MyBB.com Hacked, a word from Audentio Design

Saw this on facebook and since we have some mybb users here, I thought I should pass it along. cc: @Audentio

http://www.audentio.com/community/f...6-MyBB.com-Hacked-a-word-from-Audentio-Design

 

@Brandon.
According to Mybb.com

Damn, their passwords must of been easy. If they were with Namecheap, they would of received an alert that their account was being accessed.

 

They moved from namecheap to name.com

 

As most of you who will be reading this are aware, three days ago (beginning the 31st of May) the MyBB.com domain (along with our other domains) were hijacked by a group of hackers (we’re not going to identify them by name but they have been very vocal in claiming responsibility so you should have no problem finding them if you’re so inclined). They also tried to access our server and many other services we use.

At this stage we have access to all our systems back and are in the process of restoring services, however we’re pleased to say that we are also taking this opportunity to retool components of our website and upgrade our server infrastructure.

This blog post will probably be the first of many, but we’ll endeavor to keep you updated as much as possible regarding progress. At this stage we don’t expect all services to be online for at least a week while the new servers are configured and we prepare new components of our website, however this blog is obviously already online and the MyBB home page will be up very soon too.

The story to date

There are still a few missing pieces, but at this stage we have a pretty clear understanding of what happened. Contrary to what has been posted elsewhere, we do not believe social engineering was the culprit, although the hackers did try unsuccessfully to gain access to several of our accounts via this method.

The main incident that lead to the breach was a compromise of Chris’ personal Apple ID (iCloud, etc) account. From there, the hackers were able to reset passwords to our hosting and domain accounts. It’s still not clear how they got access to this account, however they also had numerous personal details about Chris, including contact details and knowledge of at least the last four numbers of his primary credit card.

Fortunately SoftLayer (our host) called Chris when his password was reset which alerted us to the situation unfolding and all public access to the server was shut off soon thereafter. As far we can tell they were not able to log into our server and do not have copies of our databases. We have been very pleased by the response we received from SoftLayer and without their vigilance the situation could have been far worse.

While Chris was trying to reset his passwords to NameCheap (our Domain Registrar at the time) and Apple ID accounts, the hackers even went as far as to remote wipe his iPhone via iCloud to prevent him from having 3G access. Unfortunately they successfully took control of Chris’s NameCheap account and redirected the domain to their defacement page, later we discovered they even tried to transfer the domain.

Unfortunately we did not get the expedited response from NameCheap that we would have hoped for given the severity of the situation, and it was about six hours before we got access to our account back. As a result we have already transferred MyBB.com to another domain registrar with better controls around account security.

Since then we have been planning the recovery effort, including taking the opportunity to improve our infrastructure. We will be moving to a new server setup, but given our security scare a few months ago we are also auditing the site software we use and only moving what we know is clean to the new server. More details on changes to the site are detailed further down this article.

With regard to why we were targeted, frankly we are baffled by the logic. The group identified MyBB as being targeted because one of our user’s runs an online forum dedicated to hacking. By this same analogy, if someone purchases a car and then uses it to run someone down or damage another’s property, then the manufacturer of the car should be responsible, which is obviously corrupted logic.

The group totes freedom as their cause but by attacking an Open Source project they are undermining freedom in every sense of the word. Anyone is free to download and use our software, no matter if you’re rich or poor, a nurse or a hacker, and the fact they targeted us for this is an utter contradiction of their reasoning.

As many MyBB users will know, we don’t even offer support on our community forums to hacking sites, and there are no exceptions. We can only conclude that attention and notoriety are their true motivations, and that their sense of ethics is a disgrace to the online community. We sincerely hope the perpetrators are brought to justice.

What we’re doing

First and foremost we have adopted two factor authentication wherever possible. As mentioned above, the domain names have already been transferred to a registrar offering two factor authentication, among other security features. We’ll also be adopting two factor authentication on our new servers, and to various internal services. The new servers should improve performance of our website, and CloudFlare has also been setup.

As you might have also noticed, this blog has already been moved from being a locally hosted WordPress installation to being hosted on WordPress.com, which should ensure it is accessible even when our servers are down. We are hoping to make a similar change to the wiki before services are fully restored and as previously announced, development will be moving to GitHub with 1.8. Our goal with moving services offsite is to improve availability, improve maintainability, reduce load on our servers and improve security.

Finally, although our website infrastructure did not contribute to the intrusion, we are reviewing the security of all our services prior to moving them to our new server to ensure our systems are as secure as they could be.

We thank everyone for their continued patience and support over this difficult time and hope to have everything back online soon.

Regards,
Chris, Tim, and the rest of the MyBB Team


Continue reading...

 

Following on from our We’ll be back soon post yesterday, I just wanted to provide an update on our recovery efforts as well as address a few of the commonly asked questions.
After a comprehensive investigation, including audits of all files on our existing servers as well as an analysis of server and website access logs, we’re happy to confidently say that we do not believe any of our servers were compromised, or our databases accessed.
As you’ve likely noticed, access to the MyBB Community Forums has now been restored. Because we don’t believe the MyBB database was compromised, we have opted to not require users to change their passwords on next login. If you’re having difficulty accessing the forums (for example, if it’s redirecting to www.mybb.com, or stylesheets aren’t loading correctly), then please clear your web browser cache and try again.
We’re working on restoring access to the MyBB Mods website as soon as we can, however expect the modifications site take another 24 hours before it can be pushed live.
Our team are also busy working on relaunching the official MyBB documentation, using GitHub Pages. We’re moving away from MediaWiki and wiki-based documentation primarily because we believe our efforts are best focused on maintaining our core website, forums and modifications site rather than managing a slew of third-party applications (this is the same reason why our blog is now powered by WordPress.com). Because GitHub Pages is directly backed to a Git repository, the entire community can still collaborate to our documentation using pull requests.
At this stage, we plan to discontinue the MyBB Ideas site. We believe that through great collaboration on the MyBB Community Forums in our MyBB 1.8 Feature Suggestions and MyBB 2.0 Feature Suggestions forums, together we can build even greater software. It also means there’s one less place to collect feedback from.
We’re taking an overly cautious process with the restoration. If we chose to, we could simply flick all services on again, and have the wiki, modifications site, etc live. Instead, even though we’re confident there was no breach of our servers, we’re still handling the situation if there were. Before anything is relaunched, we’re:

• Verifying access logs of the site to look for suspicious behavior
• Verifying the content of the sites by comparing them against previously taken backups (both onsite and offsite, and against backups taken recently and those taken weeks ago) and analysing each and every difference by hand
• Pushing the content of all websites to our new servers from an offline copy, instead of our old servers
• Verifying that all of our websites work behind CloudFlare, and implementing caching strategies in CloudFlare to give you even faster page loads

There’s also been a lot of discussion around what legal action we will be taking against those that have attacked us. At this stage, we believe our time and effort is better spent improving and educating users about security, and moving forward with the development of MyBB 1.8, MyBB 2.0, and our rebranding.
Again, we want to thank everyone for their support and patience and look forward to moving onwards and upwards!
Regards,
Chris, Tim, and the rest of the MyBB Team



Continue reading...