
All forums user should reset their password

Posted: Mon Feb 29, 2016 10:37 am
by clem
INTRODUCTION

The following message was sent to all account users:
Hello,

You are receiving this message because you have an account registered on forums.linuxmint.com:

Username: USERNAME
Email: EMAIL

The Linux Mint forums software was compromised by an external attacker. As a result, the attacker has gained access to read your username, email address and an encrypted (hashed and salted) copy of your password from the forum database.

If you have used this password and email address to authenticate at any other website, you are urged to reset the password on those accounts immediately as the attacker may be able to use the compromised personal information to access these other accounts. It is important to have a distinct password for different accounts.

Please also take the time to change your forums.linuxmint.com account password.

For any queries or questions related to this incident, please visit the following topic:

viewtopic.php?f=60&t=217506

We apologize for any inconvenience to the Linux Mint community, thank you for your understanding.

The Linux Mint administration team.
And this topic is dedicated to their queries and questions.

FAQ

Can the hackers decrypt my password?

No, but they can "find" it by brute-force with a tool which encrypts millions of common keywords and passwords and compares the result with your encrypted password.

How long would it take for the hackers to decrypt my password?

They're hashed and salted, but that only slows them down if your password is complex. Depending on its complexity it can take from a few seconds to thousands of years.

When were the forums hacked?

An attack was detected on Feb 20th. During the analysis of the intrusion, it was later confirmed that a previous attack had been undetected on Feb 18th.

According to sources and interviews of the attackers, the first attack was on Jan 20th. We couldn't however confirm this information.

According to haveibeenpwned.com, 51% of the accounts had already had their details, email or passwords leaked from attacks previously done on other websites:

To check, please visit: https://haveibeenpwned.com

How were the forums hacked?

By a lack of hardening on the server. The hackers used the forums software to upload a PHP backdoor which gave them a local www-data shell. From there they were able to access the database.

What is being done to prevent this in the future?

One key aspect is the uniqueness and the complexity of the passwords. If your password is complex, it's harder to crack. If your password is unique, it doesn't matter that much if it gets cracked.

This attack raised awareness and hopefully will make our users use unique passwords.

The settings were modified on the forums and they now require stronger passwords.

On the servers themselves, the team worked day and night to harden as many aspects as possible. Each website is now running on its very own server. All websites are now behind a strict firewall and the presence of malware is monitored by a security firm. Many restrictions were placed on Apache and PHP to restrict their scope and privileges. All automated backups were reviewed. HTTPS was implemented to prevent man-in-the-middle attacks.
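The FAQ above explains two things in words: that a salted hash cannot be "decrypted" but can be recovered by hashing millions of common words with the leaked salt, and that a slow hash only buys time proportional to the password's complexity. The Python below is an added illustration of both points; it is not the forum software's code and makes no claim about what phpBB or Linux Mint used. The work factor, the five-word "common password" list and the guess rate are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (constructed value, not the forum's setting;
# tune it so one verification costs a noticeable fraction of a second).
ITERATIONS = 600_000

# Constructed stand-in for the "millions of common keywords" a cracking tool
# tries first; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = ["123456", "password", "linuxmint", "qwerty", "letmein"]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salt and slow-hash a password; returns a self-describing record."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    _algo, iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def dictionary_hit(stored: str, wordlist) -> Optional[str]:
    """Exactly what the FAQ describes: hash each common word with the salt taken
    from the leaked record and compare. The salt defeats precomputed tables, but
    not this loop. Returns the matching word, or None if the list is exhausted."""
    for word in wordlist:
        if verify_password(word, stored):
            return word
    return None


def search_space(password: str) -> int:
    """Crude upper bound on guesses: (alphabet size) ** length by character class."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation
    return alphabet ** len(password)


def years_to_exhaust(password: str, raw_hashes_per_second: float,
                     iterations: int = ITERATIONS) -> float:
    """Time to try the whole space. Each guess costs `iterations` hash
    computations, which is the whole point of a slow, salted hash."""
    seconds = search_space(password) * iterations / raw_hashes_per_second
    return seconds / (365 * 24 * 3600)


def acceptable(password: str, min_length: int = 12) -> bool:
    """Registration-time policy: reject list entries and short passwords."""
    return password not in COMMON_PASSWORDS and len(password) >= min_length


if __name__ == "__main__":
    record = hash_password("letmein")
    print("common password recovered as:", dictionary_hit(record, COMMON_PASSWORDS))
    rate = 1e10  # assumed raw SHA-256 rate of an offline attacker, not measured
    for pw in ["letmein", "Tr0ub4dor&3", "correct-Horse-B4ttery-staple"]:
        print(f"{pw!r}: {years_to_exhaust(pw, rate):.3g} years to exhaust")
```

Running it shows the FAQ's two cases side by side: a list word falls to the loop no matter how it was salted, while the estimator moves from seconds to astronomically many years as length and character classes grow, and the work factor multiplies every figure by the same constant.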

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 11:43 am
by clem
It's going to take a few hours for all the emails to be sent... about 10.000 were sent so far, not even a 10th. We also don't know how some of the mail hosts will react to that many emails being sent towards them. I hope they won't reject them blindly or place them in people's spam box.

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 12:11 pm
by Moem
thumbsup.jpg

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 12:50 pm
by Andrew33
Thank you Clem....much appreciated :)

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 1:02 pm
by Habitual
Are we testing a new "feature" or have we been hit again?

Code:

LinuxMint Passwords Today 3
Hackers 0 # ?

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 1:04 pm
by Sector11
Thank you Clem. Got my email notification of this. Password change coming today. I might also add I use unique passwords everywhere never using the same one twice.

Good luck in the future.


@ Habitual - upside down avatar? OK, this threw you for a loop right?

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 2:05 pm
by staubi
Maybe I'm blind, but I can't find a link to change my password...

...neither can I find a link to delete the account...

Anyone can help?

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 2:10 pm
by Radish
I got my email a few minutes ago. It was delivered into my Inbox in Thunderbird (great!).

However, I should point out that since the new forum went online any email notifications from the forums concerning threads that I am subscribed to get delivered into my Junk folder. With the old forum this never happened to me - those notifications always went to my Inbox. There is something strange happening now that is causing notification emails from subscribed topics to be delivered into Junk, and not to the Inbox. I'm scratching my head on this one. I can't see what the difference is between the "Important security notice" going into my Inbox and the "Topic reply notification" emails being delivered to Junk. Both of these types of email are from admin AT linuxmint DOT com. Why are they being delivered to different boxes?

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 2:15 pm
by Sector11
staubi wrote: Maybe I'm blind, but I can't find a link to change my password...

...neither can I find a link to delete the account...

Anyone can help?
Top right of the page, click on your name, in the drop down list select: User Control Panel

Then: Profile > Edit Account Settings

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 2:18 pm
by Radish
staubi wrote: Maybe I'm blind, but I can't find a link to change my password
To change your password do the following:

1) Login to the forums.
2) Once logged in look at the top right-hand corner of the webpage - there you will see an icon with your username and a drop-down arrow next to that.
3) Click on the drop-down arrow and select "User Control Panel".
4) In the User Control Panel click on the "Profile" tab.
5) When the Profile tab opens click on "Edit Account Settings". Now you will see how to change your password.

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 2:22 pm
by Sector11
@ Radish

Interesting, I'm using Claws-mail and everything is working fine - the notice for the "Change password" came to my Inbox - then another came pointing me to staubi's post (we crossed each other in posting) and checking my email now I see a notice of another email here - yours. All in my inbox.

Maybe you need to check your settings. :)

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 2:24 pm
by bperrybap
How about adding multi-factor authentication to the login?
Something like Google Authenticator, or a text message OTP.
It marginalizes the value of a cracked password.

--- bill

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 2:25 pm
by Radish
Hi Sector11,

No it can't be my settings, I've been using the same settings for months - haven't changed a thing. My guess is this is something to do with the emails. (As said this never happened to me with the old forum.)

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 2:27 pm
by xenopeek
staubi wrote: I can't find a link to change my password...
Assuming you are logged in, direct link to where you can change your password: ucp.php?i=ucp_profile&mode=reg_details
staubi wrote: ...neither can I find a link to delete the account...
If you want your account deleted (or deactivated), please email us at admin@linuxmint.com from the email address associated with your account. Mind that if you used that email address on other websites and you either have the same password there or the personal information on your account could make guessing your other passwords easier, please change your passwords on those other websites asap. Deleting (or deactivating) your account only prevents attackers from potentially gaining access to your account here, not from using the already stolen information.

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 2:43 pm
by Sector11
@ Radish

Well, it was worth a shot ... mine is working as advertised, but then, different mail client.

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 3:12 pm
by shieling
I've changed my password, and now EVERY time I login it states that I have exceeded my login attempts and I have to fill out the CAPTCHA! Surely this can't be right?

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 3:47 pm
by Cosmo.
Radish wrote: notification emails from subscribed topics to be delivered into Junk, and not to the Inbox.
Mark all of those false positive mails and press shift-J. This will mark them as not junk and trains the junk filter of TB.

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 4:07 pm
by killer de bug
shieling wrote: I've changed my password, and now EVERY time I login it states that I have exceeded my login attempts and I have to fill out the CAPTCHA! Surely this can't be right?
It's a known problem that we are all facing. Be patient, it will be solved in the future. The team is aware of this.

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 4:24 pm
by Radish
Cosmo. wrote: Mark all of those false positive mails and press shift-J.
Thanks Cosmo. I've been marking them as "Not Junk" for the past few days now. However, TB's help page says that it takes up to a week for TB to learn that these are Not Junk. Now I'm just marking, and marking, and marking, and waiting. :(

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 4:34 pm
by Cosmo.
It depends on the current content of the junk filter database: how often the words in the mail have already been noted as junk, and how often as good.

One could clear an old junk database but I do not recommend this.

What you can do and might help: go into one (or several) folders where you have only non-junk mails. Mark all mails and press shift-J; this might increase the learning speed of the junk filter.