I've used phpBB for a while, and want to thank the developers for their dedication and the high quality of their work. I know there is that "Thank you, thank you, thank you!" topic, but I figure it may not hurt to mention this when I think of it.
I narrowly missed downloading this malicious file, so I hope all the loopholes are fixed. The update notice caught my attention, which reads:
phpBB.com has never utilized the Cloudflare API and does not have the API key stored on our servers. Cloudflare thoroughly investigated the issue and is confident that security around their API key system has not been compromised.
I feel it is natural to think:
Since there is no widespread report of people's Cloudflare APIs being misused, it's most likely that phpBB.com's Cloudflare API key was stolen.
Then did you check who has ever had the chance to possess that key or the password (since it can be used to generate a key)? Are their computers safe? I.e., are they updated with system patches and antivirus definitions, and most importantly, not hacked? Do some of them need to re-image their computers?
Since people do not really put their API keys on the server, I thought the notice above might be more reassuring if it said something like:
All computers that have ever possessed phpBB.com's Cloudflare API key or password are now confirmed to be safe.
This is because sound security is layered. If we solely rely on the additional security measures provided by Cloudflare yet keep a hacked laptop with that key, then the hacker only needs to break that new layer to repeat their attack.
What do you think? I know this post is moderated; you do not have to publish this post if you don't feel like it, but I hope you will at least circulate it among the relevant phpBB developers and take the necessary steps.
Again, thanks for your hard work!