question about the "Breach"


Soundmanred

Lifer
Oct 26, 2006
10,780
6
81
No, why do you ask?
He's my stalker.
http://forums.anandtech.com/showthread.php?t=2330965
It's REALLY creepy.
Says he knows where I live, etc.
http://forums.anandtech.com/showpost.php?p=35205292&postcount=19
And
http://forums.anandtech.com/showpost.php?p=35205300&postcount=21
It gets creepier:
http://forums.anandtech.com/showpost.php?p=35205307&postcount=24
I've reported it since I truly think he's unstable, but never heard anything.
He said I "threaten him with a gun":
http://forums.anandtech.com/showpost.php?p=35222042&postcount=14
I'm not a gun owner.
And then there's this:
http://forums.anandtech.com/showpost.php?p=35221815&postcount=226
Disturbing to say the least.

He thinks this is some long-brewing conspiracy theory stuff about the forums getting hacked.
http://forums.anandtech.com/showpost.php?p=35219089&postcount=1

DrPizza

Administrator Elite Member Goat Whisperer
Mar 5, 2001
49,601
167
111
www.slatebrookfarm.com
Why would they take PMs if the only people who can read them are the owners?

I presume the reason they took the PMs is that they know that many people would have information in their PMs that would help the attacker link them to a real world person. For example: people participating in the FS/T forum very likely would have older PMs containing their name and address.

Consider that the majority of people online are very lazy when it comes to their own security - quite a few people - a significant percentage - use the same password across multiple sites. All they got here was user names and passwords. An automated script, and they can check gmail, yahoomail, etc., for the same username and password. That might not amount to much. But, armed with a REAL name, and password, lazy people under those conditions might find that their financial resources are now jeopardized.

I saw earlier that a few other vB forums have been hit; one for 1.4 million (I think that was the figure) accounts. Think about it - if you're doing all this running scripts, let's say that you link 1% of those accounts to a real name (and I think that's on the low side), and 25% of them are security lazy & use the same password on multiple sites (definitely on the low side) - that's a hell of a lot of bank accounts, logins at sites like Amazon, Paypal, Ebay, etc. Heck, just with the username on the forums, that's STILL a lot of logins at other sites for those who are too lazy to use different passwords.

So, let's say someone got my username here (DrPizza), along with a password of "abcdef" (really, someone used that here as a password) - then an automated script can try DrPizza, password "abcdef" at hundreds upon hundreds of sites in a matter of seconds. For a not so insignificant number of people, that's going to result in a scammer/hacker saying "jackpot!" to himself.
 
Last edited:
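
The password reuse described in the post above, seen from the defending side, as an added example (not part of the thread and not AnandTech's code): a source that tries many distinct usernames and mostly fails is replaying a leaked list, and any account it did get into needs a forced reset. The log events, addresses (documentation ranges) and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed login events: (source_ip, username, success).
SAMPLE_EVENTS = [
    ("198.51.100.7", "alice", False),   # a user mistyping, then succeeding
    ("198.51.100.7", "alice", True),
    ("198.51.100.9", "bob", True),
    ("203.0.113.50", "user1", False),   # one source walking a list of accounts
    ("203.0.113.50", "user2", False),
    ("203.0.113.50", "user3", True),    # a reused password that still worked
    ("203.0.113.50", "user4", False),
    ("203.0.113.50", "user5", False),
    ("203.0.113.50", "user6", False),
]


def flag_stuffing_sources(events, min_users=5, max_success_ratio=0.2):
    """Return {ip: stats} for sources that try many accounts and mostly fail.

    min_users and max_success_ratio are illustrative thresholds (assumptions);
    tune them against your own baseline of normal login traffic.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, success in events:
        stats = per_ip[ip]
        stats["users"].add(user.lower())
        stats["attempts"] += 1
        if success:
            stats["hits"].add(user.lower())

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = len(stats["hits"]) / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                # Accounts the source logged into: treat as compromised.
                "force_reset": sorted(stats["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```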

Elixer

Lifer
May 7, 2002
10,371
762
126
Interestingly enough, that IP is in the same subnet as an attacker (91.236.116.145) who inserted a backdoor into a phpBB3 based forum.
Then they proceeded to use that server to attack another server and in that case, PMs were also gobbled.
 

sao123

Lifer
May 27, 2002
12,653
205
106
Well, they potentially got my name and address, presumably from my PMs in trading. Though I don't believe I used this password on any other sites... so I'm hoping nothing comes of this.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Elixer said:
Interestingly enough, that IP is in the same subnet as an attacker (91.236.116.145) who inserted a backdoor into a phpBB3 based forum.
Then they proceeded to use that server to attack another server and in that case, PMs were also gobbled.

That IP is from a VPS host, so the entire range is potentially "evil" depending on who is renting any given slot.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,587
10,225
126
I logged in, not by inputting my username and password, but via cookies, during that period.

Should I go through my PMs, and contact everyone whose contact details may have been stolen, or should I rely on them to come and read this thread?

I don't regularly delete PMs. I only deleted a few hundred a few weeks ago, because I had nearly hit my limit. Anyone who has traded with me in the last few years, potentially their name+address was stolen. Sorry people.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Larry, you're not on the list of accounts that had their passwords taken. But I have no idea whether you had your PMs taken.
 

Turin39789

Lifer
Nov 21, 2000
12,218
8
81
I can't see the data breach message. Where can I find more information?

Turin39789, you do not have permission to access this page. This could be due to one of several reasons:

Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation

edit - If it helps I also haven't had access to Moderator Discussions.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Turin39789 said:
I can't see the data breach message. Where can I find more information?

edit - If it helps I also haven't had access to Moderator Discussions.

The announcement was only up for 10 days. I'll repost it here for future reference.

Earlier today a moderator account was compromised, allowing a malicious third party to create a global announcement with an embedded script designed to harvest user names, passwords and PMs. The post was live from 8:35AM ET through 10:41AM ET (all on July 14th). The attack originated from an IP in Sweden (91.236.116.104) with all data being logged to a server from a shared virtual hosting provider. The aim of the attack seems to be to gain access to an Admin account, which wasn't successful.

In the process, anyone who was logged in and accessed the forums during this period had their stored PMs accessed by this script. In addition, any user who manually logged in had their user name and password accessed (141 total users). Upon discovering the breach we immediately contacted the host of the script and got them to remove all of the data gathered by the script. We also reset all passwords associated with accounts that were known to be compromised. If you try to login to your account and find that your password doesn't work, it was among those reset. Similarly, treat any sensitive information contained within your PMs as potentially compromised.

We strongly recommend changing passwords frequently and not using the same password for multiple accounts.

We are actively working with the hosting provider where the script was living to see if we can gather any more information about the parties who launched the attack.
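
A pre-publication check for the kind of post the announcement describes (a global announcement carrying an embedded script), as an added example that is not part of the thread and not the forum's or vBulletin's own code. The thread does not say how the script was embedded, so this goes beyond it and flags the common script-bearing constructs; `own_host`, the sample markup and the host names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form"}
URL_ATTRS = {"src", "href", "action", "formaction", "data"}
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}


class AnnouncementAudit(HTMLParser):
    """Collects constructs that let announcement markup run or load code."""

    def __init__(self, own_host):
        super().__init__(convert_charrefs=True)
        self.own_host = own_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):            # onerror, onload, onclick, ...
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS:
                parsed = urlparse(value)
                if parsed.scheme.lower() in SCRIPT_SCHEMES:
                    self.findings.append(("script-url", name))
                elif parsed.netloc and parsed.hostname != self.own_host:
                    # Covers absolute and protocol-relative (//host/...) URLs.
                    self.findings.append(("off-site-url", parsed.hostname))


def audit_announcement(html_text, own_host):
    """Return a list of (kind, detail) findings; empty means nothing flagged."""
    audit = AnnouncementAudit(own_host)
    audit.feed(html_text)
    audit.close()
    return audit.findings


# Constructed samples, not the markup used in the incident.
BENIGN = '<p>Maintenance on <b>Sunday</b>. <a href="/showthread.php?t=1">Details</a></p>'
SUSPECT = ('<p>Notice</p><script src="//collector.example/h.js"></script>'
           '<img src="/x.png" onerror="load()">')

if __name__ == "__main__":
    print(audit_announcement(BENIGN, "forums.example"))
    print(audit_announcement(SUSPECT, "forums.example"))
```

A check like this belongs on the server side of every path that can publish site-wide content, so that a single compromised moderator account cannot push active markup to every logged-in reader.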
 

Sulaco

Diamond Member
Mar 28, 2003
3,825
46
91
So... did anything become of this? As in, a reliable lead as to the perp?

Not to play Sherlock here (and I'm not the first to think this), but I can't help but notice the attack reportedly originated in Sweden, right? Home to the infamous "JohnofSheffield", who was outed by the members for his fraudulence, raged against the members and the moderators/admins, and then gets banned.
A few days later, there's a site-wide attack on Anandtech.

Coincidence? Or...?
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Coincidence. Sweden is merely where the server was rented from.
 

Dude111

Golden Member
Jan 19, 2010
1,497
7
81
SOFTengCOMPelec said:
It seems I was one of the 141. I just managed to get it sorted out, now.
I'm sorry you had problems... I haven't been to Guru3D in a while, I'll log in there and see if they have an announcement up...

I'm sorry to everyone here on AnandTech that had problems and let's hope IT DOESN'T HAPPEN AGAIN!!