Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors Forums: Security Leak

Another site where I hang out frequently, a photography site, is about to make a switch to a new server for space reasons but also they are moving to a new/different forum software program, XenForo. Have you guys looked into this or any other forum software as an option to moving beyond vBulletin, which has apparently been the source of problems lately here and yes, definitely on other forums? On the other forum, one of the admins noted that it has been very interesting seeing how many other forums have been making the switch away from vB, which, while in its heyday was the "gold standard," for various reasons sadly is considered that no more. Something the Admins team here might want to take under consideration......
 
Blackened said:
someone hacked my best buy acct this morning and placed an order, got it cleared up, but wonder if there's a connection?
Click to expand...

I'm not trying to deflect blame, but let's not forget we're not the only recent password breach on the internet:

Adobe: 38 million username, password credit cards
PR Newswire: username / passwords
Cupid Media: 42 million username / passwords
vBulletin.com - 400,000 username / email / password

But ya, if you used the same password on both MR and BestBuy, it's possible.

arn

----------
Clix Pix said:
Another site where I hang out frequently, a photography site, is about to make a switch to a new server for space reasons but also they are moving to a new/different forum software program, XenForo. Have you guys looked into this or any other forum software as an option to moving beyond vBulletin, which has apparently been the source of problems lately here and yes, definitely on other forums? On the other forum, one of the admins noted that it has been very interesting seeing how many other forums have been making the switch away from vB, which, while in its heyday was the "gold standard," for various reasons sadly is considered that no more. Something the Admins team here might want to take under consideration......
Click to expand...

We've looked and are still looking at Xenforo.

Xenforo is still maturing. It's not easy to switch.

arn
 
I hear you on that! The admins at the other forum have been testing XenForo and putting it through its paces for the past couple of months (on a "mirror site") and are only now about ready to go ahead and make the big change on the actual forum. From what I've seen of their comments regarding it, they feel that XenForo seems to be somewhat of a smoother transition from vB than some other programs might have been, but of course even after they go live with it and implement it there will still be some things which will need to be worked out. Glad to know that you guys are looking at XenForo and other options!
 
I got the email last night... and this happened on the 11th? You need to teach your mail service/webhost about distribution lists... that's just ridiculous...

I'm not angry... I didn't even know I had an account here. Turns out I hadn't logged into it either for over 4 years... I also have no idea WHY I have an account here...

Had hoped it explained how someone found my yahoo and gmail accounts that were attempted hacked a few weeks ago, but no, they're not registered here. Those two accounts have also not been used publicly for a very long time, which makes it even weirder that someone would try hacking them. I don't use them for any website that requires a login, I simply don't trust webbased email for anything remotely secure.
 
metalbunny said:
I got the email last night... and this happened on the 11th? You need to teach your mail service/webhost about distribution lists... that's just ridiculous...
Click to expand...

For reference, Arn posted here and here advising that it isn't easy sending 800,000+ emails at once. They have to stagger and trickle them out which is why it took so long for you to get yours.
 
Blackened said:
someone hacked my best buy acct this morning and placed an order, got it cleared up, but wonder if there's a connection?
Click to expand...

Yes.
If you get your car stolen, remember to post an update here. MR will probably offer a refund, since there may be a connection there too.
 
grof-e said:
So this happened on Nov 11th and I only received an email today - 10 days later!
Click to expand...

For reference, Arn posted here and here advising that it isn't easy sending 800,000+ emails at once. They have to stagger and trickle them out which is why it took so long for you to get yours.
 
Doubly Screwed

So I want to delete my account, go to the Control Panel and there is NO WAY to do that (that I can see). Try the "contact us" and that leads to a "invalid redirect" message, meaning I can NOT contact you.


WTF?
 
Thread Name: "MacRumors Forums: Security Leak"
Headline: "MacRumors Forums Security Leak: Please read our notice about a possible security leak on MacRumors Forums"

Well which is it?
 
Señor said:
Thread Name: "MacRumors Forums: Security Leak"
Headline: "MacRumors Forums Security Leak: Please read our notice about a possible security leak on MacRumors Forums"

Well which is it?
Click to expand...

Try: actual security leak.
 
And the spam pours in...

Well, the spam is pouring in from this breach. Both sent from the very old address I had on this site.

If this helps anyone with this issue:

Subject: T-Mobile MMS Service
Return-Path: Adrian0e355@w8n4iam.com

Subject: Baidu Antivirus: Important System Update - requires immediate action
Return-Path: Valerie82a@portaprop.com
 
Earendil said:
The link appears to be dead. Could you summarize what you found and what you think the MR staff can do about it, and what they should do about it?
Click to expand...

The guy was paying 5 and 10 bucks a piece for passwords and posting the hashes. There were probably 80 passwords in that thread and the newest posts were today. He is proactively obtaining the actual passwords for $$$ and I would think MR could at least send notices to these sites to ask them to either remove his account or disallow what he is doing on some level.

