README: Change your password.
Posted: 23 Feb 2012, 17:49
So, as mentioned here, the site was hacked a few days ago.
As far as we've seen, the hack was automated and based on a WordPress PHP vulnerability. The hack injected some code into each PHP file on this site. The injected code attempted to cause your browsers to download a fake antivirus. I've personally pored over logs and our databases for signs of tampering and seen nothing since our repairs. Also, I've asked some people with deep knowledge of the topic to take a look, and they've seen nothing further.
We've been working hard to restore security. Part of running a secure site is full disclosure - this post. As far as we know, the database containing user information was not downloaded, although the hacking software could certainly have accessed our database. Further, we do not store your passwords in the clear; rather, they are MD5 hashed. So if the attacker downloaded all the passwords, they would still have to get through the hashes to see your passwords. And frankly, for a measly phpBB site, the value of your accounts simply doesn't justify that kind of work.
That said, in the interest of security going forward, this is a good time to change your password. It's easy to do. Please do so. Thanks.