
Android Forums Security Breach – Change Your Passwords, Penetration Tester Wanted

It seems like online security breaches are, unfortunately, just a sign of our times. Whether you’re Yahoo or Formspring — of which 450,000 passwords were recently exposed — online attacks are becoming ever more prevalent. It’s with that in mind that I regret to inform you that our own dedicated forums site, Android Forums, was recently the target of such an attack, in which passwords may have been compromised.

There’s a lot of information here, and we want to make sure you guys know that our best men are on top of it, and that your security and trust are our top priority. I’ll let our Android Forums Community Manager “Phases” take it from here. He’s got all the deets, but first — make a short trip on over to Android Forums and change your password. We are also looking for a penetration tester who can help us with an audit. If you fit the bill, drop us an email at security@androidforums.com; our pubkey can be found here: Android Forums PGP Key

Done? Cool. You may continue…

I have some unfortunate news to pass along. Yesterday I was informed by our server/developer team that the server hosting androidforums.com was compromised and the website’s database was accessed. While the breach is most likely harmless, there are important potential pitfalls, and we want to provide as much helpful information to our users as possible (without getting too technical).

The trust of our users is extremely important and several staff members worked through the afternoon, evening, night, and morning to ensure we’re doing everything possible to regain complete security.

Here are the facts:

- The exploit used has been identified and resolved. The server has been further hardened and extra “just in case” actions have been taken, and will continue to be taken.

- All code that resides in the database and the file system has been thoroughly reviewed for malicious edits and uploads.

- No other sites in our network appear to have been accessed (we’re triple checking).

- The user table of AndroidForums’ database was (at a minimum) accessed. While we can’t prove or disprove whether or not the data was downloaded (due to the way the data was transferred), it’s completely possible, and we’ve taken action assuming this is the case.

- Information in the user database includes: unique IDs, usernames, emails, hashed (encoded) and salted passwords, registration IP addresses, usergroup memberships, infraction levels, last time online, last post date, post count… as well as far less critical things like number of PMs, visitor messages, last online dates, and some vBulletin options set in your UserCP.

- Immediately following the incident, all ~100 staff were notified of a pending password change – and all passwords were changed to random strings. Almost all are back in with new passwords. Because gaining access to a staff member account could pose the biggest threat, we first moved to secure these accounts.

What Probably Happened

This was, in our current opinion, most likely an e-mail harvesting attempt. A spammer could theoretically attempt to bulk e-mail all AF users with the user database. Luckily, Gmail and similar e-mail services offer a “spam” button that helps them to collectively identify and automatically filter potential spam.

It’s also absolutely possible that nothing of consequence happened. There is some chance they did not get enough of the database to matter, did this for fun to see if they could, or will not move forward with any plans after finding out we’re actively investigating. This is a serious offense and you can bet we are doing just that.

What Could Happen?

We take matters like these incredibly seriously and want to make sure you’re warned of ALL the possibilities, regardless of how slim the chances. You can never be too safe, so we’re asking you to consider the possibilities and protect accordingly.

- This could be someone who is upset with us who hopes to use the information against staff

- With username, email, and IP information, a skilled hacker could pretend to be other users.

- They could blackmail us and threaten to publish the information publicly.

- Knowing your IP, one can get a general idea of where you are located in the world, though most of your IPs are dynamic and will change before too long anyway.

- With a username and hashed password one could open a session with accounts on other sites that use the same credentials – if they gain file level access to that site first. These were salted passwords which adds to the complexity, but nonetheless we recommend playing it safe.

What should you do?

Although we’re confident the threat is neutralized, it is still highly recommended that you change your password here and on other sites where you use the same username/password. This can be done while logged in through your UserCP, or using the “forgot your password?” page if logged out. You can also contact me via PM or Contact Form and we will help you if you need.

No website wants to make an announcement like this. I assure you we, as the Neverstill Team, could not apologize profusely enough. Websites come under attack all the time – and sometimes the bad guys make it in. Unfortunately for us, yesterday was our time. We have been attacked before but never breached, and please know we are going to continue to do everything in our power to ensure it doesn’t happen again.

If you have any questions please let us know – we will do our best to answer them. I will leave this thread open for discussion as long as it remains productive.

-Phases, Rob, and the Neverstill Team

UPDATE: I forgot to mention. If you are using any Android applications (Tapatalk, Phandroid App) to access the forum they will not register the password change and may flood your email with “someone has tried to access your account” emails. Unfortunately the only advice I have for that is to uninstall/re-install the app, if you cannot change your password from within.


