Majorgeeks.com Support Forum Pwned?

Discussion in 'The Lounge' started by nlorntson, Mar 2, 2016.

Thread Status:
Not open for further replies.
  1. nlorntson

    nlorntson Private E-2

    [From Major Geeks Admin: This is a note to all who have received the email sent out by the owners of Major Geeks and find this thread. Please be aware that the email is legitimate and you should take the measures specified. ]


    I got this notification from "Have I been pwned"

    Breach: MajorGeeks
    Date of breach: 15 Nov 2015
    Number of accounts: 269,548
    Compromised data: Email addresses, IP addresses, Passwords, Usernames
    Description: In November 2015, almost 270k accounts from the MajorGeeks support forum were breached. The accounts were being actively sold and traded online and included email addresses, salted password hashes and IP addresses.

    Is this true and if so, what has majorgeeks done to investigate and mitigate this hack attack?
     
    Last edited by a moderator: Mar 8, 2016
  2. brandonjones

    brandonjones Private E-2

    I received the same e-mail. If this is true, why were we not notified by MajorGeeks?
     
    thesmokingun likes this.
  3. imalive1459

    imalive1459 Private E-2

    Same question here.
     
  4. JDPCUS2013

    JDPCUS2013 Private First Class

    And the same question from me.

    Also, what do I now do about it?
     
  5. JDPCUS2013

    JDPCUS2013 Private First Class

    Yes, it's true. I went to https://haveibeenpwned.com/ and signed up for an e-mail telling me if I had been pwned. Today I got an e-mail saying I had: https://haveibeenpwned.com/
    ----------------------------------------------------------------
    Breach: MajorGeeks
    Date of breach: 15 Nov 2015
    Number of accounts: 269,548
    Compromised data: Email addresses, IP addresses, Passwords, Usernames
    Description: In November 2015, almost 270k accounts from the MajorGeeks support forum were breached. The accounts were being actively sold and traded online and included email addresses, salted password hashes and IP addresses.
    -------------------------------------------------------------------------------

    Go there and check if you have been pwned by putting in your e-mail address, or sign up for a notification e-mail that will tell you if you have.
     
  6. Eldon

    Eldon Major Geek Extraordinaire

    pendantry likes this.
  7. JDPCUS2013

    JDPCUS2013 Private First Class

  8. JDPCUS2013

    JDPCUS2013 Private First Class

    Thank you for the prompt reply. :)

    If this is the case then I suggest M.G. contact https://haveibeenpwned.com/ and inform them of this.
     
    thesmokingun likes this.
  9. Eldon

    Eldon Major Geek Extraordinaire

    I am not checking this site https://haveibeenpwned.com/ because I don't know if it's just a ploy to collect email addresses.
    You are safe on MajorGeeks. The owners go to great lengths to ensure that.
     
    pendantry likes this.
  10. JDPCUS2013

    JDPCUS2013 Private First Class

    It was in Computer Active Magazine in the U.K., so it should be safe.
     
  11. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    I've sent an e-mail to the owners. Hopefully they'll weigh in.
     
    Eldon and Kestrel13! like this.
  12. azume

    azume Guest

    haveibeenpwned.com is a legitimate website. It is operated by Troy Hunt, a Microsoft Most Valuable Professional & security researcher.
     
    MaxTurner and Kestrel13! like this.
  13. satrow

    satrow Major Geek Extraordinaire

    Some generic advice from MS:
    If you haven't followed the above yet, you should do so.
     
    katkat likes this.
  14. firestorm1

    firestorm1 Private E-2

    Thanks for the reassurance. I trust MajorGeeks but I changed my password just the same.
     
  15. katkat

    katkat Major kittykat

    It is unbelievable how many people use the same password for every account just because they say that way they can remember it. o_O

    ALL passwords should be changed often, no matter what the site.
     
    pendantry, Sgt. Tibbs and satrow like this.
  16. NWSunni

    NWSunni Private E-2

    It's a legitimate site. It has accurately reported hacks consistently and is an excellent resource. I just use the desktop version of Passpack to have it create a 12-character alpha, numeric, symbol password -- a unique one for every site.
     
    MaxTurner likes this.
  17. t001z

    t001z Private E-2

    First of all, https://haveibeenpwned.com/ has been around quite a while and is a legitimate security site, existing for no reason but to NOTIFY PEOPLE WHEN THEIR INFORMATION IS COMPROMISED. (See below for third-party references on the site.)
    Secondly, Eldon, for you to represent MajorGeeks and to state that ANY hack where personal information was taken (and it was taken!) is a "minor issue" just scares me and tells me that you know nothing of computer security. This hack took place 3 1/2 months ago, and instead of notifying members that their information was compromised you point to posts about new forum software - nothing about the hack itself? This stinks of trying to sweep it under the rug.

    The very least that MajorGeeks could have done is post an alert to everyone's account and send an e-mail suggesting changes be made to passwords. I used to think of MajorGeeks as a place that actually cared about the people it offered its services to, not loading files with malware, etc., but this leak/breach and the ensuing 3 1/2 months of zero notification call all of that into question.

    For those who don't want to go to https://haveibeenpwned.com/ yourself, here is what it says:
    MajorGeeks: In November 2015, almost 270k accounts from the MajorGeeks support forum were breached. The accounts were being actively sold and traded online and included email addresses, salted password hashes and IP addresses.
    Compromised data: Email addresses, IP addresses, Passwords, Usernames

    http://zd.net/1L6ISU7 - How to find out if your password has been stolen | ZDNet
    http://wboaref.com/go/45215/ - New website lets users check if their online credentials were exposed in hack attacks | PCWorld
    http://wboaref.com/go/51249/ - is haveibeenpwned.com a scam or legit | ScamAdvisor
    http://wboaref.com/go/26787/ - haveibeenpwned.com | WOT Reputation Scorecard (Web Of Trust)
     
    w3d, higrm and MaxTurner like this.
  18. t001z

    t001z Private E-2

  19. katkat

    katkat Major kittykat

    Did you read the link you posted? It says:
    "We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account."
    I found the comment on the PCWorld link you gave interesting, where one poster said they created a new e-mail account to test the site and it said that new, 5-minute-old e-mail had been pwned 291 times. Of course there is no way to know how reliable the poster is.

     
    Last edited: Mar 3, 2016
  20. higrm

    higrm Private E-2

    Yes, I too would have expected a notification about the hack as soon as it was detected. Regardless of whether the stolen passwords were salted or not, it should be standard behavior to acknowledge the breach.
     
  21. Imandy Mann

    Imandy Mann Sergeant Major

    I have several e-mail accounts and keep track of who I use each with. My account used for MG's and their Disqus replies to news items has never had any strange activity. Checked it just now and it has 9 new messages from the only contact I also gave the account's info to, and 3 spams from another company which I also gave it to but haven't moved to approved yet. SO after 2 1/2 months I have never received any funny mail. All names are fictitious so would be of little value anyhow!

    Go Geeks!
     
    Eldon and katkat like this.
  22. Corporal Punishment

    Corporal Punishment Administrator Staff Member

    Looking into it now - We'll respond when we know something solid.
     
    DavidGP and Eldon like this.
  23. t001z

    t001z Private E-2

    That link was from 2 years ago. It has nothing to do with the current breach. I don't know whether the article is simply pointing out that vBulletin was attacked and vBulletin is reporting that they are changing passwords, or if MajorGeeks used vBulletin software and THEY forced users to change passwords. If it was the latter, then they should have done the same this time. If it was the former, they should have known that a password change is a bare minimum.
     
  24. katkat

    katkat Major kittykat

    You gave the link.
     
    Eldon, Caliban, dr.moriarty and 2 others like this.
  25. Imandy Mann

    Imandy Mann Sergeant Major

    That's funny. I did a belly laugh!
     
    katkat and Kestrel13! like this.
  26. t001z

    t001z Private E-2

    Yes because it sets a precedent or at a minimum should show that MG should know better.
     
  27. Corporal Punishment

    Corporal Punishment Administrator Staff Member

    t001z - We haven't used VB3 since November. So, like I said, I'm looking into it now. No hacker ever wrote me to say "woot I have your user list" and the author of the article you reference hasn't contacted us either. I'm finding some of this out just like you.

    Is it possible? Yes. Everything is hackable. We moved from VB3 due to its age and new hack attempts showing up. In that time frame we know that there was an exploit in uploaded user images. But that's why we are here on XenForo software now.

    The VB3 software we had has had salted passwords since long ago. Meaning even if you know the VB3 hash -- good luck. Should you change your password? Of course. Even the slightest hint and it should be changed. You should change it that often anyway. I am working on making XenForo force a password change now, but that functionality doesn't seem to be built in. I have contacted some support for that issue.

    There are 270K or so users. Some of those mails are well over 15 years old and odds are they are no good anymore. If I try to bang out a bulk mail, the rejects will blacklist the IP and, well, no one will ever see it. So right now that's not an option. I've made a call to our ISP for their recommendation.

    All that said, the biggest risk here is that there would be a list of MajorGeeks users; hence someone would want to spam those users as if it were coming from MajorGeeks.

    So the best thing is to advise people to change their passwords, have a good AV program like BitDefender http://www.majorgeeks.com/files/details/bitdefender_free_edition.html and maybe add an anti-spam utility like SPAMfighter: http://www.majorgeeks.com/files/details/spamfighter.html

    No one takes personal security more seriously than me. Nor is the trust placed upon us when someone offers up their e-mail to type questions here taken lightly. I get it. So just as soon as possible, I promise, we will find the best way to reach out to 270K of our closest friends and force the password change.
     
    DavidGP, higrm, Kestrel13! and 6 others like this.
  28. t001z

    t001z Private E-2

    Thank you for posting this information. I agree with what you said above and understand the dilemma of trying to e-mail the old accounts. The part that got me "fired up" earlier was that I also got the e-mail from haveibeenpwned.com, and I came to the forums to change my password, etc., and came across the message from Eldon stating that the hack exposing users' information was a "minor issue". As a security professional, a statement like that (from someone who - like it or not - represents your site) is very distressing.
     
    DavidGP and higrm like this.
  29. Eldon

    Eldon Major Geek Extraordinaire

    I did not say that.
    I said:
    If passwords were compromised, don't you think the hacker would target staff members first? That has not happened, and I still have the same password.
    Security is very important to the owners, as is the reputation of MajorGeeks Support Forums.
     
    pendantry likes this.
  30. Corporal Punishment

    Corporal Punishment Administrator Staff Member

    Both points are 100% valid. Any hack has to be taken seriously. But MajorGeeks doesn't store info on users of any real value. E-mail is about it. No address, phone number, real name, etc. We've done that since day one just in case something like this happened. I don't care how smart you think you are or how careful you go about things, the hacking community has proven that they can compromise pretty much anything.
     
    DavidGP, Eldon and katkat like this.
  31. l0l

    l0l Private E-2

    As someone who logs and researches breaches on sites and helps them when attacked, I just have to find it ironic you never noticed before. It's also funny, as I sent an e-mail to you over 6 months ago about this to warn you guys, as you were breached twice in 2015, not once.

    I was also the one to alert Troy Hunt/HIBP to the breached data, as it had been posted on some hacking forums while also being traded/sold. Seeing as I never got a response to the message I sent last year, which was sent to multiple site owner e-mails, I thought Troy Hunt would be the best bet at getting the news out.

    Your database was breached May 31st 2015 and 12th November 2015.

    It's odd though how you moved to XenForo mere days after the November hack. You could have at least warned your users.

    What if these users used the accounts, say, on PayPal? Or their online bank accounts?

    MD5 was cracked years ago and yes, vBulletin 3 salted hashes can be cracked. I have an old license to PasswordsPro, which is a CPU-based password cracker. I took the first 14 users from the leaked database and already have the logins to 4 users; however, these used the old default vB3 salts.

    I then took the staff list of this site and within 30 seconds I had the login to an administrator account! No, I haven't tried it, as I am not a malicious user, but if I was I could easily install a password logger within XenForo's template system. The next staff member after that was you. Yes, your password was cracked within 10 minutes.

    Anyway, now some advice so you can prevent future attacks.

    • Force reset all user passwords: https://xenforo.com/community/resources/force-password-change.3650/
    • Demote any old inactive staff accounts to normal users.
    • Remove admin access to the templates, at least for those that don't need access.
    • Add .htaccess protection to admin.php. Give each staff member their own user/pass; this way you can tell if they're compromised.
    • Make sure all admin passwords are unique, randomly generated ones.
    • Force all staff to enable Two-Step Verification.
     
    higrm likes this.
  32. Corporal Punishment

    Corporal Punishment Administrator Staff Member

    I believe you are sincere and appreciate your efforts, but I never received an e-mail from you. I wish I had. Please feel free to e-mail jim@ this site for anything in the future.

    We were looking into forums for months, knowing that VB3 was getting too old to use. In November there was a hack attempt that allowed overwriting of images through the user uploads. That was why we moved systems then. Clearly these two things are related.

    Thanks for the force password change - I was surprised XenForo did not have any option for that.
     
    l0l likes this.
  33. l0l

    l0l Private E-2

    That's odd, I sent it to like 4 different e-mails, i.e. the whois e-mail, that sort of thing. Pretty sure one was jim@, but it was ages ago and I can't seem to find which e-mail I sent the message from.

    From the looks of the dump that was leaked, you appear to have had a backdoor in the vBulletin database, but I would also check the whole server to be safe, more so files around those dates from my above post. It's very possible a PHP shell/backdoor was left on the server somewhere.

    Not a problem on the forced pass change mod. If you need any other help XenForo-wise or have questions, please feel free to e-mail me (the one under my profile). I'm a XenForo user also, with 4 licenses, but I'll admit I am no expert haha.
     
  34. Corporal Punishment

    Corporal Punishment Administrator Staff Member

    My phone number is on the whois too. I highly appreciate those like yourself. No way I can be an expert on everything either - especially when the hacking groups out there now are soooo damn good. We need people like yourself watching our backs.

    The mod is installed for forced passwords.

    Please let me know if it is working. I wish it was more robust, like force every 30 days etc. Or a message as to why.

    As to e-mailing everyone - right now that is proving challenging from a mail perspective. Basically the mails have to be exported and cleaned through a service for defunct addresses, then re-imported and sent. Gonna take a bit.
     
    DavidGP, satrow and l0l like this.
  35. Eldon

    Eldon Major Geek Extraordinaire

    It's working.
     
  36. l0l

    l0l Private E-2

    I didn't think to try the number, sorry for that. And XenForo is much more secure; just never use anything from Brivium(.com), they're known pirates/hackers and got banned from XenForo's community.

    As for the forced pass reset every 30 days, I am sure a plugin like that can be made. Try speaking to the guys at Audentio(.com) or PixelExit(.com); I use both their services and haven't had any issues.

    As for a mass mail, you could set up mailgun(.com). They offer 10,000 free e-mails per month and then charge $5/10,000, but the more you send the cheaper it'll get, and you can even connect it to XenForo with SMTP, meaning you don't need to export all the e-mails and check them.

    And the forced pass worked, like @Eldon said before me.

    I would change any admin logins by hand though, to be safe, as this asks you to change pass first. Under the admin panel you can also put forced 2-step on accounts, meaning all staff would need to use it, which adds a second layer of protection on accounts. Just like Google, you can connect it via app/e-mail and can export 10 backup codes.
     
    DavidGP likes this.
  37. Sgt. Tibbs

    Sgt. Tibbs Ultra Geek

    The force password change is there, but since I just changed mine a couple of days ago I thought I'd do an experiment... It will let you enter the exact same password as a "change".
     
    Imandy Mann likes this.
  38. Corporal Punishment

    Corporal Punishment Administrator Staff Member

    That's cool - I'll check it out. MailChimp doesn't connect, or even integrate at any level.

    I don't care about the cost, looking to get this out ASAP. I'm always leery about using something like that that connects directly. I'd rather have a list I create that I can delete when done.
     
    l0l likes this.
  39. Corporal Punishment

    Corporal Punishment Administrator Staff Member

    DOH!
     
    pendantry, Imandy Mann and Kestrel13! like this.
  40. l0l

    l0l Private E-2

    That's odd, it shouldn't allow that, but saying that, I've never tried using the same pass on XenForo.

    That's true. Best be secure.

    Also, would it be possible to enable Multi-Quote? Admin > Home > Options > Messages > tick "Enable Multi-Quote" and "Enable Select-to-Quote". The URL should look like admin.php?options/list/messageOptions. Thanks. :)
     
  41. satrow

    satrow Major Geek Extraordinaire

    Cut Eldon some slack, please. His involvement as Moderator here began some time after XenForo was implemented; he shouldn't be expected to know about everything staff-side previous to that.
     
    pendantry, Mimsy, LauraR and 3 others like this.
  42. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I got the forced password change screen pop up, and couldn't log in; it would not accept my original password... After a series of failed attempts, I clicked the shortcut link on my browser for MajorGeeks and got straight back in..... ? I will do a password change manually, I guess...
     
  43. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sent you an email Jim as I have a little problem.
     
  44. Imandy Mann

    Imandy Mann Sergeant Major

    I used the same to verify. If it is ever started to check to not re-use the same password, I have a similar backup word. As long as there wasn't a history check of old passwords, I would just bounce back and forth. For people who have only 1 e-mail, the forced new password should give a feel of security. All should have a throw-away account so as not to mix their most needed traffic with more relaxed communications and surfing.
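    The two gaps observed in the thread (Sgt. Tibbs found the forced change accepts the unchanged password; Imandy Mann notes that without a history check one can bounce between two passwords) are what a password-change handler should close. The following is an added example written for this thread, not XenForo's code or the forced-change mod; the `Account` class and the PBKDF2 parameters are assumptions made for illustration.

    ```python
    import hashlib
    import hmac
    import os
    from typing import List, Optional, Tuple

    # Illustrative parameters (assumed for this example, not XenForo's defaults).
    PBKDF2_ITERATIONS = 100_000
    HISTORY_DEPTH = 5          # how many previous passwords are remembered
    MIN_LENGTH = 12


    def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        """Return (salt, digest) using a fresh random salt per password."""
        salt = salt if salt is not None else os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        return salt, digest


    def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
        """Constant-time comparison against a stored (salt, digest) pair."""
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)


    class Account:
        """Hypothetical account record: current hash plus a bounded password history."""

        def __init__(self, username: str, password: str) -> None:
            self.username = username
            self.salt, self.digest = hash_password(password)
            self.history: List[Tuple[bytes, bytes]] = []   # older (salt, digest) pairs
            self.must_change = True                         # set by a forced-reset flag


    def change_password(account: Account, new_password: str) -> Tuple[bool, str]:
        """Apply a forced password change; returns (accepted, reason).

        Rejects: too-short passwords, the unchanged current password, and any of
        the last HISTORY_DEPTH passwords (so A -> B -> A bouncing is refused).
        """
        if len(new_password) < MIN_LENGTH:
            return False, "too short"
        if verify_password(new_password, account.salt, account.digest):
            return False, "same as current password"
        for old_salt, old_digest in account.history:
            if verify_password(new_password, old_salt, old_digest):
                return False, "recently used"
        # Rotate: current hash goes into history, history stays bounded.
        account.history.append((account.salt, account.digest))
        account.history = account.history[-HISTORY_DEPTH:]
        account.salt, account.digest = hash_password(new_password)
        account.must_change = False
        return True, "changed"
    ```

    History is bounded, so after HISTORY_DEPTH further changes an old password becomes acceptable again; raise HISTORY_DEPTH if that window is too short for your policy.
    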
     
  45. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I changed my password and everything seems to work now.
     
  46. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi all

    While I have not had any issues re passwords or my account being hacked, I do take these things seriously as an ex-Microsoft MVP in Windows for 7 years and on this forum for longer. We have changed the forum software, as mentioned, due to vB being less secure and issues starting to arise last November, and I have typed up this quick guide on the Two-Step Authentication method that this forum software offers; it's a wise choice: http://forums.majorgeeks.com/index.php?threads/forum-logon-two-step-security.297268/

    On this thread's issue, I did check with that listed website, and for my e-mail and username for this site it was "Good news — no pwnage found!"

    That said, I don't know where that hack listing came from and how real it is. I would think Jim (co-owner of MajorGeeks) will, as I know he will dig out any issue.

    I agree with many that being told up front of issues is wise, but in the main we do that. Maybe we don't send out an e-mail to all users; we can learn from that, but we do normally notify on the forum for users that frequent the forum on a daily/weekly/monthly basis.
     
    Last edited: Mar 5, 2016
    katkat likes this.
  47. ItsWendy

    ItsWendy MajorGeek

    I just changed my password due to the changes (the forum made me do it), then went looking for this thread, which I knew had to be here.

    Are we going to have to change passwords every 30 days? I hope not. I use a different password for every site myself.
     
  48. satrow

    satrow Major Geek Extraordinaire

    Ooops, tempus fugit eh?
     
    Eldon likes this.
  49. Eldon

    Eldon Major Geek Extraordinaire

    Help?
     
  50. Imandy Mann

    Imandy Mann Sergeant Major

    "Time flies"
     
    satrow and Eldon like this.