MacRumors Forums Downtime - Security Issue

Discussion in 'Site and Forum Feedback' started by arn, Nov 12, 2013.

  1. arn, Nov 12, 2013
    Last edited: Nov 12, 2013

    arn macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #1
    Hi all,

    As you might have noticed, MacRumors forums were down over the past day. Yesterday, we were hacked. We detected it relatively quickly, but are still going through the logs with a 3rd party security company.

    The hack appears to be the same as this one: http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/ though we seem to have detected it as it was happening.

    We restored the forum from backups from before the incident.

    I'll fill you in more as we get more information back, as it's still early. But it's safest to assume at least part of the user table was taken, which means usernames, email addresses, and hashed passwords.

    What that means is you should

    1) change your password on MacRumors and
    2) make sure you aren't using that password anywhere else. In general, it's best practice to use a unique password everywhere you go.

    If you have problems changing your password - Contact Us

    We'll send out an email too and update this thread later too. I'm very sorry for the inconvenience.
    arn
     
  2. annk Administrator

    annk

    Staff Member

    Joined:
    Apr 18, 2004
    Location:
    Somewhere over the rainbow
    #2
    I imagine it was a hard day at the office today and yesterday arn, welcome back.
     
  3. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #3
    For some reason my current password wouldn't let me log on and I had to use the reset password link and change it. Not a problem for me since I was going to change it anyway.

    If there is anything I might be able to do to help, let me know.
     
  4. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #4
    Great job in getting it back up.

    ----------

    I'm sure arn globally changed all passwords so you would have to reset it - SOP for such hacks.
     
  5. iWeekend macrumors regular

    Joined:
    Nov 28, 2012
    #6
    No, I changed mine manually just now. ymmv.



    Glad MR is back up!
     
  6. DollaTwentyFive macrumors 6502a

    Joined:
    Nov 11, 2010
    Location:
    Parts Unknown
    #7
    Is this why yesterday, my iPad was asking me for authentication of my username and password in a pop-up window? Something that I had never seen before. I was already signed in, so I didn't enter my user info.
     
  7. webbuzz macrumors 65816

    webbuzz

    Joined:
    Jul 24, 2010
    #8
    Doubt it. It was probably iTunes or iCloud.
     
  8. theheadguy, Nov 12, 2013
    Last edited: Nov 13, 2013

    theheadguy macrumors 65816

    Joined:
    Apr 26, 2005
    Location:
    california
    #9
    Sorry this happened, Arn. It's probably prudent to put this as an alert on the front page. It's more important than 'Retina iPad Mini Now on Sale'.

    edit: Thanks, it was the right thing to do.
     
  9. Jessica Lares macrumors G3

    Jessica Lares

    Joined:
    Oct 31, 2009
    Location:
    Near Dallas, Texas, USA
    #10
    *Sigh* Another day, another password to change.

    If we delete PMs, do they still stay stored in the database?
     
  10. arn thread starter macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #11
    all moderator/admin passwords were forcibly reset.

    arn

    ----------

    pretty sure they are removed from the db.

    arn
     
  11. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #12
    There was in fact an issue with what he described yesterday, just before the site was taken offline.
     
  12. MacNut macrumors Core

    MacNut

    Joined:
    Jan 4, 2002
    Location:
    CT
    #13
    Was this related to the server issues or something different entirely?
     
  13. firedept, Nov 12, 2013
    Last edited: Nov 12, 2013

    firedept macrumors 603

    firedept

    Joined:
    Jul 8, 2011
    Location:
    Somewhere!
    #14
    Good to be back. Definitely was a tough day at the office for Arn. Hope you are a little more relaxed today. Cannot imagine this was an easy fix for you.
     
  14. Giuly macrumors 68040

    Giuly

    #15
    I know as much as everybody else here how much people dislike user interface changes, but how about upgrading to vBulletin 5?

    Just an idea.
     
  15. Menel macrumors 603

    Menel

    Joined:
    Aug 4, 2011
    Location:
    ATL
    #16
    If it has any risk of messing up their stellar mobile interface. No!
     
  16. TheAppleFairy macrumors 68020

    TheAppleFairy

    Joined:
    Mar 28, 2013
    Location:
    The Clinton Archipelago unfortunately
    #17
    It was tough having the forum down during the launch of the new iPad mini but we survived.

    Password has been changed, thanks for the heads up. I actually have a different password for everything and a good way of remembering them all. If I do forget I have 1Password to help me out.
     
  17. LostSoul80 macrumors 68020

    LostSoul80

    Joined:
    Jan 25, 2009
    #18
    It was a breach in vBulletin accessible via a privileged account.
    This means someone got a password of a staff member with at least moderator privileges, and used his privileges to inject a banal malicious code prompting users to enter their passwords, even if they were already logged in.

    If you happened to search for new posts yesterday, you would have seen a Test announcement appearing forum wide. It was posted by a moderator of these forums.


    If you haven't inserted your password in the prompt, there is no reason to change it now. Passwords are saved salted and hashed.
     
  18. Giuly macrumors 68040

    Giuly

    #19
    vBulletin 5 has a mobile interface built-in, and it's kind of simian. I mean similar.
     
  19. arn thread starter macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #20
    sorry. had to repair a mysql table. hopefully we're back.

    ----------

    It was a little more complicated than that, and it's not necessarily just if you typed your password in. They were escalating and trying to get shell access on the server.

    arn
     
  20. needfx, Nov 12, 2013
    Last edited: Nov 12, 2013

    needfx macrumors 68040

    needfx

    Joined:
    Aug 10, 2010
    Location:
    macrumors apparently
    #21
    welcome back, good job handling it

    Just for info, some of yesterday's user posts missing, some of mine too
     
  21. Peace macrumors Core

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #22
    Glad stuff is back up. This happens with PHP..One of the downsides.
     
  22. rmwebs macrumors 68040

    Joined:
    Apr 6, 2007
    #23
    @arn Can I ask - I know you're still on vB 3.x but have you patched it to use a better password hash than MD5 and/or SHA1? I only ask as, if you've not, people need to know that basically users' passwords WILL be retrieved (reversing MD5 and SHA1 strings takes a matter of seconds).

    ----------

    It's not a PHP problem. It's a poor/dated code problem. PHP is perfectly fine if you write it correctly.
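
The upgrade asked about in the post above, moving a user table off fast MD5 hashes without knowing anyone's password, shown as an added example that is not part of the thread or of vBulletin's code. The legacy format `md5(md5(password) + salt)`, the row layout, and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value; tune to hardware)


def legacy_md5(password: str, salt: str) -> str:
    """Assumed legacy format: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def slow_hash(secret: str, salt: bytes) -> str:
    """Deliberately expensive hash, so each offline guess costs ITERATIONS rounds."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS).hex()


def wrap_legacy(row: dict) -> dict:
    """Offline step: no password needed, the stored MD5 digest becomes the KDF input."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-over-md5", "legacy_salt": row["salt"],
            "salt": salt.hex(), "hash": slow_hash(row["hash"], salt)}


def verify_and_upgrade(row: dict, password: str):
    """Return (ok, row). A wrapped row is rehashed from the password on first login."""
    salt = bytes.fromhex(row["salt"])
    if row["scheme"] == "pbkdf2-over-md5":
        candidate = slow_hash(legacy_md5(password, row["legacy_salt"]), salt)
    else:  # scheme "pbkdf2": hash taken directly over the password
        candidate = slow_hash(password, salt)
    if not hmac.compare_digest(candidate, row["hash"]):
        return False, row
    if row["scheme"] == "pbkdf2-over-md5":
        new_salt = os.urandom(16)
        row = {"scheme": "pbkdf2", "salt": new_salt.hex(),
               "hash": slow_hash(password, new_salt)}
    return True, row


# Constructed sample row, shaped as a legacy user table might hold it.
LEGACY_ROW = {"salt": "x9!", "hash": legacy_md5("correct horse", "x9!")}
```

Wrapping protects rows in the live table and in future backups; copies of the table taken before the migration still hold the bare MD5 digests, which is why a password change is still asked for after a breach.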
     
  23. Goftrey macrumors 68000

    Goftrey

    Joined:
    May 20, 2011
    Location:
    Wales, UK
    #24
    The downtime must've mucked something up - my thread just vanished. Was there prior to the downtime. Now it's gone.
     
  24. rmwebs macrumors 68040

    Joined:
    Apr 6, 2007
    #25
    Yeah, all of my posts from yesterday are missing too. I guess they reverted to a backup to be on the safe side (i.e. not risking there being malicious code injected anywhere).
     
