Forum Security Alert: Important Information for All Forum Users
56 minutes ago, SureWeb said:

I changed my password but didn't get prompted to turn on 2 factor auth

The 2FA option is separate from the password.  Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu.

It (currently) only mentions Google Authenticator.  I don't use Google Authenticator but I do use 1Password (though I'm still using the v7 app and haven't updated to their v8, which has been out for a while now).  I decided to take a gamble and try it here anyway - I was presented with a QR code and 1Password scanned it and it worked fine.  I've tested it in a private browser window in a different browser from the one I normally use and was prompted for what 1Password calls the one-time password and it worked as expected.

Since it also works in 1Password, it will probably also work in the equivalent Microsoft Authenticator app or any other similar 2FA apps that you might already be using - you may not have to change explicitly to Google Authenticator to get 2FA running, despite that being the only one listed.

—— Gary ——

Photo/Designer/Publisher: Affinity Store, v2.1.1 release

Mac mini (M1, 2020), 16GB/2TB, macOS Ventura 13.4.1(c) • MacBook Pro (Intel), macOS Ventura • Windows 10 via VMware Fusion • iOS: current release


51 minutes ago, GaryLearnTech said:

Since it also works in 1Password, it will probably also work in the equivalent Microsoft Authenticator app or any other similar 2FA apps that you might already be using - you may not have to change explicitly to Google Authenticator to get 2FA running, despite that being the only one listed.

Google Authenticator uses the TOTP standard defined in RFC 6238. This means that whenever you read Google Authenticator, you can ALWAYS use any other 2FA app as long as it also adheres to the standard.

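The reply above makes the point that "Google Authenticator" on a settings page just means RFC 6238 TOTP, which any standards-compliant app (1Password, Microsoft Authenticator, the Apple Passwords feature, and so on) can enrol in from the same QR code or setup key. The following is an added, self-contained Python example written for this thread, not code from the forum software or from Serif; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, builds the `otpauth://` provisioning URI that the QR code encodes, and shows the two server-side checks a practitioner would want: a constant-time comparison with a small drift window, and rejection of an already accepted counter so a captured code cannot be replayed. The issuer and account names are constructed sample values; the 20-byte secret `12345678901234567890` is the RFC 6238 test-vector key, used only so the output can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote, urlencode

STEP_SECONDS = 30  # time step used by Google Authenticator and most TOTP apps


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: float, step: int = STEP_SECONDS, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(for_time) // step, digits, digestmod)


def verify_totp(key: bytes, submitted: str, now: float, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps (clock drift).
    The comparison is constant-time; callers must still rate-limit attempts."""
    counter = int(now) // STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(key, counter + delta), submitted)
    return ok


class TotpVerifier:
    """Per-user verifier that remembers the highest counter already accepted, so a
    code that was already used cannot be accepted a second time inside its window."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def verify(self, submitted: str, now: float, window: int = 1) -> bool:
        counter = int(now) // STEP_SECONDS
        for delta in range(-window, window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # this step (or an earlier one) was already consumed
            if hmac.compare_digest(hotp(self.key, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret; 20 bytes is the RFC 4226 recommended length for SHA-1."""
    return secrets.token_bytes(nbytes)


def secret_to_base32(key: bytes) -> str:
    """The 'setup key' form shown to users; padding is dropped as authenticator apps expect."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


def secret_from_base32(text: str) -> bytes:
    """Inverse of secret_to_base32, tolerant of spaces and missing padding."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def provisioning_uri(key: bytes, account: str, issuer: str) -> str:
    """Key URI that the enrolment QR code encodes (Google Authenticator key-URI format)."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({"secret": secret_to_base32(key), "issuer": issuer,
                        "algorithm": "SHA1", "digits": 6, "period": STEP_SECONDS})
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    key = new_secret()
    # Constructed sample issuer/account, not real Affinity forum values.
    print(provisioning_uri(key, "user@example.com", "Example Forum"))
    now = time.time()
    code = totp(key, now)
    print("current code:", code, "valid:", verify_totp(key, code, now))
```

The `TotpVerifier` state is what distinguishes a production check from a textbook one: the RFC only defines how to compute the code, while refusing a counter at or below the last accepted one is what makes a one-time password actually one-time.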

  • Staff
8 hours ago, GaryLearnTech said:

The 2FA option is separate from the password.  Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu.

Thanks, I've corrected my post on this.

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


Just got an e-mail about what happened.

At this point I'm still shocked that, to this day, the Store account (which has our payment information) has no 2FA option.

About possible scam e-mails, will probably not even see those due to spam filters working well.


This is part of the reason I use an email address that isn't that important for things like forums (it was already known from the Adobe hack) and very rarely add anything of importance to my profile.   Unfortunately it is one of the pitfalls of being online and using 'off the shelf' forum software (I can understand from a cost perspective though) which might have bugs etc. that are missed from time to time.

I'm also lucky in that my ISP doesn't give away my location and it actually randomly changes within their infrastructure; at best they'll know which country I'm from.  My IP is likely getting pinged on a regular basis anyway and seeing as an IP is basically just a set of random numbers in a set layout any decent script kiddie could probably write a bit of software that does it all automatically.... but like others I'm not sure why it's needed to store it so long and why it's not limited to the first 3-6 digits (IPv4 anyway)

However... I do hope this will make the forum admin side of things more secure. Not sure on the software features, but restrict access to key accounts to certain IPs; I'd hope 2 factor sign in (although I do know of Android hacks which kind of make that useless if it's a mobile phone number though) was already on etc.

 

Like others I am more concerned that the store doesn't have 2fa, luckily I paid with paypal that DOES have 2fa, so it's not like they'll be able to get anything there....

 

As for the software sign in, you could have 2FA for the first sign in (optional for all sign ins) and then create a digital token/key for that machine that takes into account specific hardware/software of the PC being used.  It's basically what Microsoft does with a new Windows install/licence... they only bug you about usage if your licence is invalid or your hardware has significant changes.


  • Staff
1 minute ago, LSG501 said:

Like others I am more concerned that the store doesn't have 2fa, luckily I paid with paypal that DOES have 2fa, so it's not like they'll be able to get anything there....

2FA for the Affinity Store is now being developed and will be rolled out once it has passed testing.

 

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


  • Staff
53 minutes ago, Linkyop said:

It's sad a breach had to happen for you to finally add this to the Store.

Apparently development was already underway on 2FA on the Affinity store and is nearly ready for the testing phase. When I asked the web team about this yesterday they informed me. I should have known, but yes I see how it appears to others.

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


Sorry to hear that you have been breached. It's refreshing for a company to actually notify its users so quickly.

Although it says no stored data was compromised, now that these attackers have a list of people who use your software, it should really be advised to users to look out for targeted phishing attacks to gain access to Affinity store accounts.

This may seem obvious to some people, but for others, make sure that if you are logging into the Affinity site from any link (email, social post, advert), it is actually the Affinity site and not something with a similar-looking name and design set up to capture your details.

+1 for the 2 factor authentication suggestions. To have this via a common multiplatform authenticator app would be most welcome.

Again, I applaud you for doing the right and legal thing by notifying us so quickly.


How do I delete my forum account and email from your database? I can't see any option to delete my forum account in the settings (I am using the mobile site). 

I am uncomfortable having my store account after this event. I would like to add my expectation that you will add two factor authentication as soon as possible. 


  • Staff
34 minutes ago, Guest said:

How do I delete my forum account and email from your database? 

Email dataprotection@serif.com from the email address associated with this account, and state which account(s) you want to be deleted.

When an account has a lot of posts (like yours) you may be asked which of the 3 options you would like for your public posts.

  1. Delete the account and completely remove all posts made by the user (which can make a mess of threads they have participated in, particularly if quoted)
  2. Delete the account and leave the posts attributed to the original account even though it has been deleted (lowest impact)
  3. Delete the account and anonymise the posts (such as has happened here)


Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


12 minutes ago, Tomaso Marzano said:

I've just read the email. That's the reason why people should use email alias services and unique generated passwords. Data breaches happen every day.

All of those data breaches that happen every day are still completely unacceptable and 100% the fault of the company in charge of the data.  Yes, it would be nice if all end users understood best practices, but the fact of the matter is, many will always be less tech savvy than others and that's partly why regulations are so important.  Data operators have a duty of care.  Unfortunately, time and again, we find that many weren't taking that duty seriously enough.  Rarely do we get an unfiltered, completely truthful explanation for data breaches because it's in the data operator's interests to present a perspective that shows them in the best possible light.  Only when a regulator investigates (because a breach was particularly damaging) do we usually get the truth, and it's almost always more disturbing than the original explanation.


Yep. They definitely got my email address. The past 48 hours, my email service on my VPS was hit with a brute force attack using my email address.

Thanks for sending out this alert. I've been scratching my head on where this was stemming from.

Edited by Ken Sim

On 4/13/2023 at 4:44 AM, Patrick Connor said:

Please be aware, if you want to add extra security to your forum account, that you can (optionally) turn on 2 factor authentication on your account. The option is in your account settings.

https://forum.affinity.serif.com/index.php?/settings/

The 2FA option is separate from the password. Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu.

You will then need to confirm the changes are being made by you using an authenticator application (this is also provided by many password managers). 

I see you are offering 2FA with Google Authenticator. Would it be possible to use the internal Apple 2FA method instead?

It's in Settings/Passwords on both iPhone or iPad and generates a code as soon as you get there and choose the website which has a password saved there. 

This is what is required to set it up: If "serif.com" supports using a verification code, visit the website to obtain a setup key and enter it here. If the website offers a QR code, you can also long press it and choose "Open in Settings" to do this automatically.

And it would be awesome to have for the store as well!

Thanks 


2 minutes ago, CH Trippe said:

If we do receive a suspicious email purporting to be from Affinity (I haven't, yet)  --- to what email address should we report it?  Should  we forward the suspicious email? 

  

On 4/13/2023 at 5:38 AM, Patrick Connor said:

Generally, if you do receive any suspicious email which you think could have originated via this breach (for example if an email you receive addresses you by your forum username) please let us know.

If you wish to make any such reports or have any further questions, then please contact us at dataprotection@serif.com

 

-- Walt
Designer, Photo, and Publisher V1 and V2 at latest retail and beta releases
PC:
    Desktop:  Windows 11 Pro, version 23H2, 64GB memory, AMD Ryzen 9 5900 12-Core @ 3.00 GHz, NVIDIA GeForce RTX 3090 

    Laptop:  Windows 11 Pro, version 23H2, 32GB memory, Intel Core i7-10750H @ 2.60GHz, Intel UHD Graphics Comet Lake GT2 and NVIDIA GeForce RTX 3070 Laptop GPU.
iPad:  iPad Pro M1, 12.9": iPadOS 17.3, Apple Pencil 2, Magic Keyboard 
Mac:  2023 M2 MacBook Air 15", 16GB memory, macOS Sonoma 14.3.1


  • Staff
5 minutes ago, CH Trippe said:

If we do receive a suspicious email purporting to be from Affinity (I haven't, yet)  --- to what email address should we report it?  Should  we forward the suspicious email? 

dataprotection@serif.com please

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


  • Staff
1 hour ago, Batbel258 said:

Would be possible to use the internal 2FA Apple method instead?

These off-the-shelf forums do not offer that, no. Apparently it already works with that too; it just calls it Google.

Edited by Patrick Connor
corrected incorrect info

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


  • Staff
30 minutes ago, Ken Sim said:

Yep. They definitely got my email address. The past 48 hours, my email service on my VPS was hit with a brute force attack using my email address.

Thanks for sending out this alert. I've been scratching my head on where this was stemming from.

Sorry if this was the cause. I think you may find that your email address was widely available to spammers from other sources also.

Check using https://haveibeenpwned.com/

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


19 hours ago, Patrick Connor said:

I will bring it up with the web team. Having it available as an option for you to turn on for your account sounds sensible to me. We would have to decide how to handle this when signing in from within the software too.

This should be an URGENT change. I couldn't care less about my Forum login.


40 minutes ago, ljredux said:

data breaches that happen every day are still completely unacceptable and 100% the fault of the company in charge of the data

I agree with a big BUT. Computer security is theoretical at best. I've been in this game for about 25 years now so I am speaking with some experience. When one reads about companies like SolarWinds being hacked, and their whole business is computer security, it should be instructive to everyone that computer security pretty much does not exist. Your data at some company may have been compromised, and the company may not know about it.

Let's talk about encryption for a minute and you will see why this too is not a great silver bullet and why people misunderstand it when they say "just encrypt the data". 

25 years ago, roughly, DES was considered reasonably secure and was the default password encryption on UNIX machines. DES was then broken. Many of the UNIX systems went to MD5 (which was also used to authenticate BGP network announcements). MD5 was broken and is considered useless for serious security work. Many systems went over to SHA-1 encryption. SHA-1 is now considered broken. When I write UNIX or system here, many web sites/companies run their databases on UNIX/Linux systems, or use tools which have been derived from UNIX even if they aren't aware of it. I'm not being pedantic about UNIX. Can you see a pattern here? The recommended encryption algorithms of the time were eventually compromised.

If you encrypt data and want to be able to read that data (not just compare encrypted data with stored encrypted data) you have to be able to decrypt it too. That means somewhere the keys (for want of a better word) must exist to the data. Somebody at the company, some system administrator, could well have access to the data and/or the keys. You can take steps to mitigate this - keeping the keys on a separate system that fewer people have access to, and so on.

A company can only use the tools which are available. In my experience computer security is pretty much useless. You may say that it is unacceptable for data breaches to occur. The only way to solve this is to not have any data at all.

So you are right when you say these breaches happen every day. That's because computer security is hard. Anyone who thinks it is easy doesn't even begin to understand it.

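The post above describes the progression from unsalted, fast hashes (DES crypt, MD5, SHA-1) to schemes that are still considered sound, and notes that anything reversible needs keys that someone can reach. As an added Python example written for this thread (not code from the forum software or from Serif), here is the defender's side of that story for password storage, where nothing needs to be decrypted: an unsalted MD5 digest beside a salted, iterated PBKDF2-HMAC-SHA256 verifier, a constant-time comparison, and the "rehash on login" pattern that migrates a leaked-style legacy hash to the stronger scheme the one time the plaintext is legitimately available. The `scheme$…` storage format, the record dict and the sample passwords are constructed for illustration; the 600,000 iteration count is OWASP's published recommendation for PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

LEGACY_MD5 = "md5"                 # unsalted MD5 hex digest, the kind of scheme the post describes
PBKDF2_SHA256 = "pbkdf2_sha256"    # salted, iterated scheme we migrate to
PBKDF2_ITERATIONS = 600_000        # OWASP recommendation for PBKDF2-HMAC-SHA256


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def legacy_md5_hash(password: str) -> str:
    """Unsalted and fast: identical passwords give identical digests, so a leaked table
    can be checked against precomputed lists and one guess is tested against every user."""
    return f"{LEGACY_MD5}${hashlib.md5(password.encode('utf-8')).hexdigest()}"


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow derivation; the salt and the
    iteration count travel with the hash so verification never needs a secret key."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([PBKDF2_SHA256, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check against either stored format (constructed 'scheme$...' layout)."""
    scheme, rest = stored.split("$", 1)
    if scheme == LEGACY_MD5:
        actual = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(actual, rest)
    if scheme == PBKDF2_SHA256:
        iters, salt_b64, dk_b64 = rest.split("$")
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     _unb64(salt_b64), int(iters))
        return hmac.compare_digest(actual, _unb64(dk_b64))
    raise ValueError(f"unknown hash scheme: {scheme}")


def needs_rehash(stored: str) -> bool:
    """True for legacy hashes and for PBKDF2 hashes below the current iteration count."""
    scheme, rest = stored.split("$", 1)
    if scheme != PBKDF2_SHA256:
        return True
    return int(rest.split("$")[0]) < PBKDF2_ITERATIONS


def login(record: dict, password: str) -> bool:
    """Verify the password and, on success, transparently upgrade a weak stored hash.
    `record` is a constructed stand-in for a user row with a 'password_hash' field."""
    if not verify_password(password, record["password_hash"]):
        return False
    if needs_rehash(record["password_hash"]):
        record["password_hash"] = pbkdf2_hash(password)
    return True


if __name__ == "__main__":
    user = {"password_hash": legacy_md5_hash("correct horse battery staple")}  # constructed
    print("before:", user["password_hash"])
    print("login ok:", login(user, "correct horse battery staple"))
    print("after: ", user["password_hash"])
```

Two things the example makes visible that the post only states: the two MD5 digests for the same password are identical while two PBKDF2 hashes differ (the salt), and the slow, salted scheme can be rolled out to an existing user base without ever holding a decryption key, because each user's row is upgraded on their next successful login.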
