Thread Status:
Not open for further replies.

Important Notice - Security Breach

Discussion in 'Site Updates & Announcements' started by Phases, Jul 10, 2012.

  1. godsdragon

    godsdragon Android Enthusiast
    You guys and gals are doing a great job, and for that I am grateful!

    You rock!!!

  2. Xyro

    Xyro 4 8 15 16 23 42
    Moderator
    Googling 'My IP' from your phone/PC will show you it too, at the top of the results.

    Also worth noting is that your wireless router and your mobile data connection have different IP addresses.
     
  3. daenas

    daenas Newbie
    Thanks for being on top of this so quickly! I just received an email from Nvidia about the very same thing on their forum passwords so I need to change another one shortly as well.
     
  4. Torisen

    Torisen Newbie
    Glad I read this thread before freaking out lol. I had attempts of someone logging into my account and if I had not read this thread letting me know it was the app on my phone that was continuing to try and log in I would be in a little paranoid ball in a corner. Although, I might have figured it out by the IP address being used as well, which I also checked after reading this thread.

    I have to thank cNet for the heads up on this one.
     
  5. jbenham

    jbenham Android Enthusiast
    I must have pushed a wrong button. :) I went to the CONTACT page and sent an email. It would have been from my gmail account. Basically I just wanted to verify that the emails were coming from you, so you can ignore it.

    Thanks mamawm! The IP address in the emails that were sent is my external address.
     
  6. knightresearch

    You are correct. The pathetic "whoops, we're idiots" apology isn't enough! Thanks for giving the spammers my email address. Do you have 2-factor authentication? Do you have a "strength meter" on your passwords? If Bank of America or American Express had done this... do you think "whoops" would be enough?! Stop thinking your site is safe. Get professionals to audit your system, and stop the "once I get in the front door, I can do anything" mentality you run your site with.
     
  7. Rachel A

    Rachel A Android Expert
    Holy Jeez. I've lived through 2 hack attacks on a large financial system we ran with more security than I've been through before and the hackers still got in.

    There's no such thing as an impervious system - we get the site for free and you get all ungrateful about just how quickly they turned this thing around?

    I don't think you have the first clue as to how hard it is to run a secure website.

    Things wouldn't be so bad if users practiced safe security, but they don't, and, as a result, people find other accounts compromised.

    Stop whining and be thankful the admins worked as diligently as they did. My hat's off to Phases and his team for an excellent job well done.
     
    jbenham likes this.
  8. phor11

    phor11 Newbie
    They worked diligently to contain the breach and secure admin accounts, but I have to agree with some other posters that an email should have been sent out to users. It's been 3 days now and I just found out about it via a completely different site.

    In my case, it's not a huge deal because I use a different long/secure randomly generated password for every site so there's no way they could decrypt it in 3 days, and even if they did they couldn't do much of anything with it...

    But you KNOW there are people out there that don't visit the site every day and use the same password for multiple sites. A quick email blast about the intrusion would have gone (and would still go) a long way toward helping mitigate possible damages.
     
  9. Frisco

    Frisco =Luceat Lux Vestra=

    No, it wasn't me, and no I'm not mad at anyone here. :smokingsomb:

    :D

    Meanwhile, I just got a screen obscuring "phandroid" ad, the content being (copy/paste quote):

    ]o 0 ' ?xL"W + 8 Mi @ v1 5N Ab N U b\ C s $ I U t B) " $ N1 Xn ] E%K Sh @ lt I^ ; 3 VL w! ⑇ 1 ؉ Se
     
  10. TVictory

    TVictory Well-Known Member
     
  11. DenverRalphy

    DenverRalphy Android Enthusiast
    Somewhat correct.

    The fallacy in your logic though, is that the breach was through a "known exploit". That's an administrative failure, plain and simple. You patch a known exploit before it is used, and not put it off until damage is done. Site administrators should be checking daily for patches and issuing those patches immediately.

    After the breach, the administrators should have notified every registered user immediately. Not to do so is irresponsible and lazy.

    Your argument that since the forums are provided as a free service is unfounded. Requiring personal and sensitive information to use the free service also places a reasonable assumption of obligation and responsibility upon the service provider to react, mitigate, and inform. An "oopsie, protect yourself!" statement does not fulfill that obligation.

    Every single registered user should have been notified immediately. I can't believe a mass notification STILL hasn't been sent. I'm sure there are still many users who aren't yet aware of the breach.

    [edit] Forgot to mention... If for whatever reason a mass email couldn't be sent (doubtful), all user logins should have been suspended until after an important MOTD was read, and the user forced to change their password.
     
    lucids and heero884 like this.
  12. Rachel A

    Rachel A Android Expert
    Like I say, I've lived through this - and millions of dollars were at risk. We had two factor authentication in place and patches deployed on all servers on a regular basis. We were diligent. We worked hard. It still happened. And you cannot begin to imagine the grief and heartache we went through investigating the incident.

