All forums users should reset their password

Post by clem » Mon Feb 29, 2016 10:37 am

INTRODUCTION

The following message was sent to all account users:
Hello,

You are receiving this message because you have an account registered on forums.linuxmint.com:

Username: USERNAME
Email: EMAIL

The Linux Mint forums software was compromised by an external attacker. As a result, the attacker has gained access to read your username, email address and an encrypted (hashed and salted) copy of your password from the forum database.

If you have used this password and email address to authenticate at any other website, you are urged to reset the password on those accounts immediately as the attacker may be able to use the compromised personal information to access these other accounts. It is important to have a distinct password for different accounts.

Please also take the time to change your forums.linuxmint.com account password.

For any queries or questions related to this incident, please visit the following topic:

viewtopic.php?f=60&t=217506

We apologize for any inconvenience to the Linux Mint community, thank you for your understanding.

The Linux Mint administration team.
And this topic is dedicated to their queries and questions.

FAQ

Can the hackers decrypt my password?

No, but they can "find" it by brute-force with a tool which encrypts millions of common keywords and passwords and compares the result with your encrypted password.

How long would it take for the hackers to decrypt my password?

They're hashed and salted, but that only slows them down if your password is complex. Depending on its complexity it can take from a few seconds to thousands of years.

When were the forums hacked?

An attack was detected on Feb 20th. During the analysis of the intrusion, it was later confirmed that a previous attack had been undetected on Feb 18th.

According to sources and interviews of the attackers, the first attack was on Jan 20th. We couldn't however confirm this information.

According to haveibeenpwned.com, 51% of the accounts had already had their details, email or passwords leaked from attacks previously done on other websites:

To check, please visit: https://haveibeenpwned.com

How were the forums hacked?

By lack of hardening on the server. The hackers used the forums software to upload a PHP backdoor which gave them a local www-data shell. From there they were able to access the database.

What is being done to prevent this in the future?

One key aspect is the uniqueness and the complexity of the passwords. If your password is complex, it's harder to crack. If your password is unique, it doesn't matter that much if it gets cracked.

This attack raised awareness and hopefully will make our users use unique passwords.

The settings were modified on the forums and they now require stronger passwords.

On the servers themselves, the team worked day and night to harden as many aspects as possible. Each website is now running on its very own server. All websites are now behind a strict firewall and the presence of malware is monitored by a security firm. Many restrictions were placed on Apache and PHP to restrict their scope and privileges. All automated backups were reviewed. HTTPS was implemented to prevent man-in-the-middle attacks.
Last edited by karlchen on Mon Feb 29, 2016 5:27 pm, edited 1 time in total.
Reason: stickied for a month, so it will be retrieved easily
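
Added example, not part of the post above or of any Linux Mint code: a defender-side password audit that illustrates the two FAQ answers about hashed and salted passwords. A per-user salt makes identical passwords hash differently, yet any password on a common-password list is still matched in a handful of guesses. PBKDF2-HMAC-SHA256, the iteration count, the usernames and the password list are assumptions; the post does not say which scheme the forum used.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed work factor, kept low so the demo runs quickly

# Constructed denylist standing in for the "millions of common passwords".
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "linuxmint"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2 is an assumed stand-in scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(user: str, password: str) -> dict:
    """Build one stored credential row with a fresh random salt."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


def audit(records, candidates=COMMON_PASSWORDS) -> dict:
    """Return {user: guesses_needed} for accounts whose password is on the list."""
    weak = {}
    for rec in records:
        for n, guess in enumerate(candidates, start=1):
            # The salt is stored next to the hash, so each guess costs one hash.
            if hmac.compare_digest(hash_password(guess, rec["salt"]), rec["hash"]):
                weak[rec["user"]] = n
                break
    return weak


def build_sample_records():
    """Constructed accounts: two share a common password, one is unique."""
    return [
        make_record("alice", "letmein"),
        make_record("bob", "letmein"),
        make_record("carol", "T7#vq-Lw9!mZ2rKe"),
    ]


if __name__ == "__main__":
    records = build_sample_records()
    same = records[0]["hash"] == records[1]["hash"]
    print("alice and bob share a hash:", same)  # the salt makes them differ
    print("accounts needing a forced reset:", audit(records))
```

Raising ITERATIONS multiplies the cost of every guess by the same factor, which is why it buys time for complex passwords and very little for listed ones.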

Post by clem » Mon Feb 29, 2016 11:43 am

It's going to take a few hours for all the emails to be sent... about 10.000 were sent so far, not even a 10th. We also don't know how some of the mail hosts will react to that many emails being sent towards them. I hope they won't reject them blindly or place them in people's spam box.

Post by Moem » Mon Feb 29, 2016 12:11 pm

thumbsup.jpg

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Post by Andrew33 » Mon Feb 29, 2016 12:50 pm

Thank you Clem....much appreciated :)

Post by Habitual » Mon Feb 29, 2016 1:02 pm

Are we testing a new "feature" or have we been hit again?

LinuxMInt Passwords Today 3
Hackers 0 # ?

Post by Sector11 » Mon Feb 29, 2016 1:04 pm

Thank you Clem. Got my email notification of this. Password change coming today. I might also add I use unique passwords everywhere never using the same one twice.

Good luck in the future.


@ Habitual - upside down avatar? OK, this threw you for a loop right?
Using: BunsenLabs based on Debian Stable.
Conky PitStop

Post by staubi » Mon Feb 29, 2016 2:05 pm

Maybe I'm blind, but I can't find a link to change my password...

...neither can I find a link to delete the account...

Anyone can help?

Post by Radish » Mon Feb 29, 2016 2:10 pm

I got my email a few minutes ago. It was delivered into my Inbox in Thunderbird (great!).

However, I should point out that since the new forum went online any email notifications from the forums concerning threads that I am subscribed to get delivered into my Junk folder. With the old forum this never happened to me - those notifications always went to my Inbox. There is something strange happening now that is causing notification emails from subscribed topics to be delivered into Junk, and not to the Inbox. I'm scratching my head on this one. I can't see what the difference is between the "Important security notice" going into my Inbox and the "Topic reply notification" emails being delivered to Junk. Both of these types of email are from admin AT linuxmint DOT com. Why are they being delivered to different boxes?
Last edited by Radish on Mon Feb 29, 2016 2:22 pm, edited 2 times in total.
Mint 17.3 x64 Cinnamon - Rosa
When stating what version of Mint you are using remember to include the "Edition". Is it "Cinnamon", "Mate", "KDE" or "XFCE"? This helps others help you.

Post by Sector11 » Mon Feb 29, 2016 2:15 pm

staubi wrote:Maybe I'm blind, but I can't find a link to change my password...

...neither can I find a link to delete the account...

Anyone can help?
Top right of the page, click on your name, in the drop down list select: User Control Panel

Then: Profile > Edit Account Settings

Post by Radish » Mon Feb 29, 2016 2:18 pm

staubi wrote:Maybe I'm blind, but I can't find a link to change my password
To change your password do the following:

1) Login to the forums.
2) Once logged in look at the top right-hand corner of the webpage - there you will see an icon with your username and a drop-down arrow next to that.
3) Click on the drop-down arrow and select "User Control Panel".
4) In the User Control Panel click on the "Profile" tab.
5) When the Profile tab opens click on "Edit Account Settings". Now you will see how to change your password.
Last edited by Radish on Mon Feb 29, 2016 2:32 pm, edited 1 time in total.

Post by Sector11 » Mon Feb 29, 2016 2:22 pm

@ Radish

Interesting, I'm using Claws-mail and everything is working fine - the notice for the "Change password" came to my Inbox - then another came pointing me to staubi's post (we crossed each other in posting) and checking my email now I see a notice of another email here - yours. All in my inbox.

Maybe you need to check your settings. :)

Post by bperrybap » Mon Feb 29, 2016 2:24 pm

How about adding multi-factor authentication to the login?
Something like Google Authenticator, or a text message OTP.
It marginalizes the value of a cracked password.

--- bill

Post by Radish » Mon Feb 29, 2016 2:25 pm

Hi Sector11,

No, it can't be my settings. I've been using the same settings for months - haven't changed a thing. My guess is this is something to do with the emails. (As said this never happened to me with the old forum.)

Post by xenopeek » Mon Feb 29, 2016 2:27 pm

staubi wrote:I can't find a link to change my password...
Assuming you are logged in, direct link to where you can change your password: ucp.php?i=ucp_profile&mode=reg_details
staubi wrote:...neither can I find a link to delete the account...
If you want your account deleted (or deactivated), please email us at admin@linuxmint.com from the email address associated with your account. Mind that if you used that email address on other websites and you either have the same password there or the personal information on your account could make guessing your other passwords easier, please change your passwords on those other websites asap. Deleting (or deactivating) your account only prevents attackers from potentially gaining access to your account here, not from using the already stolen information.

Post by Sector11 » Mon Feb 29, 2016 2:43 pm

@ Radish

Well, it was worth a shot ... mine is working as advertised, but then, different mail client.

Post by shieling » Mon Feb 29, 2016 3:12 pm

I've changed my password, and now EVERY time I login it states that I have exceeded my login attempts and I have to fill out the CAPTCHA! Surely this can't be right?

Post by Cosmo. » Mon Feb 29, 2016 3:47 pm

Radish wrote:notification emails from subscribed topics to be delivered into Junk, and not to the Inbox.
Mark all of those false positive mails and press shift-J. This will mark them as no junk and does train the junk filter of TB.

Post by killer de bug » Mon Feb 29, 2016 4:07 pm

shieling wrote:I've changed my password, and now EVERY time I login it states that I have exceeded my login attempts and I have to fill out the CAPTCHA! Surely this can't be right?
It's a known problem that we are all facing. Be patient, it will be solved in the future. The team is aware of this.
If it ain't broke, fix it until it is.

Post by Radish » Mon Feb 29, 2016 4:24 pm

Cosmo. wrote:Mark all of those false positive mails and press shift-J.
Thanks Cosmo. I've been marking them as "Not Junk" for the past few days now. However, TB's help page says that it takes up to a week for TB to learn that these are Not Junk. Now I'm just marking, and marking, and marking, and waiting. :(

Post by Cosmo. » Mon Feb 29, 2016 4:34 pm

It depends on the current content of the junk filter database. How often are the words in the mail already noted as junk, how often as good.

One could clear an old junk database but I do not recommend this.

What you can do and might probably help: Go into one (or several) folder where you have only non-junk mails. Mark all mails and press shift-J, this might increase the learning speed of the junk filter.
