
Last night the following announcement went live to their forums

This week we discovered a data breach that affects all our registered users.

On June 7th we discovered some anomalous files on our webserver, and began investigating where they came from. From what we can tell, on March 16th, an administrator's account was accessed by an unidentified attacker. The attacker used an obscure feature in the forum control panel to upload arbitrary code to our webserver. Then, the attacker downloaded a portion of the forum database. The breached data contained three pieces of information:
* Account names
* E-mail addresses
* Hashed passwords
* Last login IP address

Unfortunately our forum software (vBulletin) used a password hashing scheme that is considered insecure by modern standards. We are therefore recommending that all our users change their passwords as soon as possible. If your AlliedModders password was used on other services, we recommend that you change your password on those services as well.

We do not believe the attacker compromised our systems in a way that would expose private messages, plaintext passwords, real names, or otherwise intercept private traffic. We also believe the March 16th incident was isolated in nature. Nonetheless, it is serious enough to warrant immediate action.

We are deeply apologetic for this incident - it's a black mark on what had been a perfect track record for over ten years. As a result we've attempted to identify and address each of the weaknesses that contributed to this attack. In particular:
* We have modified vBulletin to use more secure password hashing (bcrypt, instead of md5).
* We are now restricting the privileges of all administrator accounts.
* We have restricted vBulletin's file system privileges and added intrusion detection.

Again, we apologize for the inconvenience. If you have any questions, please contact us at security@alliedmods.net.

-David Anderson

 

Well it's kinda odd why they still use old vBulletin if they know that security sucks. Also they broke the one rule which you must obey when doing websites. Prepare for the worst case scenario.

 

Source: https://forums.alliedmods.net/announcement.php?f=59&a=49


They broke another rule.. Never hash passwords.. Rainbow tables make md5 hashes pointless.. Unless it is for file verification..


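An added illustration, not part of the thread and not AlliedModders' code: one way a site can carry out the "bcrypt, instead of md5" change from the announcement without waiting for every user to log in. It assumes the legacy rows use the vBulletin 3.x/4.x form md5(md5(password) + salt), uses the standard library's scrypt as a stand-in for bcrypt, and all row fields and function names are hypothetical.

```python
import hashlib
import hmac
import os

def legacy_md5(password: str, salt: str) -> str:
    # Assumed legacy format: md5(md5(password) + salt), hex encoded.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def slow_kdf(secret: bytes, salt: bytes) -> bytes:
    # scrypt stands in for bcrypt, which is not in the standard library.
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)

def wrap_legacy_row(row: dict) -> dict:
    """Offline pass: replace the stored fast hash with KDF(fast hash)."""
    kdf_salt = os.urandom(16)
    return {"scheme": "scrypt(md5)", "md5_salt": row["salt"],
            "kdf_salt": kdf_salt,
            "hash": slow_kdf(row["hash"].encode(), kdf_salt)}

def new_row(password: str) -> dict:
    """Final format: the KDF applied directly to the password."""
    kdf_salt = os.urandom(16)
    return {"scheme": "scrypt", "kdf_salt": kdf_salt,
            "hash": slow_kdf(password.encode(), kdf_salt)}

def verify_and_upgrade(row: dict, password: str):
    """Return (ok, row); a wrapped row is rehashed on a successful login."""
    if row["scheme"] == "scrypt(md5)":
        secret = legacy_md5(password, row["md5_salt"]).encode()
    elif row["scheme"] == "scrypt":
        secret = password.encode()
    else:
        return False, row  # raw md5 rows must be wrapped first, never accepted
    ok = hmac.compare_digest(slow_kdf(secret, row["kdf_salt"]), row["hash"])
    if ok and row["scheme"] == "scrypt(md5)":
        row = new_row(password)  # drop the md5 layer once the password is seen
    return ok, row

# Constructed sample row, not data from the breach.
LEGACY = {"scheme": "md5", "salt": "a1B",
          "hash": legacy_md5("correct horse", "a1B")}
```

After the offline pass no fast hash remains in the database, so a later copy of the table only yields values that cost a full KDF evaluation per guess.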
