice day's work.

Super computers and the like are only the stuff of high value targeted attacks.

Edit: the dictionaries used contain millions of word/number/character combinations - "P@ssw0rd" is really no more secure than "password" in this case.
The following 3 users would like to thank John_H for this useful post:
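An added example, not code from the thread: a registration-time check that applies the same cheap mangling rules a rule-based dictionary run applies (leetspeak substitutions, digit and punctuation suffixes), so that "P@ssw0rd2019!" is rejected for exactly the reason the post above gives for "P@ssw0rd". The substitution table, the blocklist of worst passwords and the minimum length are small constructed samples; a real deployment would load the full worst-passwords list linked earlier in the thread.

```python
# Added example (not from the thread): reject passwords that are a blocked
# word under predictable substitutions, instead of scoring "P@ssw0rd" as strong.
import re

# Common leetspeak substitutions mapped back to the letter they replace.
# Constructed sample, not exhaustive.
LEET = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "|": "l",
})

# Constructed sample of a "worst passwords" list.
BLOCKLIST = {
    "password", "qwerty", "letmein", "welcome", "monkey", "dragon",
    "iloveyou", "football", "abc", "englishforum", "sunshine", "princess",
}

MIN_LENGTH = 12  # assumption


def normalize(candidate):
    """Undo the cheap mangling rules: strip leading/trailing digits and
    punctuation (so 'password123!' -> 'password'), lowercase, un-leet,
    then drop whatever non-letters remain in the middle."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate)
    core = core.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def rejection_reason(candidate):
    """None if acceptable, else a short reason a signup form could show."""
    if len(candidate) < MIN_LENGTH:
        return "too short (minimum %d characters)" % MIN_LENGTH
    norm = normalize(candidate)
    if norm in BLOCKLIST:
        return "too common: it is '%s' with predictable substitutions" % norm
    # a blocked word repeated, e.g. 'passwordpassword'
    for word in BLOCKLIST:
        if norm and len(word) >= 3 and norm == word * (len(norm) // len(word)):
            return "too common: '%s' repeated" % word
    return None
```

The check deliberately runs on the normalized form only: length is measured on the raw input (a long passphrase stays acceptable), but the blocklist comparison sees the password the way a rule set would generate it.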
#52, 16.01.2019, 10:25
Mica, Forum Veteran (Join Date: Oct 2007; Location: Zurich; Posts: 854; Groaned at 1 Time in 1 Post; Thanked 1,106 Times in 488 Posts)
Re: Englishforum security breach?

My 2 cents: Use a password manager with 2FA and unique passwords for each site.
#53, 16.01.2019, 10:47
EPMike, Forum Veteran (Join Date: Mar 2010; Location: Greater Zürich Area; Posts: 938; Groaned at 119 Times in 76 Posts; Thanked 712 Times in 395 Posts)
Re: 2019 Englishforum.ch User Database Security Breach

Quote:

1. Look at www.haveibeenpwned.com - may shed some light
How can I be sure that this website is not another scam to collect existing passwords?

I would not type in my actual password here...
This user would like to thank EPMike for this useful post:
#54, 16.01.2019, 10:49
roegner, Moderately Dutch (Join Date: May 2011; Location: Zurich; Posts: 10,752; Groaned at 357 Times in 298 Posts; Thanked 13,219 Times in 6,233 Posts)
Re: 2019 Englishforum.ch User Database Security Breach

Quote:
How can I be sure that this website is not another scam to collect existing passwords?

I would not type in my actual password here...
You do not have to; it only checks the email address.
The following 3 users would like to thank roegner for this useful post:
#55, 16.01.2019, 10:56
EPMike, Forum Veteran (Join Date: Mar 2010; Location: Greater Zürich Area; Posts: 938; Groaned at 119 Times in 76 Posts; Thanked 712 Times in 395 Posts)
Re: Englishforum security breach?

Quote:
How can I be sure that this website is not another scam to collect existing passwords?

I would not type in my actual password here...
Quote:
You do not have to; it only checks the email address.
They also offer the functionality to check your password: https://haveibeenpwned.com/Passwords
This user would like to thank EPMike for this useful post:
#56, 16.01.2019, 11:03
JagWaugh, RIP (Join Date: Apr 2009; Location: Eglisau; Posts: 7,272; Groaned at 47 Times in 46 Posts; Thanked 14,131 Times in 5,506 Posts)
Re: Englishforum security breach?

I just changed my password from 1234 to 123456abc.

(Now I just have to change all my other online accounts, as well as my bank cards and I'll be done.)

Glad I saw this thread in time...
The following 3 users would like to thank JagWaugh for this useful post:
#57, 16.01.2019, 11:08
Editor Bob, Administrator (Join Date: Mar 2008; Location: Munich; Posts: 214; Groaned at 44 Times in 24 Posts; Thanked 1,748 Times in 621 Posts)
Re: Englishforum security breach?

The following security notice is being distributed.

It will be emailed to all users shortly, and is additionally available here: englishforum.ch/security

==

On 13th and 15th January 2019 two users of englishforum.ch reported receiving extortionist emails. These emails revealed their password for English Forum Switzerland written in clear text. The emails went on to threaten these users with blackmail and demanded payment via cryptocurrency.

In both cases the revealed passwords were old. This leads us to believe that an old copy of the English Forum database is circulating in the wild. Although all passwords are stored in encrypted format, it is possible that some weaker passwords from that leaked version of the database have been recently decrypted.

If you receive such an email, DO NOT pay the ransom.

Instead, change your password on englishforum.ch. And if you used the same password on any other site, change it there too. Although not essential, we would also appreciate receiving a copy of the email at security@englishforum.ch so that we can better track the extent of the attack.

In an abundance of caution, we will force a reset of all user passwords sometime during 16th/17th January 2019. All users will be emailed this security notice. Furthermore, all dormant accounts, those which have not logged in since 01.01.17, will be permanently deleted. The posts from deleted accounts will remain published but labelled as authored by "Guest". A small handful of dormant accounts will be preserved for historical community reasons.

We will also inform the relevant data protection authorities of this suspected breach, and then proceed to upgrade our vBulletin forum software to the latest version. Although we don't know of any security hole in our server, the upgraded vBulletin version should close any unknown holes. This upgrade will take some weeks. Progress will be shared here and on the discussion forum.

If you prefer to delete your account, please send a brief request via email to security@englishforum.ch. Your account and all personal data will be permanently deleted. Public posts of deleted accounts will remain online, but labelled as authored by "Guest". For other enquiries relating to information privacy and security on English Forum Switzerland, you can also email us at that address.
The following 9 users would like to thank Editor Bob for this useful post:
#58, 16.01.2019, 11:15
EPMike, Forum Veteran (Join Date: Mar 2010; Location: Greater Zürich Area; Posts: 938; Groaned at 119 Times in 76 Posts; Thanked 712 Times in 395 Posts)
Re: 2019 Englishforum.ch User Database Security Breach

Quote:
How can I be sure that this website is not another scam to collect existing passwords?

I would not type in my actual password here...
Just found the answer on their site:

Quote:
How do I know the site isn't just harvesting searched email addresses?
You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.
This user would like to thank EPMike for this useful post:
#59, 16.01.2019, 11:16
slammer, Forum Legend (Join Date: Jul 2009; Location: Lummerland; Posts: 5,281; Groaned at 143 Times in 100 Posts; Thanked 9,123 Times in 3,455 Posts)
Re: Englishforum security breach?

Quote:

If you are really worried, cover your webcam next time you're on prawnhub

"Prawnhub" Now THAT is a disturbing visual.
#60, 16.01.2019, 11:17
Guest (Posts: n/a)
Re: 2019 Englishforum.ch User Database Security Breach

Quote:
How can I be sure that this website is not another scam to collect existing passwords?

I would not type in my actual password here...
You can see in his blog post why the passwords entered there are indeed safe.

https://www.troyhunt.com/ive-just-la...yandkanonymity

You can verify this in your browser console: the password is never sent over the network to his server; none of the sensitive data ever leaves your browser.
The following 2 users would like to thank for this useful post:
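An added example, not Troy Hunt's code or the site's own, of the client half of the Pwned Passwords range query the post above refers to: only the first five hex characters of the password's SHA-1 go to the server, the server answers with every suffix it knows for that prefix, and the comparison happens locally. SAMPLE_RANGE is a constructed response in the API's "SUFFIX:COUNT" line format (the counts are made up), so the check runs offline; live_fetch shows the real request but is not called by the demo.

```python
# Added example (not haveibeenpwned.com's own code): k-anonymity range check.
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """SHA-1 of the password, split into the 5-char prefix that is sent and
    the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse 'SUFFIX:COUNT' lines; return the count for our suffix, 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, sep, count = line.partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count(password, fetch_range):
    """How many times the password appears in the breach corpus.
    fetch_range(prefix) -> response body; the password never reaches it."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


def live_fetch(prefix):
    """Real network fetch of one range (not used by the offline demo).
    Add-Padding asks the service to pad the answer with count-0 entries so
    response size does not hint at which range was queried."""
    req = urllib.request.Request(API_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# Counts are made up; the real service returns hundreds of lines per range.
SAMPLE_RANGE = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E8B2B0F8C1A5A2B4C7D9E0F1A2B3C4D5E6:2",
        "0" * 35 + ":0",   # a padding entry, as the Add-Padding header would add
    ]),
}


def sample_fetch(prefix):
    """Offline stand-in for live_fetch: the constructed range, or an empty
    body for prefixes the sample does not cover."""
    return SAMPLE_RANGE.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print("%r seen %d times" % (pw, pwned_count(pw, sample_fetch)))
```

Swap sample_fetch for live_fetch to query the real service; the property the post describes holds either way, because the only thing handed to the fetcher is the five-character prefix.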
Tags
englishforum hack, password stolen, security breach, security password hack