We're glad to be back online and look forward to putting the events of the past week behind us.
First and foremost, your personal phpBB boards were not affected in any way by the compromise of our servers. If you experienced any errors, downtime, increase in spam posts, etc. during the past week, these events were unrelated. Please post in our support forums if you need any assistance.
On Sunday December 14th, we discovered that the server powering http://www.phpbb.com had been compromised. We immediately brought our entire network offline and began a thorough investigation to determine exactly what happened.
We determined that on Friday December 12th, unauthorised access to the area51.phpbb.com server was obtained using credentials that had been stolen from a staff member via an outside source. To be clear, this was not done through a vulnerability in the phpBB software.
Code was added to record plaintext usernames and passwords to a log file. We have contacted the small group of people whose credentials were captured during the short period of time that the logger was active.
We believe that the user databases of both area51.phpbb.com and http://www.phpbb.com were retrieved by the attackers. This includes your username, email address, and a PHPass hashed version of your password. While the hashing algorithm makes it very difficult to obtain your plaintext password, the application of sufficient processing power makes it possible over time, particularly if you were using a weak password. We therefore advise all users to change your passwords on area51, phpBB.com, and on any other website where you may have been using them. Using unique passwords on all websites is a key component of good security practices.
Our server infrastructure was rebuilt from the ground up, ensuring that no malware remains. Additional components of phpBB.com will be coming online within the next few days. In due course, we plan to post a more detailed account of what was done in a blog
We apologise for the inconvenience this has caused and hope that you will continue to work with us to make phpBB better than ever.
The phpBB Team
Please discuss this announcement in the discussion topic