Important Notice - Security Breach

[godsdragon]

You guys and gals are doing a great job! and for that, I am grateful!

You rock!!!

 

[Xyro]

To those who are still receiving the emails about someone trying to access your account, PLEASE, PLEASE, go to Google play and download the free app Network Info II. Once you launch it touch IP at the top of the screen and it will obtain your external IP address . This is the IP address used by your internet service provider. You will most likely find that this is the same IP address trying to access your account.

Googling 'My IP' from your phone/PC will show you it too, at the top of the results.

Also worth noting is that your wireless router and your mobile data connection have different IP addresses.

 

[daenas]

Thanks for being on top of this so quickly! I just received an email from Nvidia about the very same thing on their forum passwords so I need to change another one shortly as well.

 

[Torisen]

Glad I read this thread before freaking out lol. I had attempts of someone logging into my account and if I had not read this thread letting me know it was the app on my phone that was continuing to try and log in I would be in a little paranoid ball in a corner. Although, I might have figured it out by the IP address being used as well, which I also checked after reading this thread.

I have to thank cNet for the heads up on this one.

 

[jbenham]

That post was directed at djb28, as he posted his IP too (although I edited it out).

Did you PM the IP from your email to one of the other moderators to check? I didn't get it and don't see any reports from you.

I must have pushed a wrong button. I went to the CONTACT page and sent an email. It would have been from my gmail account. Basically I just wanted to verify that the emails were coming from you, so you can ignore it.

Thanks mamawm! The ip address in the emails that were sent is my external address.

 

[knightresearch]

Oh damn how much I hate you guys now.

I only registered on these forums because of your "greed" policies - hiding info and download links from unregistered users.

Not only do you lock up information posted on your forums (kudos to the android openness spirit), you also don't bother patching the forums against knows exploits.

But hey, thank you for leaking my info to spammers / thiefs. Luckily I use separate passwords for public forums and my main sensitive accounts.

And I find out about this from major news sites? I guess you didn't bother sending a mass email to your user list either.

Lesson of the day - don't make people register if you are amateurs in security.

You are correct. The pathetic "whoops, we're idiots" apology isn't enough! Thanks for giving the spammers my email address. Do you have 2-factor auththentication? Do you have a "strength meter" on your passwords? If Bank of America or American-Express had done this...do you think "whoops" would be enough?! Stop thinking your site is safe. Get professionals to audit your system, and stop the "once I get in the front door, I can do anything" mentality you run your site with.

 

[Rachel A]

You are correct. The pathetic "whoops, we're idiots" apology isn't enough! Thanks for giving the spammers my email address. Do you have 2-factor auththentication? Do you have a "strength meter" on your passwords? If Bank of America or American-Express had done this...do you think "whoops" would be enough?! Stop thinking your site is safe. Get professionals to audit your system, and stop the "once I get in the front door, I can do anything" mentality you run your site with.

Holy Jeez. I've lived through 2 hack attacks on a large financial system we ran with more security than I've been through before and the hackers still got in.

There's no such thing as an impervious system - we get the site for free and you get all ungrateful about just how quickly they turned this thing around?

I don't think you have the first clue as to how hard it is to run a secure website.

Things wouldn't be so bad if users practiced safe security but they don't, and, as a result, people find other accounts compromised as a result.

Stop whining and be thankful the admins worked as diligently as they did. My hats off to Phases and his team for an excellent job well done.

 

[phor11]

There's no such thing as an impervious system - we get the site for free and you get all ungrateful about just how quickly they turned this thing around?

Stop whining and be thankful the admins worked as diligently as they did. My hats off to Phases and his team for an excellent job well done.

They worked diligently to contain the breach and secure admin accounts, but I have to agree with some other posters that an email should have been sent out to users. It's been 3 days now and I just found out about it via a completely different site.

In my case, it's not a huge deal because I use a different long/secure randomly generated password for every site so there's no way they could decrypt it in 3 days, and even if they did they couldn't do much of anything with it...

