
Forum Security Alert: Important Information for All Forum Users



17 hours ago, GaryLearnTech said:

The 2FA option is separate from the password.  Look at the "Security and Privacy" option immediately below the Password option in the Settings sidebar menu.

It (currently) only mentions Google Authenticator. I don't use Google Authenticator but I do use 1Password (though I'm still using the v7 app and haven't updated to their v8, which has been out for a while now). I decided to take a gamble and try it here anyway - I was presented with a QR code and 1Password scanned it and it worked fine. I've tested it in a private browser window in a different browser from the one I normally use and was prompted for what 1Password calls the one-time password and it worked as expected.

Since it also works in 1Password, it will probably also work in the equivalent Microsoft Authenticator app or any other similar 2FA apps that you might already be using - you may not have to change explicitly to Google Authenticator to get 2FA running, despite that being the only one listed.

I did the same for Apple iOS and it worked. I guess once the system has the QR code you are good to go!


12 minutes ago, Patrick Connor said:

Sorry if this was the cause. I think you may find that your email address was widely available to spammers from other sources also.

Check using https://haveibeenpwned.com/

Yeah I get that. My email was part of the past 20 breaches and every once in a while I get that random one time short-lived attack. But this was different and the timing is too close to overlook. This attack spanned two days hitting my email service every minute because my security locked out the attacker's IP.

Edited by Ken Sim

On 4/13/2023 at 12:38 PM, Patrick Connor said:

 It appears that an administrator’s account was compromised, allowing access to our forum members list.

So was this a case of "1234" password on administrator account or a social engineering attack?

Fedora Workstation 37


On 4/13/2023 at 1:44 PM, Patrick Connor said:

Please be aware, if you want to add extra security to your forum account, that you can (optionally) turn on 2 factor authentication on your account. The option is in your account settings.

Just a little extra info for all Apple users that are wary of Google and data security - You don't need the Google software for 2FA, you can use the inbuilt 2FA feature of Passwords :)

Mac mini M1 / Ryzen 5600H & RTX3050 mobile / iPad Pro 1st - all with latest non beta release of Affinity


  • Staff
30 minutes ago, 1stn00b said:

So was this a case of "1234" password on administrator account or a social engineering attack?

The admin password on the account in question was a random mix of upper and lower case letters and numbers, which the account holder had thought was unique to the forum account but was actually shared with another website who suffered a cyber attack. We have only discovered the shared nature of that password since the attack. We do take data protection seriously but this has shown up some weaknesses that we are addressing. Sorry again

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


I was one of the umpteen million people whose ADOBE accounts were hacked several years ago, including every bit of our information.  Had no idea until several WEEKS after the breach when I was finally notified.  Then we were offered a bandaid approach “in case,” plus the suggestion that we watch our bank accounts for an extended period.   Serif has notified us almost immediately with detailed information.   Just another very important reason why Serif has my unequivocal vote for One in a Million!  Thank you for letting us know so speedily.  Hopefully we will all watch our P’s and Q’s and send the bad guys to Junk/Trash.


24" iMAC Apple M1 chip, 8-core CPU, 8-core GPU, 16 GB unified memory, 1 TB SSD storage, Ventura 13.6.  Photo, Publisher, Designer 1.10.5, and 2.3.
MacBook Pro 13" 2020, Apple M1 chip, 16GB unified memory, 256GB SSD storage, Ventura 13.6. Publisher, Photo, Designer 1.10.5, and 2.1.1.
iPad Pro 12.9 2020 (4th Gen. IOS 16.6.1); Apple pencil.
Wired and bluetooth mice and keyboards.


8 hours ago, Patrick Connor said:

The admin password on the account in question was a random mix of upper and lower case letters and numbers, ...

Which is usually a common feasible practice for passwords with a length of >= 12, though mixing in also some special characters additionally to that scheme, is even better.

 

8 hours ago, Patrick Connor said:

... which the account holder had thought was unique to the forum account but was actually shared with another website who suffered a cyber attack. ...

Well, that's the unfortunate point here and probably a good example for people in general, why not to (re)use one and the same pwd among multiple sites.

Though honestly that's also of no absolute protection, since in IT there generally doesn't exist something like an absolute for sure granted protection. Unfortunately, there are always ways and means to compromise IT systems in one way or another.

In short, nobody is really protected from something like that and unfortunately it can happen to anyone in IT at any time (...one of Murphy's laws)!

☛ Affinity Designer 1.10.8 ◆ Affinity Photo 1.10.8 ◆ Affinity Publisher 1.10.8 ◆ OSX El Capitan
☛ Affinity V2.3 apps ◆ MacOS Sonoma 14.2 ◆ iPad OS 17.2


First off, thank you for being once again completely transparent with the community. In these crazy times when thieves use more and more sophisticated means to scam, no one is safe. Who made the mistake or how is irrelevant; it can happen to anyone. What’s important is that we’re now aware of the attack and its possible fallout.

Secondly, I don’t know about other members but in 9 days since the cyber-attack took place, personally I see no spam/ phishing attempts. Of course I’ll continue to monitor my email activity for any possible fraudulent attempt — but so far so good.

Regards.

StudioLink 256gb 11’ M1 iPad Pro

iPadOS 17 Public Beta 1

iPad Magic Keyboard


3 hours ago, ShelvsHOTpencil said:

Why are you storing the IP address of users? 

Patrick answered the question earlier here:

On 4/13/2023 at 1:53 PM, Patrick Connor said:

(…)we use the IP address history to keep spamming to a minimum

 

Greetings from Germany

Micha

Please excuse my bad english. I learned it at school over thirty years ago. If you don't use it (regularly), you'll loose it.

Windows 10 & iPadOS: Affinity Suite (v1 and v2), all Workbooks (v1, german language), some content-packages


  • Staff

It was only because of the IP address tools that this breach was discovered, as the hacker had tried to break into 3 other staff accounts before that morning. Without the IP address we may not have found the breach.

The IP address storage is also a core feature of the spam defense of these off the shelf forums, and not something that we can avoid.

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


I am in cybersecurity also and I find that 2FA is a very effective tool against account cracking. It would have prevented this attack.

Lenovo IdeaPad 5 Ryzen 7 5700U Rx Vega 8 graphics 

16GB RAM (15.3 usable) 

Affinity Photo 1.10.6

Affinity photo 2 2.3.1 Affinity Designer 2 2.3.1 Affinity Publisher 2 2.3.1 on Windows 11 Pro version 23H2

Beta builds as they come out.

canon 80d| sigma 18-200mm F3.5-6.3 DC MACRO OS HSM | Tamron SP AF 28-75mm f/2.8 XR Di LD | Canon EF-S 10-18mm f/4.5-5.6 IS STM Autofocus APS-C Lens, Black

 


On 4/13/2023 at 9:54 PM, Patrick Connor said:

Technically perhaps they could access the database, but the admin logs and other security logs are very clear and show us that was not done, NO passwords were compromised. Furthermore, even if they had accessed the DB (and they did not) all passwords are hashed (not stored in plain text) so useless to a hacker.

Hello Patrick, there are two related but different issues here, (a) how your systems were compromised and (b) the impact to forum users based on our knowledge of what data was accessed. 

Would Affinity be sharing more details on exactly how the attacker was able to compromise your services, and what services were breached? I'm still not very clear about your statement - if they could access your database then they were already deep inside your systems. Your SIEM services that manage your audit logs themselves may have been subject to other types of changes, i.e., it may not be possible to tell authoritatively whether password hashes or other data such as credit card details were indeed accessed, or were not accessed, just by looking at your admin and security logs. 

Second, with regards to the impact on forum users, there would be a problem if users have reused passwords, whether or not password hashes were accessed. Most folks tend to reuse the same email address & password combinations (against good security hygiene) simply because it's convenient. This is not so much your issue, but a general comment on the state of cybersecurity hygiene today.

Thanks!
-Sam


They had the same kind of hack that Colonial Pipeline had in 2021, just Google it.

Lenovo IdeaPad 5 Ryzen 7 5700U Rx Vega 8 graphics 

16GB RAM (15.3 usable) 

Affinity Photo 1.10.6

Affinity photo 2 2.3.1 Affinity Designer 2 2.3.1 Affinity Publisher 2 2.3.1 on Windows 11 Pro version 23H2

Beta builds as they come out.

canon 80d| sigma 18-200mm F3.5-6.3 DC MACRO OS HSM | Tamron SP AF 28-75mm f/2.8 XR Di LD | Canon EF-S 10-18mm f/4.5-5.6 IS STM Autofocus APS-C Lens, Black

 


On 4/16/2023 at 6:32 AM, Patrick Connor said:

the hacker had tried to break into 3 other staff accoun

 

On 4/14/2023 at 5:35 PM, Patrick Connor said:

The admin password on the account in question was a random mix of upper and lower case letters and numbers, which the account holder had thought was unique to the forum account but was actually shared with another website who suffered a cyber attack.

Can you elaborate on this? Were multiple admin account passwords used on this other compromised website?

I don't understand why the hacker would try and breach other accounts without any such weakness. It would be a waste of time to switch to brute forcing other passwords.


  • Staff
34 minutes ago, BofG said:

Can you elaborate on this?...

Many people's email addresses have been leaked in the past (See HaveIBeenPwned.com to see if your email or passwords have been compromised).

I suspect they came with a list of @serif.com email addresses and previously compromised passwords to see if they also gave access to the Affinity Forum accounts for those staff. 3 other accounts were tried and failed from the same IP address in the 10 minutes before the breach (these 3 accounts all locked after 3 failed password attempts). On the 4th staff account one of the compromised passwords seems to have got them access in less than 3 attempts.

With 3 failed attempts and lock (true of all accounts here) this forum cannot suffer from a brute force attack.

We have now implemented 2 factor authentication so a user cannot access an admin or moderator account without access to the authenticator application or to the actual email account of that address.

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 

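The login pattern described in the post above (failures against several accounts from one IP address within about ten minutes, then a success on another account) shows up when failed logins are grouped by source IP rather than by account. This is an added detection example, not part of the post or of the forum software; the log format, account names, addresses and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the forum): time, source IP, account, result.
SAMPLE_LOG = """\
2023-01-01T08:01:10 203.0.113.7 staff_a FAIL
2023-01-01T08:01:40 203.0.113.7 staff_a FAIL
2023-01-01T08:02:05 203.0.113.7 staff_a FAIL
2023-01-01T08:03:30 203.0.113.7 staff_b FAIL
2023-01-01T08:03:55 203.0.113.7 staff_b FAIL
2023-01-01T08:04:20 203.0.113.7 staff_b FAIL
2023-01-01T08:05:00 198.51.100.20 member_x FAIL
2023-01-01T08:05:30 198.51.100.20 member_x OK
2023-01-01T08:06:00 203.0.113.7 staff_c FAIL
2023-01-01T08:06:25 203.0.113.7 staff_c FAIL
2023-01-01T08:06:50 203.0.113.7 staff_c FAIL
2023-01-01T08:09:20 203.0.113.7 staff_d FAIL
2023-01-01T08:09:45 203.0.113.7 staff_d OK
"""


def find_stuffing(log_text, window_minutes=10, min_accounts=3):
    """Return successful logins preceded, from the same IP and inside the
    window, by failures against at least min_accounts other accounts."""
    window = timedelta(minutes=window_minutes)
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines
            ts, ip, account, result = parts
            events.append((datetime.fromisoformat(ts), ip, account, result))
    events.sort(key=lambda e: e[0])  # logs may arrive out of order

    recent_fails = defaultdict(list)  # ip -> [(time, account)]
    alerts = []
    for when, ip, account, result in events:
        # Forget failures that have fallen out of the sliding window.
        recent_fails[ip] = [(t, a) for t, a in recent_fails[ip] if when - t <= window]
        if result == "FAIL":
            recent_fails[ip].append((when, account))
        elif result == "OK":
            others = sorted({a for _, a in recent_fails[ip] if a != account})
            if len(others) >= min_accounts:
                alerts.append({"ip": ip, "account": account,
                               "time": when.isoformat(), "failed_accounts": others})
    return alerts


if __name__ == "__main__":
    for alert in find_stuffing(SAMPLE_LOG):
        print(alert)
```

A member who mistypes a password once and then signs in (`member_x` in the sample) raises no alert, because the failures and the success concern the same account.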

  • Staff
10 hours ago, Guest said:

Would Affinity be sharing more details on exactly how the attacker was able to compromise your services, and what services were breached?

No. All the information is in this thread. I have held nothing back.

10 hours ago, Guest said:

if they could access your database then they were already deep inside your systems.

No, that is not how these forums work. They are hosted on their own servers with accounts 100% independent from any other systems.

10 hours ago, Guest said:

it may not be possible to tell authoritatively whether password hashes or other data such as credit card details were indeed accessed, or were not accessed, just by looking at your admin and security logs

The forums do not store any credit card details, as I explained repeatedly, and this is unhelpful to suggest we are missing something from the comprehensive admin logs which we have studied in detail before submitting our official completed report to the ICO.

10 hours ago, Guest said:

Second, with regards to the impact on forum users, there would be a problem if users have reused passwords, whether or not password hashes were accessed. Most folks tend to reuse the same email address & password combinations (against good security hygiene) simply because it's convenient. This is not so much your issue, but a general comment on the state of cybersecurity hygiene today.

Agreed, hence us telling all users by email, as this is effectively how they gained access to our forums in the first place.

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


I would like to say thanks for letting us know that it happened and the data that may have been compromised.

IP addresses are no issue as your provider will allocate a new fixed IP if necessary but I always recommend dynamic, as for the email it just adds to the spam.

Once again thanks to Affinity for coming forward and warning us of this compromise.

 

Both PC’s Win 11 x64 System with Intuos Pen & Touch
PC1 ASUS ROG Strix - AMD Ryzen 9 6900X CPU @ 3.3GHz. 32GB RAM - GPU 1: AMD Radeon integrated. GPU 2: NVIDIA RTX 3060, 6GB
PC2 HP Pavilion - Intel® Core™ i7-7700HQ CPU @ 2.80GHz (8 CPUs), 16GB RAM - GPU 1: Intel HD Graphics 630, GPU 2: NVIDIA GTX1050, 4GB

iPad (8th Gen) 2020

 


  • Staff
On 4/17/2023 at 8:24 PM, ShelvsHOTpencil said:

And should I worry for my ip address leaking.

No, most applications on your phone send your actual location constantly, your IP isn't very useful information.

On 4/17/2023 at 8:24 PM, ShelvsHOTpencil said:

I would love to see 2fa implemented.

2FA is implemented here already. It can be turned on under your account settings > privacy

It is also coming to the Affinity Store accounts soon

On 4/17/2023 at 8:24 PM, ShelvsHOTpencil said:

Other than being vigilant, should I do anything else?

Not really, vigilance regarding emails you receive is always recommended.

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 
