Forum Security Alert: Important Information for All Forum Users

Just got an e-mail about what happened.

At this point I'm still shocked to this day that the Store account (which has our payment information) has no 2FA option.

About possible scam e-mails, I will probably not even see those due to spam filters working well.


This is part of the reason I use an email address that isn't that important for things like forums (it was already known from the Adobe hack) and very rarely add anything of importance to my profile. Unfortunately it is one of the pitfalls of being online and using 'off the shelf' forum software (I can understand from a cost perspective though), which might have bugs etc. that are missed from time to time.

I'm also lucky in that my ISP doesn't give away my location and it actually randomly changes within their infrastructure; at best they'll know which country I'm from. My IP is likely getting pinged on a regular basis anyway, and seeing as an IP is basically just a set of random numbers in a set layout, any decent script kiddy could probably write a bit of software that does it all automatically.... but like others I'm not sure why it needs to be stored so long and why it's not limited to the first 3-6 digits (IPv4 anyway).

However... I do hope this will make the forum admin side of things more secure. Not sure on the software features, but restrict access to key accounts to certain IPs; I'd hope 2 factor sign in (although I do know of Android hacks which kind of make that useless if it's a mobile phone number though) was already on, etc.

 

Like others I am more concerned that the store doesn't have 2FA; luckily I paid with PayPal, which DOES have 2FA, so it's not like they'll be able to get anything there....

 

As for the software sign in, you could have 2FA for the first sign in (optional for all sign ins) and then create a digital token/key for that machine that takes into account specific hardware/software of the PC being used. It's basically what Microsoft does with a new Windows install/licence... they only bug you about usage if your license is invalid or your hardware has significant changes.
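A concrete form of the IP minimisation suggested in the post above (keep only the network part of the address, and keep a keyed pseudonym if abuse correlation is still needed), as an added example that is my own and not code from Serif or the forum software. The log lines, the key and the field layout are constructed for the example; the /24 and /48 prefixes are common choices, not something the page states.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample log lines (not real forum data): one IPv4 and one IPv6 client.
SAMPLE_LOG = [
    "2023-04-13T09:12:01Z login ok user=alice ip=203.0.113.45",
    "2023-04-13T09:12:07Z login ok user=bob ip=2001:db8:abcd:1234::1",
    "2023-04-13T09:13:22Z login fail user=alice ip=203.0.113.77",
]


def truncate_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Keep only the network part of an address.

    For IPv4 the default /24 keeps the first three octets (the "first digits"
    the post talks about); for IPv6 a /48 keeps the site prefix only.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymize_ip(ip_text, key):
    """Keyed HMAC of the full address (16 hex chars).

    Lines from the same client still correlate, but the stored value cannot be
    turned back into the address without the key, and rotating the key at the
    end of a retention window breaks old correlations.
    """
    addr = ipaddress.ip_address(ip_text)
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]


def minimise_line(line, key):
    """Rewrite a constructed 'ip=' log line into its minimised form."""
    head, sep, ip_text = line.rpartition("ip=")
    if not sep:
        return line  # nothing to minimise on this line
    return f"{head}ip={truncate_ip(ip_text)} client={pseudonymize_ip(ip_text, key)}"


if __name__ == "__main__":
    demo_key = b"rotate-me-monthly"  # constructed key, not a real secret
    for raw in SAMPLE_LOG:
        print(minimise_line(raw, demo_key))
```

Truncation alone is enough for most forum needs (country-level geolocation, coarse abuse blocking); the pseudonym column is only worth keeping if someone actually has a process that uses it.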


  • Staff
1 minute ago, LSG501 said:

Like others I am more concerned that the store doesn't have 2FA; luckily I paid with PayPal, which DOES have 2FA, so it's not like they'll be able to get anything there....

2FA for the Affinity Store is now being developed and will be rolled out once it has passed testing.

 

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


  • Staff
53 minutes ago, Linkyop said:

It's sad a breach had to happen for you to finally add this to the Store.

Apparently development was already underway on 2FA for the Affinity store and it is nearly ready for the testing phase. When I asked the web team about this yesterday they informed me. I should have known, but yes, I see how it appears to others.

Patrick Connor
Serif Europe Ltd


 


How do I delete my forum account and email from your database? I can't see any option to delete my forum account in the settings (I am using the mobile site). 

I am uncomfortable having my store account after this event. I would like to add my expectation that you will add two factor authentication as soon as possible. 


  • Staff
34 minutes ago, Guest said:

How do I delete my forum account and email from your database? 

Email dataprotection@serif.com from the email address associated with this account, and state which account(s) you want to be deleted.

When an account has a lot of posts (like yours) you may be asked which of the 3 options you would like for your public posts.

  1. Delete the account and Completely remove all posts made by the user (which can make a mess of threads they have participated in, particularly if quoted)
  2. Delete the account and leave the posts attributed to the original account even though it has been deleted (lowest impact)
  3. Delete the account and anonymise the posts (such as has happened here)


Patrick Connor
Serif Europe Ltd


 


12 minutes ago, Tomaso Marzano said:

I've just read the email. That's the reason why people should use email alias services and unique generated passwords. Data breaches happen every day.

All of those data breaches that happen every day are still completely unacceptable and 100% the fault of the company in charge of the data.  Yes, it would be nice if all end users understood best practices, but the fact of the matter is, many will always be less tech savvy than others and that's partly why regulations are so important.  Data operators have a duty of care.  Unfortunately, time and again, we find that many weren't taking that duty seriously enough.  Rarely do we get an unfiltered, completely truthful explanation for data breaches because it's in the data operator's interests to present a perspective that shows them in the best possible light.  Only when a regulator investigates (because a breach was particularly damaging) do we usually get the truth, and it's almost always more disturbing than the original explanation.


Yep. They definitely got my email address. In the past 48 hours, my email service on my VPS was hit with a brute-force attack using my email address.

Thanks for sending out this alert. I've been scratching my head over where this was stemming from.

Edited by Ken Sim

On 4/13/2023 at 4:44 AM, Patrick Connor said:

Please be aware, if you want to add extra security to your forum account, that you can (optionally) turn on 2 factor authentication on your account. The option is in your account settings.

https://forum.affinity.serif.com/index.php?/settings/

The 2FA option is separate from the password. Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu.

You will then need to confirm the changes are being made by you using an authenticator application (this is also provided by many password managers). 

I see you are offering 2FA with Google Authenticator. Would it be possible to use the internal Apple 2FA method instead?

It's in Settings/Passwords on both iPhone and iPad and generates a code as soon as you get there and choose the website which has a password saved there.

This is what is required to set it up: If "serif.com" supports using a verification code, visit the website to obtain a setup key and enter it here. If the website offers a QR code, you can also long press it and choose "Open in Settings" to do this automatically.

And it would be awesome to have for the store as well!

Thanks 


2 minutes ago, CH Trippe said:

If we do receive a suspicious email purporting to be from Affinity (I haven't, yet), to what email address should we report it? Should we forward the suspicious email?


On 4/13/2023 at 5:38 AM, Patrick Connor said:

Generally, if you do receive any suspicious email which you think could have originated via this breach (for example if an email you receive addresses you by your forum username) please let us know.

If you wish to make any such reports or have any further questions, then please contact us at dataprotection@serif.com

 

-- Walt
Designer, Photo, and Publisher V1 and V2 at latest retail and beta releases
PC:
    Desktop:  Windows 11 Pro, version 23H2, 64GB memory, AMD Ryzen 9 5900 12-Core @ 3.00 GHz, NVIDIA GeForce RTX 3090 

    Laptop:  Windows 11 Pro, version 23H2, 32GB memory, Intel Core i7-10750H @ 2.60GHz, Intel UHD Graphics Comet Lake GT2 and NVIDIA GeForce RTX 3070 Laptop GPU.
iPad:  iPad Pro M1, 12.9": iPadOS 17.4.1, Apple Pencil 2, Magic Keyboard 
Mac:  2023 M2 MacBook Air 15", 16GB memory, macOS Sonoma 14.4.1


  • Staff
5 minutes ago, CH Trippe said:

If we do receive a suspicious email purporting to be from Affinity (I haven't, yet), to what email address should we report it? Should we forward the suspicious email?

dataprotection@serif.com please

Patrick Connor
Serif Europe Ltd


 


  • Staff
1 hour ago, Batbel258 said:

Would be possible to use the internal 2FA Apple method instead?

These off the shelf forums do not offer that, no. Apparently it already works with that too; it just calls it Google.

Edited by Patrick Connor
corrected incorrect info

Patrick Connor
Serif Europe Ltd


 


  • Staff
30 minutes ago, Ken Sim said:

Yep. They definitely got my email address. In the past 48 hours, my email service on my VPS was hit with a brute-force attack using my email address.

Thanks for sending out this alert. I've been scratching my head over where this was stemming from.

Sorry if this was the cause. I think you may find that your email address was widely available to spammers from other sources also.

Check using https://haveibeenpwned.com/

Patrick Connor
Serif Europe Ltd


 


19 hours ago, Patrick Connor said:

I will bring it up with the web team. Having it available as an option for you to turn on for your account sounds sensible to me. We would have to decide how to handle this when signing in from within the software too.

This should be an URGENT change. I couldn't care less about my Forum login.


17 hours ago, GaryLearnTech said:

The 2FA option is separate from the password.  Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu.

It (currently) only mentions Google Authenticator. I don't use Google Authenticator but I do use 1Password (though I'm still using the v7 app and haven't updated to their v8, which has been out for a while now). I decided to take a gamble and try it here anyway: I was presented with a QR code and 1Password scanned it and it worked fine. I've tested it in a private browser window in a different browser from the one I normally use and was prompted for what 1Password calls the one-time password and it worked as expected.

Since it also works in 1Password, it will probably also work in the equivalent Microsoft Authenticator app or any other similar 2FA apps that you might already be using - you may not have to change explicitly to Google Authenticator to get 2FA running, despite that being the only one listed.

I did the same on Apple iOS and it worked. I guess once the system has the QR code you are good to go!
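Why the same QR code works in 1Password, Apple Passwords and Microsoft Authenticator as well as Google Authenticator: the code encodes a standard otpauth:// URI carrying a base32 secret, and every app derives the same RFC 6238 time-based one-time password from it. The following is an added example of my own, not code from Serif or the forum software; it parses such a URI, computes codes, and shows the server-side check with a small time window. The issuer and account in SAMPLE_URI are constructed placeholders and the secret is the RFC 6238 reference key, none of which come from this forum.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI of the kind a forum's 2FA QR code encodes. The
# secret is the RFC 6238 reference key ("12345678901234567890" in base32);
# issuer and account are placeholders, not values from the page.
SAMPLE_URI = (
    "otpauth://totp/ExampleForum:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleForum"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into its enrolment parameters.

    Nothing here is specific to Google Authenticator; any app that understands
    the URI can enrol with it.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("URI carries no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": query["secret"],
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30-second step."""
    secret = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore padding
    counter = struct.pack(">Q", int(unix_time) // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_code(params, submitted, unix_time, window=1):
    """Server-side check: normalise the typed code, accept the current step and
    +/-`window` neighbouring steps for clock drift, compare in constant time."""
    candidate = submitted.strip().replace(" ", "")
    if not candidate.isdigit() or len(candidate) != params["digits"]:
        return False
    for step in range(-window, window + 1):
        expected = totp(
            params["secret"],
            unix_time + step * params["period"],
            params["digits"],
            params["period"],
            params["algorithm"],
        )
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    enrolment = parse_otpauth(SAMPLE_URI)
    print(enrolment["issuer"], enrolment["label"])
    print("code at t=59:", totp(enrolment["secret"], 59))
```

The "Google Authenticator" wording on the settings page is just the label the forum software attaches to this standard; the secret shown as a setup key is the same base32 string the QR code carries, which is why Apple's Passwords app can take either form.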


12 minutes ago, Patrick Connor said:

Sorry if this was the cause. I think you may find that your email address was widely available to spammers from other sources also.

Check using https://haveibeenpwned.com/

Yeah I get that. My email was part of the past 20 breaches and every once in a while I get that random one time short-lived attack. But this was different and the timing is too close to overlook. This attack spanned two days hitting my email service every minute because my security locked out the attacker's IP.

Edited by Ken Sim

On 4/13/2023 at 12:38 PM, Patrick Connor said:

 It appears that an administrator’s account was compromised, allowing access to our forum members list.

So was this a case of a "1234" password on the administrator account or a social engineering attack?

Fedora Workstation 39


On 4/13/2023 at 1:44 PM, Patrick Connor said:

Please be aware, if you want to add extra security to your forum account, that you can (optionally) turn on 2 factor authentication on your account. The option is in your account settings.

Just a little extra info for all Apple users that are wary of Google and data security: you don't need the Google software for 2FA, you can use the inbuilt 2FA feature of Passwords :)

Mac mini M1 / Ryzen 5600H & RTX3050 mobile / iPad Pro 1st - all with latest non beta release of Affinity

