March 2016 data breach

Calculus
Global Admin
Posts: 5
Joined: Sun Mar 13, 2016 8:27 pm

Post by Calculus »

If you used your Suikosource password at any other sites - even with a different username - please change it on those sites ASAP.

Shortly after the breach on Monday, March 14th, we disabled all Suikosource forum accounts’ passwords. You can use the “I forgot my password” link on the login page to get back into your account and set a new password. If you have trouble with the process, feel free to contact me (see below) or the Suikosource administrators.

With that out of the way, here’s some detailed Q&A about what happened. Feel free to stop reading here if you’re not interested.

Q: What happened? How did the attacker get in?

We believe the attacker guessed one forum administrator’s password, which (although not a common password) was not very strong. We’re not 100% certain when the attacker gained access, but the site’s logs and files show no signs of malicious activity until shortly before the attacker sent e-mail to all users on Monday, March 14th.

Q: What sensitive information did the attacker get?

Our best guess is that the attacker only had access to the forum’s administrative control panel, which means s/he would have had access to usernames and e-mail addresses.

However, we have to assume the worst: that the attacker could have gained access to the site’s database or to the underlying Web hosting account. If that happened, then the attacker would have had access to users’ hashed passwords, private messages, and locked boards.

Q: What’s a “hashed password?”

Passwords are stored after going through a “one-way” hash function that generates a unique “hash” from the password. Each time you log in, the site runs the password you submit through the same function. If the same hash results, then it knows that you entered your original password.

Unfortunately, some older hashing implementations (unsalted, fast hashes) are vulnerable to attacks using precomputed dictionaries of hashes, which take a great deal of computing power to generate but can then be easily shared and reused against any site that stored passwords the same way.

This means that if the attacker did gain access to the database, s/he will be able to determine some of the passwords, especially weaker ones. That’s why we’re requiring password resets, and strongly recommending that you reset your password anywhere else you used it.

Now, when you reset your password, it is hashed using the Bcrypt algorithm in a much more secure fashion.
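To make the difference concrete, here is an added illustration (not code from Suikosource or its software) of why an old-style unsalted hash falls to a shared precomputed dictionary while a salted, slow hash does not. The legacy scheme is assumed to be unsalted MD5, since the post does not name it, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt (assumption; it shares the properties that matter here: a unique per-user salt and a tunable work factor). The wordlist and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: weak passwords an attacker's wordlist would contain.
WORDLIST = ["password", "letmein", "suikoden", "qwerty123"]


def legacy_hash(password: str) -> str:
    """Unsalted MD5, assumed stand-in for the 'older hashing implementation'.
    Same password -> same hash for every user on every site."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once; the table can then be shared and
    reused against any database that used the same unsalted scheme."""
    return {legacy_hash(w): w for w in wordlist}


def crack_with_table(stored_hash: str, table: dict) -> Optional[str]:
    """O(1) lookup: no per-target computation needed at all."""
    return table.get(stored_hash)


# Modern side: salted and deliberately slow. PBKDF2-HMAC-SHA256 is used here
# as an assumption-labelled stand-in for bcrypt.
ITERATIONS = 200_000


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt>$<digest>'; a fresh random salt per
    password means the same password never produces the same stored value."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def table_recovers(password: str, table: dict) -> dict:
    """Show both schemes side by side for one password: the shared table
    recovers the legacy hash instantly and is useless against the salted one."""
    legacy = legacy_hash(password)
    modern = modern_hash(password)
    return {
        "legacy_recovered": crack_with_table(legacy, table),
        "modern_recovered": crack_with_table(modern, table),
    }


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(table_recovers("letmein", table))
    # {'legacy_recovered': 'letmein', 'modern_recovered': None}
```

Two users who both chose "letmein" get identical legacy hashes, so one table hit exposes both; with the salted scheme each stored value differs, and an attacker must spend ITERATIONS of work per guess per user, which is exactly why the reset to bcrypt matters even if the database was copied.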

Q: Who investigated this, and how? What are you doing to avoid future attacks?

I’m James Renken, the owner of Sandwich.Net. We’ve been Suikosource’s Web hosting provider for a very long time, but normally we’re only responsible for the lower layers of infrastructure that power the site. Vextor immediately contacted me after the attacker’s e-mail went out, and engaged our help in investigating and cleaning up after the breach.

I took a snapshot of the entire site, compared its state to the past 30 days’ worth of backups, and did a deep search for backdoors into the site that the attacker might have left. I reset all passwords and wiped out all session keys.
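The comparison described in the paragraph above (current snapshot against a known-good backup, then a look at what changed) is the kind of file-integrity triage a hosting provider can script. The following is an added example, not Sandwich.Net's or Suikosource's tooling: it fingerprints two trees with SHA-256, reports added, removed and modified files, and flags changed PHP files containing the obfuscation markers commonly found in planted backdoors (a heuristic, assumed here rather than taken from the post). The two trees are constructed in memory so it runs offline; `hash_tree` does the same for real directories.

```python
import hashlib
import os
import re
from pathlib import Path

# Heuristic indicators of obfuscated PHP (assumption: a review aid, not proof).
OBFUSCATION_MARKERS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def hash_tree(root) -> dict:
    """Map relative path -> sha256 for every regular file under a real directory."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def fingerprint(files: dict) -> dict:
    """Same map built from an in-memory {path: bytes} dict (constructed sample)."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def diff_trees(baseline: dict, current: dict) -> dict:
    """Compare two path->hash maps from a backup and a snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def flag_suspicious(paths, contents: dict) -> list:
    """Among changed files, list PHP files carrying obfuscation markers."""
    hits = []
    for p in paths:
        if p.lower().endswith(".php") and OBFUSCATION_MARKERS.search(contents.get(p, b"")):
            hits.append(p)
    return sorted(hits)


def review_changes(backup_files: dict, snapshot_files: dict) -> dict:
    """End-to-end: diff the trees, then flag new or altered PHP that looks obfuscated."""
    changes = diff_trees(fingerprint(backup_files), fingerprint(snapshot_files))
    changes["flagged"] = flag_suspicious(changes["added"] + changes["modified"], snapshot_files)
    return changes


# Constructed sample trees: a 30-day-old backup and the post-incident snapshot.
BACKUP = {
    "index.php": b"<?php require 'common.php'; ?>",
    "common.php": b"<?php define('IN_FORUM', true); ?>",
    "images/logo.png": b"\x89PNG\r\n\x1a\n...",
    "old_notes.txt": b"to do: upgrade",
}
SNAPSHOT = {
    "index.php": b"<?php require 'common.php'; ?>",
    "common.php": b"<?php define('IN_FORUM', true); eval(base64_decode('...')); ?>",
    "images/logo.png": b"\x89PNG\r\n\x1a\n...",
    "cache/.tmp.php": b"<?php /* constructed sample */ eval(gzinflate('...')); ?>",
    "styles/theme.css": b"body { color: #333; }",
}

if __name__ == "__main__":
    for key, value in review_changes(BACKUP, SNAPSHOT).items():
        print(f"{key}: {value}")
```

A modified core file such as common.php deserves a line-by-line diff against the backup even when nothing matches the markers; the markers only prioritise the review, and a clean comparison depends on the backup itself predating the intrusion.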

Vextor and I put the site behind CloudFlare, which provides an additional layer of security including a Web Application Firewall (WAF).

Suikosource’s administrators and I are still auditing the site’s many nooks and crannies for code that might be vulnerable to future attacks.

I also got HTTPS (SSL/TLS encryption) up and running for the site. Many pages don’t yet work properly under HTTPS, but I’m fixing that during the audit. Once that’s done, all unencrypted HTTP traffic will be redirected to HTTPS.

Q: What if I have more questions?

Feel free to post in the Information Section -> Forum Support board, or contact me at jrenken@sandwich.net.

Thanks for reading, and please accept all of our apologies for the trouble.