Linkyop, posted April 14, 2023:
Just got an e-mail about what happened. At this point I'm still shocked to this day. Store account (which has our payment information) has no 2FA option. About possible scam e-mails, will probably not even see those due to spam filters working well.
Matterdor, posted April 14, 2023:
3 hours ago, Patrick Connor said:
> Thanks I've corrected my post on this
If you need information on the TOTP standard defined in RFC 6238, the algorithms are widely available and I can provide you with additional information. It's only about 20 lines of code IIRC.
LSG501, posted April 14, 2023:
This is part of the reason I use an email address that isn't that important for things like forums (it was already known by the Adobe hack) and very rarely add anything of importance to my profile. Unfortunately it is one of the pitfalls of being online and using 'off the shelf' forum software (I can understand from a cost perspective though) which might have bugs etc. that are missed from time to time.

I'm also lucky in that my ISP doesn't give away my location and it actually randomly changes within their infrastructure; at best they'll know which country I'm from. My IP is likely getting pinged on a regular basis anyway and seeing as an IP is basically just a set of random numbers in a set layout any decent script kiddy could probably write a bit of software that does it all automatically.... but like others I'm not sure why it's needed to be stored so long and why it's not limited to the first 3-6 digits (IPv4 anyway).

However... I do hope this will make the forum admin side of things more secure. Not sure on the software features, but restrict access to key accounts to certain IPs; I'd hope 2 factor sign in (although I do know of Android hacks which kind of make that useless if it's a mobile phone number though) was already on etc.

Like others I am more concerned that the store doesn't have 2FA; luckily I paid with PayPal, which DOES have 2FA, so it's not like they'll be able to get anything there....

As for the software sign in, you could have 2FA for the first sign in (optional for all sign ins) and then create a digital token/key for that machine that takes into account specific hardware/software of the PC being used. It's basically what Microsoft does with a new Windows install/licence... they only bug you about usage if your license is invalid or your hardware has significant changes.
Patrick Connor (Staff, thread author), posted April 14, 2023:
1 minute ago, LSG501 said:
> Like others I am more concerned that the store doesn't have 2fa, luckily I paid with paypal that DOES have 2fa, so it's not like they'll be able to get anything there....
2FA for the Affinity Store is now being developed and will be rolled out once it has passed testing.

