Database Compromise and Why You Might Not be Able to Log In
The VG Resource (https://www.vg-resource.com)

Database Compromise and Why You Might Not be Able to Log In - Petie - 11-18-2014

As some of you have probably noticed by now, everyone was logged out of the forum (and, by association, the sites) last night. This was a quick first measure in response to a database compromise we experienced the other day that I was just made aware of. Apparently, on the 14th, one of the MyBB developers' GitHub accounts was compromised and the attacker was able to run database backups on every single MyBB forum running the most recent version of the software (we were not specifically targeted here). These backups were then sent off to their IP. I have no way of knowing if the process actually completed, nor do I know the motivation of the attack, so I can only proceed by assuming it was malicious and that the attackers have a copy of our user table.

What does this mean going forward? I am requiring ALL staff (both forum and site) to change their passwords immediately. I encourage everyone else to do the same, especially if you use your password here elsewhere as well. Passwords are stored in an encrypted state so it would take some work on the attacker's end to actually get something meaningful out of the data they have but it's still better to be safe than sorry.

For more information about the attack, see this blog post on the MyBB site.

Sorry for the late notice on this but I only just found out last night and couldn't actually sit down to write this up until this morning. If you have any questions or concerns, post them here.

RE: Database Compromise and Why You Might Not be Able to Log In - Deathbringer - 11-18-2014

If anyone is having trouble logging in to change anything, just delete every cookie for the resource sites (vg, spriters, models, etc.). It was the only way I could get in.

RE: Database Compromise and Why You Might Not be Able to Log In - Petie - 11-18-2014

Oops, sorry! I forgot to mention that in the original post. Thanks Deathbringer.

RE: Database Compromise and Why You Might Not be Able to Log In - senjen - 11-18-2014

Just changed my password. I wasn't compromised, but better to be safe than sorry.

RE: Database Compromise and Why You Might Not be Able to Log In - psychospacecow - 11-18-2014

Question, is the thing that was hacked the forum or the main site accounts?

RE: Database Compromise and Why You Might Not be Able to Log In - Petie - 11-18-2014

They are one and the same. Nothing was hacked in the sense that they have plain text passwords though. They got a dump of the users table which contains all of our user info but the passwords are encrypted (not to mention that this was a mass attack so they likely have thousands of database exports) so it's unlikely they've been able to actually access any accounts. It's still better to err on the side of caution though, which is why I recommend resetting your password.

RE: Database Compromise and Why You Might Not be Able to Log In - psychospacecow - 11-18-2014

Is VGFacts in the same boat?

RE: Database Compromise and Why You Might Not be Able to Log In - Petie - 11-18-2014

No. VGFacts was not affected by this exploit. This was purely by chance since none of us happened to log into the Admin CP while it was active.

RE: Database Compromise and Why You Might Not be Able to Log In - DragonDePlatino - 11-18-2014

I should've thought twice before deleting all of my cookies...I just lost ALL of my game files on Nitrome!!! But...what's done is done. Next time, would it be possible to get the logins working in a way that doesn't require one to delete all of their cookies?

RE: Database Compromise and Why You Might Not be Able to Log In - Petie - 11-18-2014

You have the option to delete cookies from specific domains, though doing so varies by browser. I realize this information does you little good now, and I'm sorry you lost your game files, but in the future, only delete the cookies from *-resource.com should the need arise.

RE: Database Compromise and Why You Might Not be Able to Log In - Garamonde - 11-18-2014

Changed my password, tally-ho.