11-18-2014, 06:13 AM
As some of you have probably noticed by now, everyone was logged out of the forum (and, by association, the sites) last night. This was a quick first measure in response to a database compromise we experienced the other day that I was just made aware of. Apparently, on the 14th, one of the MyBB developer's Github accounts was compromised and the attacker was able to run database backups on every single MyBB forum running the most recent version of the software (we were not specifically targeted here). These backups were then sent off to their IP. I have no way of knowing if the process actually completed, nor do I know the motivation of the attack, so I can only proceed by assuming it was malicious and that the attackers have a copy of our user table.
What does this mean going forward? I am requiring ALL staff (both forum and site) to change their passwords immediately. I encourage everyone else to do the same, especially if you use your password here elsewhere as well. Passwords are stored in an encrypted state so it would take some work on the attacker's end to actually get something meaningful out of the data they have but it's still better to be safe than sorry.
For more information about the attack, see this blog post on the MyBB site.
Sorry for the late notice on this but I only just found out last night and couldn't actually sit down to write this up until this morning. If you have any questions or concerns, post them here.
What does this mean going forward? I am requiring ALL staff (both forum and site) to change their passwords immediately. I encourage everyone else to do the same, especially if you use your password here elsewhere as well. Passwords are stored in an encrypted state so it would take some work on the attacker's end to actually get something meaningful out of the data they have but it's still better to be safe than sorry.
For more information about the attack, see this blog post on the MyBB site.
Sorry for the late notice on this but I only just found out last night and couldn't actually sit down to write this up until this morning. If you have any questions or concerns, post them here.