Important Notice - Security Breach

[MrAsian]

thanks for the update admin !

 

[Kamel]

Whoever hacked AF got my password and tried to access my account. That sux man!

I see that you got it all figured out, which is great. I did want to say being a programmer myself who has implemented user databases with salted password hashes, it is very unlikely that the hackers will be able to figure out the stored passwords. Honestly, it wouldn't even be worth their effort unless it was for a person who they specifically targeted.

Of course, this does depend on the complexity of the salt somewhat. Does anyone know if the hackers may have been able to determine what the salt was?

 

[trparky]

There is something that I'm involved with on the Internet that's been known to help stop exploits like this. It's kind of like a firewall/intrusion detection system for PHP scripts. It uses a series of rules to detect common exploit techniques used by hackers and has been known to stop SQL injection, cross-site scripting exploits, and remote code injection. It has been proven very effective in stopping the bad guys.

If you guys here want to know about it, contact me. I'll be glad to get you into contact with the lead developer.

When I was developing a site that stored passwords I remember making the password hash based on SHA512 with four pieces of random data along with the username and password as part of the the data that's hashed.

 

[srpurdy]

There is something that I'm involved with on the Internet that's been known to help stop exploits like this. It's kind of like a firewall/intrusion detection system for PHP scripts. It uses a series of rules to detect common exploit techniques used by hackers and has been known to stop SQL injection, cross-site scripting exploits, and remote code injection. It has been proven very effective in stopping the bad guys.

If you guys here want to know about it, contact me. I'll be glad to get you into contact with the lead developer.

When I was developing a site that stored passwords I remember making the password hash based on SHA512 with four pieces of random data along with the username and password as part of the the data that's hashed.

mod security ?
Atomic rules. (or the whole ASL suite)

To me it's pointless to run any website of any kind of user base without mod_security rules. I'm sure they already would have that. Although I don't actually run any site without it. even if it has 5 hits lol

But even a WAF is not perfect. There is a lot more to security than just a WAF and a Firewall, a secured kernel. disabling of services that are known to cause issues, and even the hardware on the data center end, Keeping software up to date as well of course. If with as much knowledge someone may have in security there is always ways to improve or learn things. If your not critical of that knowledge you have you can never move forward and learn more. People that have good practices and are not egoistical about being secure are better off.

I'm new here, but I run some fairly high traffic sites. Personally I think how it was handle was pretty good. I mean what really can they do after the fact. For anyone that runs a "Server" themselves and thinks that security is something that isn't an everyday job, then they don't know what they are doing, and for others complaining about the breach I assume are completely clueless.(They problably have one small site that know one will hack because it's pointless)

For a site with low traffic say 10K pageviews a month you might have 100's of attacks a month. If you get a million page views a month you now are in the 100,000 or more attacks per month. Bigger the site the more of a target the site is, and the more likely you'll get hit eventually. It's really expodentail. Best thing you can do is be on top of it with as much of the knowledge you have an keep learning and improving.

 

[Bigdog999]

I too have started seeing a lot of false attempts to enter the site after I changed my password.

 

[V.Lee]

I just happened to log in today and see this. (Yes an email might have gotten me here sooner, but I understand that the admin staff was a bit busy ).

Many thanks to the staff who are obviously working hard on addressing both the problem itself *and* the multiple comments here.

I did want to mention one thing which I wouldn't bring this up except for the timing. The other day I got an email from Facebook that "Your Facebook account was recently logged into from a computer, mobile device or other location you've never used before. For your protection, we've temporarily locked your account until you can review this activity and make sure no one is using your account without your permission.".

The reason I'm mentioning it is that the email was sent on 7/11 in the morning. Yes, same password (although not any more!). On line, FB brought up a map where it says the ip was located, and showed a map of Japan. (Which is pretty far from the mid-Atlantic where I am). I don't understand internet security or ips at all, so that part may not be meaningful. I'm just passing it along in case it means anything to those of you tracking this down.

 

[Trimbaud]

Still having problems related to the phandroid forum app. I uninstalled and reinstalled, as suggested-still can't log in that way.
Thanks for all the rest. Love the forum

 

[GirlFriday]

Wow..rude and arrogant much?

Newsflash. Yahoo was hacked. Twitter was hacked. LinkedIn was hacked. Amazon was hacked. Sony was hacked repeatedly. The largest credit card payment processor in the U.S. was hacked. It happens to the big boys too. I am a webmaster for about half a dozen sites. It's not an easy job and fighting hackers and spammers and idiotic script kiddies is quite a battle. There is no such thing as a hacker proof website. Period. All webmasters can do is work hard to stay one step ahead. Hackers are always creating new ways to do things and new exploits. It never ends.

