Forum Security Alert: Important Information for All Forum Users

[Patrick Connor]

30 minutes ago, 1stn00b said:

So was this a case of "1234" password on administrator account or a social engineering attack ?

The admin password on the account in question was a random mix of upper and lower case letters and numbers, which the account holder had thought was unique to the forum account but was actually shared with another website who suffered a cyber attack. We have only discovered the shared nature of that password since the attack. We do take data protection seriously but this has shown up some weaknesses that we are addressing. Sorry again

[Archangel]

This is unacceptable. Although I blame the hackers more than Serif for the attack. Security online is a minefield of problems,  It is scary.

[jmwellborn]

I was one of the umpteen million people whose ADOBE accounts were hacked several years ago, including every bit of our information.  Had no idea until several WEEKS after the breach when I was finally notified.  Then we were offered a bandaid approach “in case,” plus the suggestion that we watch our bank accounts for an extended period.   Serif has notified us almost immediately with detailed information.   Just another very important reason why Serif has my unequivocal vote for One in a Million!  Thank you for letting us know so speedily.  Hopefully we will all watch our P’s and Q’s and send the bad guys to Junk/Trash.

[v_kyr]

8 hours ago, Patrick Connor said:

The admin password on the account in question was a random mix of upper and lower case letters and numbers, ...

Which is usually a common feasible practise for passwords with a length of >= 12, though mixing in also some special characters additionally to that scheme, is even better.

 

8 hours ago, Patrick Connor said:

... which the account holder had thought was unique to the forum account but was actually shared with another website who suffered a cyber attack. ...

Well, that's the unfortunate point here and probably a good example for people in general, why not to (re)use one and the same pwd among multiple sites.

Though honestly that's also of no absolute protection, since in IT there generally doesn't exist something like an absolute for sure granted protection. Unfortunately, there are always ways and means to compromise IT systems in one way or another.

In short, nobody is really protected from something like that and unfortunately it can happen to anyone in IT at any time (...one of Murphy's laws)!

[CH Trippe]

Thank you!  

 

[iuli]

First off, thank you for being once again completely transparent with the community. In these crazy times when thieves use more and more sophisticated means to scam, no one is safe. Who made the mistake or how is irrelevant; it can happen to anyone. What’s important is that we’re now aware of the attack and its possible fallout.

Secondly, I don’t know about other members but in 9 days since the cyber-attack took place, personally I see no spam/ phishing attempts. Of course I’ll continue to monitor my email activity for any possible fraudulent attempt — but so far so good.

Regards.

[ShelvsHOTpencil]

Why are you storing the IP address of users? 

[MichaDE]

3 hours ago, ShelvsHOTpencil said:

Why are you storing the IP address of users? 

Patrick answered the question earlier here:

On 4/13/2023 at 1:53 PM, Patrick Connor said:

(…)we use the IP address history to keep spamming to  minimum

 

[Patrick Connor]

It was only because of the IP address tools that this breach was discovered, as the hacker had tried to break into 3 other staff accounts before that morning. Without the IP address we may not have found the breach.

The IP address storage is also a core feature of the spam defense of these off the shelf forums, and not something that we can avoid 

[Affinityconfusesme]

I am in cybersecurity also and I find that 2fa is very effective tool against account cracking. It would have prevented this attack.

[Guest]

On 4/13/2023 at 9:54 PM, Patrick Connor said:

Technically perhaps they could access the database, but the admin logs and other security logs are very clear and show us that was not done, NO passwords were compromised. Furthermore, even if they had accessed the DB (and they did not) all passwords are hashed (not stored in plain text) so useless to a hacker.

Hello Patrick, there are two related but different issues here, (a) how your systems were compromised and (b) the impact to forum users based on our knowledge of what data was accessed. 

Would Affinity be sharing more details on exactly how the attacker was able to compromise your services, and what services were breached? I'm still not very clear about your statement - if they could access your database then they were already deep inside your systems. Your SIEM services that manage your audit logs themselves may have been subject to other types of changes, i.e., it may not be possible to tell authoritatively whether password hashes or other data such as credit card details were indeed accessed, or were not accessed, just by looking at your admin and security logs. 

Second, with regards to the impact on forum users, there would be a problem if users have reused passwords, whether or not password hashes were accessed. Most folks tend to reuse the same email address & password combinations (against good security hygiene) simply because it's convenient. This is not so much your issue, but a general comment on the state of cybersecurity hygiene today.

Thanks!
-Sam

[Affinityconfusesme]

they has the same kind of hack that colonial pipeline had in 2021 just google it.

[Catshill]

10 hours ago, Guest said:

Would Affinity be sharing more details on exactly how the attacker was able to compromise your services, and what services were breached?

For their own security I would desperately hope not.

[Patrick Connor]

34 minutes ago, BofG said:

Can you elaborate on this?...

Many peoples email addresses have been leaked in the past (See HaveIBeenPwned.com to see if your email or passwords have been compromised).

I suspect they came with a list of @serif.com email addresses and previously compromised passwords to see if they also gave access to the Affinity Forum accounts for those staff. 3 other accounts were tried and failed from the same IP address in the 10 minutes before the breach (these 3 accounts all locked after 3 failed password attempts). On the 4th staff account one of the compromised passwords seems to have got them access in less than 3 attempts.

With 3 failed attempts and lock (true of all accounts here) this forum cannot suffer from a brute force attack.

We have now implemented 2 factor authentication so a user cannot access an admin or moderator account without access to the authenticator application or to the actual email account of that address.

[Patrick Connor]

10 hours ago, Guest said:

Would Affinity be sharing more details on exactly how the attacker was able to compromise your services, and what services were breached?

