Kirrus, posted August 18, 2016:

Today we detected that someone had managed to hack our theindiestone.com forums. We know, 100%, that they have the plain text username and password of the 444 people who have logged in since the 3rd August - the hacker exfiltrated them just before they were encoded (hashed). It's also of course conceivable, although there's no evidence of this, that they have the hashed and salted (i.e. encoded) passwords of other forum users too. As a precaution, we've broken the passwords of anyone who used the forums since the 3rd of August. Please use the following link to reset your password: http://theindiestone.com/forums/index.php?/lostpassword/

For everyone else, we strongly recommend you change the password you use on the forums for good measure. If you use it anywhere else, you should change it there as well. Our apologies for the inconvenience. TIS
Keepbro, posted August 18, 2016:

You wonder why they bother? I mean, except for all the hugely important security details that I regularly share on the TIS forums, including all my credit card details and passwords for my eBay and Steam accounts.
Kirrus, posted August 18, 2016:

Keepbro said: "You wonder why they bother? I mean, except for all the hugely important security details that I regularly share on the TIS forums, including all my credit card details and passwords for my eBay and Steam accounts."

People use the same passwords in multiple places still.
Peetfighter, posted August 18, 2016:

Kirrus said: "People use the same passwords in multiple places still."

I can tell you that the password I used before this was unique, as well as the one I'm using now.
nasKo, posted August 18, 2016:

Peetfighter said: "I can tell you that the password I used before this was unique, as well as the one I'm using now."

You're the exception that proves the rule.
Kai42, posted August 18, 2016:

ffs
$SCREAMER$, posted August 18, 2016:

Aww fuck, I have to change EVERY single password I use for everything. Fuuuuuuucckkkkk
snipertyler, posted August 19, 2016 (edited):

Yup.. password was unique to this site. No issues there (for me).

Quote: "We know, 100%, that they have the plain text username and password of the 444 people who have logged in since the 3rd August - the hacker exfiltrated them just before they were encoded (hashed)."

This sounds like they got access on 3rd Aug and just started logging things since then. In any case (from the perspective of someone running a web server) I'm curious how you managed to detect them? (Might be able to share some advice on securing.)

Edited August 19, 2016 by snipertyler
Kirrus, posted August 19, 2016:

snipertyler said: "Yup.. password was unique to this site. No issues there (for me). This sounds like they got access on 3rd Aug and just started logging things since then. In any case (from the perspective of someone running a web server) I'm curious how you managed to detect them?"

Their exfiltration endpoint broke, and prompted visible errors. We actually run an internal integrity scan within the forums themselves that would've picked it up, but we only run that once every 6 months or so. I've been adding extra detection mechanisms since (maldet, change monitoring), but it's a bit horse-bolted. I'm probably going to look into restricting outbound HTTP(S), but that's something that'll take a while. I'll also look at getting HTTPS everywhere, but again, a while, plus low priority. We're not a big MITM target.
nightmare, posted August 19, 2016:

Let's Encrypt, baby! https://letsencrypt.org/
DramaSetter, posted August 19, 2016:

Maybe it's a sign that it is time to finally release the updated animation?
nightmare, posted August 19, 2016:

DramaSetter said: "Maybe it's a sign that it is time to finally release the updated animation?"

Nope, ... NPCs!
DramaSetter, posted August 19, 2016:

nightmare said: "Nope, ... NPCs!"

Who believes in anything at all output NPCs?
makkenhoff, posted August 19, 2016:

Glad it was caught so soon. Sometimes companies go for months without noticing, and then try to dodge confirmation that anything was actually taken.

My forum "passwords" are generally not strong, and reused, because honestly I'm not really that worried - worst case, someone gets my forum account banned. That said, proper security is extremely complicated, and certainly I recommend physical storage of your passwords in something like a notepad, in a secure place, if you would rather not use a password manager. Personally, I don't like the idea of a single password to know all of my other passwords, but I admit it is convenient.

If you're extremely paranoid about your physical notepad password storage being read or stolen by someone, do a light encryption on it; something as simple as jumbling your passwords around can confound a determined thief for hours, plenty of time for you to notice it missing. Example: 123456 password, into 435261. You only have to remember how you jumbled your password book.
Kirrus, posted August 19, 2016:

nightmare said: "Let's Encrypt, baby! https://letsencrypt.org/"

I'm quite aware what Let's Encrypt is; I've been using it personally since before it was open to public use. It's likely we'll use it to help provide certs, but as I say, SSL has not been, and is not, a priority yet.
Keshash, posted August 19, 2016:

I'm glad I made most of my passwords unique last week. Still, it's strange that they've targeted a game forum. Even my grandma has unique passwords for important things.
Strats, posted August 19, 2016:

Phew! Glad that my password for this was and is unique. Thanks for letting us know about this so soon, you guys!
Geras, posted August 19, 2016 (edited):

I had a shitty password here which I believe I use on one or two other forums. Not a big deal.

Edited August 19, 2016 by Geras
EllEzDee, posted August 21, 2016:

So to clarify: is it only the people who physically logged in after the 3rd of August whose passwords are at definite risk? And not the people who are kept logged in with cookies?

Using the same password on things is what got my email hacked a few years ago. Some CoD4 clan website got hacked yeaaaaars down the line, and the prick who did it posted the results on the web (found it by Googling my email address out of boredom). At the time I thought the only way a password could be compromised is if someone "hacked" it (you know, like brute forcing it or whatever). Didn't occur to me a site could be hacked, so I figured it was fine just using a strong password everywhere.
Kirrus, posted August 21, 2016:

EllEzDee said: "So to clarify: is it only the people who physically logged in after the 3rd of August whose passwords are at definite risk? And not the people who are kept logged in with cookies?"

Yup. Those who logged in after the 3rd are at risk, but the forums don't track logins. Therefore we broke the password of everyone who was active, so we were sure we forced a reset of the password of all those at risk.
cool daddy shark, posted August 22, 2016:

I couldn't log in so I had to reset. What the fuck.
penman, posted August 29, 2016:

I just finished studying hacksplaining.com and remembered seeing this. I'm curious, how does this kind of attack work?
Kirrus, posted August 29, 2016:

penman said: "I just finished studying hacksplaining.com and remembered seeing this. I'm curious, how does this kind of attack work?"

I'm not going to say more than I have already in this thread, and on reddit. I won't teach hacking skills.
penman, posted August 29, 2016:

Kirrus said: "I'm not going to say more than I have already in this thread, and on reddit. I won't teach hacking skills."

I appreciate that. From what you've said, it sounds like they managed to get elevated permissions on a Linux system, but I don't see how it would be any of the methods taught on that site. I understand your POV regarding talking about this on the forum; perhaps PM me to point me in the right direction?
DresdenBBQ, posted August 29, 2016 (edited):

I'm so lazy, I just used the same password but changed a couple of letters.

Edit: Hack me, I dare you. I will unleash my 300 Steam friends, of which at least 8 are hackers, on you, and I will find your IP and destroy you <3

Edited August 29, 2016 by Queen Glory