Just a few minutes ago, I received the following letter in my email:
“geocrasher,
I’m writing to let you know that on November 10th a vulnerability in our
forum software allowed a hacker to gain access to the server hosting our
community. We have no evidence of any personal data being stolen (nor do
we store any on our forums!) but as a precautionary measure we are
forcing all users to reset their passwords. The next time you attempt to
log in, please select the “Forgot Your Password?” link below and follow the steps.
https://forums.malwarebytes.
We’ve also migrated our community away from our servers and onto a
service hosted by Invision Power Board. They know their software best
and as vulnerabilities are discovered, they can patch them more quickly.
I personally apologize for the inconvenience and if you have any
questions, do not hesitate to contact me directly at
mkleczynski@malwarebytes.org.
Marcin”
There are several lessons to be learned from this:
1) Never use the same password twice. A password that leaks from one hacked site, if you also use it elsewhere, puts every other account that shares it at risk of compromise. I’ve seen it happen.
2) Keep your site software up to date. Whether you’re using Invision Power Board, WordPress, Magento, Drupal, or some other solution: keep it updated!
3) If you can’t properly manage your security, hire someone who can.
Marcin fessed up here, which is nice. But it never should have happened. You’d think that a company like Malwarebytes would keep things updated, but phrases like “They know their software best and as vulnerabilities are discovered, they can patch them more quickly” lead me to believe that this breach was due to a vulnerability that Malwarebytes didn’t patch quickly enough, even though the updates were available.
So if it can happen to Malwarebytes, it can happen to you. Keep your software updated!
1 comment
The exploit came out the night before it was used. It wasn’t given straight to Invision and the exploit along with a working script was distributed on a very large security mailing list. MANY IPB forums were compromised. Even more are still vulnerable.
This is not an issue with passwords. It’s an issue with the forum software itself.
Looking into IPB, it looks like this happens all the time with their software. Now that they’ve moved it into their cloud, those customers should be the first to be patched.