    Until you've experienced this you cannot even begin to fathom what it's like on the other end. The fact that the admins took whatever action they did and contained it is to be commended.

    Yeah, it's crappy it happened. Yeah it's a pain in the arse. Yeah it sucks. But like it or not, it IS a free site. It's hard to keep your eye on the ball 24/7 when you run a site like this. We had oodles of eyes on servers and the buggers still broke through.

    As for notifications, there could be any number of reasons why they were not sent out. I've been in situations where my accounts were compromised and more data potentially stolen, and I've still to receive official notification from at least one of them.
     
  13. lucids

    lucids Well-Known Member
    If I try to change the password I just get a database error and an invalid token error???

    The change worked, but there is obviously a problem, as I got a database error page when posting this message!
     
  14. Xyro

    Xyro 4 8 15 16 23 42
    Moderator
    Phases did not mention any kind of previously known exploit. What he did say was that the exploit had been identified after the fact.

     
    EarlyMon and El Presidente like this.
  15. agentc13

    agentc13 Daleks Über Alles
    Where did you get that it was a "known exploit"? All I have seen said that they know how it was done, and remedied that exploit immediately.

    From the OP:
     
    EarlyMon and El Presidente like this.
  16. lucids

    lucids Well-Known Member
    I came here by accident while looking for something, but would have appreciated an email informing me of the breach. I don't understand why this can't be done. I would have come and changed my password immediately, not a few days later.
     
  17. DenverRalphy

    DenverRalphy Android Enthusiast

    The original post has been edited. At one point it specifically stated "unknown intruders using a known exploit". Believe who you will, but the original statement has been posted around the Web.

    Regardless... The damage control was mishandled.
     
  18. jbenham

    jbenham Android Enthusiast
     
  19. dautley

    dautley Android Expert
    A press release on slashdot.org said it was a known exploit:
    "Phandroid's AndroidForums.com has been hacked. The database that powers the site was compromised and more than one million user account details were stolen. If you use the forum, make sure to change your password ASAP. From the article: 'Phandroid has revealed that its Android Forums website was hacked this week using a known exploit. The data that was accessed includes usernames, e-mail addresses, hashed passwords, registration IP addresses, and other less-critical forum-related information. At the time of writing, the forum listed 1,034,235 members.'"

    And to be honest, it could have been up to a day before we were notified. Phases' own words:
    "I have some unfortunate news to pass along. Yesterday I was informed by our server/developer team that the server hosting androidforums.com was compromised"

    Just passing that along because you asked.
     
  20. El Presidente

    El Presidente Beware The Milky Pirate!
    VIP Member
    I don't know where they've got that from because Phases doesn't mention "known exploit" in any of the edits. :thinking:
     
    dautley likes this.
  21. Xyro

    Xyro 4 8 15 16 23 42
    Moderator
    I found that slashdot article you said that you read, which includes the exact quote you mentioned. They took that quote from a zdnet article, which cites its source as our Phandroid article, which quotes Phases' post in its entirety as you see it now. Clearly zdnet have misrepresented the situation.

    Having checked the edit log on Phases' post, that paragraph has not been edited whatsoever since the first draft.

    It's an unfortunate situation, certainly. And I'm pretty annoyed too, to be honest (don't forget, I'm not being paid to be biased here, nor being paid whatsoever :p). But please, let's not misrepresent the situation by believing a third-hand account of the problem rather than the quote from the site's administrator.
     
    EarlyMon and dautley like this.
  22. dautley

    dautley Android Expert
    I 100% agree! Just passing along what's out there so the staff knows where some of the posts in this thread are coming from. :)
     
    El Presidente and Xyro like this.
  23. Phases

    Phases NO LONGER ADMIN
    Thread Starter
    I never said known exploit. That's a fact. Not sure where it came from but it didn't come from me.

    As for the rest of the feedback - well, it is appreciated and understood, but I need to talk with others on the team about this one before I give a proper response.

    Thanks...
     
  24. DosDawg

    DosDawg Lurker
    Well, it's unfortunate that you guys have to spend your time on such events. It seems that as long as there is an available internet connection, we are forced to deal with such nuisances in our environments.

    Loved the thorough post of the notification, and you guys do a great job with the information you provide on this site, and are very effective with handling all posts and requests.

    I am a fan of this site.
     
    EarlyMon likes this.
  25. GirlFriday

    GirlFriday Member
    Thank you for the notification and quick response. Unfortunately these things happen. There is no such thing as a hacker proof site. I'm sorry there are so many lazy people on this site though. This thread would be only half as long if it weren't for the people who couldn't be bothered to read through the thread or search and asked "are passwords salted and/or hashed" over and over and who reported the "x amount of attempts to log in to my account what gives?" OVER and OVER. You admins must have the patience of saints to put up with it.
     