
Lessons to be learned from XKCD forums being hacked

Posted: Wed Sep 04, 2019 1:32 pm
by P_I
Making the news is XKCD Forum Hacked – Over 562,000 Users’ Account Details Leaked.
As mentioned, XKCD uses phpBB, a free and open-source forum and bulletin board software built in the PHP programming software.

However, at this moment it's unclear if XKCD was using an older version of the forum software vulnerable to a security flaw or the attackers exploited any previously undiscovered flaw in phpBB to extract the data unauthorisedly.

Besides this, even if XKCD was running over phpBB version 3.1 and later, which uses the more secure BCRYPT hashing algorithm, it's possible that the passwords for early users of the XKCD forum were encrypted via the older, less secure MD5 hashing method.
I recognize it is probably still early in the investigation of what happened and why.

However, other than the standard recommendations to make sure that boards are keeping up-to-date on software releases, are there any other lessons that can be learned from this news?

Added: I wonder how many XKCD users are using 'correctbatterystaplehorse' as their password?
Source: (image)

Re: Lessons to be learned from XKCD forums being hacked

Posted: Wed Sep 04, 2019 1:56 pm
by david63
What I don't like in these cases is the sensationalism "forums being hacked".

We have no knowledge as to what has happened in this case but my guess would be that someone, somehow has gained access to the server via a "backdoor" and accessed the database that way rather than via the software.

Re: Lessons to be learned from XKCD forums being hacked

Posted: Wed Sep 04, 2019 2:01 pm
by P_I
david63 wrote:
Wed Sep 04, 2019 1:56 pm
What I don't like in these cases is the sensationalism "forums being hacked".

We have no knowledge as to what has happened in this case but my guess would be that someone, somehow has gained access to the server via a "backdoor" and accessed the database that way rather than via the software.
That would be my original uneducated guess as well, as there are many ways to “breach” security in software systems.

Even if the breach came via a backdoor, how can/should a phpBB administrator make sure that any data gathered is not easily readable or useable?

Re: Lessons to be learned from XKCD forums being hacked

Posted: Wed Sep 04, 2019 2:06 pm
by david63
P_I wrote:
Wed Sep 04, 2019 2:01 pm
How can/should a phpBB administrator make sure that any data gathered is not easily readable or useable?
Lock the backdoor - that is why you need a good sysadmin

Re: Lessons to be learned from XKCD forums being hacked

Posted: Wed Sep 04, 2019 3:45 pm
by John connor
Shodan knows all. https://www.shodan.io/host/104.196.146.194

They could start by reading my advice on at least using Ninjafirewall and how to stay hidden behind CloudFlare. For a free CloudFlare account you can't beat it.

Certainly can't find my origin IP no matter how hard you try. I know all the tricks. I don't even use remote uploaded avatars or Gravatars and there is no MX record pointing to my server IP. They pay me 500 bones and I'll secure their butt.

Re: Lessons to be learned from XKCD forums being hacked

Posted: Wed Sep 04, 2019 3:49 pm
by John connor
Something else one needs to do is go here and enter ALL of your email addresses. That way if a database gets leaked you'll know about it.

Re: Lessons to be learned from XKCD forums being hacked

Posted: Wed Sep 04, 2019 3:52 pm
by John connor
P_I wrote:
Wed Sep 04, 2019 1:32 pm

Added: I wonder how many XKCD users are using 'correctbatterystaplehorse' as their password?
Source: (image)

Keepass shows that first password as 63 bits. But I guess that's Keepass' own algorithm.

Good passwords come from easy to remember song lyrics. Like, It'samansmansWorld3321@#&

Of course don't use that now because it will now be added to a wordlist. :lol:

All of my computers are encrypted and the password is well over 30 characters and committed to memory. :lol:

Re: Lessons to be learned from XKCD forums being hacked

Posted: Wed Sep 04, 2019 9:22 pm
by Marshalrusty
We've been in communication with them since the date of the incident and have offered our assistance. There is no evidence that the phpBB software was compromised. As they were running a version earlier than phpBB 3.1.11, old hashes were not updated with bcrypt for accounts where users had not logged in since their update to phpBB 3.1 from the version previously installed. More recent versions of phpBB re-hash all old hashes during the update.

I won't say any more here until they've had a chance to complete their investigation and post a statement.

Re: Lessons to be learned from XKCD forums being hacked

Posted: Thu Sep 05, 2019 12:05 am
by Lady_G
John connor wrote:
Wed Sep 04, 2019 3:45 pm
Shodan knows all. https://www.shodan.io/host/104.196.146.194

They could start by reading my advice on at least using Ninjafirewall and how to stay hidden behind CloudFlare. For a free CloudFlare account you can't beat it.

Certainly can't find my origin IP no matter how hard you try. I know all the tricks. I don't even use remote uploaded avatars or Gravatars and there is no MX record pointing to my server IP. They pay me 500 bones and I'll secure their butt.
Good suggestion. Readers of this topic should use this opportunity to check their own board with Shodan.
Marshalrusty wrote:
Wed Sep 04, 2019 9:22 pm
More recent versions of phpBB re-hash all old hashes during the update.
That's good to know, thanks.

Update: Post edited to revise comments regarding Shodan. See below.

Re: Lessons to be learned from XKCD forums being hacked

Posted: Thu Sep 05, 2019 2:53 am
by P_I
Marshalrusty wrote:
Wed Sep 04, 2019 9:22 pm
We've been in communication with them since the date of the incident and have offered our assistance. There is no evidence that the phpBB software was compromised. As they were running a version earlier than phpBB 3.1.11, old hashes were not updated with bcrypt for accounts where users had not logged in since their update to phpBB 3.1 from the version previously installed. More recent versions of phpBB re-hash all old hashes during the update.

I won't say any more here until they've had a chance to complete their investigation and post a statement.
Thanks for the information. From my perspective it is helpful to know about the password hashes being updated if a board is running the current phpBB version.

Re: Lessons to be learned from XKCD forums being hacked

Posted: Thu Sep 05, 2019 3:00 am
by 3Di
P_I wrote:
Thu Sep 05, 2019 2:53 am
From my perspective it is helpful to know about the password hashes being updated if a board is running the current phpBB version.
That's done via its cron-job, which is enabled starting from 3.1.11.
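Marshalrusty's post above describes old hashes being replaced with bcrypt when a user logs in again, and 3Di adds that from 3.1.11 a cron job also deals with the hashes of accounts that never log in. The PHP below is an added illustration written for this thread, not phpBB's own code, of both patterns in simplified form. The `legacy-md5$` / `wrapped-md5$` prefixes, the in-memory user array, the sample passwords and the bcrypt cost of 12 are assumptions made for the example. The offline step shown here (wrapping the existing MD5 digest inside bcrypt, so a leaked table no longer contains anything that can be attacked at MD5 speed) is one general technique for the no-login case and is not a description of phpBB's exact implementation. It needs PHP 8 for `str_starts_with`.

```php
<?php
// Added example for this thread, not phpBB code. Shows how a board can stop
// holding bare legacy MD5 password hashes:
//  1. rehashOnLogin(): when the user logs in and the stored value is not native
//     bcrypt (or its cost is outdated), verify it and replace it with a fresh
//     bcrypt hash of the plaintext. Only possible at login, when the plaintext is known.
//  2. wrapLegacyHash(): for accounts that never log in, wrap the stored MD5 digest
//     inside bcrypt offline (a cron-style pass) so a leaked database exposes no bare MD5.
// The prefixes, the in-memory $users array and the cost value are assumptions.

const LEGACY_PREFIX  = 'legacy-md5$';   // assumed marker for a bare MD5 hash
const WRAPPED_PREFIX = 'wrapped-md5$';  // assumed marker for bcrypt(md5(password))
const BCRYPT_COST    = 12;              // assumed target cost

/** Constructed sample user table: one bare-MD5 account, one bcrypt account. */
function sampleUsers(): array {
    return [
        'alice' => LEGACY_PREFIX . md5('correct horse battery staple'),
        'bob'   => password_hash('a-constructed-sample-passphrase', PASSWORD_BCRYPT),
    ];
}

function isLegacy(string $stored): bool {
    return str_starts_with($stored, LEGACY_PREFIX);
}

function isWrapped(string $stored): bool {
    return str_starts_with($stored, WRAPPED_PREFIX);
}

/** Offline migration step: wrap a bare MD5 digest in bcrypt without needing the password. */
function wrapLegacyHash(string $stored): string {
    if (!isLegacy($stored)) {
        return $stored; // already wrapped or native bcrypt; nothing to do
    }
    $md5 = substr($stored, strlen(LEGACY_PREFIX));
    return WRAPPED_PREFIX . password_hash($md5, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/** Verify a password against any of the three stored forms. */
function verifyPassword(string $password, string $stored): bool {
    if (isLegacy($stored)) {
        // constant-time comparison of the two hex digests
        return hash_equals(substr($stored, strlen(LEGACY_PREFIX)), md5($password));
    }
    if (isWrapped($stored)) {
        // the secret inside the bcrypt wrapper is the MD5 digest of the password
        return password_verify(md5($password), substr($stored, strlen(WRAPPED_PREFIX)));
    }
    return password_verify($password, $stored);
}

/**
 * Login path. On success returns the hash that should now be stored: a fresh
 * native bcrypt hash if the old one was legacy, wrapped, or below the target cost.
 * Returns null when the password is wrong.
 */
function rehashOnLogin(string $password, string $stored): ?string {
    if (!verifyPassword($password, $stored)) {
        return null;
    }
    $needsUpgrade = isLegacy($stored) || isWrapped($stored)
        || password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return $needsUpgrade
        ? password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
        : $stored;
}

/** Admin audit: how many accounts still hold a bare legacy hash. */
function countBareLegacy(array $users): int {
    return count(array_filter($users, 'isLegacy'));
}

// Demo run
$users = sampleUsers();
echo "Bare MD5 hashes before migration: " . countBareLegacy($users) . PHP_EOL; // 1

// Cron-style offline pass over every account
foreach ($users as $name => $hash) {
    $users[$name] = wrapLegacyHash($hash);
}
echo "Bare MD5 hashes after wrapping: " . countBareLegacy($users) . PHP_EOL;   // 0

// alice logs in: her wrapped hash becomes a native bcrypt hash of the plaintext
$new = rehashOnLogin('correct horse battery staple', $users['alice']);
echo "alice upgraded to native bcrypt: "
    . var_export($new !== null && password_get_info($new)['algoName'] === 'bcrypt', true)
    . PHP_EOL; // true

// a wrong password must not trigger an upgrade
echo "wrong password rejected: " . var_export(rehashOnLogin('nope', $users['alice']) === null, true) . PHP_EOL;
```

Save it as a file and run it with the `php` CLI. The design point for an administrator is the audit function: as long as `countBareLegacy` is non-zero, the table still contains digests that can be cracked at MD5 speed if it leaks, which is exactly the situation the reported breach exposed for accounts that had not logged in since the 3.1 upgrade. Only the login path can produce a native bcrypt hash, because only then is the plaintext available; the offline wrapping closes the gap for everyone else.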

Re: Lessons to be learned from XKCD forums being hacked

Posted: Fri Sep 06, 2019 12:17 am
by John connor
Lady_G wrote:
Thu Sep 05, 2019 12:05 am
Use this opportunity to check your own board with Shodan.
You honestly think I didn't? I have an account at Shodan and use it all the time. I've even emailed websites about their CVEs. Some listen others don't.

Re: Lessons to be learned from XKCD forums being hacked

Posted: Fri Sep 06, 2019 12:59 am
by Lady_G
Sorry, that was a misunderstanding. My comment was intended for readers of this topic to check their own boards. I have revised my post.

Re: Lessons to be learned from XKCD forums being hacked

Posted: Wed Oct 23, 2019 8:29 pm
by Freitag
Marshalrusty wrote:
Wed Sep 04, 2019 9:22 pm
I won't say any more here until they've had a chance to complete their investigation and post a statement.
Has there been any more information forthcoming since then?

Re: Lessons to be learned from XKCD forums being hacked

Posted: Wed Oct 23, 2019 8:53 pm
by Lumpy Burgertushie
Apparently not. That most likely means that it had nothing at all to do with phpBB.

Therefore, we don't need to worry about it.

robert