The point of entry was a third-party site. Neither phpBB.com nor the phpBB software were exploited in this attack.
If you downloaded either the 3.2.2 full package or the 3.2.1 -> 3.2.2 automatic updater package between 12:02 UTC and 15:03 UTC on January 26th, you received an archive modified with a malicious payload.
During the course of our investigation, we were able to take steps that should render the malicious code completely inoperable. However, in the unlikely event that multiple versions of the packages exist or that something was missed, we are choosing to leave nothing to chance.
As the packages were live for only three hours, we believe that a very small number of users are affected. We therefore ask that you perform the following steps so that we may render personalized assistance:
- If you believe that you have a malicious package, please email it to firstname.lastname@example.org so that we can check it against the version we obtained. We will let you know whether it is affected. You may also use the SHA256 checksum found on the downloads page to verify the integrity of your copy. Do not use the potentially affected package.
- If you have already used the package to install or update a phpBB forum, please file an incident report on our tracker and we will assist with removal of the malicious code.
- The downloads currently available on the downloads page are safe. If you have any doubts whatsoever, download a fresh copy.
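The checksum step above, as an added example that is not phpBB's own tooling: a POSIX shell function that computes the SHA-256 of a downloaded archive and compares it with the value published on the downloads page. The expected digest is assumed to be a 64-character hex string, and either `sha256sum` or `shasum` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not phpBB's own tooling): verify a downloaded phpBB package
# against the SHA-256 checksum published on the downloads page.
# Usage: verify_package <archive> <expected-sha256-hex>

sha256_of() {
  # Portable digest: prefer sha256sum (coreutils), fall back to shasum (macOS/BSD).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_package() {
  archive=$1
  # Normalise the published value: lower-case hex, no stray whitespace.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
  [ -f "$archive" ] || { echo "no such file: $archive" >&2; return 2; }
  # Refuse to compare against something that is not a SHA-256 digest at all,
  # so a mangled copy of the checksum never yields a false "OK".
  case $expected in
    *[!0-9a-f]*|'') echo "expected value is not a SHA-256 hex digest" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "expected value has wrong length" >&2; return 2; }
  actual=$(sha256_of "$archive")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $archive matches the published checksum"
    return 0
  fi
  # Mismatch: the archive is not the one the project published. Do not use it.
  echo "MISMATCH: $archive" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Stand-alone use: verify_package.sh <archive> <expected-sha256-hex>
if [ "$#" -eq 2 ]; then
  verify_package "$1" "$2"
fi
```

A non-zero exit status means the file should not be installed; a mismatch is exactly the signal to send the package in for comparison as described above.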
Our investigation is ongoing and we will provide additional information as it becomes available.
The phpBB Team
You may discuss this announcement in its discussion topic.