BreachExchange mailing list archives

androidforums.com: Important Notice - Security Breach - Update Your Password


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 12 Jul 2012 00:22:33 -0400

http://androidforums.com/site-updates-announcements/580371-important-notice-security-breach.html#post4645422

I have some unfortunate news to pass along. Yesterday I was informed
by our server/developer team that the server hosting androidforums.com
was compromised and the website's database was accessed. While the
breach is most likely harmless there are important and potential
pitfalls, and we want to provide as much helpful information to our
users as possible (without getting too technical).

The trust of our users is extremely important and several staff
members worked through the afternoon, evening, night, and morning to
ensure we're doing everything possible to regain complete security.

Here are the facts:

- The exploit used has been identified and resolved. The server has
been further hardened and extra "just in case" actions have been
taken.. and will continue to be taken.

- All code that resides in the database and the file system has been
thoroughly reviewed for malicious edits and uploads.

- No other sites in our network appear to have been accessed (we're
triple checking).

- The user table of AndroidForum's database was (at a minimum)
accessed. While we can't prove or disprove whether or not the data was
downloaded (due to the way the data was transferred), it's completely
possible.. and we've taken action assuming this is the case.

- Information in the user database includes: Unique ids, usernames,
emails, hashed (encoded) passwords, registration IP addresses,
usergroup memberships, infraction levels, last time online, last post
date, post count... as well as far less critical things like number of
PMs, visitor messages, last online dates, and some vbulletin options
set in your UserCP.

- Immediately following the incident, all ~100 staff were notified of
a pending password change - and all passwords were changed to
random strings. Almost all are back in with new passwords. Because
gaining access to a staff member account could pose the biggest
threat, we first moved to secure these accounts.

What Probably Happened

This was, in our current opinion, most likely an e-mail harvesting
attempt. A spammer could theoretically attempt to bulk e-mail all AF
users with the user database. Luckily, GMail and similar e-mail
services offer a "spam" button that helps it to collectively identify
and automatically filter potential spam.

It's also absolutely possible that nothing of consequence happened.
There is some chance they did not get enough of the database to
matter, did this for fun to see if they could, or will not move
forward with any plans after finding out we're actively investigating.
This is a serious offense and you can best bet we are doing just that.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
