Ubuntu Forum compromised (how serious)

system · July 26, 2013, 8:24pm

How serious is this

I have an account with this website and use the same password for other things,does this mean I need to change the passwords on these other accounts ?

Mark_Greaves_PCNetSp · July 26, 2013, 9:58pm

According to Canonical the passwords were encrypted … so it’s up to you if you trust

a) that they’re telling the truth
and
b) that they won’t crack the encryption

Personally I’d change the password on at least your email address (if it uses the same password) … as that can be used to verify other things, such as a change to your banking password, etc.
and anything important (that uses the same login details) such as banking … really email and important sites should be on a different password anyway.

–

Degsy · July 27, 2013, 7:46am

I changed mine just to be on the safe side, can’t be too careful.

Degsy

Mark_Greaves_PCNetSp · July 27, 2013, 9:03am

Here’s an email I received from the SMF forum that illustrates the scale of the problem -

Dear valued community members,
On the 22nd of July 2013, it was discovered that unauthorized access to our website and database has been obtained on the 20th of July.
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.
One of the admin accounts password was discovered, and from there further escalation wasn’t too difficult considering admin privileges can do just about anything.

Unfortunately, we are 100% sure that our user database has been stolen.
As such we HIGHLY RECOMMEND, even implore you, to:
1.) Change your password on other websites you are using, if you use the same password there. This is very important to do, as it also will help prevent other websites being hacked through your compromised password, if it is compromised.
2.) Change your password here on our website.
3.) If you use the password you use here anywhere else, say for example to login to your webhost, it is highly urged to change it.
4.) Please note that personal messages may have also been compromised. We don’t know for sure if the hacker only downloaded the user tables or not, although that’s the only thing he/she is after. If they did: keep in mind that passwords you shared through PM should now be considered vulnerable. It’s best not to take the risk and gamble, and just change any password you shared through PM as well.
5.) Charter members, current and past, are encouraged to change ALL passwords if they ever sent any in to us. That would include FTP.

Please keep in mind:
This is !!NOT!! a security issue with the SMF software. If you are running the latest SMF version you have nothing to fear from this hack if you use different passwords.

The method used by the hacker is that a database is downloaded from another hacked website, the passwords are attempted to be decrypted and if it is successful: they try to login to other websites using that username & password, or try to cross-reference by using password reset links.
Unfortunately for us, a Administrator used the same password elsewhere on another site and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to login here with admin rights.
Hundreds of websites have been hacked lately by using this method, so you are highly encouraged to change your passwords…

… And remember: don’t use the same password on multiple sites!
It helps to prevent hacks like this.

Thank you for your consideration and we deeply apologize for any inconvenience this causes for you.
By changing your passwords, you will help ensure that other sites do not fall victim to this method of hacking and help put a halt to the hacking spree that has affected hundreds, if not thousands, of websites already.

Any questions, please do feel free to ask.
Please stay on topic.

Kind regards,
Board of Directors
Simple Machines

system · July 27, 2013, 7:35pm

Sounds serious enough to me, it’s difficult to know it’s full implications but the PM thing is a worry, coincidentally my daughters hotmail account was compromised this week as well so for me it’s brought to the fore the importance of protecting privacy online if it’s even possible these days

Graeme

Mark_Greaves_PCNetSp · July 27, 2013, 10:34pm

It’s one of those strange issues … good practice says have a different password for each website, but we’re only human and can have difficulty remembering one let alone hundreds.

Personally I generally use 5

one (only used) for email

one (only used) for my account on here (as it’s an admin account)

one (only used) for the Peppermint forums (as it’s an admin account)

one (only used) for the Ubutu single login ← which is a stupid idea in the first place

and one I use “pretty much” for all the other things that don’t really matter … such as the SMF forum and some other forums.

OK, they may now have an email address of mine (but they can’t have the password), and possibly a password that may open some forums … so the worst they could do is log into some forums accounts that I rarely use.

My point is NEVER, EVER use your email account password for ANYTHING else … Use a separate password for important stuff … and one for everything else.

[EDIT]

Oh and I immediately changed the Ubuntu single login password, as that could have compromised the Peppermint repository.

–