I clicked the link again and it worked. Weird.

Example of what I am talking about:
 

Attachments

  • Screen shot 2013-11-22 at 4.01.36 PM.png
    Screen shot 2013-11-22 at 4.01.36 PM.png
    144.6 KB · Views: 137
  • Screen shot 2013-11-22 at 4.03.16 PM.png
    Screen shot 2013-11-22 at 4.03.16 PM.png
    30.5 KB · Views: 115
Lucky736 said:
The guy was paying 5 and 10 bucks a piece for passwords and posting the hashes. There were probably 80 passwords in that thread and the newest posts were today. He is proactively obtaining the actual passwords for $$$ and I would think MR could at least send notices to these sites to ask them to either remove his account or disallow what he is doing on some level.

I clicked the link again and it worked. Weird.

Example of what I am talking about:
Click to expand...

I checked our database from before for ~10 of those hashes. none of them appear. so they aren't from MacRumors

arn
 
I have been having a weird activity with my phone number and ATT account since this security breach. Basically someone trying to mess with my account. Anyone else got weird survey phone calls from "AT&T"? then I received texts talking about a change to my account with a PIN and other weird things....
 
Lucky736 said:
Thank You for replying. Got those links from an earlier post in this thread.
Click to expand...

It's worth noting that at least one of those hashes is an SHA-1 hash. Also, all the characters after the ":" in the posted hashes are the salt used - the ones like "Found" and "admin" and "yahoo123."

So whoever this guy is, he's gotten passwords from many different sites. I assume he's targeting admin-level accounts in his pay-for-passwords postings.
 
1337day.com is a SCAM

I'm posting here because 1337day.com claims to have done the macrumors breach. 1337day is a SCAM.

1337day.com is a scam site. They do not have the 0days they are selling for.

Their address is http://blockchain.info/address/1AWqYR4CCP5j9GEqMNk8b3ZNPPfG5Jniu1

As you can see I purchased the vBulletin 0day with this transaction:

vBulletin v4.x.x and 5.х.x Shell Upload / Remote Code Execute (0day)

https://blockchain.info/tx/2380e1187dac2c76ddf7430ecf5a0573bc415f595f01e46796c8acf201cfb4f6

I received an email from admin@1337day.com asking for jabber or skype. Here's our logs: (timestamps removed for my anonymity)


1337day
here

joshzerlan@jwchat.org
ok, so what about the vBulletin 0day?

1337day
Hello

joshzerlan@jwchat.org
Hi

1337day
Bro please tomorrow , at the moment i back home
today or tomorrow

joshzerlan@jwchat.org
what's with the youtube video saying you scammed someone over the MS office 0day?

1337day
I waited for you all day
this man make video to get stuff for free
many kids idiots

joshzerlan@jwchat.org
okay, when will you be able to disclose it?
(not sure what time zone you are in)

1337day
today

joshzerlan@jwchat.org
ok. I'll be available here. thanks

1337day
respect
add me

joshzerlan@jwchat.org
added

1337day
you use windows?

joshzerlan@jwchat.org
no
you responsible for macrumors?

1337day
yes
you want database?)

joshzerlan@jwchat.org
that wasn't done through a 0day
that was done through XSS

1337day
no)

joshzerlan@jwchat.org
http://gyazo.com/dc04ae4ecd2ff1eb0a43191f6778369c

1337day
)
my screen)
do you want this database?

joshzerlan@jwchat.org
it would make me
more comfortable if i know you actually have a 0day

1337day
3 btc and i give you database)
interest?

joshzerlan@jwchat.org
show me some proof first

1337day
proof? you send me 10 btc and you want proof?

joshzerlan@jwchat.org
you want me to send more

joshzerlan@jwchat.org
so?
you don't have the 0day.


1337day
and?

joshzerlan@jwchat.org
posting about scam reports on all the forums now
i'll make sure the #2 search result for 1337day is a scam report

1337day
show me

-----

As you can see, they claim responsibility for the MacRumors attack when it was done by someone using the name 'lol'. That attack was through compromising a moderator account, and making a XSS announcement. The actual hacker of MacRumors has said 1337 didn't do **** with proof:

http://gyazo.com/dc04ae4ecd2ff1eb0a43191f6778369c

1337day are scammers - do not pay them.
 
arn said:
We've looked and are still looking at Xenforo.

Xenforo is still maturing. It's not easy to switch.

arn
Click to expand...

Please please please don't even consider xenforo, it is absolutely garbage, avforums.com has just moved to it and it has completely ruined it.
 
Z3man said:
Please please please don't even consider xenforo, it is absolutely garbage, avforums.com has just moved to it and it has completely ruined it.
Click to expand...

ya. no one takes kindly to changing software. it's a massive change.

arn
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back