No All the information is in this thread. I have held nothing back,

10 hours ago, Guest said:

if they could access your database then they were already deep inside your systems.

No, that is not how these forums work. They are hosted on their own servers with accounts 100% independent from any other systems.

10 hours ago, Guest said:

it may not be possible to tell authoritatively whether password hashes or other data such as credit card details were indeed accessed, or were not accessed, just by looking at your admin and security logs

The forums do not store any credit card details, as I explained repeatedly, and this is unhelpful to suggest we are missing something from the comprehensive admin logs which we have studied in detail before submitting our official completed report to the ICO.

10 hours ago, Guest said:

Second, with regards to the impact on forum users, there would be a problem if users have reused passwords, whether or not password hashes were accessed. Most folks tend to reuse the same email address & password combinations (against good security hygiene) simply because it's convenient. This is not so much your issue, but a general comment on the state of cybersecurity hygiene today.

Agreed, hence us telling all users by email, as this is effectively how they gained access to our forums in the first place.

[AiDon]

I would like to say thanks for letting us know that it happened and the data that may have been compromised.

IP addresses are no issue as your provider will allocate a new fixed IP if necessary but I always recommend dynamic, as for the email it just adds to the spam.

Once again thanks to Affinity for coming forward and warning us of this compromise.

 

[Inkipolony]

I shall change the email address for a start.

[ShelvsHOTpencil]

Thank you for clarifying the need for collecting up address. However as mentioned above I would love to see 2fa implemented. And should I worry for my ip address leaking.

I can’t help but feel like I got a target on my back. Other than being vigilant, should I do anything else?

[Patrick Connor]

On 4/17/2023 at 8:24 PM, ShelvsHOTpencil said:

And should I worry for my ip address leaking.

No, most applications on your phone send your actual location constantly, your IP isn't very useful information.

On 4/17/2023 at 8:24 PM, ShelvsHOTpencil said:

I would love to see 2fa implemented.

2FA is implemented here already. It can be turned on under your account settings > privacy. 

It is also coming to the Affinity Store accounts soon

On 4/17/2023 at 8:24 PM, ShelvsHOTpencil said:

Other than being vigilant, should I do anything else?

Not really, vigilance regarding emails you receive is always recommend.

[debraspicher]

1 hour ago, ShelvsHOTpencil said:

Thank you for clarifying the need for collecting up address. However as mentioned above I would love to see 2fa implemented. And should I worry for my ip address leaking.

I can’t help but feel like I got a target on my back. Other than being vigilant, should I do anything else?

Data leaks are very common. It's an annoying hassle, but unique passwords are the only way to limit the scope of damage. If you have a secure location at home to lock up things, they do sell password books online that people can pencil in login details (per website/company). Most people don't follow this advice though. Anyway, much of our info is already out there in other ways.

When we sign up for anything online, there's always a chance that the service provider sells your info. It's difficult to track back to that signup unless you use a burner acct to narrow down which sites are doing this. I'd say appox 50-75% of signups do resell. (Edit: If you've typed out your email anywhere online publicly, it will also be scrapped by a bot, that's the other method...) I run my own email server, so I can just create a pop up alias that dumps into my main inbox for individual providers if I suspect they may sell my info. When I see that it's coming from that address, I can delete or block it easily and the mail server errors will usually get that alias scrubbed. Most of my signups go into a spam address anyway, since I already know that most sites can't be trusted.

It's not going to be a company like Serif that does the reselling of info. Usually a smaller website/web company that needs the bucks to keep their business running (since adblockers killed their revenue). I say all this to say, if you receive a significant amount of SPAM, your info is already out there in circulation. A vast majority of the SPAM that makes its way into our inboxes comes from the reselling of our information. So filtering what you sign up for is important. I recommend to use a spam acct for non-essential things. Even Amazon sellers we buy things from don't think twice to lift this information and use it to send us ads, etc. I receive phishing emails and "you have been hacked" stuff on a daily basis in droves for my spam accounts. In all the languages I speak. So unless we live on a digital island and we never sign up for anything, our info is being circulated in some way.

IPs are not as important unless you don't want anyone to know even your approximate location (usually city or nearby town). If that matters to you, use a VPN. Back in the day, some websites would actually display it publicly for tracking/accountability as a deterrent from trolls/users with multiple accts. IPs need tracking by server admins to prevent not just SPAM, but other forms of cyber attacks.

IPs are considered public information. When we email someone, our IP address may be going out with our emails. Depends on the provider and if we are using an external email client. Look up "email headers" and how to find IP-related info. You can easily spot out of country scammers this way by doing a geolocation lookup on the IP once you figure out which is the Sender IP...

[Nana]

@Patrick Connor, any reason why we can enable 2FA on the forum account but not on the store account? One would consider the store account needing more protection as it's linked with licenses and personal details including postal addresses.

[carl123]

24 minutes ago, Nana said:

@Patrick Connor, any reason why we can enable 2FA on the forum account but not on the store account? One would consider the store account needing more protection as it's linked with licenses and personal details including postal addresses.

Reread Patrick's last post in this thread

[Patrick Connor]

4 hours ago, Nana said:

any reason why we can enable 2FA on the forum account but not on the store account?

the forums are off the shelf and have this already available. The Affinity Accounts/Store are propriety software and everything needs writing and testing ourselves, so takes time and consideration

[Patrick Connor]

@AdrianoCahete

To delete your forum account simply send an email to DataProtection@serif.com from the email address associated with your forum account. If you also want any personal data deleted (for example any Affinity Store account), state that in the email too.

[Anmalo]

Password is the SAME on STORE and FORUM ! Not working for me with 2 separated passwords into Chrom with Passwordmanager.

I have changes my password!!

 

When i change here password, the STORE pw will be change to.
Why you say i not the same?

regards