Would a data leak contain old user emails?

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Scam Warning
MacbethRepents
Registered User
Posts: 11
Joined: Wed Aug 14, 2019 6:03 pm

Would a data leak contain old user emails?

Post by MacbethRepents » Wed Aug 14, 2019 6:17 pm

Hey, not a technical person here, just a user on a forum with a question. If a PHPBB board were to be compromised somehow, and a data leak of usernames / passwords / emails etc. happened, would that be likely to contain old user emails too, or only current ones? Any info would be much appreciated.

User avatar
3Di
Former Team Member
Posts: 14053
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: Would a data leak contain old user emails?

Post by 3Di » Wed Aug 14, 2019 6:25 pm

Only 1 email per user is stored in the USERS TABLE.
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

MacbethRepents
Registered User
Posts: 11
Joined: Wed Aug 14, 2019 6:03 pm

Re: Would a data leak contain old user emails?

Post by MacbethRepents » Wed Aug 14, 2019 6:28 pm

Oh okay, so I know old emails are stored somewhere because they still show on profiles to admin when they're changed, but a hacker would presumably have to dig deeper to expose that?

User avatar
david63
Registered User
Posts: 16401
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: Would a data leak contain old user emails?

Post by david63 » Wed Aug 14, 2019 6:52 pm

MacbethRepents wrote:
Wed Aug 14, 2019 6:28 pm
I know old emails are stored somewhere because they still show on profiles to admin when they're changed,
Please show an example as in a "normal" phpBB installation there is nowhere to store any "old" email addresses.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

MacbethRepents
Registered User
Posts: 11
Joined: Wed Aug 14, 2019 6:03 pm

Re: Would a data leak contain old user emails?

Post by MacbethRepents » Wed Aug 14, 2019 6:55 pm

Hey, sorry, I'm just an end user of a forum not a PHPBB operator. I just know that in the forum I'm talking about, Admin can see previous email changes when they view the profile of a user. Is this not a standard PHPBB feature? If it is, could it be exposed in a data leak, I guess is what I'm saying.

User avatar
david63
Registered User
Posts: 16401
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: Would a data leak contain old user emails?

Post by david63 » Wed Aug 14, 2019 7:10 pm

MacbethRepents wrote:
Wed Aug 14, 2019 6:55 pm
Is this not a standard PHPBB feature?
No
MacbethRepents wrote:
Wed Aug 14, 2019 6:55 pm
If it is, could it be exposed in a data leak
Youn would need to ask the owner of the board that question
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

MacbethRepents
Registered User
Posts: 11
Joined: Wed Aug 14, 2019 6:03 pm

Re: Would a data leak contain old user emails?

Post by MacbethRepents » Wed Aug 14, 2019 7:19 pm

Okay, thanks for the help!

User avatar
warmweer
Registered User
Posts: 2611
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Would a data leak contain old user emails?

Post by warmweer » Wed Aug 14, 2019 7:21 pm

MacbethRepents wrote:
Wed Aug 14, 2019 6:55 pm
Hey, sorry, I'm just an end user of a forum not a PHPBB operator. I just know that in the forum I'm talking about, Admin can see previous email changes when they view the profile of a user. Is this not a standard PHPBB feature? If it is, could it be exposed in a data leak, I guess is what I'm saying.
That´s probably in the users log. When a user changes the email address, it is logged. But as far as I remember, it´s not directly visible in the profile itself but only after clicking the link for the user log.
My board's not broken, it just went peculiar

MacbethRepents
Registered User
Posts: 11
Joined: Wed Aug 14, 2019 6:03 pm

Re: Would a data leak contain old user emails?

Post by MacbethRepents » Wed Aug 14, 2019 7:52 pm

warmweer wrote:
Wed Aug 14, 2019 7:21 pm
MacbethRepents wrote:
Wed Aug 14, 2019 6:55 pm
Hey, sorry, I'm just an end user of a forum not a PHPBB operator. I just know that in the forum I'm talking about, Admin can see previous email changes when they view the profile of a user. Is this not a standard PHPBB feature? If it is, could it be exposed in a data leak, I guess is what I'm saying.
That´s probably in the users log. When a user changes the email address, it is logged. But as far as I remember, it´s not directly visible in the profile itself but only after clicking the link for the user log.
Interesting. Would this be likely to be exposed in a data breach then?

User avatar
3Di
Former Team Member
Posts: 14053
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: Would a data leak contain old user emails?

Post by 3Di » Wed Aug 14, 2019 8:03 pm

Yeah, that's in the user logs and potentially can read if you own the DB.
User “tester_10” changed email
» from “tester_103di@example.com” to “new_tester_103di@example.com
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

MacbethRepents
Registered User
Posts: 11
Joined: Wed Aug 14, 2019 6:03 pm

Re: Would a data leak contain old user emails?

Post by MacbethRepents » Wed Aug 14, 2019 8:07 pm

Okay, good to know, thank you.

Edit: Well, I say that, probably bad to know if it comes up, but you know what I mean.

Edit Edit: Is there any way to erase a user log?

User avatar
warmweer
Registered User
Posts: 2611
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

AC

Post by warmweer » Wed Aug 14, 2019 8:32 pm

MacbethRepents wrote:
Wed Aug 14, 2019 8:07 pm
Edit Edit: Is there any way to erase a user log?
Yes, via the ACP, but new entries appear all the time.
What you're really asking is: Is there a way to stop logging? and the answer is YES, but that would require quite a bit of editing.
Also if there's a data breach, phpBB isn't what I would be worrying about.
My board's not broken, it just went peculiar

User avatar
KevC
Support Team Member
Support Team Member
Posts: 69294
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Would a data leak contain old user emails?

Post by KevC » Wed Aug 14, 2019 8:38 pm

What's the bigger picture here? The sort of breach you're talking about would come from an admin having a simple password. If that's not the case then you're worrying about nothing. Security of the database is down to your hosts and if they're reputable and you're paying them money to look after everything that should be fine as well.
-:|:- Support Request Template -:|:-
Image
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"

MacbethRepents
Registered User
Posts: 11
Joined: Wed Aug 14, 2019 6:03 pm

Re: Would a data leak contain old user emails?

Post by MacbethRepents » Wed Aug 14, 2019 8:39 pm

So it's a existing specific log I'd like to erase, not all logs going forward, can any admin do this in the ACP?

Would you be able to post up instructions so I could request it from an admin?

MacbethRepents
Registered User
Posts: 11
Joined: Wed Aug 14, 2019 6:03 pm

Re: Would a data leak contain old user emails?

Post by MacbethRepents » Wed Aug 14, 2019 8:41 pm

KevC wrote:
Wed Aug 14, 2019 8:38 pm
What's the bigger picture here? The sort of breach you're talking about would come from an admin having a simple password. If that's not the case then you're worrying about nothing. Security of the database is down to your hosts and if they're reputable and you're paying them money to look after everything that should be fine as well.
Oh okay, so not the kind of thing you'd reach with an exploit? Thank you.

Post Reply

Return to “phpBB Discussion”