But you KNOW there are people out there that don't visit the site every day and use the same password for multiple sites. A quick email blast about the intrusion would have gone (and would still go) a long way toward helping mitigate possible damages.

 

[Frisco]

No, it wasn't me, and no I'm not mad at anyone here. :smokingsomb:



Meanwhile, I just got a screen obscuring "phandroid" ad, the content being (copy/paste quote):

]o 0 ' ?xL"W + 8 Mi @ v1 5N Ab N U b\ C s $ I U t B) " $ N1 Xn ] E%K Sh @ lt I^ ; 3 VL w! ⑇ 1 ؉ Se

 

[TVictory]

No, it wasn't me, and no I'm not mad at anyone here. :smokingsomb:



Meanwhile, I just got a screen obscuring "phandroid" ad, the content being (copy/paste quote):

]o 0 ' ?xL"W + 8 Mi @ v1 5N Ab N U b\ C s $ I U t B) " $ N1 Xn ] E%K Sh @ lt I^ ; 3 VL w! ⑇ 1 ؉ Se

 

[DenverRalphy]

There's no such thing as an impervious system - we get the site for free and you get all ungrateful about just how quickly they turned this thing around?

Somewhat correct.

The fallacy in your logic though, is that the breach was through a "known exploit". That's an administrative failure, plain and simple. You patch a known exploit before it is used, and not put it off until damage is done. Site administrators should be checking daily for patches and issuing those patches immediately.

After the breach, the administrators should have notified every registered user immediately. Not to do so is irresponsible and lazy.

Your argument that since the forums are provided as a free service is unfounded. Requiring personal and sensitive information to use the free service also places a reasonable assumption of obligation and responsibility upon the service provider to react, mitigate, and inform. An "oopsie, protect yourself!" statement does not fulfill that obligation.

Every single registered user should have been notified immediately. I can't believe a mass notification STILL hasn't been sent. I'm sure there are still many users who aren't yet aware of the breach.

[edit] Forgot to mention.. If for whatever reason a mass email couldn't be sent (doubtful), all user logins should have been suspended until after an important MOTD was read, and the user forced change their password.

 

[Rachel A]

Like I say, I've lived through this - and millions of dollars were at risk. We had two factor authentication in place and patches deployed on all servers on a regular basis. We were diligent. We worked hard. It still happened. And you cannot begin to imagine the grief and heartache we went through investigating the incident.

Until you've experienced this you cannot even begin to fathom what it's like on the other end. The fact that the admins took whatever action they did and contained it is to be commended.

Yeah, it's crappy it happened. Yeah it's a pain in the arse. Yeah it sucks. But like it or not, it IS a free site. It's hard to keep your eye on the ball 24/7 when you run a site like this. We had oodles of eyes on servers and the buggers still broke through.

As for notifications, there could be any # of reasons why they were not sent out. I've been in situations were my accounts were compromised and more data potentially stolen and I've still to receive official notification from at least one of them.

 

[lucids]

if i try change the password i just get a database error and invalid token error???

The change worked but there is obviously a problem as i got database error page when posting this message!

 

[Xyro]

Somewhat correct.

The fallacy in your logic though, is that the breach was through a "known exploit". That's an administrative failure, plain and simple. You patch a known exploit before it is used, and not put it off until damage is done. Site administrators should be checking daily for patches and issuing those patches immediately.

Phases did not mention any kind of previously known exploit. What he did say was that the exploit had been identified after the fact.

- The exploit used has been identified and resolved.

 

[agentc13]

The fallacy in your logic though, is that the breach was through a "known exploit". That's an administrative failure, plain and simple. You patch a known exploit before it is used, and not put it off until damage is done. Site administrators should be checking daily for patches and issuing those patches immediately.

After the breach, the administrators should have notified every registered user immediately. Not to do so is irresponsible and lazy.

Where did you get that it was a "known exploit"? All I have seen said that they know how it was done, and remidied that exploit immediately.

From the OP:

- The exploit used has been identified and resolved. The server has been further hardened and extra "just in case" actions have been taken.. and will continue to be taken.

