Guest PaulOBrien Posted September 20, 2016

Earlier today a number of users contacted us to inform us that the data breach tracking site, haveibeenpwned.com, is notifying users of a data breach of the MoDaCo database. After initial investigations, we have determined that this report is correct: a dump of the MoDaCo database has been extracted by an unauthorised entity.

First of all, we are of course very disappointed that this has happened. The security of your data is very important to us; I appreciate we've let you down in this regard, but hope we can allay some concerns and do our best to rebuild your confidence starting now.

MoDaCo runs on a market-leading CMS, is regularly updated and runs on a server which also receives regular updates and security scans. We chose the CMS we use because it receives frequent security fixes and, most importantly, stores passwords in a very secure Blowfish-based form. In that regard, we think that passwords are well protected against unauthorised use; however, a small amount of additional data (such as username and email address) is also included in the dump.

We have determined that the breach is likely to have occurred by way of a compromised Administrator account. We have taken action to prevent this vector being accessible in this way in the future. For us it is a lesson learned, albeit in a very difficult way to stomach. We are also liaising with the CMS provider to determine additional ways to mitigate similar attacks going forward.

Finally, should any users wish their data to be removed from MoDaCo, of course we will arrange for that to be completed. Should this be the case, please complete the 'Contact Us' form using the link at the bottom of every MoDaCo page. This will raise a support ticket to be actioned by the admin team.

Once again, I offer my sincere apologies and ask for your understanding in this matter.

Cheers, Paul

Note: This message is also being sent immediately by email to all users.
Guest nmayer79 Posted September 20, 2016

With reasonable assurance that passwords are protected, which it sounds like you are confident of, I feel a bit better about this. Appreciate you taking the time to address this.
Guest TRB01 Posted September 20, 2016

Can you expand a bit further on exactly how our passwords were hashed/protected? The email we got from haveibeenpwned indicated the passwords were salted MD5 rather than Blowfish, as you state. Since Blowfish is actually an encryption algorithm and not a hashing algorithm, your statement is a bit perplexing. Of course I will be changing my passwords anyway, but I would still like some further details.
Guest PaulOBrien Posted September 20, 2016

12 minutes ago, TRB01 said: "Can you expand a bit further on exactly how our passwords were hashed/protected? The email we got from haveibeenpwned indicated the passwords were salted MD5 rather than Blowfish, as you state. Since Blowfish is actually an encryption algorithm and not a hashing algorithm, your statement is a bit perplexing. Of course I will be changing my passwords anyway, but I would still like some further details."

I've been in contact with Invision, who referred to Blowfish, and I also noted they mentioned it in this post - https://invisionpower.com/news/8747-40-login-handlers/ - as a replacement for the 'insecure' MD5. I have asked them to clarify.

P
Guest Posted September 20, 2016

How do we delete our accounts? I'd like mine deleted. I've never used this site in my life, don't even remember signing up for it.
Guest maniac2003 Posted September 20, 2016

Thanks for your explanation @PaulOBrien; unfortunately I only received a mail from haveibeenpwned regarding the breach. Hopefully the breach will not lead to further damage for all involved users. This again makes us think about passwords and good use of them. Time to step up my LastPass game.
Guest perfectfire Posted September 20, 2016

I'm also waiting on details. MD5 is bad. I just got into competitive password cracking, and my crappy old rig and video card can crank out 1.3 billion MD5 hash values per second. Salted MD5 means they have to try to crack each hash value individually (if the salt is large enough), which helps, but not much for such a fast hash function.

I hope Invision means "a hash function based on Blowfish encryption" and not literally Blowfish, the symmetric-key block cipher. Because anybody that gains access to your password database has a pretty good chance of getting the encryption key too, at which point all of our passwords are easily converted to plaintext in seconds. That also means that anybody using this software has access to all of their users' passwords because they have the key. That is not how you store login information. You salt the plaintext and use a cryptographically strong one-way hash function purpose-designed for password hashing to be slow to compute, that takes a significant amount of RAM, etc.
Guest Kushan Posted September 21, 2016

So to wade in on the whole password/hashing thing, a few points:

"Blowfish" by itself would be a terrible idea; however, derivatives of it are used in a lot of password hashing routines, such as bcrypt (which is very secure). It's slightly worrying that Invision hasn't specified the exact algorithm they're using, but hopefully they will clarify further and it is a genuine hashing routine.

That said, the post @PaulOBrien linked to above mentions that as of IPB v4, they're "migrating" to the still unknown cipher. What does that mean for users like me who signed up to the site many years prior? The password I used back in 2003 still works today and I have no idea if I have signed into the site since 2013. How exactly did IPB do its migration? If they kept the old salted MD5s and waited for users to log in or change their passwords, that means a lot of users of the site have had their passwords completely exposed in this breach. I would strongly recommend changing your passwords and never using the one associated with this site anywhere else.

@PaulOBrien - I would advise you to force a password reset site-wide for all accounts, just to be safe. There are too many questions and too many unknowns to take any risk. Furthermore, even if people's passwords were protected by a strong algorithm like bcrypt, that by no means suggests they're unbreakable; it's just slow and has to be done one at a time. For sure, you need to change/reset all of your administrator/moderator accounts at the very least.

EDIT: I have just read through the comments of the IPB 4.0 page. @PaulOBrien, you need to see this. According to "Mark" from IPB, the stored hash is only upgraded as users log in:

Quote: "They'll be converted as users log in. They didn't do an in-place upgrade as it would be too slow."

This means any users who have not logged in since MoDaCo upgraded to v4 have had their passwords exposed in this breach :( Regarding the hash itself, it seems they're using http://php.net/crypt with CRYPT_BLOWFISH, which is a proper hashing algorithm.
Guest PaulOBrien Posted September 21, 2016

Thanks Kushan, that's useful information. I'm continuing to liaise with Invision for the full details (and I'm going to check out the code also). They have confirmed that, of course, they don't store passwords themselves at all, just the hashes, as you'd expect; I'm just awaiting confirmation on the upgrade process etc. Should the conversion to bcrypt only be happening at login, I will certainly suggest that, for the benefit of their other clients if nothing else, they should offer an option to manually convert!

P
Guest PaulOBrien Posted September 21, 2016

An additional point to note is that I've asked Invision for 2-factor on admin accounts previously; I'll be reiterating the need for this.

P
Guest digitaltoast Posted September 21, 2016

If it's any consolation, I got another email from haveibeenpwned to alert me that I'm one of the 37 million affected by the data breach from 2012 which was dumped this month. So it's not just you!
Guest dreis911 Posted September 21, 2016

First of all, thanks for the courage to admit your faults and failures and share your fears and disappointments... and for being on the hunt for a better solution (learning from what happened).

Second, I don't even reach the newbie level, but some things I know, and one of them is that "there's no such thing as perfect security". If you have a lock there'll always be a key (legitimate or not).

Third, I just changed my PW without problems and I'm not worried. Why?
- As always, I try to give the least info possible to any site I subscribe to (MoDaCo included). So if anything was stolen... pity, but no worries.
- I don't repeat PWs. I use an algorithm of my own to create any PW so that every PW is different.

These are my thoughts on the subject. Thanks.
Guest perfectfire Posted September 21, 2016

Like @Kushan said, CRYPT_BLOWFISH is a legit password hashing function. Just be sure to set the cost parameter correctly. You don't want it to be too fast, and you'll need to update the cost parameter over time as computers become more powerful.
Guest James Posted September 21, 2016

Woah... first contact with MoDaCo for years, unfortunately under bad circumstances.
Guest alexdonald Posted September 22, 2016

Thank you for the open and honest statement, albeit in unfortunate and disappointing circumstances. Thank you for the work you did many years ago that got me into flashing custom ROMs onto my Android phones.

Please force a password reset on all users. I have just logged in for the first time in many, many years, and there was no need to renew my password. Although that cat is already truly out of the bag!
Guest PaulOBrien Posted September 22, 2016

1 hour ago, alexdonald said: "Thank you for the open and honest statement, albeit in unfortunate and disappointing circumstances. Thank you for the work you did many years ago that got me into flashing custom ROMs onto my Android phones. Please force a password reset on all users. I have just logged in for the first time in many, many years, and there was no need to renew my password. Although that cat is already truly out of the bag!"

Noted, I am verifying the best way to do this!

P
Guest goatee Posted September 22, 2016

I changed my password after I got my email from haveibeenpwned, but this just highlights how people should/need to learn what a password database is, and start using them. Having a unique and randomly generated password for every site/application should be the norm now. Password databases aren't difficult to use, and there are plenty of cross-platform options, so you can easily access them from Windows/Apple/Android devices.

Thanks for the quick response and for responding to queries here.
Guest PaulOBrien Posted September 23, 2016

A quick update on a few bits. I've been liaising with Invision following the breach as, while it's obviously a bit late for me to be able to do anything, I can hopefully help prevent the same thing happening at another property running the same platform.

Re: bcrypt and MD5, the unfortunate upshot is that the system is indeed converting on login, so older user passwords remain in salted MD5 hashes. I can understand this from the perspective of both performance (changing the hash format is slow) and the fact that there is no store of the password itself; you would only be able to bcrypt the hash (but I think that would work?). I've asked Invision to provide their users with a script to manually make this happen.

In addition, there are a couple of other things that would be a good idea. The most obvious is 2-factor auth for admin accounts, but the function used to dump and steal the data in the admin panel also really doesn't need to be there. There should be a way to remove it completely. Again, I've fed this back and I think Invision have a duty to their paying customers to provide these changes.

Thanks again for your understanding and be assured I am doing my absolute best to deal with the situation as effectively as possible.

P
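The following PHP script is an added example, not MoDaCo's or Invision's code, that ties together three points raised in this thread: Kushan's finding that IPB only rehashes a legacy MD5 record when that user next logs in, perfectfire's note that the bcrypt cost parameter must be set and revisited, and Paul's question above about whether one can "bcrypt the hash" for accounts that never log in. It assumes PHP 7.4 or later (bcrypt through password_hash), a legacy layout modelled on the classic IPB/MyBB scheme md5(md5(salt) . md5(password)), a hypothetical '$legacy-md5$' marker for wrapped rows, and a cost of 12; the sample rows and passwords are constructed.

```php
<?php
// Added example, not MoDaCo's or Invision's code. Assumes PHP 7.4+ (bcrypt via
// password_hash) and a legacy layout modelled on the classic IPB/MyBB scheme
// md5(md5(salt) . md5(password)); the marker and cost below are assumptions.
declare(strict_types=1);

const BCRYPT_COST   = 12;              // assumed; tune with benchmark_cost()
const LEGACY_PREFIX = '$legacy-md5$';  // assumed marker for wrapped MD5 rows

function legacy_md5(string $password, string $salt): string
{
    return md5(md5($salt) . md5($password));
}

// Classify a stored hash so an operator can count what is still exposed.
function hash_kind(array $row): string
{
    $h = $row['hash'];
    if (strncmp($h, LEGACY_PREFIX, strlen(LEGACY_PREFIX)) === 0) {
        return 'wrapped-legacy';
    }
    if (preg_match('/^\$2[aby]\$\d{2}\$/', $h)) {
        return 'bcrypt';
    }
    if (preg_match('/^[0-9a-f]{32}$/', $h)) {
        return 'salted-md5';
    }
    return 'unknown';
}

function fresh_bcrypt(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Check a login; on success the row is moved to plain bcrypt (the conversion
// Invision performs only at login). Returns [bool ok, array row].
function verify_and_upgrade(array $row, string $password): array
{
    switch (hash_kind($row)) {
        case 'bcrypt':
            $ok = password_verify($password, $row['hash']);
            if ($ok && password_needs_rehash($row['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
                $row['hash'] = fresh_bcrypt($password);   // cost was raised since
            }
            return [$ok, $row];
        case 'wrapped-legacy':
            $inner = substr($row['hash'], strlen(LEGACY_PREFIX));
            $ok = password_verify(legacy_md5($password, $row['salt']), $inner);
            break;
        case 'salted-md5':
            $ok = hash_equals($row['hash'], legacy_md5($password, $row['salt']));
            break;
        default:
            return [false, $row];
    }
    if ($ok) {
        $row['hash'] = fresh_bcrypt($password);
        $row['salt'] = '';
    }
    return [$ok, $row];
}

// Offline pass for accounts that never log in: bcrypt the MD5 digest itself.
// No plaintext is needed, and a thief who takes the table afterwards must pay
// bcrypt per guess. It does nothing for a copy taken before the pass.
function wrap_legacy(array $row): array
{
    if (hash_kind($row) === 'salted-md5') {
        $row['hash'] = LEGACY_PREFIX . fresh_bcrypt($row['hash']);
    }
    return $row;
}

// Raise the cost until one hash takes at least $targetMs on this hardware.
function benchmark_cost(int $targetMs = 250): int
{
    $cost = 8;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
    } while ($elapsedMs < $targetMs && $cost < 31);
    return $cost;
}

// Constructed sample table: two legacy rows, one already on bcrypt.
$salt  = 'k3Xq9';
$users = [
    ['name' => 'alice', 'salt' => $salt, 'hash' => legacy_md5('correct horse', $salt)],
    ['name' => 'bob',   'salt' => $salt, 'hash' => legacy_md5('hunter2', $salt)],
    ['name' => 'carol', 'salt' => '',    'hash' => fresh_bcrypt('pa55w0rd')],
];
$report = fn(array $rows) => json_encode(array_count_values(array_map('hash_kind', $rows)));

echo "before: ", $report($users), "\n";
[$ok, $users[0]]  = verify_and_upgrade($users[0], 'correct horse');  // alice logs in
[$bad, $users[1]] = verify_and_upgrade($users[1], 'wrong');          // bob: wrong guess
echo "alice ok=", var_export($ok, true), " bob ok=", var_export($bad, true), "\n";
echo "after logins: ", $report($users), "\n";
$users = array_map('wrap_legacy', $users);                           // operator's offline pass
echo "after wrap: ", $report($users), "\n";
[$ok, $users[1]] = verify_and_upgrade($users[1], 'hunter2');         // bob's next login
echo "bob later ok=", var_export($ok, true), " kind=", hash_kind($users[1]), "\n";
printf("suggested bcrypt cost on this host: %d\n", benchmark_cost());
```

Run it with `php migrate.php`. The hash_kind tally is the check a site operator wants after a breach like this one: it tells you how many rows are still sitting as fast salted MD5. Wrapping the stored digest inside bcrypt is the standard answer to "bcrypt the hash": the server never needs the plaintext, the user's next login still succeeds and quietly lands them on plain bcrypt, and anyone who steals the table after the pass has to pay the bcrypt cost per guess. It does nothing for a copy that was taken before the pass, which is why the advice in this thread to force a site-wide password reset still stands.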
Guest Posted September 23, 2016

I have not had an email from MoDaCo about the data breach; I only found out myself by using the haveibeenpwned site, which I'm very disappointed about. Please remove my account and all details from your site and system. Thank you.
Guest Voxpop2011 Posted September 24, 2016

I came to the site today - not a regular visitor by any means - to find this statement. Thank you for the frank disclosure and assurance that you are stepping up security. I have changed my password, but in common with all the fora to which I belong, I never populate the 'about me', so there is nothing that can be compromised.
Guest MickJack Posted September 25, 2016

Just doing my occasional look-in, so changed my password. No email from MoDaCo or haveibeenpwned.

mick
Guest Posted September 28, 2016

I sent in an email a week ago but my account is still not deleted. Anyone?
Guest PaulOBrien Posted September 29, 2016

Hi, I am working through them; you will receive an email confirmation when this is done.

P
Guest bladebuddy Posted October 4, 2016

Deleting our account after it's been breached sounds like shutting the rabbit hutch after the rabbit has gone.
Guest wadewood Posted December 3, 2016

Please delete my account or tell me how I do that.