
arn

macrumors god
Original poster
Staff member
Apr 9, 2001
Hi all,

As you might have noticed, MacRumors forums were down over the past day. Yesterday, we were hacked. We detected it relatively quickly, but are still going through the logs with a 3rd party security company.

The hack appears to be the same as this one: http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/ though we seem to have detected it as it was happening.

We restored the forum from backups from before the incident.

I'll fill you in more as we get more information back, as it's still early. But it's safest to assume at least part of the user table was taken, which means usernames, email addresses, and hashed passwords.

What that means is you should

1) change your password on MacRumors and
2) make sure you aren't using that password anywhere else. In general, it's best practice to use a unique password everywhere you go.

If you have problems changing your password - Contact Us

We'll send out an email too and update this thread later too. I'm very sorry for the inconvenience.
arn
 
For some reason my current password wouldn't let me log on and I had to use the reset password link and change it. Not a problem for me since I was going to change it anyway.

If there is anything I might be able to do to help, let me know.
 
Great job in getting it back up.

----------

For some reason my current password wouldn't let me log on and I had to use the reset password link and change it. Not a problem for me since I was going to change it anyway.

If there is anything I might be able to do to help, let me know.

I'm sure arn globally changed all passwords so you would have to reset it - SOP for such hacks.
 
Great job in getting it back up.

----------



I'm sure arn globally changed all passwords so you would have to reset it - SOP for such hacks.

No, I changed mine manually just now. ymmv.



Glad MR is back up!
 
Is this why yesterday, my iPad was asking me for authentication of my username and password in a pop-up window? Something that I had never seen before. I was already signed in, so I didn't enter my user info.
 
Is this why yesterday, my iPad was asking me for authentication of my username and password in a pop-up window? Something that I had never seen before. I was already signed in, so I didn't enter my user info.

Doubt it. It was probably iTunes or iCloud.
 
What that means is you should
1) change your password on MacRumors and
2) make sure you aren't using that password anywhere else. In general, it's best practice to use a unique password everywhere you go.
Sorry this happened, Arn. It's probably prudent to put this as an alert on the front page. It's more important than 'Retina iPad Mini Now on Sale'.

edit: Thanks, it was the right thing to do.
 
For some reason my current password wouldn't let me log on and I had to use the reset password link and change it. Not a problem for me since I was going to change it anyway.

If there is anything I might be able to do to help, let me know.

all moderator/admin passwords were forcibly reset.

arn

----------

*Sigh* Another day, another password to change.

If we delete PMs, do they still stay stored in the database?

pretty sure they are removed from the db.

arn
 
Good to be back. Definitely was a tough day at the office for Arn. Hope you are a little more relaxed today. Cannot imagine this was an easy fix for you.
 
I know as much as everybody else here how much people dislike user interface changes, but how about upgrading to vBulletin 5?

Just an idea.
If it has any risk of messing up their stellar mobile interface. No!
 
It was tough having the forum down during the launch of the new iPad mini but we survived.

Password has been changed, thanks for the heads up. I actually have a different password for everything and a good way of remembering them all. If I do forget I have 1Password to help me out.
 
It was a breach in vBulletin accessible via a privileged account.
This means someone got a password of a staff member with at least moderator privileges, and used his privileges to inject banal malicious code prompting users to enter their passwords, even if they were already logged in.

If you happened to search for new posts yesterday, you would have seen a Test announcement appearing forum wide. It was posted by a moderator of these forums.


If you haven't inserted your password in the prompt, there is no reason to change it now. Passwords are saved salted and hashed.
 
sorry. had to repair a mysql table. hopefully we're back.

----------

It was a breach in vBulletin accessible via a privileged account.
This means someone got a password of a staff member with at least moderator privileges, and used his privileges to inject banal malicious code prompting users to enter their passwords, even if they were already logged in.

If you happened to search for new posts yesterday, you would have seen a Test announcement appearing forum wide. It was posted by a moderator of these forums.


If you haven't inserted your password in the prompt, there is no reason to change it now. Passwords are saved salted and hashed.

It was a little more complicated than that, and it's not necessarily just if you typed your password in. They were escalating and trying to get shell access on the server.

arn
 
@arn Can I ask - I know you're still on vB 3.x but have you patched it to use a better password hash than MD5 and/or SHA1? I only ask as, if you've not, people need to know that basically users' passwords WILL be retrieved (reversing MD5 and SHA1 strings takes a matter of seconds).

----------

Glad stuff is back up. This happens with PHP. One of the downsides.

It's not a PHP problem. It's a poor/dated code problem. PHP is perfectly fine if you write it correctly.
 
The downtime must've mucked something up - my thread just vanished. Was there prior to the downtime. Now it's gone.
 
The downtime must've mucked something up - my thread just vanished. Was there prior to the downtime. Now it's gone.

Yeah, all of my posts from yesterday are missing too. I guess they reverted to a backup to be on the safe side (i.e. not risking there being malicious code injected anywhere).
 