Sucks about the forums, it's never cool to get hacked. But starting fresh is sometimes the best thing to do. I wonder if it was the forum software that had an exploit in it.. have you guys thought about getting different software? I've been a fan of Invision's feel and look.. don't know how secure it is as it's been a while since I've seen it. The other downside is you have to pay for it. =/ Anyhow, glad you guys are back up =)
I am so glad too, outside of the forums, I have no way to contact other xen members and it was driving me crazy. I am so happy it is back up, and I am totally in love with Jeb right now.
I looked at Invision and while it had some nice features I hated the admin stuff... besides it's a paid forum like VB which we already paid for so it didn't make much sense to move to that unless it had something to offer we really wanted. I told dash I'd buy it if we wanted to switch though... I am not sure how they got in, it looks like it was subdreamer at first, but it could have been vb since we were a few updates behind... I found a lot of the holes they created but I couldn't be sure I hadn't missed some, so this was the safest way...
I don't like that I have to change all my passwords. What kind of bored-fuck would hack a game forum, anyway?
I think you should be fine, Vanguard. I use pretty much the same password for everything except maybe a couple games or other forums and I haven't run into anything.
So do I, which is exactly what makes it dangerous if some asshole has a list of our passwords somewhere.
Meh, I have nothing really to lose. A 16 DT on AoC, and a 55 commander on CoD. Both I can get back in a couple days.
Probably someone with something against XoO. As for my password, everything I care about already has a different password. And of the things I don't care about, I can only see the hacker finding my Yahoo account from here. But I doubt they want it.
I would just change your passwords as you log in... but anything like game accounts or banks or email I would change asap. It might not be an issue, but some of the scripts did appear to be able to download the database. It's possible they didn't get to that, but the ability was there. I am no longer going to set any forum passwords to those that I also use for emails or online games or anything like that.
Aren't the passwords encrypted anyway though? I helped run a few forums and not even database admins could see the passwords. I'm sure it's still possible (and in people's best interest to change their passwords), I mean if someone wants them they WILL get them, it's just a matter of time.. but for some reason I would doubt they would waste the time as I would think it would take hours/days/weeks per password to crack. Unless they believe someone would use the same account name/password for a game? That there might be sufficient reason to spend the time to hack passwords.
I don't believe the XoO forum passwords were encrypted. I recall the admins changing a banned member's password or something once or twice.
I've run a forum before and you can't see them but you can give them a new password. And the main reason someone would attack a gaming forum is for game passwords or they don't like us for some reason.
the passwords ARE encrypted. and no the admin CANNOT read them even directly from the database. HOWEVER, the admin CAN assign a new one he knows then tell it to the user.
also, it is UNLIKELY, although not impossible, that the entry was made through vb. the running version was 3.6.4 and had all the patches for html and sql injections already in it. the versions after that addressed XSS flaw (3.6.8 pl1), CSRF flaw (3.6.10) and additional features, like support for Safari 3.0 on Windows (not security related fixes). both flaws would require an admin to go to a third party site and do something like submit a form webpage to start a hack. i doubt that happened. based on the notices i get from vb, those are the only 2 security patches issued after the version we were running. however, there WAS a known security issue with the Groups Communce plugin. i doubt it has ever been fixed adequately, even though we updated it to the "fixed" version last October. whenever you add plugins to a system there is always a possibility of adding bad code.