 

[lucids]

I came here by accident while looking for something but would have appreciated an email informing me of the breach. i don't understand why this cant be done I would have come and changed password immediately not a few days later.

 

[DenverRalphy]

Phases did not mention any kind of previously known exploit. What he did say was that the exploit had been identified after the fact.

Where did you get that it was a "known exploit"? All I have seen said that they know how it was done, and remidied that exploit immediately.

From the OP:

The original post has been edited. At one point it specifically stated "unknown intruders using a known exploit". Believe who you will, but the original statement has been posted around the Web.

Regardless.. The damage control was mishandled.

 

[jbenham]

I found out about it right here on July 10.

(July 10, 2012) Important Notice - Security Breach - Update Your Password - Click for Details

 

[dautley]

Where did you get that it was a "known exploit"? All I have seen said that they know how it was done, and remidied that exploit immediately.

From the OP:

A press release on slashdot.org said it was a known exploit:
"Phandroid's AndroidForums.com has been hacked. The database that powers the site was compromised and more than one million user account details were stolen. If you use the forum, make sure to change your password ASAP. From the article: 'Phandroid has revealed that its Android Forums website was hacked this week using a known exploit. The data that was accessed includes usernames, e-mail addresses, hashed passwords, registration IP addresses, and other less-critical forum-related information. At the time of writing, the forum listed 1,034,235 members.'"

And to be honest it could have been up to a day before we were notified, Phases own words:
"I have some unfortunate news to pass along. Yesterday I was informed by our sever/developer team that the server hosting androidforums.com was compromised"

Just passing that along because you asked.

 

[El Presidente]

A press release on slashdot.org said it was a known exploit:
"Phandroid's AndroidForums.com has been hacked. The database that powers the site was compromised and more than one million user account details were stolen. If you use the forum, make sure to change your password ASAP. From the article: 'Phandroid has revealed that its Android Forums website was hacked this week using a known exploit. The data that was accessed includes usernames, e-mail addresses, hashed passwords, registration IP addresses, and other less-critical forum-related information. At the time of writing, the forum listed 1,034,235 members.'"

I don't know where they've got that from because Phases doesn't mention "known exploit" in any of the edits.

 

[Xyro]

The original post has been edited. At one point it specifically stated "unknown intruders using a known exploit". Believe who you will, but the original statement has been posted around the Web.

I found that slashdot article you said that you read, which includes the exact quote you mentioned. They took that quote from a zdnet article, which cites its source as our Phandroid article, which quotes Phases' post in its entirety as you see it now. Clearly zdnet have misrepresented the situation.

Having checked the edit log on Phases' post, that paragaph has not been edited whatsoever since the first draft.

It's an unfortunate situation, certainly. And I'm pretty annoyed too, to be honest (don't forget, I'm not being paid to be biassed here, nor being paid whatsoever ). But please, lets not misrepresent the situation by believing a third hand account of the problem rather than the quote from the site's administrator.

 

[dautley]

But please, lets not misrepresent the situation by believing a third hand account of the problem rather than the quote from the site's administrator.

I 100% agree! Just passing along what's out there so the staff knows where some of the posts in this thread are coming from.

 

[Phases]

I never said known exploit. That's a fact. Not sure where it came from but it didn't come from me.

As for the rest of the feedback - well, it is appreciated and understood, but I need to talk with others on the team about this one before I give a proper response.

Thanks..

 

[DosDawg]

well its unfortunate that you guys have to spend your time on such events. seems that as long as there is an available internet connection, we are forced to deal with such nuisances in our environments.

loved the thorough post of the notification, and you guys do a great job with the information you provide on this site, and are very effective with handling all posts and requests.

I am a fan of this site.

 

[GirlFriday]

Thank you for the notification and quick response. Unfortunately these things happen. There is no such thing as a hacker proof site. I'm sorry there are so many lazy people on this site though. This thread would be only half as long if it weren't for the people who couldn't be bothered to read through the thread or search and asked "are passwords salted and/or hashed" over and over and who reported the "x amount of attempts to log in to my account what gives?" OVER and OVER. You admins must have the patience of saints to put up with it.