  • TVictory

    I will be watching this thread for comments to address any questions.

    ~Vic

    Lead Web Developer
    Neverstill Media

    • zim2704

      It says to uninstall any apps that would use the password and could cause a flood of emails stating a wrong password was used. I have done so and still am getting emails every 15-30 minutes about somebody trying to access my account. Any way to relieve this? Or do I just need to delete my account?

  • KeIIer

    How did this get posted on theverge nearly 3 hours before you guys posted it?

    • Steve Albright (http://stevealbright.com)

      It was posted on Android Forums yesterday.

      • KeIIer

        Ah ok I never check android forums.

      • root4life

        I understand posting on the forums first, as the members of it were affected, not the readers of the site, but still. Reading this, however, does give me more peace of mind since I was unaware of this. Thank you Phandroid for looking out.

        • Steve Albright (http://stevealbright.com)

          It’s a big subject to post about… it takes longer to make sure all the facts are right and provide the information you deserve to know… other sites have it easy to post this information when they are just saying it happened and it’s not their site. Keep in mind… the passwords are salted, then hashed so the file is useless but we still respect the situation the way it should be respected.

          • root4life

            “other sites have it easy to post this information when they are just saying it happened and it’s not their site” I couldn’t agree more, and hey, at least you all did post something, because I couldn’t find anything on Yahoo about their site getting hacked. So in retrospect I was a lil fast to be so harsh in my post. Appreciate your responses.

  • Biohaz7331

    Wow it’s too bad that stuff like this happens. I understand wanting to see what you can do but it is not fair to thousands of users on the web.

  • veccster

    I just want to say that it is pretty awesome that you guys are very on top of this matter. It happens to the best companies (and governments) out there but most try to keep it quiet. I respect you for that.
    Keep up the good work!

    • TVictory

      thanks!

  • root4life

    My only concern is that I read about this at about 5 or 6 o’clock on another site and you’re just now posting about it on your own. I’m a member and a big fan of Phandroid, but you all should have posted this sooner, just my opinion.

    • Steve Albright (http://stevealbright.com)

      This was posted yesterday on AndroidForums.com.

      • root4life

        Yeah, I just read your other comment about that. Thank you and everyone.

  • Robert Manser

    Thank you for being honest with us:-) :-) :-) This is why I like this site, app, forum, and everyone involved in it and will turn my ad support on because if it really helps phandroid keep running then its worth it to me….

  • Dvrcowboy

    Penetration tester heh heh heh

    • Alexander Ramirez

      “Let’s test this one out. *grunt….. GRUNT……* Yup, the security on this one is pretty tight.”

  • apple fascist

    Weren’t you guys making fun of sony back in the day? Lol

    • CiDhed

      The difference was that Sony handled their incident horribly.

      These things happen and this is the correct type of response and action.

  • wickets

    thanks for the update

  • Perplexicles

    bummer

  • DannyB2

    Changing password is a very good idea.

    Too bad there is no obvious way to actually do so. So I guess I can’t change it.

    Oh, and while I’m ranting . . . the reason (other than today) that I don’t post here, or even read any comments here is because of how Disqust doesn’t seem to work on FireFox for me anymore and hasn’t for several months.

    • DannyB2

      After some digging I found a direct link to my control panel to reset the password.

  • ouch1976

    No worries guys, though it might be a good idea to send a PM to every user on AF. I saw the banner yesterday but thought it was an advertisement. So a PM would be a direct notice to all users. I don’t know if it’s possible, but it seems like a good idea to me. Otherwise, keep up the good work and thanks for the heads up!

  • outkastz

    For the record, salted MD5 isn’t too difficult to “crack” given that the password can be found in a password list type dictionary.

    Assuming they were good enough to “hack” in to the db, I’d assume they are just as capable of reversing the hash. Sooo many tools to do this these days.

  • zim2704

    Just got a email stating somebody tried to get into my account and failed. Lucky I changed my password as soon as I saw this post.

  • bwinger79

    Not to be a dick, but if your “best men” were on top of it, you wouldn’t have been compromised by a known exploit in the first place… right??

  • No_Nickname90

    Oh my gosh!! They’re going to get my password that I use on blog websites. If ppL want it, you can have it. LoL!! I mean, that’s my simple password. I don’t care if you have it. I’m smart enough to separate my passwords across different websites.

    But thanks for the insight anyway.