--
Patrick Connor, Serif Europe Ltd
Latest V2 releases on each platform
Help make our apps better by joining our beta program!
"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self." W. L. Sheldon
Linkyop, posted April 14, 2023:
It's sad a breach had to happen for you to finally add this to the Store.
ljredux, posted April 14, 2023:
I wondered how long I would be able to keep this email account spam free when I created it over five years ago. I'm surprised it lasted this long given the sheer number of contacts, so well done, I guess. When I check https://haveibeenpwned.com/ in a few weeks, I expect Affinity to be the first name to appear on the list of shame.
Patrick Connor (Staff, thread author), posted April 14, 2023:
53 minutes ago, Linkyop said:
> It's sad a breach had to happen for you to finally add this to the Store.
Apparently development was already underway on 2FA on the Affinity store and it is nearly ready for the testing phase. When I asked the web team about this yesterday they informed me. I should have known, but yes, I see how it appears to others.
Guest, posted April 14, 2023:
How do I delete my forum account and email from your database? I can't see any option to delete my forum account in the settings (I am using the mobile site). I am uncomfortable having my store account after this event. I would like to add my expectation that you will add two factor authentication as soon as possible.
Patrick Connor (Staff, thread author), posted April 14, 2023:
34 minutes ago, Guest said:
> How do I delete my forum account and email from your database?
Email dataprotection@serif.com from the email address associated with this account, and state which account(s) you want to be deleted. When an account has a lot of posts (like yours) you may be asked which of the 3 options you would like for your public posts:
1. Delete the account and completely remove all posts made by the user (which can make a mess of threads they have participated in, particularly if quoted)
2. Delete the account and leave the posts attributed to the original account even though it has been deleted (lowest impact)
3. Delete the account and anonymise the posts (such as has happened here)
Tomaso Marzano, posted April 14, 2023:
I've just read the email. That's the reason why people should use email alias services and unique generated passwords. Data breaches happen every day.
ljredux, posted April 14, 2023:
12 minutes ago, Tomaso Marzano said:
> I've just read the email. That's the reason why people should use email alias services and unique generated passwords. Data breaches happen every day.
All of those data breaches that happen every day are still completely unacceptable and 100% the fault of the company in charge of the data. Yes, it would be nice if all end users understood best practices, but the fact of the matter is, many will always be less tech savvy than others and that's partly why regulations are so important. Data operators have a duty of care. Unfortunately, time and again, we find that many weren't taking that duty seriously enough. Rarely do we get an unfiltered, completely truthful explanation for data breaches because it's in the data operator's interests to present a perspective that shows them in the best possible light. Only when a regulator investigates (because a breach was particularly damaging) do we usually get the truth, and it's almost always more disturbing than the original explanation.
CH Trippe, posted April 14, 2023:
If we do receive a suspicious email purporting to be from Affinity (I haven't, yet), to what email address should we report it? Should we forward the suspicious email? Thanks.
Ken Sim, posted April 14, 2023 (edited April 14, 2023 by Ken Sim):
Yep. They definitely got my email address. The past 48 hours, my email services on my VPS were hit with a brute force attack using my email address. Thanks for sending out this alert. I've been scratching my head on where this was stemming from.
Batbel258, posted April 14, 2023:
On 4/13/2023 at 4:44 AM, Patrick Connor said:
> Please be aware, if you want to add extra security to your forum account, that you can (optionally) turn on 2 factor authentication on your account. The option is in your account settings. https://forum.affinity.serif.com/index.php?/settings/
> The 2FA option is separate from the password. Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu. You will then need to confirm the changes are being made by you using an authenticator application (this is also provided by many password managers).
I see you are offering 2FA with Google Authenticator. Would it be possible to use the internal 2FA Apple method instead? It's in Settings/Passwords on both iPhone and iPad and generates a code as soon as you get there and choose the website which has a password saved there. This is what is required to set it up:
> If "serif.com" supports using a verification code, visit the website to obtain a setup key and enter it here. If the website offers a QR code, you can also long press it and choose "Open in Settings" to do this automatically.
And it would be awesome to have for the store as well! Thanks
walt.farrell, posted April 14, 2023:
2 minutes ago, CH Trippe said:
> If we do receive a suspicious email purporting to be from Affinity (I haven't, yet) --- to what email address should we report it? Should we forward the suspicious email?
On 4/13/2023 at 5:38 AM, Patrick Connor said:
> Generally, if you do receive any suspicious email which you think could have originated via this breach (for example if an email you receive addresses you by your forum username) please let us know. If you wish to make any such reports or have any further questions, then please contact us at dataprotection@serif.com

