#81
17.01.2019, 10:54
TypeR (Newbie 1st class)
Join Date: May 2016
Location: Basel
Posts: 10
Groaned at 0 Times in 0 Posts
Thanked 9 Times in 7 Posts
Re: Englishforum security breach?

Quote:
Another article about the same:

https://www.wired.com/story/collecti...unts-passwords

They're calling it "the breach of breaches". Data from 2,000 sites all in one collection.

Reaffirms our suspicion that this was an old leak that is only now being put to misuse.

Doesn't clear EF of responsibility though. We're still working on this.

I guess mainly non-profit forums with no one on top of the security or life-cycle of the different components (webserver, db, etc.) are/will be at risk.

#82
17.01.2019, 11:07
Ace1 (A modal singularity)
Join Date: Sep 2011
Location: Morgins, VS (and Alsace)
Posts: 9,137
Groaned at 369 Times in 240 Posts
Thanked 15,621 Times in 6,745 Posts
Re: Englishforum security breach?

Quote:
Another article about the same:

https://www.wired.com/story/collecti...unts-passwords

They're calling it "the breach of breaches". Data from 2,000 sites all in one collection.

But not responsible for the two or three cases reported here, as this list is released by, and is the core of, the checking website already mentioned multiple times, which does not list EF user names or passwords.

I'm inclined to believe that EF has not been compromised in any way, but that insisting on periodic password changes to counter leaks of data, possibly including reused passwords, from other places is clearly a good idea and almost certainly a sufficient response to the existing threat.

#83
17.01.2019, 11:14
curley (Forum Legend)
Join Date: Oct 2006
Location: canton ZH
Posts: 12,233
Groaned at 200 Times in 166 Posts
Thanked 13,888 Times in 7,202 Posts
Re: Englishforum security breach?

A password of mine that was mentioned in one of these black-mail-emails is commented as << no pwnage found>> on have I been pwned.

I only checked it because it was obviously "outed" already.
And my old EF password was also "green" = not pwned..

#84
18.01.2019, 08:38
omtatsat (Banned)
Join Date: Oct 2007
Location: CH
Posts: 10,918
Groaned at 2,041 Times in 1,124 Posts
Thanked 5,139 Times in 3,246 Posts
Re: Englishforum security breach?

check here for breaches

https://haveibeencompromised.com/

Here's what I got

"Your email has been discovered in 2 different data breaches:

Adobe
MajorGeeks"
The following 2 users would like to thank omtatsat for this useful post:

#85
18.01.2019, 09:38
gbn (Forum Legend)
Join Date: Dec 2005
Location: Zuri Oberland
Posts: 2,750
Groaned at 109 Times in 74 Posts
Thanked 2,398 Times in 1,124 Posts
Re: Englishforum security breach?

Quote:
check here for breaches

https://haveibeencompromised.com/

Here's what I got

"Your email has been discovered in 2 different data breaches:

Adobe
MajorGeeks"

also don't forget https://haveibeenpwned.com/

#86
18.01.2019, 15:57
Sean Connery (Forum Legend)
Join Date: Nov 2011
Location: Zurich
Posts: 5,373
Groaned at 58 Times in 54 Posts
Thanked 7,257 Times in 3,269 Posts
Re: Englishforum security breach?

Could do better:

https://www.ssllabs.com/ssltest/anal...nglishforum.ch
https://www.htbridge.com/ssl/?id=10kJemKw

Why oh why run SSLv3? POODLE.....supported SMH

And vBulletin has been blighted over the years with flaws. I would expect there are tools to lift the mySQL database that script kiddies can use. Look: https://thehackernews.com/2017/12/vb...m-hacking.html

Simple advice. Get your own domain from a provider that supports wildcards. Use a different xxx@yourdomain.com each time and use a password manager to create random passwords for each. That way you know spam and leak origins. You also insulate yourself against your passwords being used against you on other sites (but I guess the bad guys don't know and probably try the combination anyway).
This user would like to thank Sean Connery for this useful post:
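
Added example, not part of the thread or any poster's code: the per-site address scheme from post #86 in Python, showing how a leaked or spammed address maps back to the site it was given to. It goes beyond the post by adding a keyed tag to each alias so that mail arriving at a catch-all address can be checked as one you actually issued; the domain, the secret and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
import string

# Assumptions for illustration (not from the thread):
DOMAIN = "yourdomain.example"        # a catch-all ("wildcard") domain you control
SECRET = b"constructed-demo-secret"  # private key material; keep it in the password manager


def _slug(site: str) -> str:
    """Reduce a site name to lowercase letters, digits and dashes."""
    return re.sub(r"[^a-z0-9]+", "-", site.lower()).strip("-")


def _tag(slug: str) -> str:
    """Keyed 8-hex-digit tag; without SECRET nobody can mint a valid alias."""
    return hmac.new(SECRET, slug.encode(), hashlib.sha256).hexdigest()[:8]


def alias_for(site: str) -> str:
    """Address to hand to exactly one site, e.g. englishforum-ch.<tag>@DOMAIN."""
    slug = _slug(site)
    return f"{slug}.{_tag(slug)}@{DOMAIN}"


def origin_of(address: str):
    """Return the site slug the alias was issued to, or None if it is not ours."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != DOMAIN or "." not in local:
        return None
    slug, _, tag = local.rpartition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(slug).encode())
    return slug if ok else None


def new_password(length: int = 24) -> str:
    """Random per-site password from the OS CSPRNG (what a password manager does)."""
    alphabet = string.ascii_letters + string.digits + "-_.!"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def leak_origins(recipients):
    """Count inbound messages per issuing site; unverifiable addresses count under None."""
    counts = {}
    for rcpt in recipients:
        site = origin_of(rcpt)
        counts[site] = counts.get(site, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: recipient addresses of unwanted mail hitting the catch-all.
    inbox = [alias_for("englishforum.ch"), alias_for("englishforum.ch"),
             alias_for("My Bank"), "info@" + DOMAIN]
    for site, n in leak_origins(inbox).items():
        print(f"{site or 'unknown/guessed address'}: {n} message(s)")
    print("new password for next signup:", new_password())
```

Mail to an alias that verifies points at the one site that held that address; mail to an address that does not verify was guessed or harvested elsewhere.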

#87
18.01.2019, 16:34
curley (Forum Legend)
Join Date: Oct 2006
Location: canton ZH
Posts: 12,233
Groaned at 200 Times in 166 Posts
Thanked 13,888 Times in 7,202 Posts
Re: Englishforum security breach?

Quote:
Could do better:

https://www.ssllabs.com/ssltest/anal...nglishforum.ch
https://www.htbridge.com/ssl/?id=10kJemKw

Why oh why run SSLv3? POODLE.....supported SMH

And vBulletin has been blighted over the years with flaws. I would expect there are tools to lift the mySQL database that script kiddies can use. Look: https://thehackernews.com/2017/12/vb...m-hacking.html

Simple advice. Get your own domain from a provider that supports wildcards. Use a different xxx@yourdomain.com each time and use a password manager to create random passwords for each. That way you know spam and leak origins. You also insulate yourself against your passwords being used against you on other sites (but I guess the bad guys don't know and probably try the combination anyway).

Hey, long time ...

Last paragraph: To do this for every website one ever logs on - doesn't that border on paranoia?

Still, you made me realize I set up a separate email-address for EF but not for my bank etc.

#88
18.01.2019, 16:38
Sean Connery (Forum Legend)
Join Date: Nov 2011
Location: Zurich
Posts: 5,373
Groaned at 58 Times in 54 Posts
Thanked 7,257 Times in 3,269 Posts
Re: Englishforum security breach?

Quote:
Hey, long time ...

Last paragraph: To do this for every website one ever logs on - doesn't that border on paranoia?

Still, you made me realize I set up a separate email-address for EF but not for my bank etc.

Be paranoid, assume what you give to any site will be stolen.

Your bank should be giving you a username of their choosing, require a password and then something else. If they want you to log in using your email, get another bank.
This user would like to thank Sean Connery for this useful post:

#89
18.01.2019, 16:44
curley (Forum Legend)
Join Date: Oct 2006
Location: canton ZH
Posts: 12,233
Groaned at 200 Times in 166 Posts
Thanked 13,888 Times in 7,202 Posts
Re: Englishforum security breach?

Quote:
Be paranoid, assume what you give to any site will be stolen.

Your bank should be giving you a username of their choosing, require a password and then something else. If they want you to log in using your email, get another bank.

No they do give a specific username, that's right.

#90
18.01.2019, 16:47
Phil_MCR (Forum Legend)
Join Date: Oct 2009
Location: Basel
Posts: 14,320
Groaned at 278 Times in 184 Posts
Thanked 17,735 Times in 7,488 Posts
Re: Englishforum security breach?

Quote:
Last paragraph: To do this for every website one ever logs on - doesn't that border on paranoia?

nope. it's basic internet security. it's not even a big deal as the browser or system password manager will store the details for you.

#91
18.01.2019, 19:47
aSwissInTheUS (Forum Legend)
Join Date: Nov 2007
Location: Zurich area
Posts: 12,786
Groaned at 99 Times in 88 Posts
Thanked 19,577 Times in 8,681 Posts
Re: Englishforum security breach?

Quote:
A password of mine that was mentioned in one of these black-mail-emails is commented as << no pwnage found>> on have I been pwned.

I only checked it because it was obviously "outed" already.
And my old EF password was also "green" = not pwned..

There is more, a lot more. Next to a 2 - 3 year old Collection #1, there are other Collections.

https://krebsonsecurity.com/2019/01/...-is-years-old/
This user would like to thank aSwissInTheUS for this useful post:

#92
18.01.2019, 20:02
Guest
Posts: n/a
Re: Englishforum security breach?

Quote:
Be paranoid, assume what you give to any site will be stolen.

Yes, but one should also wonder how much one would care if a certain account or email is stolen.

I'm pretty good with such security, but for EF I just use general stuff since there is no harm to me in whatever way would something happen to it.

Last edited by EdwinNL; 18.01.2019 at 21:21.

#93
18.01.2019, 22:59
Squeeeez (Forum Veteran)
Join Date: Feb 2011
Location: Frauenfeld
Posts: 989
Groaned at 2 Times in 2 Posts
Thanked 954 Times in 437 Posts
Re: Englishforum security breach?

So... with an old, leaky vBulletin version, won't we just feed the hekorz' dictionaries if we all change our passwords now?

#94
19.01.2019, 05:06
Corbets (Forum Legend)
Join Date: Mar 2007
Location: DK - previously Zug
Posts: 3,328
Groaned at 169 Times in 123 Posts
Thanked 6,707 Times in 2,237 Posts
Re: Englishforum security breach?

Quote:
Another article about the same:

https://www.wired.com/story/collecti...unts-passwords

They're calling it "the breach of breaches". Data from 2,000 sites all in one collection.

Reaffirms our suspicion that this was an old leak that is only now being put to misuse.

Doesn't clear EF of responsibility though. We're still working on this.

I have to say, I'm happy with the transparency I saw from the admin team on this one. Some people (rather childishly) expected you to have all the answers right away, but I like the fact that you were open about what you knew and didn't, and provided fairly regular updates until you had a better idea of what was going on.

Kudos, from someone who knows how difficult it is to manage a potential breach.
The following 6 users would like to thank Corbets for this useful post:

#95
19.01.2019, 09:38
Sean Connery (Forum Legend)
Join Date: Nov 2011
Location: Zurich
Posts: 5,373
Groaned at 58 Times in 54 Posts
Thanked 7,257 Times in 3,269 Posts
Re: Englishforum security breach?

Read Troy: https://www.troyhunt.com/self-hosted...ting-services/

He's the one who maintains the haveibeenpwned site.

Long story short, security is hard, most won't get it right. You're not going to give CHF 1000 to some random person to "look after" for you so why ever assume some faceless person on the Internet can. This is a general observation and not finger-pointing.

I agree with Corbets. The fact that EB admitted something happened and tried to answer what he could based on what he knows and the skills he has is good.

I use LastPass. It makes life easier. There are lots of similar products out there. Use them.
The following 2 users would like to thank Sean Connery for this useful post:

#96
19.01.2019, 10:24
Ace1 (A modal singularity)
Join Date: Sep 2011
Location: Morgins, VS (and Alsace)
Posts: 9,137
Groaned at 369 Times in 240 Posts
Thanked 15,621 Times in 6,745 Posts
Re: Englishforum security breach?

Quote:
So... with an old, leaky vBulletin version, won't we just feed the hekorz' dictionaries if we all change our passwords now?

It's still not certain that there was a breach at all. EB's best guess is that it may have been from 2012. I don't think he'll mind me sharing this:

Quote:
It does not appear to be a new breach. In other words, the data was not stolen recently. I'm still working to figure out the exact date, but it's possible it happened as long ago as 2012.

So the password change is a no-brainer. Together with the purging of thousands of old dormant accounts and diligent application of security patches I'm happy with theLocal's response to this and feel reassured that we're not at any particular risk.

#97
19.01.2019, 10:49
robBob (Forum Legend)
Join Date: Mar 2012
Location: Zurich
Posts: 2,678
Groaned at 52 Times in 39 Posts
Thanked 2,499 Times in 1,343 Posts
Re: Englishforum security breach?

Quote:
No they do give a specific username, that's right.

So your user login name at your bank is not Curley?

#98
19.01.2019, 10:59
robBob (Forum Legend)
Join Date: Mar 2012
Location: Zurich
Posts: 2,678
Groaned at 52 Times in 39 Posts
Thanked 2,499 Times in 1,343 Posts
Re: Englishforum security breach?

Quote:
The following security notice is being distributed.

It will be emailed to all users shortly, and is additionally available here: englishforum.ch/security

==

On 13th and 15th January 2019 two users of englishforum.ch reported receiving extortionist emails. These emails revealed their password for English Forum Switzerland written in clear text. The emails went on to threaten these users with blackmail and demanded payment via cryptocurrency.

In both cases the revealed passwords were old. This leads us to believe that an old copy of the English Forum database is circulating in the wild. Although all passwords are stored in encrypted format, it is possible that some weaker passwords from that leaked version of the database have been recently decrypted.

If you receive such an email, DO NOT pay the ransom.

Instead, change your password on englishforum.ch. And if you used the same password on any other site, change it there too. Although not essential, we would also appreciate receiving a copy of the email at security@englishforum.ch so that we can better track the extent of the attack.

In an abundance of caution, we will force a reset of all user passwords sometime during 16th/17th January 2019. All users will be emailed this security notice. Furthermore, all dormant accounts, those which have not logged in since 01.01.17, will be permanently deleted. The posts from deleted accounts will remain published but labelled as authored by "Guest". A small handful of dormant accounts will be preserved for historical community reasons.

We will also inform the relevant data protection authorities of this suspected breach, and then proceed to upgrade our vBulletin forum software to the latest version. Although we don't know of any security hole in our server, the upgraded vBulletin version should close any unknown holes. This upgrade will take some weeks. Progress will be shared here and on the discussion forum.

If you prefer to delete your account, please send a brief request via email to security@englishforum.ch. Your account and all personal data will be permanently deleted. Public posts of deleted accounts will remain online, but labelled as authored by "Guest". For other enquiries relating to information privacy and security on English Forum Switzerland, you can also email us at that address.

Strange! I didn't receive the above!
The following 3 users would like to thank robBob for this useful post:

#99
19.01.2019, 14:55
Medea Fleecestealer (Forum Legend)
Join Date: Jul 2011
Location: Switzerland
Posts: 21,921
Groaned at 400 Times in 308 Posts
Thanked 16,879 Times in 9,517 Posts
Re: Englishforum security breach?

Quote:
Strange! I didn't receive the above!

Me neither.

#100
19.01.2019, 15:22
Belgianmum (Forum Legend)
Join Date: Jan 2010
Location: Neuchâtel
Posts: 12,679
Groaned at 205 Times in 182 Posts
Thanked 20,720 Times in 8,533 Posts
Re: Englishforum security breach?

Quote:
Strange! I didn't receive the above!

Quote:
Me neither.

Nor me.
The following 3 users would like to thank Belgianmum for this useful post:
Tags
englishforum hack, password stolen, security breach, security password hack




All times are GMT +2.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO 3.1.0