MyBB Community Forums

Full Version: Database Leaked - Need Help and I got Questions
The database from my site got leaked a few months ago.

So when the site got back up, we asked all the users to change their passwords.

Someone got into a Staff account today even though they had changed their password and all. I was wondering if this is true because I heard this:

They still have the cookies from the old database so they can manage to still go into member's accounts.

I am wondering, are they cracking the passwords? Like I feel a bit lost and I would like to have explanations on why they can still get into people's accounts even if we changed our passwords and Emails.
Are you sure they still can't get in? They may still have access.
When you change a password - through MyBB, not by somehow mucking about with SQL queries, it should invalidate old cookies. Even if you set it to the same password you already had, the cookie changes.

You can verify this yourself; open a private window (or use two separate browsers, like Firefox and Chrome), log in on both; change the password in one, and see if you're still logged in on the other. You should be logged out.

If they have your database, and you do not change passwords, they can log in to the forum just by using the cookie; only the ACP has an additional protection and requires relogins regularly. But with the DB it is possible to bruteforce the password, so - either the password was not changed after all (if you have backups, you can check the user table entry to see if the password/salt changed).
Run an update query on your database to change all passwords to an invalid hash (I like using the asterisk), set the salt to the empty string, and change all the login keys. This will force everyone to reset their password.
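The update the post describes, together with the backup comparison suggested in the reply above, written out as an added MySQL example (not code from the thread or from MyBB). It assumes the default `mybb_` table prefix, the standard `password`, `salt`, `loginkey` and `usergroup` columns, MyBB's default staff group ids, and that the pre-leak backup has been restored into a schema named `leak_backup`.

```sql
-- Added example. Assumptions: default `mybb_` prefix; columns password, salt,
-- loginkey, usergroup; pre-leak backup restored into schema `leak_backup`.

-- 1. Did the staff hashes and login keys actually change since the backup?
--    Default MyBB group ids: 4 = Administrators, 3 = Super Moderators, 6 = Moderators.
SELECT  cur.uid,
        cur.username,
        (cur.password <> old.password OR cur.salt <> old.salt) AS hash_changed,
        (cur.loginkey <> old.loginkey)                         AS cookie_rotated
FROM    mybb_users             AS cur
JOIN    leak_backup.mybb_users AS old USING (uid)
WHERE   cur.usergroup IN (3, 4, 6);

-- 2. Forced reset for everyone: '*' can never equal an MD5 hex digest, the empty
--    salt stops the old password from verifying, and a fresh 50-character
--    loginkey per row (RAND() is re-evaluated for each row) invalidates every
--    cookie that could be built from the leaked table.
START TRANSACTION;
UPDATE mybb_users
SET    password = '*',
       salt     = '',
       loginkey = CONCAT(MD5(RAND()), LEFT(MD5(RAND()), 18));

-- Sanity checks before committing: every row reset, no two users share a key.
SELECT COUNT(*) AS rows_not_reset
FROM   mybb_users
WHERE  password <> '*' OR salt <> '' OR LENGTH(loginkey) <> 50;

SELECT COUNT(*) - COUNT(DISTINCT loginkey) AS duplicate_keys
FROM   mybb_users;
COMMIT;
```

Take a fresh backup before running step 2; after it every member must use the lost-password flow, which is exactly the effect the post is after.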
and it will lose you all members whose mail address is no longer valid
(2014-05-14, 02:30 PM) frostschutz Wrote: and it will lose you all members whose mail address is no longer valid

You say that as if it's a bad thing