Topic: Simple Portal hacked (Read 2773 times)

Simple Portal hacked

Got this by email

Quote
Dear SimplePortal community members,

On 17 June 2016, we discovered that unauthorized access to our website and database had been obtained on 16 June 2016. We determined that the unauthorized access has been obtained using stolen credentials of a high-level user.

We would like to make it clear that your personal SimplePortal installations were not affected in any way by this. We would like to assure you that your installations running the latest versions of SimplePortal and SMF should be safe. The unauthorized access was restricted to just our website.

The hacker attempted to download our database, but as of yet we are not certain that it was successful. Regardless, it's possible that your usernames, emails and hashed passwords have been retrieved by the attacker.

For this reason, we would like you to change your passwords for this website and we strongly advise you to change your passwords on any other website where you may have been using the same passwords. Using unique passwords on all websites is very important to prevent such attacks. Note that, if you had shared passwords using the personal messaging system, they can no longer be considered safe and need to be changed as well.

To ensure the safety of our website, we have updated all the relevant credentials and rebuilt our installation from the ground up. We will implement stricter security policies in the coming days to make sure that such an unfortunate event does not happen again.

We are truly sorry for what happened and we deeply apologize for the inconvenience this has caused. We hope that you will continue to support us to make SimplePortal a better portal solution for your forums.

-The SimplePortal Team

Re: Simple Portal hacked

Reply #1

This is why SMF needs a 2FA mod.
LiveGallery - Simple gallery addon for ElkArte

Re: Simple Portal hacked

Reply #2

Quote from: meetdilip
Quote
We determined that the unauthorized access has been obtained using stolen credentials of a high-level user.

They made it sound like it was easy to steal the said user's credentials or the said user was not careful enough.

I remember emanuele was just talking about a private repository for security patches.

And if 2FA is good to prevent the stealing or reduce its risk, then it should be implemented.

Re: Simple Portal hacked

Reply #3

2FA is in ElkArte 1.1 thanks to @TE

One of the main issues with stolen SMF DBs is that the user's password hash can be used as credentials on other SMF installs. Meaning if you used the same password on other SMF sites, the attacker does not need to "crack" the password as the hash can actually be used in some instances.

Past that, the old hash is not particularly expensive to compute, so you can run various attacks against a stolen db at a very high rate of speed = tasty to break = less time for users to change their passwords.

More "expensive" cryptographic functions do slow the rate of iteration / discovery, but are just as susceptible to being cracked. It's also easy to target privileged users in the db to narrow the scope / work. A benefit is that it gives a bit more time to allow users to update their passwords (after a breach) as the cracking may be 100 or 1000 or ..... times slower, but you are still looking at an insane number of iterations per min.

For fun, I ran the list of 500 most common passwords against some of my site DBs and I had a ~4-5% success rate at password capture overnight. I've read articles where that number is much higher, approaching 10%.

Once a db is stolen it's important to change your password, and since they will be stolen, it's important to have 2FA.
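
The cost argument in Reply #3, worked through as an added example that is not part of the original thread: it measures the per-guess cost of a cheap hash against an expensive one and projects how long a 500-word list takes across a user table, which is the window users have to rotate passwords. Salted SHA-1 standing in for a cheap legacy hash, PBKDF2-HMAC-SHA256 at 100,000 iterations, the account count and all function names are assumptions chosen for the illustration.

```python
import hashlib
import os
import time

WORDLIST_SIZE = 500          # the "500 most common passwords" list from the post
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the expensive hash


def fast_hash(password: bytes, salt: bytes) -> bytes:
    # Assumption: one round of salted SHA-1 represents a cheap legacy hash.
    return hashlib.sha1(salt + password).digest()


def slow_hash(password: bytes, salt: bytes) -> bytes:
    # Deliberately expensive: the same guess costs PBKDF2_ITERATIONS HMAC rounds.
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def seconds_per_guess(hash_fn, samples: int) -> float:
    """Average wall-clock cost of hashing one candidate password."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(b"candidate-%d" % i, salt)
    return (time.perf_counter() - start) / samples


def exposure_window(per_guess: float, accounts: int) -> float:
    """Seconds to try the whole wordlist against every account.

    With a per-user salt each account needs its own pass over the list,
    so the work is wordlist size times number of accounts.
    """
    return per_guess * WORDLIST_SIZE * accounts


def compare(accounts: int = 10_000) -> dict:
    fast = seconds_per_guess(fast_hash, 20_000)
    slow = seconds_per_guess(slow_hash, 5)
    return {
        "slowdown": slow / fast,
        "fast_window_s": exposure_window(fast, accounts),
        "slow_window_s": exposure_window(slow, accounts),
    }


if __name__ == "__main__":
    result = compare()
    print(f"slowdown factor:       {result['slowdown']:,.0f}x")
    print(f"cheap hash window:     {result['fast_window_s']:,.1f} s")
    print(f"expensive hash window: {result['slow_window_s'] / 3600:,.1f} h")
```

The figures are for a single CPU core in Python, so the absolute numbers matter less than the ratio between the two windows.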

Re: Simple Portal hacked

Reply #4

By the way, how do we use this 2FA like in here? ;D

 

Re: Simple Portal hacked

Reply #5

Carry a cell phone? You're tracked.
LiveGallery - Simple gallery addon for ElkArte