Majorgeeks.com Support Forum Pwned?

[From Major Geeks Admin: This is a note to all who have received the email sent out by the owners of Major Geeks and find this thread. Please be aware that the email is legitimate and you should take the measures specified. ]


I got this notification from "Have I been pwned"

Breach: MajorGeeks
Date of breach: 15 Nov 2015
Number of accounts: 269,548
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Description: In November 2015, almost 270k accounts from the MajorGeeks support forum were breached. The accounts were being actively sold and traded online and included email addresses, salted password hashes and IP addresses.

Is this true and if so, what has majorgeeks done to investigate and mitigate this hack attack?

 

I received the same E-mail. If this is true, why where we not notified by MajorGeeks?

 

Same question here.

 

And the same question from me.

Also, what do i now do about it?

 

Yes, its true i went to https://haveibeenpwned.com/ and signed up for a Email telling me if i had been Pawned. Today i got a email saying i had https://haveibeenpwned.com/
----------------------------------------------------------------
Breach: MajorGeeks
Date of breach: 15 Nov 2015
Number of accounts: 269,548
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Description: In November 2015, almost 270k accounts from the MajorGeeks support forum were breached. The accounts were being actively sold and traded online and included email addresses, salted password hashes and IP addresses.
-------------------------------------------------------------------------------

Go there an check if you have been Pawned by putting in your Email adress or signing up for a notification Email that will tell you if you have.

 

The 'hack' was a minor issue.
The owners acquired and implemented new forum software and everything is great. Have a look over here.
http://forums.majorgeeks.com/index....orum-suggestions-and-questions-thread.295868/
http://forums.majorgeeks.com/index.php?threads/major-geeks-general-how-to-new-forums.295862/

Your email addresses, passwords & usernames have not been compromised.

 

Thank you for the prompt reply.

If this is the case then i suggest M.G. contact https://haveibeenpwned.com/ and inform them of this.

 

I am not checking this site https://haveibeenpwned.com/ because I don't know if it's just a ploy to collect email addresses.
You are safe on MajorGeeks. The owners go to great lenghts to ensure that.

 

It was in Computer Active Magazine in the U.K so it should be safe.

 

haveibeenpwned.com is a legitimate website. It is operated by Troy Hunt, a Microsoft Most Valuable Professional & security researcher.

 

Some generic advice from MS:

If you haven't followed the above yet, you should do so.

 

Thanks for the reassurance. I trust MajorGeeks but I changed my password just the same.

 

It is unbelievable how many people use the same password for every account just because they say that way they can remember it.

ALL passwords should be changed often, no matter what the site.

 

It's a legitimate site. It has accurately reported hacks consistently and is an excellent resource. I just use desktop version of Passpack to have it create a 12 digit alpha, numeric, symbol password -- a unique one for every site.

 

First of all, https://haveibeenpwned.com/ has been around quite a while and is a legitimate security site, existing for no reason but to NOTIFY PEOPLE WHEN THEIR INFORMATION IS COMPROMISED. (see below for 3rd party references of the site)
Secondly, Eldon, for you to represent MajorGeeks and to state that ANY hack where personal information was taken (and it was taken!) is a "minor issue" just scares me and tells me that you know nothing of computer security. This hack took place 3 1/2 months ago and instead of notifying members that their information was compromised you point to posts about new forum software - nothing about the hack itself? This stinks of trying to sweep it under the rug.

The very least that MajorGeeks could have done is post an alert to everyone's account and send an email suggesting changes be made to passwords. I used to think of MajorGeeks as a place that actually cared about the people it offered its' services to, not loading files with malware, etc but this leak/breach and the ensuing 3 1/2 months of zero notification raises all of that into question.

For those who don't want to go to https://haveibeenpwned.com/ yourself, here is what it says:

MajorGeeks: In November 2015, almost 270k accounts from the MajorGeeks support forum were breached. The accounts were being actively sold and traded online and included email addresses, salted password hashes and IP addresses.
Compromised data: Email addresses, IP addresses, Passwords, Usernames​

http://zd.net/1L6ISU7 - How to find out if your password has been stolen | ZDNet
http://wboaref.com/go/45215/ - New website lets users check if their online credentials were exposed in hack attacks | PCWorld
http://wboaref.com/go/51249/ - is haveibeenpwned.com a scam or legit | ScamAdvisor
http://wboaref.com/go/26787/ - haveibeenpwned.com | WOT Reputation Scorecard (Web Of Trust)

 

https://www.facebook.com/majorgeeksdotcom/posts/684488554902100 - almost exactly 2 years earlier you post on Facebook about vBulletin being hacked, but nothing about yours being hacked.
Maybe now would be a good time to notify members that their information has been compromised, you think?

 

Did you read the link you posted? It says:
""We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.""
I found the comment on the pcworld link you gave interesting where one poster said they created a new email account to test the site and it said that new 5 minute old email had been pwned 291 times. Of course no way to know how reliable the poster is.

 

Yes, I too would have expected a notification about the hack as soon as it was detected. Regardless of whether the stolen passwords were salted or not, it should be standard behavior to acknowledge the breach.

 

I have several email accounts and keep track of who I use each with. My account used for MG's and their disqus replies to news items has never had any strange activity. Checked it just now and it has 9 new messages from only contact which I also gave the account's info to. 3 spams from another company which I also gave it to but haven't move them to approved yet. SO after 2 1/2 months I have never received any funny mail. All names are ficticious so would be of little value anyhow!

