Posts: 52
Threads: 27
Joined: Aug 2014
Reputation:
0
Hello,
www.referraldirectoryforum.com was recently hacked and everything was deleted. We are now in the process of adding the backup back to the site. The other admin said he stole all emails, passwords, and information. Is there any way he could have done that, or is it possible that he doesn't have access to all the passwords? Please tell me he doesn't..
Thanks!
Posts: 55
Threads: 10
Joined: Feb 2015
Reputation:
0
(2015-02-12, 01:28 AM)dfarmer2001 Wrote: Hello,
www.referraldirectoryforum.com was recently hacked and everything was deleted. We are now in the process of adding the backup back to the site. The other admin said he stole all emails, passwords, and information. Is there any way he could have done that, or is it possible that he doesn't have access to all the passwords? Please tell me he doesn't..
Thanks!
He could have gotten all that but the passwords. Passwords are hidden even to admins of the site. If you go to the ACP and try to change a member's password, it might show dots, or just ask you to change it, but won't supply you with their password.
Posts: 21,668
Threads: 5
Joined: Aug 2011
Reputation:
2,316
Though stealing passwords is not a simple task, it can't be ruled out if the database was also stolen..
Posts: 55
Threads: 10
Joined: Feb 2015
Reputation:
0
(2015-02-12, 02:12 AM).m. Wrote: though stealing passwords is not a simple task, it can't be ruled out if the database was also stolen ..
Ooooh. Didn't know that haha.
Posts: 52
Threads: 27
Joined: Aug 2014
Reputation:
0
(2015-02-12, 02:12 AM).m. Wrote: though stealing passwords is not a simple task, it can't be ruled out if the database was also stolen ..
According to the other admin of Referral Directory, the backup was stolen and that is the database. So I am guessing the passwords were stolen.. I am only hoping he doesn't have all the passwords..
Posts: 4,198
Threads: 137
Joined: Dec 2009
Reputation:
265
He has only the hash of passwords, not the plain text version of passwords. I still would recommend having all your members, particularly staff, change their passwords.
Posts: 2,557
Threads: 100
Joined: Feb 2007
Reputation:
304
He has hash and salt, and the MyBB password hashing system is in the sources.
So, it's possible (with enough time) to find a matching pass for a given hash & salt.
The only good protection now is to change the admins' passwords and force the users to change their passwords.
Posts: 3,313
Threads: 192
Joined: May 2014
Reputation:
147
2015-02-12, 03:18 PM
(This post was last modified: 2015-02-12, 03:18 PM by Eldenroot.)
That's why we need MyBB 1.8.4 with 2-way authentication really soon.
Posts: 4,241
Threads: 113
Joined: Jan 2006
Reputation:
111
(2015-02-12, 03:18 PM)Eldenroot Wrote: That's why we need MyBB 1.8.4 with 2-way authentication really soon
That wouldn't help as all necessary information for 2FA is stored in the database as well.
Posts: 52
Threads: 27
Joined: Aug 2014
Reputation:
0
Okay, well, the staff is being required to change their passwords now. We have also created an announcement allowing everyone to know what has happened, and that they should change their passwords. An email and PM will be sent to all users to make sure their privacy and account information is secure.
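As an added example (not code from this thread or from MyBB itself): the restored site and the stolen backup start out with the same salt and hash for every account, so comparing the two shows which accounts have still not changed their password, and hashing a newly chosen password with the old salt catches a "change" that keeps the exposed password. The hash function assumes the MyBB 1.x scheme md5(md5(salt) + md5(password)); the row layout, helper names and sample accounts are constructed for illustration.

```python
import hashlib
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def legacy_hash(password: str, salt: str) -> str:
    # Assumed MyBB 1.x scheme: md5(md5(salt) + md5(password)).
    return md5_hex(md5_hex(salt) + md5_hex(password))

def set_password(row: dict, password: str) -> None:
    # Hypothetical helper: a change stores a fresh random salt and a new hash.
    row["salt"] = secrets.token_hex(4)
    row["password"] = legacy_hash(password, row["salt"])

def still_exposed(backup: dict, live: dict) -> list:
    """uids whose live (salt, hash) pair is identical to the stolen backup."""
    return sorted(
        uid for uid, old in backup.items()
        if uid in live
        and (live[uid]["salt"], live[uid]["password"]) == (old["salt"], old["password"])
    )

def reuses_exposed_password(candidate: str, old: dict) -> bool:
    """True if a newly chosen password is the one behind the stolen hash."""
    return secrets.compare_digest(legacy_hash(candidate, old["salt"]), old["password"])

def change_password(uid, candidate, backup, live) -> bool:
    # Reject a "change" that keeps the exposed password under a new salt.
    if uid in backup and reuses_exposed_password(candidate, backup[uid]):
        return False
    set_password(live[uid], candidate)
    return True

# Constructed sample data: three accounts as they appear in the stolen backup.
BACKUP = {}
for uid, pw in [(1, "admin-old-pass"), (2, "hunter2"), (3, "correct horse")]:
    BACKUP[uid] = {}
    set_password(BACKUP[uid], pw)
LIVE = {uid: dict(row) for uid, row in BACKUP.items()}  # the restored site

def demo():
    ok = change_password(1, "new-staff-passphrase", BACKUP, LIVE)
    rejected = change_password(2, "hunter2", BACKUP, LIVE)
    return ok, rejected, still_exposed(BACKUP, LIVE)

if __name__ == "__main__":
    print(demo())
```

Accounts that `still_exposed` keeps returning after the announcement are the ones to lock until the owner completes a reset.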