
Forum Security Alert: Important Information for All Forum Users



  • Staff

This is a copy of the recent announcement made by Ash. This thread is unlocked so you can ask about this incident.

To all our forum members,

Unfortunately we have become aware that personal data relating to users of these forums may have been accessed from outside the company following a cyber attack on 6 April 2023. It appears that an administrator’s account was compromised, allowing access to our forum members list.

What data was accessed?

The data which may have been accessed is what is on your public forum profile (e.g. username, post count, reputation, joining date, etc.), but additionally includes your Email Address and Last Used IP Address which would ordinarily be private. Thankfully we can be sure it would not have been possible to access your forum account password so that has definitely not been compromised in this breach.

What information is available on your public profile depends on what you have previously given. You can view your profile by logging in to your account and clicking on your avatar in the top right-hand side.

Please be reassured that any information accessed does not include any financial data, purchase history, physical addresses, phone numbers or anything else held within your main Affinity account / AffinityID. The forum is a standalone system which is completely separate from your Affinity account.

We cannot tell what proportion of our forum members’ email addresses were accessed so we are making all members aware as a precaution.

We have reported this incident to the UK Information Commissioner’s Office (ICO) as well as taken immediate steps to make the forum system more secure to avoid this type of attack in future. 

What should you do?

We do not think you need to do anything, other than be mindful that this happened and to follow general advice around email and online account security.

One thing to be particularly diligent with is possible email “phishing” attempts. This will be when someone contacts you pretending to be us, requesting you change your password or give other account information to them. If you are concerned about any email being legitimate, don’t click any links in the email. If you wish to update any of your forum account details type forum.affinity.serif.com into your browser and log into your account from there to be sure.

Generally, if you do receive any suspicious email which you think could have originated via this breach (for example if an email you receive addresses you by your forum username) please let us know.

If you wish to make any such reports or have any further questions, then please contact us at dataprotection@serif.com. Full details of Serif’s Privacy Policy are available on our website https://affinity.serif.com/privacy/.

As well as this forum announcement we are notifying all forum members about this via email.

Customer data security is something we take extremely seriously and, while cyber attacks are an unfortunate reality of doing business today, we are incredibly sorry that your data may have been accessed in this way.

Sincerely,

Ashley Hewson (Managing Director) & Patrick Connor (Data Protection Officer)

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


  • Staff

Please be aware, if you want to add extra security to your forum account, that you can (optionally) turn on 2 factor authentication on your account. The option is in your account settings.

https://forum.affinity.serif.com/index.php?/settings/

The 2FA option is separate from the password. Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu.

You will then need to confirm the changes are being made by you using an authenticator application (this is also provided by many password managers). 

Patrick Connor
Serif Europe Ltd


  • Staff
22 minutes ago, N.P.M. said:

Perhaps make this a sticky warning bar on top of the fora like you did with the delay in replies after the release of version 2.

Yes, I think that would help, and have done that now. We felt we have to email everyone anyway as not many are browsing the forums regularly.

Patrick Connor
Serif Europe Ltd


  • Staff
5 minutes ago, N.P.M. said:

When the used mail address is also the one used for the login for the store or the program registration is this going to be an issue that people should be aware of?

I cannot see how it would be. As passwords were not taken I am not sure how this is an issue more than watching out for emails from suspicious sources.

Patrick Connor
Serif Europe Ltd


  • Staff
23 minutes ago, - S - said:

Perhaps it would be better not to store IP addresses or location data in the first place? Especially not for months like in the below page.

https://forum.affinity.serif.com/index.php?/settings/devices/

Found it, the (default) setting is currently 365 days before it will prune device history and IP address history. I will decide what is better, but it won't be too short as we use the IP address history to keep spamming to a minimum.

Patrick Connor
Serif Europe Ltd


4 hours ago, Patrick Connor said:

... Thankfully we can be sure it would not have been possible to access your forum account password so that has definitely not been compromised in this breach.

Well if they got administration rights and thus could probably have had access rights to query the whole DB, then they could not only have got IDs, IP & Email addresses, but also full user forum reg data. - Further, if people (forum users) also used the same account data here in the Forum as for the Store, then the damage is even greater, especially if paying methods and bank card transfer data etc. have been stored together there in the Store DB for products bought by users!

☛ Affinity Designer 1.10.8 ◆ Affinity Photo 1.10.8 ◆ Affinity Publisher 1.10.8 ◆ OSX El Capitan
☛ Affinity V2.3 apps ◆ MacOS Sonoma 14.2 ◆ iPad OS 17.2


  • Staff
19 minutes ago, v_kyr said:

Well if they got administration rights and thus could probably have had access rights to query the whole DB, then they could not only have got IDs, IP & Email addresses, but also full user forum reg data. - Further, if people (forum users) also used the same account data here in the Forum as for the Store, then the damage is even greater, especially if paying methods and bank card transfer data etc. have been stored together there in the Store DB for products bought by users!

Technically perhaps they could access the database, but the admin logs and other security logs are very clear and show us that was not done, NO passwords were compromised. Furthermore, even if they had accessed the DB (and they did not) all passwords are hashed (not stored in plain text) so useless to a hacker.

Patrick Connor
Serif Europe Ltd


  • Staff
Just now, LondonSquirrel said:

did they get the password hashes?

No.

Patrick Connor
Serif Europe Ltd


Just now, Patrick Connor said:

Technically perhaps, but the admin logs and other security logs show us that was not done. No passwords were compromised

Let's hope so! - Maybe you should also compare the Affinity Store user account data with the forum user account data and, for those who match, inform people to change their account data accordingly for security reasons.


