Hello everyone,
We're glad to be back online and look forward to putting the events of the past week behind us.
First and foremost, your personal phpBB boards were not affected in any way by the compromise of our servers. If you experienced any errors, downtime, increase in spam posts, etc. during the past week, these events were unrelated. Please post in our support forums if you need any assistance.
On Sunday December 14th, we discovered that the server powering http://www.phpbb.com had been compromised. We immediately brought our entire network offline and began a thorough investigation to determine exactly what happened.
We determined that on Friday December 12th, unauthorised access to the area51.phpbb.com server was obtained using credentials that had been stolen from a staff member via an outside source. To be clear, this was not done through a vulnerability in the phpBB software.
Code was added to record plaintext usernames and passwords to a log file. We have contacted the small group of people whose credentials were captured during the short period of time that the logger was active.
We believe that the user databases of both area51.phpbb.com and http://www.phpbb.com were retrieved by the attackers. This includes your username, email address, and a PHPass hashed version of your password. While the hashing algorithm makes it very difficult to obtain your plaintext password, the application of sufficient processing power makes it possible over time, particularly if you were using a weak password.
We therefore advise all users to change your passwords on area51, phpBB.com, and on any other website where you may have been using them. Using unique passwords on all websites is a key component of good security practices.
Our server infrastructure was rebuilt from the ground up, ensuring that no malware remains. Additional components of phpBB.com will be coming online within the next few days. In due course, we plan to post a more detailed account of what was done in a blog post.
We apologise for the inconvenience this has caused and hope that you will continue to work with us to make phpBB better than ever.
Lovingly yours,
The phpBB Team
----
Please discuss this announcement in the discussion topic.