
Important Security Notice


Kirrus


Today we detected that someone had managed to hack our theindiestone.com forums. We know, 100%, that they have the plain text username and password of the 444 people who have logged in since the 3rd August - the hacker exfiltrated them just before they were encoded (hashed). It’s also of course conceivable, although there’s no evidence of this, that they have the hashed and salted (i.e. encoded) password of other forum users too.

 

As a precaution, we’ve broken the passwords of anyone who used the forums since the 3rd of August. Please use the following link to reset your password:

 

http://theindiestone.com/forums/index.php?/lostpassword/

 

For everyone else, we strongly recommend you change the password you use on the forums for good measure. If you use it anywhere else, you should change it there as well.

 

Our apologies for the inconvenience.

 

TIS


6 minutes ago, Keepbro said:

You wonder why they bother? I mean except for all the hugely important security details that I regularly share on the TIS forums including all my credit card details and passwords for my ebay and steam accounts. 

 

 

People use the same passwords in multiple places still :(


Yup.. password was unique to this site. No issues there (for me)

Quote

We know, 100%, that they have the plain text username and password of the 444 people who have logged in since the 3rd August - the hacker exfiltrated them just before they were encoded (hashed).

 

This sounds like they got access on 3rd Aug and just started logging things since then.

 

In any case (from perspective of someone running a web-server) I'm curious how you managed to detect them? (Might be able to share some advice on securing)

Edited by snipertyler

5 minutes ago, snipertyler said:

Yup.. password was unique to this site. No issues there (for me)

 

This sounds like they got access on 3rd Aug and just started logging things since then.

 

In any case (from perspective of someone running a web-server) I'm curious how you managed to detect them?

 

 

Their exfiltration endpoint broke, and prompted visible errors. We actually run an internal integrity scan within the forums themselves that would've picked it up, but we only run that once every 6 months or so. I've been adding extra detection mechanisms since, (maldet, change monitoring) but it's a bit horse-bolted.

 

I'm probably going to look into restricting outbound HTTP(s), but that's something that'll take a while. I'll also look at getting https everywhere, but again, a while, plus low priority. We're not a big MITM target ;)

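The periodic integrity scan and change monitoring mentioned in the post above are exactly the checks that would have flagged a modified login script. As an added example (not the forum's own scanner, and unrelated to the maldet tool named there), here is a minimal baseline-and-verify integrity check in Python; the sample tree and file names are constructed for the demo, and a real deployment would point `root` at the web root and keep the baseline somewhere the web server cannot write:

```python
"""File-integrity baseline/verify for a web root (added example; sample tree is constructed)."""
import hashlib
import tempfile
from pathlib import Path

TRACKED = {".php", ".js", ".htaccess"}  # suffixes / names worth watching

def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each tracked file's path (relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and (p.suffix in TRACKED or p.name in TRACKED)
    }

def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against a saved baseline; a 'modified' hit on an auth script is an incident."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed sample: baseline a tiny forum tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "applications").mkdir()
        login = root / "applications" / "login.php"
        login.write_text("<?php /* verify credentials */ ?>\n")
        (root / "index.php").write_text("<?php /* forum front page */ ?>\n")
        baseline = build_baseline(root)
        # simulated tampering: the login script changes and an unexpected file appears
        login.write_text("<?php /* verify credentials */ /* unexpected edit */ ?>\n")
        (root / "x.php").write_text("<?php ?>\n")
        return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```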

Glad it was caught so soon. Sometimes companies go for months without noticing, and then try to dodge confirmation that anything was actually taken. My forum "passwords" are generally not strong, and reused, because honestly, I'm not really that worried - worst case, someone gets my forum account banned. That said, proper security is extremely complicated, and certainly I recommend physical storage of your passwords in something like a notepad, in a secure place, if you would rather not use a password manager. Personally, I don't like the idea of a single password to know all of my other passwords, but I admit it is convenient.

 

If you're extremely paranoid about having your physical notepad password storage read or stolen by someone, do a light encryption on it; something as simple as jumbling your passwords around can confound a determined thief for hours, plenty of time for you to notice it missing.

 

Example: 123456 password, into 435261. You only have to remember how you jumbled your password book.


So to clarify: is it only the people who physically logged in after the 3rd of August then whose passwords are at definite risk? And not the people who are kept logged in with cookies?

 

Using the same password on things is what got my email hacked a few years ago. Some CoD4 clan website got hacked yeaaaaars down the line, and the prick who did it posted the results on the web (found it by Googling my email address out of boredom). At the time I thought the only way a password could be compromised is if someone "hacked" it (you know, like brute forcing it or whatever). Didn't occur to me a site could be hacked, so I figured it was fine just using a strong password everywhere :(


1 hour ago, EllEzDee said:

So to clarify: is it only the people who physically logged in after the 3rd of August then whose passwords are at definite risk? And not the people who are kept logged in with cookies?

 

Using the same password on things is what got my email hacked a few years ago. Some CoD4 clan website got hacked yeaaaaars down the line, and the prick who did it posted the results on the web (found it by Googling my email address out of boredom). At the time I thought the only way a password could be compromised is if someone "hacked" it (you know, like brute forcing it or whatever). Didn't occur to me a site could be hacked, so I figured it was fine just using a strong password everywhere :(

 

Yup. Those who logged in after the 3rd are at risk, but the forums don't track logins. Therefore we broke the password of everyone who was active, so we were sure we forced a reset of the password of all those at risk.


4 hours ago, kirrus said:

I'm not going to say more than I have already in this thread, and on reddit. I won't teach hacking skills.

 

I appreciate that. From what you've said, it sounds like they managed to get elevated permissions on a Linux system, but I don't see how it would be any of the methods taught on that site. I understand your POV regarding talking about this on the forum; perhaps PM me to point me in the right direction?


I'm so lazy I just used the same password but changed a couple of letters.

Edit: Hack me, I dare you. I will unleash my 300 Steam friends, at least 8 of whom are hackers, on you, and I will find your IP and destroy you <3

Edited by Queen Glory