  • Staff
4 minutes ago, JosueVivas said:

Are the files we uploaded compromised?

No, this below is the full extent of the information lost.

5 hours ago, Patrick Connor said:

The data which may have been accessed is what is on your public forum profile (e.g. username, post count, reputation, joining date, etc.), but additionally includes your Email Address and Last Used IP Address which would ordinarily be private.

However, anyone can download the files in your public posts by visiting those posts. Files in your private messages are private and were not accessed.

Patrick Connor
Serif Europe Ltd


1 hour ago, Patrick Connor said:

... all passwords are hashed (not stored in plain text) so useless to a hacker

Well it depends on how access to the DB is overall set up for admin & user logins, as one could, if it's modeled that way, also access the DB via a pwd hash if that does match against a pwd hash in the database. Same as if, say, a plain text pwd had been caught: that can always also be bcrypted and checked/verified against the hashes stored in the DB, in order to find the user dataset/record it matches.


  • Staff
3 minutes ago, v_kyr said:

Well it depends on ......

Please stop worrying our users with semantics. That data was not accessed in this case and so the ins and outs of your comments are not up for discussion here.

Patrick Connor
Serif Europe Ltd


OK, let's hope your Store DB and Admin access accounts there are now continuously monitored too in these unfortunately rampant times of cyber attacks.


  • Staff
11 minutes ago, DrainBead said:

Are you planning on adding Smartcard / YubiKey support? 

Sorry, these are off-the-shelf forums and those are not an option, but I will monitor the future updates for improvements in this area.

Patrick Connor
Serif Europe Ltd


7 hours ago, Patrick Connor said:

Please be aware, if you want to add extra security to your forum account, that you can (optionally) turn on 2 factor authentication on your account.  

Could you add 2fa to the store, please? This would be more important to many customers, I guess.

Greetings from Germany

Micha

Please excuse my bad English. I learned it at school over thirty years ago. If you don't use it (regularly), you'll lose it.

Windows 10 & iPadOS: Affinity Suite (v1 and v2), all Workbooks (v1, german language), some content-packages


  • Staff
47 minutes ago, MichaDE said:

Could you add 2fa to the store, please?

I will bring it up with the web team. Having it available as an option for you to turn on for your account sounds sensible to me. We would have to decide how to handle this when signing in from within the software too.

Patrick Connor
Serif Europe Ltd


10 minutes ago, Patrick Connor said:

We would have to decide how to handle this when signing in from within the software too.

Or, perhaps, whether it should apply at all when signing in from the software?

More broadly, what do we expect 2FA to protect? Can you do anything harmful to the Store account from within the Affinity applications?

-- Walt
Designer, Photo, and Publisher V1 and V2 at latest retail and beta releases
PC:
    Desktop:  Windows 11 Pro, version 23H2, 64GB memory, AMD Ryzen 9 5900 12-Core @ 3.00 GHz, NVIDIA GeForce RTX 3090 

    Laptop:  Windows 11 Pro, version 23H2, 32GB memory, Intel Core i7-10750H @ 2.60GHz, Intel UHD Graphics Comet Lake GT2 and NVIDIA GeForce RTX 3070 Laptop GPU.
iPad:  iPad Pro M1, 12.9": iPadOS 17.4.1, Apple Pencil 2, Magic Keyboard 
Mac:  2023 M2 MacBook Air 15", 16GB memory, macOS Sonoma 14.4.1


  • Staff
Just now, walt.farrell said:

Or, perhaps, whether it should apply at all when signing in from the software?

Quite, hence the decision 😜

Patrick Connor
Serif Europe Ltd


10 hours ago, Patrick Connor said:

Please be aware, if you want to add extra security to your forum account, that you can (optionally) turn on 2 factor authentication on your account. The option is offered when you try to modify your account settings.

https://forum.affinity.serif.com/index.php?/settings/

You will then need to confirm the changes are being made by you using an authenticator application (this is also provided by many password managers). 

I changed my password but didn't get prompted to turn on 2 factor auth.


56 minutes ago, SureWeb said:

I changed my password but didn't get prompted to turn on 2 factor auth.

The 2FA option is separate from the password. Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu.

It (currently) only mentions Google Authenticator. I don't use Google Authenticator but I do use 1Password (though I'm still using the v7 app and haven't updated to their v8, which has been out for a while now). I decided to take a gamble and try it here anyway - I was presented with a QR code and 1Password scanned it and it worked fine. I've tested it in a private browser window in a different browser from the one I normally use and was prompted for what 1Password calls the one-time password and it worked as expected.

Since it also works in 1Password, it will probably also work in the equivalent Microsoft Authenticator app or any other similar 2FA apps that you might already be using - you may not have to change explicitly to Google Authenticator to get 2FA running, despite that being the only one listed.

—— Gary ——

Photo/Designer/Publisher: Affinity Store, v2.4.n release

Mac mini (M1, 2020), 16GB/2TB, macOS Ventura 13.4.1(c) • MacBook Pro (Intel), macOS Ventura • Windows 10 via VMware Fusion • iOS: current release


51 minutes ago, GaryLearnTech said:

Since it also works in 1Password, it will probably also work in the equivalent Microsoft Authenticator app or any other similar 2FA apps that you might already be using - you may not have to change explicitly to Google Authenticator to get 2FA running, despite that being the only one listed.

Google Authenticator uses the TOTP standard defined in RFC 6238. This means that whenever you read Google Authenticator, you can ALWAYS use any other 2FA app as long as it also adheres to the standard.


  • Staff
8 hours ago, GaryLearnTech said:

The 2FA option is separate from the password.  Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu.

Thanks, I've corrected my post on this.

Patrick Connor
Serif Europe Ltd

