All forums user should reset their password

Chat about anything related to Linux Mint
Eaglecat
Level 1
Posts: 9
Joined: Thu Feb 25, 2016 10:39 am

Re: All forums user should reset their password

Post by Eaglecat » Mon Feb 29, 2016 8:43 pm

I am puzzled as to why I got this email to change my password. I only signed in as a new member on Feb 26th.

Has the site been hacked again since Feb 18th? Do I really need to change my password?

ciaobello
Level 1
Posts: 21
Joined: Tue May 26, 2015 7:38 pm

Re: All forums user should reset their password

Post by ciaobello » Mon Feb 29, 2016 9:10 pm

If you created your account after they robbed/hacked the db, you don't need to change anything.
On the other hand, what does it cost you to do so and start using a program like KeePassX? :wink:
The team is just reminding users, to avoid being responsible for a bigger disaster.

Kurt3162
Level 4
Posts: 230
Joined: Wed Apr 02, 2014 2:05 pm

Re: All forums user should reset their password

Post by Kurt3162 » Mon Feb 29, 2016 10:16 pm

Note that the hack was on February 20th, and the notification emails were sent over a week later (I just got mine today, the 29th).
People who have already changed their passwords (like myself) or registered after that date don't need to do anything.

hlewis
Level 1
Posts: 8
Joined: Mon Nov 26, 2012 9:08 pm

Forum Security

Post by hlewis » Mon Feb 29, 2016 10:49 pm

I reset my password, as requested. I assume you have cleaned up all the affected code/scripts, etc.

[deXter]
Level 1
Posts: 2
Joined: Sat Apr 10, 2010 6:29 am

Re: All forums user should reset their password

Post by [deXter] » Mon Feb 29, 2016 11:27 pm

Question - if the site was hacked on the 18th/20th, why is the email being sent out only now?

victorsk
Level 2
Posts: 66
Joined: Fri May 07, 2010 12:28 am

Re: All forums user should reset their password

Post by victorsk » Tue Mar 01, 2016 12:31 am

Clem,

PHP is notorious for having weak security and there are vulnerabilities to exploit with Apache server too. I suggest switching to Java-based forums, it will be a pain to switch but is worth it. If you don't believe me, check out this article:

http://www.veracode.com/four-out-of-fiv ... assessment

Also, I'm surprised your servers are not making use of SE Linux or grsec?

Good luck,
Victor.

sdibaja
Level 5
Posts: 682
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: All forums user should reset their password

Post by sdibaja » Tue Mar 01, 2016 12:35 am

ciaobello wrote:...
On the other hand, what does it cost you to do so and start using a program like KeePassX? :wink:
....
I resist keeping sensitive data in the cloud, especially all of my passwords; just one password unlocks it all. Nothing is bulletproof.
BTW: KeePass got hacked a couple of years ago... could happen again.
Peter
Mate desktop https://mate-desktop.org/
Debian GNU/Linux operating system: https://cdimage.debian.org/images/unoff ... -firmware/

Kurt3162
Level 4
Posts: 230
Joined: Wed Apr 02, 2014 2:05 pm

Re: All forums user should reset their password

Post by Kurt3162 » Tue Mar 01, 2016 12:44 am

victorsk wrote:PHP is notorious for having weak security and there are vulnerabilities to exploit with Apache server too. I suggest switching to Java-based forums, it will be a pain to switch but is worth it. If you don't believe me, check out this article:

http://www.veracode.com/four-out-of-fiv ... assessment

Also, I'm surprised your servers are not making use of SE Linux or grsec?
I don't know for sure, but I think I've heard they got pwned through WordPress, which is indeed a liability.
Besides, I don't think they have their own servers running behind the cupboard; they most likely have a hosting plan with a provider, and the servers are pretty much professionally hardened. Of course, if you go running leaky stuff on them, all bets are off... :roll:

Eaglecat
Level 1
Posts: 9
Joined: Thu Feb 25, 2016 10:39 am

Re: All forums user should reset their password

Post by Eaglecat » Tue Mar 01, 2016 12:46 am

[deXter] wrote:Question - if the site was hacked on the 18th/20th, why is the email being sent out only now?
A very good question. In particular, if they only got around to sending out the email today (I only received mine today), I think it would have avoided confusion and unnecessary concern to simply state in the email something like:

"If you have either changed your password or joined the Linux Mint forum after "relevant date", then you can ignore this message."

sdibaja
Level 5
Posts: 682
Joined: Sun May 08, 2011 12:57 pm
Location: Baja California, Mexico

Re: All forums user should reset their password

Post by sdibaja » Tue Mar 01, 2016 1:59 am

Eaglecat wrote:
[deXter] wrote:Question - if the site was hacked on the 18th/20th, why is the email being sent out only now?
A very good question. In particular, if they only got around to sending out the email today (I only received mine today), I think it would have avoided confusion and unnecessary concern to simply state in the email something like:

"If you have either changed your password or joined the Linux Mint forum after "relevant date", then you can ignore this message."
February 28th, 2016 at 11:29 pm
Hope you'll send e-mail notifications as soon as possible to everyone, or else I don't think you'll be doing a serious job about it.

Edit by Clem: We will. As soon as the server was back up we tried to mass-email via phpbb. That failed, probably because of the huge number of accounts. We need to find a way to parse the list and send emails by bunch, hopefully without getting our MTA flagged as a spambot. It’s taking more time than I’d like and it’s been delayed because we’ve had to address other very sensitive issues at the very same time (deploying an update to detect hacked installations for instance), but it’s on our list and we’ll try to get it done asap.
Peter
Mate desktop https://mate-desktop.org/
Debian GNU/Linux operating system: https://cdimage.debian.org/images/unoff ... -firmware/

mjh_op
Level 1
Posts: 8
Joined: Sun Feb 09, 2014 7:18 pm

Re: All forums user should reset their password

Post by mjh_op » Tue Mar 01, 2016 2:19 am

I've changed my password, but won't the attacker continue to try to crack the new one? If so, I'm as vulnerable as before, though with a stronger password.

At logon, my account is marked as having too many logon attempts and I have to use the Captcha. Does this stop the attacker from continued automated attempts at cracking my password?

Can I delete my account and sign up with a new user id, which will be harder for the attacker to obtain?

Better, can the logon be email/password rather than userid/password? Then the userids in the forum won't be usable for cracking passwords. I've changed my email address in my profile, but on reflection I doubt that makes any difference to security.

Moem
Level 18
Posts: 8876
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Forum Security

Post by Moem » Tue Mar 01, 2016 4:31 am

I'm not seeing a question in what you posted, but in case it helps: they have, in fact, replaced the whole forum. Different software that's more up to date.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

mivat
Level 1
Posts: 19
Joined: Sun Jul 28, 2013 4:58 am

Re: All forums user should reset their password

Post by mivat » Tue Mar 01, 2016 5:43 am

sdibaja wrote:
ciaobello wrote:...
On the other hand, what does it cost you to do so and start using a program like KeePassX? :wink:
....
I resist keeping sensitive data in the cloud, especially all of my passwords; just one password unlocks it all. Nothing is bulletproof.
BTW: KeePass got hacked a couple of years ago... could happen again.
You don't have to store your key wallet in a cloud. Also, if your system is compromised it doesn't really matter if you used a wallet or not; you simply consider everything compromised.
What's the alternative to a wallet? I want a secure (long) unique password for every site I use. And I wouldn't consider paper and pencil more secure.

@Linux Mint team, thanks for transparency, lot of businesses handle it much worse.
// I private message when logging in with a notification would make sense imo

re-pute.it
Level 1
Posts: 10
Joined: Wed Oct 28, 2015 11:23 am
Location: Durham, UK

Re: All forums user should reset their password

Post by re-pute.it » Tue Mar 01, 2016 7:12 am

I was able to connect to the forums over tor, however when I tried to change my password, I was blocked by Sucuri.

I hope that there is not going to be an ongoing policy of forcing users off the tor network? Please advise.

Thanks,
Mark
http://www.re-pute.it _/ _/ _/ a laptop with ethics to be proud of

Cosmo.
Level 23
Posts: 17827
Joined: Sat Dec 06, 2014 7:34 am

Re: All forums user should reset their password

Post by Cosmo. » Tue Mar 01, 2016 7:20 am

mjh_op wrote:I've changed my password, but won't the attacker continue to try to crack the new one? If so, I'm as vulnerable as before, though with a stronger password.
If you move through the Internet, you are at risk of becoming the victim of an attack. Here (the LM forum) or anywhere.
But there have been changes made to make the forum safer, so you are not "as vulnerable as before".
mjh_op wrote:At logon, my account is marked as having too many logon attempts and I have to use the Captcha. Does this stop the attacker from continued automated attempts at cracking my password?
The captcha is not intended, but a not-yet-solved configuration problem.
mjh_op wrote:Can I delete my account and sign up with a new user id, which will be harder for the attacker to obtain?
This will not enhance your safety in any way.
mjh_op wrote:Better, can the logon be email/password rather than userid/password.
I doubt that. The main part is the password. With up to 30 characters, and at best with randomly generated signs (practically only usable with a password manager), cracking the password would need more time than is practically feasible for an attacker.
If I were to change anything (as admin), I would, if technically doable with the software, raise the upper limit for the password length.
A delay between 2 login attempts (even only one or a few seconds) could be a security enhancement (but only if the current login problem is solved).

But as long as users exist, who choose something like "password", "secret" or "qwerty" for the password, this is all theoretical.
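An added example (not code from any poster in this thread) to make the post above concrete: a Python estimate of how long guessing takes for the kinds of passwords Cosmo describes, under an attacker working offline on the leaked hashes versus one guessing at the login form with and without the proposed per-attempt delay. The guess rates and the wordlist size are constructed assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed attacker models (assumptions for this example, not figures from the thread).
# An attacker holding the leaked salted-and-hashed database guesses offline, limited only
# by hardware; an attacker guessing at the live login form is limited by the site and by
# any per-attempt delay, such as the "one or a few seconds" proposed in the post above.
OFFLINE_GUESSES_PER_SEC = 1e9    # assumption: a fast hash function on commodity GPUs
ONLINE_GUESSES_PER_SEC = 100.0   # assumption: an unthrottled login form
LOGIN_DELAY_SEC = 1.0            # the proposed delay between two login attempts

CHARSET_SIZES = {"lowercase": 26, "alnum": 62, "printable": 95}

def random_password_bits(length, charset):
    """Entropy in bits of a uniformly random password drawn from the charset."""
    return length * math.log2(CHARSET_SIZES[charset])

def wordlist_bits(wordlist_size):
    """Entropy of a password known to come from a list of common choices."""
    return math.log2(wordlist_size)

def expected_seconds(bits, guesses_per_sec):
    """Expected time to find the password: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_sec

def online_rate_with_delay(delay_sec):
    """Guess rate at the login form when every attempt must also wait delay_sec."""
    return 1.0 / (1.0 / ONLINE_GUESSES_PER_SEC + delay_sec)

def crack_times(bits):
    """Seconds to crack under each attacker model; the offline figure ignores the login
    delay because an attacker with the leaked hashes never touches the login form."""
    return {
        "offline_leaked_hash": expected_seconds(bits, OFFLINE_GUESSES_PER_SEC),
        "online_no_delay": expected_seconds(bits, online_rate_with_delay(0.0)),
        "online_with_delay": expected_seconds(bits, online_rate_with_delay(LOGIN_DELAY_SEC)),
    }

def years(seconds):
    return seconds / SECONDS_PER_YEAR

if __name__ == "__main__":
    cases = [("10k-wordlist choice like 'qwerty'", wordlist_bits(10_000)),
             ("8 random lowercase", random_password_bits(8, "lowercase")),
             ("30 random printable", random_password_bits(30, "printable"))]
    for label, bits in cases:
        t = crack_times(bits)
        print(f"{label}: {bits:.1f} bits, offline {t['offline_leaked_hash']:.3g} s, "
              f"online with delay {years(t['online_with_delay']):.3g} years")
```

The offline row is unchanged by the delay, which is why a password from the leaked database that was reused elsewhere still needs changing even after the forum adds throttling.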

xenopeek
Level 24
Posts: 23957
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: All forums user should reset their password

Post by xenopeek » Tue Mar 01, 2016 7:36 am

re-pute.it wrote:I hope that there is not going to be an ongoing policy of forcing users off the tor network?
Before we switched to Sucuri it was also the case that some connections from VPNs, proxies, or Tor exit nodes were blocked at times because those were known sources of spam. Speaking as a forum team member only; it's more important to keep the forum free from spam for all users than it is for you to be able to visit the Linux Mint forums anonymously. The volume of spam (adult content, illegal material, fake goods, phishing attempts, scams, malware links, and so on) is such that without such blocks in place the forum would become unusable.

Barny
Level 1
Posts: 6
Joined: Thu Sep 26, 2013 5:59 am

Linux Mint Forum compromised email

Post by Barny » Tue Mar 01, 2016 7:58 am

Hi

I received this email, supposedly from Linux Mint Forums. How true is this, or is it just a scam?

The Linux Mint forums software was compromised by an external attacker. As a result, the attacker has gained access to read your username, email address and an encrypted (hashed and salted) copy of your password from the forum database.

If you have used this password and email address to authenticate at any other website, you are urged to reset the password on those accounts immediately as the attacker may be able to use the compromised personal information to access these other accounts. It is important to have a distinct password for different accounts.

Please also take the time to change your forums.linuxmint.com account password.

For any queries or questions related to this incident, please visit the following topic:

viewtopic.php?f=60&t=217506

We apologize for any inconvenience to the Linux Mint community, thank you for your understanding.

The Linux Mint administration team.

Cosmo.
Level 23
Posts: 17827
Joined: Sat Dec 06, 2014 7:34 am

Re: Linux Mint Forum compromised email

Post by Cosmo. » Tue Mar 01, 2016 8:06 am

It is true and intended that you got it. Follow the link in the mail (or in your full quote).

Barny
Level 1
Posts: 6
Joined: Thu Sep 26, 2013 5:59 am

Re: Linux Mint Forum compromised email

Post by Barny » Tue Mar 01, 2016 8:14 am

When my name isn't stated at the start of an email, I would never follow a link in such an email. I see when I tried to login, it tells me I have tried too many times and I have to submit a puzzle, which I obviously have or I wouldn't be writing this.

This is the first time I have visited this site for well over a year, so definitely not me trying to login.

karlchen
Level 20
Posts: 10842
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Linux Mint Forum compromised email

Post by karlchen » Tue Mar 01, 2016 8:25 am

Barny wrote:I would never follow a link in such an email.
Basically correct approach!
Nonetheless, this is one of the very few exceptions where no kind of fraud has been intended.
This is the thread which you were asked to visit:
All forums user should reset their password
As you have already changed your forum password once after the hack, there should be no need to change it again so soon. Of course, you are free to change it in regular intervals nonetheless.
I see when I tried to login, it tells me I have tried too many times and I have to submit a puzzle
This currently happens to a lot of us. We enter the correct logon credentials. Nonetheless, we are directed to the captcha login page and have to enter our login credentials plus solve the captcha. I've decided to consider it a kind of challenge for the moment.
It will be fixed some day, to our amazement. And we are going to miss it. :wink:
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.22a 64-bit
Ubuntu 18.04.2 32-bit Mate Desktop, Total Commander 9.22a 32-bit
Windows? - 1 window in every room