Go Geeks!

 

That link was from 2 years ago. It has nothing to do with the current breach. I don't know whether the article is simply pointing out that vBulletin was attacked and vBulletin is reporting that they are changing passwords or if MajorGeeks used vBulletin software and THEY forced users to change passwords. If it was the latter than they should have done the same action this time. If it was the former, they should have known that a password change is a bare minimum.

 

You gave the link.

 

That's funny. I did a belly laugh!

 

Yes because it sets a precedent or at a minimum should show that MG should know better.

 

Thank you for posting this information. I agree with what you said above and understand the dilemma of trying to email the old accounts. The part that got me "fired up" earlier was that I also got the email from haveibeenpwned.com and I come to the forums to change my password, etc and I come across the message from Eldon stating that the hack exposing user's information was a "minor issue". As a security professional, a statement like that (from someone who - like it or not - represents your site) is very distressing.

 

I did not say that.
I said:

If passwords were compromised, don't you think the hacker would target staff members first? That has not happened, and I still have the same password.
Security is very important to the owners, as is the reputation of MajorGeeks Support Forums.

 

As someone who logs and researches breaches on sites and helps them when attacked I just have to find it ironic you never noticed before. It's also funny as I sent an email to you over 6 months ago about this to warn you guys, As you were breached twice in 2015 not once.

I was also the one to alert Troy Hunt/HIBP to the breached data as it had been posted on some hacking forums while also being traded/sold, Seeing as I never got a response to the message I sent last year which was sent to multiple site owner emails I thought Troy Hunt would be the best bet at getting the news out.

Your database was breached May 31st 2015 and 12th November 2015.



It's odd though how you moved to XenForo mere days after the November hack, You could have at least warned your users.

What if these users used the accounts say on paypal? Or their online bank accounts?

MD5 encryption was cracked years ago and yes vBulletin 3 salted hashes can be cracked, I have an old license to passwordspro which is a cpu based password cracker, I took the first 14 users from the leaked database and already have the logins to 4 users however these used the old default vB3 salts.

I then took the staff list to this site and within 30 seconds I had the login to to an administrator account! No I haven't tried it as I am not a malicious user but if I was I could easily install a password logger within XenForo's template system. The next staff member after that was you, Yes your password was cracked within 10 minutes.

Anyway, Now some advice so you can prevent future attacks.

• Force reset all user passwords: https://xenforo.com/community/resources/force-password-change.3650/
  
• Demote any old inactive staff accounts to normal users.
  
• Remove admin access to the templates, Least those that don't need access.
  
• Add htaccess protection to admin.php, Give each staff member their own user/pass this way you can tell if they're compromised.
  
• Make sure all admin passwords are unique randomly generated one's.
• Force all staff to enable Two Step Verification.

 

That's odd, I sent it to like 4 different emails i.e whois email that sort of thing pretty sure one was jim@ but it was ages ago and I can't seem to find which email I sent the message from.

From the looks at the dump that was leaked you appear to have had a backdoor in the vBulletin database, But I would also check the whole server to be safe, more so files around those dates from my above post. It's very possible a PHP shell/Backdoor was left on the server somewhere.

Not a problem on the forced pass change mod, If you need any other help XenForo wise or questions please feel free to email me (one under my profile.), I'm a XenForo user also with 4 licenses but I'll admit I am no expert haha.

 

It's working.

 

I didn't think to try the number sorry for that. And XenForo is a much more secure just never use anything from Brivium(.com) they're known pirates/hackers and got banned from XenForo's community.

As for the forced pass reset every 30 days I am sure a plugin like that can be made, Try speaking to the guys at Audentio(.com) or PixelExit(.com) I use both their services and haven't had any issues.

As for a mass mail, You could setup mailgun(.com) they offer 10,000 free emails per month and then charge $5/10,000 but the more you send the cheaper it'll get and you can even connect it to XenForo with SMTP meaning you don't need to export all the emails and check them.

And the forced pass worked like @Eldon said before me.

I would change any admin logins though by hand to be safe as this asks you to change pass first. Under the admin panel you can also put forced 2 step on accounts meaning all staff would need to use it which adds a second layer of protection on accounts. Just like google you can connect it via app/email and can export 10 backup codes.

 

The force password change is there, but since I just changed mine a couple of days ago I thought I'd do an experiment... It will let you enter the exact same password as a "change".

 

That's odd it shouldn't allow that but saying that I've never tried using the same pass on Xenforo.

That's true, Best be secure.

Also would it be possible to enable Multi Quote? Admin > Home > Options > Messages > tick "Enable Multi-Quote" and "Enable Select-to-Quote" url should look like admin.php?options/list/messageOptions thanks.

 

Cut Eldon some slack, please. His involvement as Moderator here began some time after Xenforo was implemented, he shouldn't be expected to know about everything staff-side previous to that.

 

I used the same to verify. If it is ever started to check to not re-use the same password I have a similar backup word. As long as there wasn't a history check of old passwords, I would just bounce back and forth. For people who have only 1 email the forced new password should give a feel of security. All should have a throw-away account so as not to mix their most needed traffic with more relaxed communications and surfing.

 

I changed my password and everything seems to work now.

 

I just changed my password due to the changes (the forum made me do it), then went looking for this thread, which I knew had to be here.

Are we going to have to change passwords every 30 days? I hope not. I use a different password for every site myself.

 

Ooops, tempus fugit eh?

 

Help?

 

"Time flies"