
Thread: Security Issues

  1. #1

    Security Issues

    As many of you are aware, an anonymous party recently took advantage of a security hole in order to gain control of the site and prove a point. Now that we've sealed those leaks and reclaimed control, I'd like to be here to clarify a few questions and concerns you very likely have.

    What was the extent of the damage?
    At this point, we have no evidence to suggest that this was anything other than a skilled hacker making a point. He did not at any point ask us for money or information, and he quite willingly described both his methods and why they worked. I have since verified them with Aya042 (our resident server guy and code monkey) and sealed up the security holes, along with taking care of any other potential security concerns as well (for example, we have changed all of our server passwords, just to be safe). We have looked (and continue to look) and there is no evidence that any data, raw or encrypted, was downloaded, transferred, or otherwise accessed.

    What about my passwords and other personally identifying information?
    vBulletin 4 salts and MD5 hashes all of its passwords. Even if the hacker downloaded the database containing the protected information (we have no reason to believe so), it would be next to impossible for him to retrieve and view one password - let alone all of them.

    Even considering all of that, there is no evidence that the hacking was fueled by malicious intent. The hacker was happy to help point out the flaws in our system, and we have double-checked for any back doors or other potential loose ends (of which we have found none).

    THAT SAID, because there is a (very) slight chance that your old password could be unsafe, we must recommend that you change your password here AND ON ANY OTHER SITES THAT SHARE IT. We doubt that your information was viewed or taken, but we cannot ignore the possibility, however small.

    I'm a Donor. Is my payment information in danger?
    Donors are safe. Even if the hacker managed to acquire our PayPal password (which we, again, have no evidence of), it's simply impossible to view a Donor's payment information through PayPal due to their (quite fantastic) security measures. Even by us. So you're safe.

    I appreciate your help and openness, but I just don't trust LBPCentral with my information anymore.
    We understand. So, for those looking to remove information from our servers, we are offering two services that you can take advantage of:

    For Donors: if you have a subscription, PM us and we'll cancel it for you (even though all payment information is stored on PayPal's servers, not ours). If you're a one-time Donor, check your PayPal password and make sure it's not the same as your LBPCentral password. Aside from that, you'll be safe.

    For everyone else: If you'd like us to remove your information from LBPCentral's servers and delete your account, send us a PM and we'll take care of it. Keep in mind: if you ask us to delete your account, that is exactly what we will do. Your account, including posts and other information tied to it, will be gone for good. Nothing has changed, we are still offering this service - we just want you to be fully aware of what it is you're asking us to do.

    ----------

    If you have any other questions, feel free to post them here or PM them to me and I'll do my best to answer as promptly as I can. Thank you all for your patience.
    Last edited by ConfusedCartman; 01-16-2012 at 12:36 AM.
    Twitter: @michaelbuffaloe
    MSN: confusedkartman@live.com
    AIM: confusedkartman


    I'm the Community Coordinator for LittleBigPlanet Karting, so feel free to direct any Karting related questions to me :) If you need assistance with something LBPCentral-related, shoot a PM to Taffey, LBPCentral's current head honcho and overall awesome dude!
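One way a forum operator could strengthen stored password hashes of the kind described in the post above, without waiting for every user to log in: wrap each existing salted MD5 value in PBKDF2. This is an added example, not part of the original post and not vBulletin or LBPCentral code; it assumes the legacy layout is md5(md5(password) + salt), and the function names, work factor and sample rows are constructed for illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 200_000  # example work factor (assumption); tune to your hardware


def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy layout: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def wrap(legacy_hex: str, wrap_salt: bytes) -> bytes:
    """Stretch an existing legacy hash; the plaintext password is not needed."""
    return hashlib.pbkdf2_hmac("sha256", legacy_hex.encode("ascii"), wrap_salt, ROUNDS)


def migrate(rows):
    """Return upgraded rows that store the wrapped hash instead of the bare one."""
    upgraded = {}
    for user, (salt, legacy_hex) in rows.items():
        wrap_salt = os.urandom(16)
        upgraded[user] = (salt, wrap_salt, wrap(legacy_hex, wrap_salt))
    return upgraded


def verify(upgraded, user: str, password: str) -> bool:
    """Login check against the wrapped hash, compared in constant time."""
    if user not in upgraded:
        return False
    salt, wrap_salt, stored = upgraded[user]
    candidate = wrap(legacy_hash(password, salt), wrap_salt)
    return hmac.compare_digest(candidate, stored)


# Constructed sample rows: user -> (per-user salt, legacy hash)
SAMPLE_ROWS = {
    "alice": ("x9#", legacy_hash("correct horse", "x9#")),
    "bob": ("Qz!", legacy_hash("correct horse", "Qz!")),
}

if __name__ == "__main__":
    db = migrate(SAMPLE_ROWS)
    print(verify(db, "alice", "correct horse"), verify(db, "alice", "wrong"))
```

After migration the bare MD5 column can be dropped, since login only needs the original salt, the wrap salt and the wrapped value.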


  2. #2

    Geez...and I thought anonymous was the only group to worry about...

    Good to see nothing "very, very VERY" bad happened.

    Music is Awesome!

    Youtube: www.youtube.com/ResonantParadox
    SoundCloud: www.soundcloud.com/ResonantParadox
    LBP Schtuff: www.youtube.com/Ps3plAyAr67
    Twitter: www.twitter.com/ResonantParadox

    I'm mostly a musician, but someday...I'll be a Superhero...someday...

  3. #3
    JspOt

    Wow, nice hacker.


    "Imagination is more important than knowledge."-Albert Einstein
    "One touch of nature makes the whole world kin."- William Shakespeare
    Thanks to Moleynator for the Mudkip sig! And AdenRlumdan for the ShinRa sig!
    "Oh, hi. How are you holding up? Because I'm a potato."-GLaDOS
    "Space? SPAAAAACE!"-Core 1

  4. #4
    Fang

    Tbh I haven't noticed at all D:

    I'm glad everything's okay, but how was the site affected during the hacking...?


    INDIGNATION! THUNDAGA! ZIODYNE! OBJECTION! That is all.

    Fight now in our new level!

  6. #5

    I would like to thank CC and Aya for such prompt attention to this.
    Thank ya'll for handling this quickly and with minimal disturbance to the site and its members.
    Also for keeping us informed via twitter and this post.
    I think sometimes people forget you guys have real lives too.

    Published LBP2 Levels: County Fun Fair
    Published LBP1 Levels: Aquarium Adventure, Temple Of The Dragons, Shapes, The Goodies Store
    Aquarium Adventure Video (Thx Sackboy223): http://www.youtube.com/watch?v=-Bho5KKC8w4

    Life is not the way it's supposed to be. It's the way it is.
    The way we cope with it is what makes the difference.


    Get listed or just check who's in your area:
    Member-Locations


  7. #6
    xtremesackboy

    Yes, for goodness sake, you are running this place voluntarily for us. You never had to make it in the first place! Thanks so much to all founders and admins for taking great care of the site and nurturing our creativity



  8. #7

    Thanks, CC and crew.

    Although I don't necessarily agree with the method the hacker used to make his point, it does seem like we're better off now than we were before.

  10. #8

  11. #9

    Quote Originally Posted by Fishrock123 View Post
    If he was so willing to help, what did he want, anyways?
    this...what was his intent/purpose for doing all of this? doesn't make any sense the way you describe him/her as openly helping you guys fix the very security he/she compromised.

  12. #10

    Quote Originally Posted by Shadowcrazy View Post
    this...what was his intent/purpose for doing all of this? doesn't make any sense the way you describe him/her as openly helping you guys fix the very security he/she compromised.
    This kind of activity is not unheard of in the cyber world. There are hackers out there that exploit security flaws for the sole purpose of pointing them out to the sys admin.

  13. #11

    Quote Originally Posted by n00bsack View Post
    This kind of activity is not unheard of in the cyber world. There are hackers out there that exploit security flaws for the sole purpose of pointing them out to the sys admin.
    yeah but it's usually for a job or for money...in this case from what we know the hacker has received none of those...so what was the purpose?

  14. #12

    Quote Originally Posted by Shadowcrazy View Post
    yeah but it's usually for a job or for money...in this case from what we know the hacker has received none of those...so what was the purpose?
    Merely to make CC aware of the flaws in the site's security.
    Last edited by n00bsack; 01-16-2012 at 08:55 AM. Reason: posted edit as separate post

  16. #13

    Quote Originally Posted by Fishrock123 View Post
    If he was so willing to help, what did he want, anyways?
    Based on his actions, I'd say mostly he just wanted some attention.

    His secondary goal genuinely seemed to be to point out a security hole in the forum software, but the way he did it was highly invasive, almost certainly illegal, and had the side-effect of erasing the main forum index page which no doubt irritated anyone who was trying to use the forums at the time.

    Not to mention he wasted about 10 hours of my time. :/


    Quote Originally Posted by Super_Dork_42 View Post
    ...that wasn't hacking, it was cracking...
    Either term is valid, although some bigots argue otherwise.


    Quote Originally Posted by Super_Dork_42 View Post
    Was it simply that it was when CC was busy and the person was impatient or what?
    Pretty much.


    Quote Originally Posted by craigmond View Post
    He may have changed my comment. Yesterday it was "10 Wittle Gween Bars" Then today it was "Flabadab" Hrrrrrrrrmmmm?
    Quote Originally Posted by Testudini View Post
    Someone changed mine too. I swear to god it wasn't Mr. UltimateClay before.
    The upgrade of the market system reintroduced a bug I'd patched out of the old version which sometimes reset user titles. I've patched it out again, so it shouldn't happen any more.


    Quote Originally Posted by Testudini View Post
    So I guess passwords were leaked.
    FWIW, I'm fairly certain that he only accessed password hashes for administrative accounts, so if your username ain't green or blue, you're probably okay.

    Still, it's probably a good idea to change your password anyway.


  17. #14
    Sackgirlsrule
    Guest

    I'd like to say pretty much what Lady Luck said, I'd like to thank y'all as well.
    You did it so quick considering you do have your own things going on in real life. Good job!!


  18. #15
    Tyranny68

    No wonder I couldn't get on the forums for days or do half the stuff I wanted to do, I thought someone had hacked the site, sad to see that and also hope they were dealt with accordingly, though it seems you guys have no idea who it was XD

    ~Upcoming Projects~
    - Terraformer
    - Sun Lander
    - Chrono Chrysalis

    - Tyranny68

    Skype Name: MechaStorm