--
Walt
Designer, Photo, and Publisher V1 and V2 at latest retail and beta releases
PC: Desktop: Windows 11 Pro 23H2, 64GB memory, AMD Ryzen 9 5900 12-Core @ 3.00 GHz, NVIDIA GeForce RTX 3090
Laptop: Windows 11 Pro 23H2, 32GB memory, Intel Core i7-10750H @ 2.60GHz, Intel UHD Graphics Comet Lake GT2 and NVIDIA GeForce RTX 3070 Laptop GPU.
Laptop 2: Windows 11 Pro 24H2, 16GB memory, Snapdragon(R) X Elite - X1E80100 - Qualcomm(R) Oryon(TM) 12 Core CPU 4.01 GHz, Qualcomm(R) Adreno(TM) X1-85 GPU
iPad: iPad Pro M1, 12.9": iPadOS 18.5, Apple Pencil 2, Magic Keyboard
Mac: 2023 M2 MacBook Air 15", 16GB memory, macOS Sequoia 15.4
Patrick Connor (Staff, thread author), posted April 14, 2023:
5 minutes ago, CH Trippe said:
> If we do receive a suspicious email purporting to be from Affinity (I haven't, yet) --- to what email address should we report it? Should we forward the suspicious email?
dataprotection@serif.com please
Patrick Connor (Staff, thread author), posted April 14, 2023 (edited April 14, 2023 by Patrick Connor: corrected incorrect info):
1 hour ago, Batbel258 said:
> Would it be possible to use the internal 2FA Apple method instead?
These off the shelf forums do not offer that, no. Apparently they already work with that too, it just calls it Google.
Patrick Connor (Staff, thread author), posted April 14, 2023:
30 minutes ago, Ken Sim said:
> Yep. They definitely got my email address. The past 48 hours, my email services on my VPS were hit with a brute force attack using my email address. Thanks for sending out this alert. I've been scratching my head on where this was stemming from.
Sorry if this was the cause. I think you may find that your email address was widely available to spammers from other sources also. Check using https://haveibeenpwned.com/
Batbel258, posted April 14, 2023:
32 minutes ago, Patrick Connor said:
> These off the shelf forums do not offer that, no.
Good news: the QR code created for Google goes straight to the website password I created on my device and works with iOS as said in Settings/Passwords.
henryg, posted April 14, 2023:
19 hours ago, Patrick Connor said:
> I will bring it up with the web team. Having it available as an option for you to turn on for your account sounds sensible to me. We would have to decide how to handle this when signing in from within the software too.
This should be an URGENT change. I couldn't care less about my Forum login.
Batbel258, posted April 14, 2023:
17 hours ago, GaryLearnTech said:
> The 2FA option is separate from the password. Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu.
> It (currently) only mentions Google Authenticator. I don't use Google Authenticator but I do use 1Password (though I'm still using the v7 app and haven't updated to their v8, which has been out for a while now). I decided to take a gamble and try it here anyway - I was presented with a QR code and 1Password scanned it and it worked fine. I've tested it in a private browser window in a different browser from the one I normally use and was prompted for what 1Password calls the one-time password and it worked as expected.
> Since it also works in 1Password, it will probably also work in the equivalent Microsoft Authenticator app or any other similar 2FA apps that you might already be using - you may not have to change explicitly to Google Authenticator to get 2FA running, despite that being the only one listed.
I did the same for Apple iOS and it worked. I guess once the system has the QR code you are good to go!
Ken Sim, posted April 14, 2023 (edited April 14, 2023 by Ken Sim):
12 minutes ago, Patrick Connor said:
> Sorry if this was the cause. I think you may find that your email address was widely available to spammers from other sources also. Check using https://haveibeenpwned.com/
Yeah I get that. My email was part of the past 20 breaches and every once in a while I get that random one time short-lived attack. But this was different and the timing is too close to overlook. This attack spanned two days hitting my email service every minute because my security locked out the attacker's IP.
JH1, posted April 14, 2023:
Affinity Team, please add a 2FA / Authenticator option to our store accounts. I am not seeing that option under any of the menu links. Appreciate the effort to secure things.
1stn00b, posted April 14, 2023:
On 4/13/2023 at 12:38 PM, Patrick Connor said:
> It appears that an administrator's account was compromised, allowing access to our forum members list.
So was this a case of a "1234" password on the administrator account or a social engineering attack?

--
Fedora Workstation 39
Tia Lapis, posted April 14, 2023:
On 4/13/2023 at 1:44 PM, Patrick Connor said:
> Please be aware, if you want to add extra security to your forum account, that you can (optionally) turn on 2 factor authentication on your account. The option is in your account settings.
Just a little extra info for all Apple users that are wary of Google and data security: you don't need the Google software for 2FA, you can use the inbuilt 2FA feature of Passwords.

--
Mac mini M1 / Ryzen 5600H & RTX3050 mobile / iPad Pro 1st - all with latest non beta release of Affinity