How to force password change for some hacked accounts?

Harrison76
Registered User
Posts: 247
Joined: Wed Jul 12, 2017 7:25 am

How to force password change for some hacked accounts?

Post by Harrison76 »

Recently we have had some accounts of users who haven't logged in for a while, who have been hacked: it seems that someone got hold of the credentials to spam. They are 5 or 6 accounts that we currently had to ban in order not to let the spam proliferate, but instead I would like to know if it would be possible to force these 5 or 6 users to update their passwords, so that if they ever do log in again someday they could do so, instead of finding themselves banned without knowing why. How can this be done in such cases? Thank you.
Scanialady
Registered User
Posts: 421
Joined: Thu Jan 17, 2013 7:09 pm
Location: Germany
Name: Annette
Contact:

Re: How to force password change for some hacked accounts?

Post by Scanialady »

Change their passwords via ACP and change their user options to "force re-activation".
My 2 cents: Whether an extension is in the CDB says nothing about its quality. It is more important to read the support topics for it. Better to avoid authors who do not answer support questions themselves, who do not update their stuff, and who do not fix bugs for years.
warmweer
Jr. Extension Validator
Posts: 11234
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium
Contact:

Re: How to force password change for some hacked accounts?

Post by warmweer »

Harrison76 wrote: Sun Jan 22, 2023 5:47 pm Recently we have had some accounts of users who haven't logged in for a while, who have been hacked: it seems that someone got hold of the credentials to spam. They are 5 or 6 accounts that we currently had to ban in order not to let the spam proliferate, but instead I would like to know if it would be possible to force these 5 or 6 users to update their passwords, so that if they ever do log in again someday they could do so, instead of finding themselves banned without knowing why. How can this be done in such cases? Thank you.
AFAIK there is no force password change feature.
But you can change the member's password so that he will need to request a new password (by mail).
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.


Time flies like an arrow, but fruit flies like a banana.
P_I
Community Team Member
Posts: 2348
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦
Contact:

Re: How to force password change for some hacked accounts?

Post by P_I »

If an account has been hacked, how do you know that the person who has assumed control of the account hasn't changed the email address or taken control of the email account?

Any action you might take still has the potential to end up in the hands of the hacker, so nothing would change.

The only solution I can see is to ban the account with a message there is a problem with the account and they need to contact the board admin. If they do contact you, you will need to figure out a means to validate their identity.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
warmweer
Jr. Extension Validator
Posts: 11234
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium
Contact:

Re: How to force password change for some hacked accounts?

Post by warmweer »

P_I wrote: Sun Jan 22, 2023 6:43 pm ...
The only solution I can see is to ban the account with a message there is a problem with the account and they need to contact the board admin. If they do contact you, you will need to figure out a means to validate their identity.
Yeah I thought about that also, but the identity validation part is the real hurdle.
Mannix_
Registered User
Posts: 1838
Joined: Sun Oct 25, 2015 2:56 pm
Name: Matt
Contact:

Re: How to force password change for some hacked accounts?

Post by Mannix_ »

I don't think spammers/hackers will bother with validation; it will be a waste of time for them. They will just remove that username/password from their script and forget about it.
Did I help you? Consider a donation.
New version of phpBB has been released? My styles aren't validated for it yet? Check my page for the latest downloads!
Mick
Support Team Member
Posts: 26502
Joined: Fri Aug 29, 2008 9:49 am

Re: How to force password change for some hacked accounts?

Post by Mick »

Those are spammers not hackers, not the same thing. You could just change the password to something totally obscure and leave it alone. The spammer won’t be able to get back in (unless he’s got control of the email address but that’s unlikely) and if the real owner turns up he can request a password reset.
P_I wrote: Sun Jan 22, 2023 6:43 pm how do you know that the person who has assumed control of the account hasn't changed the email address
User notes?
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
bikeridr
Registered User
Posts: 92
Joined: Wed Oct 14, 2020 9:19 pm

Re: How to force password change for some hacked accounts?

Post by bikeridr »

Mick wrote: Tue Jan 24, 2023 11:37 am User notes?
How can I check "User notes"? I have one account that has clearly been hacked. I disabled the account (and deleted the hacked post), sent an email to the user, but it bounced. When checking the user account via ACP, the email looks fake. Is there a way I can see if the user (or hacker) has changed the email and thus email to a previously made email?
warmweer
Jr. Extension Validator
Posts: 11234
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium
Contact:

Re: How to force password change for some hacked accounts?

Post by warmweer »

bikeridr wrote: Tue Jan 24, 2023 1:15 pm How can I check "User notes"?
ACP > Maintenance > User logs
bikeridr
Registered User
Posts: 92
Joined: Wed Oct 14, 2020 9:19 pm

Re: How to force password change for some hacked accounts?

Post by bikeridr »

@warmweer, thank you.
djsupport
Registered User
Posts: 27
Joined: Tue Jul 25, 2006 7:56 pm
Contact:

Re: How to force password change for some hacked accounts?

Post by djsupport »

Can I ask, is the spam you're getting "best crypto pumps"?

I'm getting 10 or so accounts from varying accounts between 3 and 10+ years old, some that have contributed to the forum at some point, some that have not. All legitimate email addresses still. I get a feeling they have A. Had their password compromised somewhere or there is a security bug in phpbb.
KevC
Support Team Member
Posts: 72339
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: How to force password change for some hacked accounts?

Post by KevC »

See this topic
viewtopic.php?t=2634776

It's not just phpBB boards. It's also been seen on WordPress and vBulletin among others. They all seem to be very old accounts, so likely they use the same username/password across multiple sites and somewhere there has been a compromise that has allowed access to those accounts still residing on phpBB boards.
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
djsupport
Registered User
Posts: 27
Joined: Tue Jul 25, 2006 7:56 pm
Contact:

Re: How to force password change for some hacked accounts?

Post by djsupport »

Thanks KevC. Initially I searched a few weeks ago but this topic escaped me, cheers.
Mick
Support Team Member
Posts: 26502
Joined: Fri Aug 29, 2008 9:49 am

Re: How to force password change for some hacked accounts?

Post by Mick »

djsupport wrote: Mon Jan 30, 2023 10:40 am or there is a security bug in phpbb
No, it’s spamming.
djsupport
Registered User
Posts: 27
Joined: Tue Jul 25, 2006 7:56 pm
Contact:

Re: How to force password change for some hacked accounts?

Post by djsupport »

KevC clarified, thanks Mick good to know...
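
Added example (not part of any post in this topic and not phpBB code): the choice debated above, between randomizing the password so the owner can use password reset and keeping the ban when the email address may no longer be the owner's, applied to an export of the affected accounts and their user-log entries. The record layout, field names and sample data are constructed for illustration and are not phpBB's schema.

```python
import secrets
from datetime import datetime, timedelta

# Constructed sample data. Field names are hypothetical, not phpBB's schema.
ACCOUNTS = [
    {"user": "alice", "email": "alice@example.org",
     "last_legit": "2016-03-02", "spam_seen": "2023-01-20"},
    {"user": "bob", "email": "x9q@example.net",
     "last_legit": "2019-11-15", "spam_seen": "2023-01-21"},
    {"user": "carol", "email": "carol@example.com",
     "last_legit": "2022-12-30", "spam_seen": "2023-01-22"},
]
USER_LOG = [
    {"user": "bob", "when": "2023-01-21", "op": "email_change",
     "old": "bob@example.org", "new": "x9q@example.net"},
    {"user": "carol", "when": "2021-05-04", "op": "email_change",
     "old": "c@example.com", "new": "carol@example.com"},
]

def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")

def triage(accounts, user_log, dormant_after=timedelta(days=365)):
    """Pick a recovery action per account, following the thread's reasoning."""
    plan = {}
    for acc in accounts:
        last_legit, spam = _d(acc["last_legit"]), _d(acc["spam_seen"])
        # Email changes made after the owner's last known-good activity
        # may be the intruder's, so the current address cannot be trusted.
        changes = sorted((e for e in user_log
                          if e["user"] == acc["user"] and e["op"] == "email_change"
                          and _d(e["when"]) > last_legit),
                         key=lambda e: _d(e["when"]))
        entry = {"dormant": spam - last_legit > dormant_after}
        if changes:
            # A password-reset mail would reach the intruder: keep the ban and
            # have the owner contact the admin for identity validation.
            entry["action"] = "ban_with_contact_notice"
            entry["previous_email"] = changes[0]["old"]
        else:
            # Email untouched: lock the intruder out with a random password
            # nobody needs to know; the owner recovers via password reset.
            entry["action"] = "randomize_password"
            entry["new_password"] = secrets.token_urlsafe(32)
        plan[acc["user"]] = entry
    return plan

if __name__ == "__main__":
    for user, entry in triage(ACCOUNTS, USER_LOG).items():
        print(user, entry["action"], "dormant" if entry["dormant"] else "recent")
```

The `dormant` flag marks accounts matching the pattern described in the topic: long-idle accounts that suddenly start posting.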