Get off your high horse.

No, these things don't just "happen". Admins put up with it because they know they are ultimately the ones who failed.

This is negligence on androidforums part; and, are the real people to blame. Can you imagine if large bank websites were also this insecure; and, asking all their online customers go change their passwords? Then.. customers just saying... oh well, these things just happen.

There's the argument that user passwords should be complex enough for the hash not to be brute forced hacked; but, really, it should never get to that point.

I've lost complete respect for the person/people responsible for maintaining this website. Hopefully, they know better than to list androidforums.com on their resumes.

 

[OKara]

Thanks for the heads up re the breach guys, just wish you could send a email out to everybody so we can get the changes done before further damage if any.
I never share same pass on accounts but know many people does and would be important if everyone could change their passwords before attempts are made on other forums and websites.
All the best and keep on with the work.

 

[jcash3]

I just received this email:

Android Forums noreply@androidforums.com
12:14 PM (8 minutes ago)

to me

Dear jcash3,

Someone has tried to log into your account on Android Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: {mod removal}

All the best,
Android Forums


Being that I haven't logged on in a while... I wonder how many times they were in my account.

 

[Unforgiven]

jcash, chances are you have an app on your phone trying to connect to AF. Update your login credentials on anything that connects (e.g. the official AF app, Tapatalk, Forum Runner, etc.) and it should take care of it.

 

[jcash3]

jcash, chances are you have an app on your phone trying to connect to AF. Update your login credentials on anything that connects (e.g. the official AF app, Tapatalk, Forum Runner, etc.) and it should take care of it.

That IP address isn't the same as what is on my phone...

 

[jcash3]

Not to mention I just got another notification saying the same thing. The only app that I have is the Phandroid app, and I don't have any login information saved in it.

 

[Phases]

Uninstall the Phandroid App and see what that does..

 

[jcash3]

Uninstall the Phandroid App and see what that does..

Just did that, looks like that may be the problem. I opened the app and go another notification. Didn't know that it had saved my info.

 

[Phases]

It's notorious for that bug. I expect you'll be good now.

 

[Xyro]

I just received this email:

Android Forums noreply@androidforums.com
12:14 PM (8 minutes ago)

to me

Dear jcash3,

Someone has tried to log into your account on Android Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: (removed)

All the best,
Android Forums


Being that I haven't logged on in a while... I wonder how many times they were in my account.

You've posted from very similar IPs from Verizon in the past, so it's most likely you were assigned that at some point recently. I'm sure that it will be the same case for you as with everyone else before, that an android app is to blame, so please check to make sure your apps have your updated password and then see if more emails arrive.

So far all cases of these login attempts have been users' own phones attempting to log in with old passwords

 

[jcash3]

Seems to have resolved my problem. Thanks for the help.

 

[Xyro]

Seems to have resolved my problem. Thanks for the help.

Glad to hear it

 

[rootbrain]

The fact you stepped up to it and admitted the problem openly gives me confidence that you have and are doing what is necessary to prevent it from happening again.

Thanks for your diligence and HONESTY.

Quite refreshing....:smokingsomb:

 

[GirlFriday]

Good grief! Take the time to read the darn thread or at least search it!!

I just received this email:

Android Forums noreply@androidforums.com
12:14 PM (8 minutes ago)

to me

Dear jcash3,

Someone has tried to log into your account on Android Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: {mod removal}

All the best,
Android Forums


Being that I haven't logged on in a while... I wonder how many times they were in my account.

 

[EarlyMon]

Good grief! Take the time to read the darn thread or at least search it!!

It's ok.

We don't mind folks asking whatever they need or want to get this all sorted.

For everything else, there's always the trunk monkey.

 

[chrisluger2012]

Thanks for the hard work which you have done for US

 

[bris1112]

The email account associated with my androidforums account was compromised on 7/11/12. I started to receive failed delivery status emails for those spam attempts from my account to dead email addresses.

I was notified of the spam by a person in my address book. Embarrassing.

I had not logged into the forum in some time and did so today at random. I agree with some of the previous posters that an email from this site informing me of the breach would have helped.

 

[Phases]

The email account associated with my androidforums account was compromised on 7/11/12. I started to receive failed delivery status emails for those spam attempts from my account to dead email addresses.

I was notified of the spam by a person in my address book. Embarrassing.

I had not logged into the forum in some time and did so today at random. I agree with some of the previous posters that an email from this site informing me of the breach would have helped.

Thank you for the report - passing it up to Rob.

Unless that password is what you use for your gmail account - they wouldn't (shouldn't?) be related. If it is.. it is my understanding the way the passwords are salted it would be really hard or not possible to crack that password, but I'm not 100% on that. Need to hear from the server/developer team.