AnimeSuki Forums

Old 2014-05-12, 11:11   Link #41
Dr. Casey
Senior Member
Join Date: Nov 2007
Location: Tennessee
Age: 36
... fuck.

I'm glad that I no longer use a common password - that habit was something I stopped June 2010 after having all my accounts broken into by some kid. I just scanned through my private messages and I don't think there's anything too terribly sensitive in there, either.
Old 2014-05-12, 11:12   Link #42
milan kyuubi
Call me MK! :)
Graphic Designer
Join Date: Oct 2009
Location: The top of the world.
Age: 34
Quote:
Originally Posted by Krono View Post
From what they described, the main thing is the hacker likely got people's username/email address/password combinations. They can use that to attempt to log in as you on other services where the same username/password combination is used. How problematic that would be depends on the services they succeed in logging in to.

Same name/password for other anime forums? Not that big a deal. Same name/password for Amazon/Apple? Big problem.
Thanks!

I don't have accounts for Amazon/Apple etc! The only site I ever registered, that has anything to do with money, was the one for WoW. And I have a unique user name/password/email (that I only use there) created just for that!
Old 2014-05-12, 11:29   Link #43
Wandering Soul
Senior Member
Join Date: Oct 2013
Location: America
I'm real lucky. I was actually recently thinking about changing some of my passwords to match to make them easier to remember. Even then I haven't really registered with anything involving money, so I wouldn't be in that much trouble.
Old 2014-05-12, 11:35   Link #44
KholdStare
ISML Technical Staff
Graphic Designer
Join Date: Dec 2006
Location: Phoenix, AZ
Age: 35
Hm, what I'm most confused about was, if the password was leaked in its encrypted form, then how was the mod account hijacked?

Either way, I'm quite glad my AS password (and even username) are different from most other sites I use, and I haven't sent any PMs recently.

In any case, I thank AS admins for their quick action to prevent any more serious problems.
Old 2014-05-12, 11:35   Link #45
Blaat
Senior Member
Join Date: Apr 2004
Just spent some time changing various passwords on different sites. Luckily the "show password" option in Firefox is a real timesaver. I know using the same password is so stupid, but remembering various different passwords can be a pain.
Old 2014-05-12, 11:41   Link #46
Gary29
Not Bennia Lover
Join Date: Oct 2013
Age: 26
Quote:
Originally Posted by the one above all View Post
I'm real lucky. I was actually recently thinking about changing some of my passwords to match to make them easier to remember. Even then I haven't really registered with anything involving money, so I wouldn't be in that much trouble.
I'd recommend a password manager like LastPass to make it easier to remember various secure passwords.
Old 2014-05-12, 11:42   Link #47
DragoMuseveni
True Dragon
Join Date: Nov 2013
Location: Riding on Great Red head
Age: 28
There are multiple ways to break a password. First would be a keylogger. Second, RAT tools. I hope that the backup won't be needed.
Old 2014-05-12, 11:43   Link #48
GHDpro
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
Just a heads up: in agreement with other admins & mods I've decided the best thing is to have the server wiped & reinstalled. The backup that will be restored is about 2 weeks old.

However I'll try to keep the current user, post and threads table so that you don't need to change your password twice nor will we lose any posts. You will lose anything else changed in the meanwhile though, such as PMs, visitor messages and basically anything else that is not a regular post in a regular thread.

Our apologies for the inconvenience, but this is the only way we can be sure the attacker didn't leave anything behind.
Old 2014-05-12, 11:47   Link #49
Scorpiopt
Senior Member
Join Date: Nov 2010
Why aren't the password system and the forum database encrypted?
Old 2014-05-12, 11:50   Link #50
GHDpro
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Scorpiopt View Post
Why aren't the password system and the account system encrypted?
The passwords are hashed and salted. But MD5 is hilariously easy to bruteforce crack these days. Unfortunately modifying the forum to use something more advanced is not easy as far as I know. The best defense is to simply not use the same password on any other site.
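As an added illustration (not AnimeSuki's or vBulletin's code) of what moving to "something more advanced" can look like without a forced reset: verify the legacy record, assumed here to be the vBulletin 3 construction md5(md5(password) + salt), and on a successful login silently re-store the password under PBKDF2-HMAC-SHA256 so the salted-MD5 hashes disappear from the database over time. The user record, salt and password are constructed sample data.

```python
import hashlib
import hmac
import os

# Legacy scheme, assumed to match vBulletin 3: md5(md5(password) + salt), short salt.
# Constructed example; not AnimeSuki's or vBulletin's code.
PBKDF2_ITERATIONS = 600_000  # slow by design: each guess costs 600k HMAC rounds

def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def modern_hash(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_modern(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(users: dict, username: str, password: str) -> bool:
    """Check the password against whichever scheme the record uses. A correct
    password against a legacy record is immediately re-stored under PBKDF2,
    so the salted-MD5 hash stops existing without a forced reset."""
    rec = users.get(username)
    if rec is None:
        return False
    if rec["scheme"] == "legacy_md5":
        expected = legacy_hash(password, rec["salt"])
        if not hmac.compare_digest(expected, rec["hash"]):
            return False
        users[username] = {"scheme": "pbkdf2", "hash": modern_hash(password)}
        return True
    return verify_modern(password, rec["hash"])

def sample_users() -> dict:
    # Constructed sample record: user "alice", password "hunter2", legacy salt "Zq7".
    salt = "Zq7"
    return {"alice": {"scheme": "legacy_md5", "salt": salt,
                      "hash": legacy_hash("hunter2", salt)}}
```

Accounts that never log in again keep their MD5 record, which is why a migration like this is usually paired with forcing a reset for long-inactive users.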
Old 2014-05-12, 11:51   Link #51
Scorpiopt
Senior Member
Join Date: Nov 2010
Quote:
Originally Posted by GHDpro View Post
The passwords are hashed and salted. But MD5 is hilariously easy to bruteforce crack these days. Unfortunately modifying the forum to use something more advanced is not easy as far as I know. The best defense is to simply not use the same password on any other site.
It's not easy, but it's not the first time this has happened, so measures should have been implemented.
Same with the database; it should have been secured in a more proper way.

Quote:
Originally Posted by GHDpro View Post
The best defense is to simply not use the same password on any other site.
Sorry, but this seems like an attempt to brush off responsibility for the forum security.
Old 2014-05-12, 11:54   Link #52
DragoMuseveni
True Dragon
Join Date: Nov 2013
Location: Riding on Great Red head
Age: 28
Quote:
Originally Posted by Frailty View Post
Does this mean that our passwords and other related stuff that uses the same e-mail we use here might be compromised?

Will changing the e-mail we currently use help?
Quote:
Originally Posted by Scorpiopt View Post
It's not easy, but it's not the first time this has happened, so measures should have been implemented.
Same with the database; it should have been secured in a more proper way.
This is the problem with vBulletin: when you have access to the MD5 files, you can find out whatever password you want with a little patience.
What kind of encryption is the database in, if you can tell me?
Old 2014-05-12, 11:55   Link #53
Krono
Senior Member
Join Date: Feb 2009
Quote:
Originally Posted by milan kyuubi View Post
Thanks!

I don't have accounts for Amazon/Apple etc! The only site I ever registered, that has anything to do with money, was the one for WoW. And I have a unique user name/password/email (that I only use there) created just for that!
Yeah, that's the main threat. Thinking on it though, the other big threat is if you were using the same password to log into the forum, as you use to log into the email address you had on file with the forum. I don't think many people do that because of the obvious security problems of using the same password for your email as you do everywhere else. But if they can get into your email account, they can reset the password for any accounts associated with that email account. Again, how damaging that would be would depend on what services were associated with that email address.

Quote:
Originally Posted by KholdStare View Post
Hm, what I'm most confused about was, if the password was leaked in its encrypted form, then how was the mod account hijacked?
They aren't sure. From what they describe, the mod account being hijacked was the starting point. My guess would be the inactive mod used the same username/password on another site that got hacked, and their inactivity meant they didn't change their password here. Once they had the higher-level account login, they were able to start compromising the forum and grab the encrypted passwords.

Quote:
Originally Posted by GHDpro View Post
Just a heads up: in agreement with other admins & mods I've decided the best thing is to have the server wiped & reinstalled. The backup that will be restored is about 2 weeks old.

However I'll try to keep the current user, post and threads table so that you don't need to change your password twice nor will we lose any posts. You will lose anything else changed in the meanwhile though, such as PMs, visitor messages and basically anything else that is not a regular post in a regular thread.

Our apologies for the inconvenience, but this is the only way we can be sure the attacker didn't leave anything behind.
Sounds reasonable. Hopefully there won't be any issues retaining posts, as that would be the main thing to worry about losing.
Old 2014-05-12, 11:58   Link #54
Scorpiopt
Senior Member
Join Date: Nov 2010
The database can be encrypted in a different way than the passwords (not sure if possible under vBulletin). The fact that the forum is also using an old version of vBulletin doesn't make things better.
Old 2014-05-12, 12:01   Link #55
DragoMuseveni
True Dragon
Join Date: Nov 2013
Location: Riding on Great Red head
Age: 28
Quote:
Originally Posted by Scorpiopt View Post
The database can be encrypted in a different way than the passwords (not sure if possible under vBulletin). The fact that the forum is also using an old version of vBulletin doesn't make things better.
Even the new version, v5 of vBulletin, still has this way of encryption, so blame vBulletin.
The database I'm not sure about, but it can be encrypted in other ways.
Old 2014-05-12, 12:02   Link #56
Scorpiopt
Senior Member
Join Date: Nov 2010
If vBulletin is shitty (which it is), I suggest you guys move to XenForo; it's way better in terms of security and faster.
Old 2014-05-12, 12:04   Link #57
DragoMuseveni
True Dragon
Join Date: Nov 2013
Location: Riding on Great Red head
Age: 28
That means all comments and the rest must be deleted. No. I suggest, if I recall correctly, enabling the erasing of accounts after 4-5 years of inactivity.
Old 2014-05-12, 12:08   Link #58
Gary29
Not Bennia Lover
Join Date: Oct 2013
Age: 26
Quote:
Originally Posted by DragoMuseveni View Post
That means all comments and the rest must be deleted. No. I suggest, if I recall correctly, enabling the erasing of accounts after 4-5 years of inactivity.
Posts can actually be imported, but the bigger issue would be things like the social groups and galleries.
Old 2014-05-12, 12:08   Link #59
Scorpiopt
Senior Member
Join Date: Nov 2010
Quote:
Originally Posted by DragoMuseveni View Post
That means all comments and the rest must be deleted. No. I suggest, if I recall correctly, enabling the erasing of accounts after 4-5 years of inactivity.

Yes, and passwords would have to be reset again (most of the forum posts etc. can be moved to XenForo).
It would be a pain and the site would be down for a week, but the move would be beneficial in terms of security, forum speed and features.
Old 2014-05-12, 12:09   Link #60
NightWish
…Nothing More
Administrator
Join Date: Mar 2003
Age: 44
Quote:
Originally Posted by Scorpiopt View Post
Why aren't the password system and the forum database encrypted?
The database itself isn't encrypted because the forum software was never written that way. Even the current version doesn't encrypt the database. I'm not sure which version of the database started supporting encryption, but the forum software authors probably wouldn't have done it even if it had been an option earlier, simply because they wanted to support a wide range of database versions.

Adding encryption in a secure way to the forum, at this point, would be a mammoth undertaking even for the people who control the code base, let alone us. We're not in a position to do it securely. It would be quicker to replace the software with something newer, assuming there is something out there that does make use of database level encryption. As far as I know xenforo (which was started by the people who originally wrote this version of vBulletin!) does not do database encryption either.

Technical limitations aside, it wouldn't have helped in this case as the attack compromised the forum software itself. At that point they would have had the same keys the forum uses, so would have been able to query the user information in the same way. Might have taken longer, doing the decryption, but it wouldn't change things much.
Powered by vBulletin® Version 3.8.11