
MoDaCo data breach: Full statement


Guest PaulOBrien


Earlier today a number of users contacted us to inform us that data breach tracking site, haveibeenpwned.com, is notifying users of a data breach of the MoDaCo database.

After initial investigations, we have determined that this report is correct - a dump of the MoDaCo database has been extracted by an unauthorised entity.

First of all - we are of course very disappointed that this has happened. The security of your data is very important to us - I appreciate we've let you down in this regard, but hope we can allay some concerns and do our best to rebuild your confidence starting now.

MoDaCo runs on a market leading CMS, is regularly updated and runs on a server which too receives regular updates and security scans. We chose the CMS we use because it receives frequent security fixes and most importantly, stores passwords in a very secure Blowfish based form.

In that regard, we think that passwords are well protected against unauthorised use; however, a small amount of additional data (such as username and email address) is also included in the dump.

We have determined that the breach is likely to have occurred by way of a compromised Administrator account. We have taken action to prevent this vector being accessible in this way in the future, for us it is a lesson learned, albeit in a very difficult way to stomach. We are also liaising with the CMS provider to determine additional ways to mitigate similar attacks going forward.

Finally, should any users wish their data to be removed from MoDaCo, of course we will arrange for that to be completed. Should this be the case, please complete the 'Contact Us' form using the link at the bottom of every MoDaCo page. This will raise a support ticket to be actioned by the admin team.
  
Once again, I offer my sincere apologies and ask for your understanding in this matter.

Cheers,
  
Paul

Note: This message is also being sent immediately by email to all users.



Guest nmayer79

With reasonable assurance that passwords are protected, which it sounds like you are confident of, I feel a bit better about this. Appreciate you taking the time to address this. 


Guest TRB01

Can you expand a bit further on exactly how our passwords were hashed/protected? The email we got from haveibeenpwned indicated the passwords were salted MD5 rather than Blowfish, as you state. Since Blowfish is actually an encryption algorithm and not a hashing algorithm, your statement is a bit perplexing. Of course I will be changing my passwords anyway, but I would still like some further details.


Guest PaulOBrien
12 minutes ago, TRB01 said:

Can you expand a bit further on exactly how our passwords were hashed/protected? The email we got from haveibeenpwned indicated the passwords were salted MD5 rather than Blowfish, as you state. Since Blowfish is actually an encryption algorithm and not a hashing algorithm, your statement is a bit perplexing. Of course I will be changing my passwords anyway, but I would still like some further details.

I've been in contact with Invision who referred to Blowfish, and I also noted they mentioned it in this post - https://invisionpower.com/news/8747-40-login-handlers/ - as a replacement for the 'insecure' MD5.

I have asked them to clarify.

P


Guest maniac2003

Thanks for your explanation @PaulOBrien, unfortunately I only received a mail from haveibeenpwned regarding the breach. Hopefully the breach will not lead to further damage for all involved users. This again makes us think about passwords and good use of it. Time to step up my LastPass game.


Guest perfectfire

I'm also waiting on details. MD5 is bad. I just got into competitive password cracking and my crappy old rig and video card can crank out 1.3 billion MD5 hash values per second. Salted MD5 means they have to try to crack each hash value individually (if the salt is large enough) which helps, but not much for such a fast hash function.

I hope Invision means "A hash function based on blowfish encryption" and not literally blowfish: the symmetric key block-cipher. Because anybody that gains access to your password database has a pretty good chance of getting the encryption key too at which point all of our passwords are now easily converted to plaintext in seconds. That also means that anybody using this software has access to all of their users' passwords because they have the key. That is not how you store login information. You salt the plaintext and use a cryptographically strong one-way hash function purpose-designed for password hashing to be slow to compute, that takes a significant amount of RAM, etc.


Guest Kushan

So to wade in on the whole password/hashing thing, a few points:

"Blowfish" by itself would be a terrible idea; however, derivatives of it are used in a lot of password hashing routines, such as bcrypt (which is very secure). It's slightly worrying that Invision hasn't specified the exact algorithm they're using, but hopefully they will clarify further and it is a genuine hashing routine.

That said, the post @PaulOBrien linked to above mentions that as of IPB v4, they're "migrating" to the still unknown cipher. What does that mean for users like me who signed up to the site many years prior? The password I used back in 2003 still works today and I have no idea if I have signed into the site since 2013 - how exactly did IPB do its migration? If they kept the old salted MD5s and waited for users to log in or change their passwords, that means a lot of users of the site have had their passwords completely exposed in this breach.

I would strongly recommend changing your passwords and never using the one associated with this site anywhere else. @PaulOBrien - I would advise you to force a password reset site-wide for all accounts, just to be safe. There are too many questions and too many unknowns to take any risk. Furthermore, even if people's passwords were protected by a strong algorithm like bcrypt, that by no means suggests they're unbreakable, it's just slow and has to be done one at a time. For sure, you need to change/reset all of your administrator/moderator accounts at the very least.


EDIT: I have just read through the comments of the IPB 4.0 page. @PaulOBrien you need to see this:

According to "Mark" from IPB, the stored hash is only upgraded as users log in:

"They'll be converted as users log in."

They didn't do an in-place upgrade as it would be too slow. This means any users who have not logged in since Modaco upgraded to v4 have had their passwords exposed in this breach :(


Regarding the hash itself, it seems they're using http://php.net/crypt with CRYPT_BLOWFISH which is a proper hashing algorithm.

Edited by Kushan
Updated info

Guest PaulOBrien

Thanks Kushan, that's useful information. I'm continuing to liaise with Invision for the full details (and I'm going to check out the code also).

They have confirmed that, of course, they don't store passwords themselves at all, just the hashes, as you'd expect. I'm just awaiting confirmation on the upgrade process etc.

Should the conversion to bcrypt only be happening at login, I will certainly suggest that for the benefit of their other clients if nothing else, they should offer an option to manually convert!

P


Guest digitaltoast

If it's any consolation, I got another email from haveibeenpwned to alert me that I'm one of the 37 million affected by the data breach from 2012 which was dumped this month.

So it's not just you!


Guest dreis911

First of all, thanks for the courage to admit your faults and failures and share your fears and disappointments... and for being on the hunt for a better solution (learning from what happened).

Second, I don't even reach the newbie level, but some things I know, and one of them is that "there's no such thing as perfect security". If you have a lock there'll always be a key (legit or not).

Third, I just changed my PW without problems and I'm not worried. Why?

- As always, I try to give the least info possible to any site I subscribe to (MoDaCo included). So if anything was stolen... pity, but no worries.

- I don't repeat PWs. I use an algorithm of my own to create any PW so that every PW is different.

These are my thoughts on the subject. Thanks.


Guest perfectfire

Like @Kushan said CRYPT_BLOWFISH is a legit password hashing function. Just be sure to set the cost parameter correctly. You don't want it to be too fast and you'll need to update the cost parameter over time as computers become more powerful.


Guest alexdonald

Thank you for the open and honest statement, albeit in unfortunate and disappointing circumstances.

Thank you for the work you did many years ago that got me into flashing custom ROMs onto my Android phones.

Please force a password reset on all users, I have just logged in for the first time in many, many years, and there was no need to renew my password. Although that cat is already truly out of the bag!


Guest PaulOBrien
1 hour ago, alexdonald said:

Thank you for the open and honest statement, albeit in unfortunate and disappointing circumstances.

Thank you for the work you did many years ago that got me into flashing custom ROMs onto my Android phones.

Please force a password reset on all users, I have just logged in for the first time in many, many years, and there was no need to renew my password. Although that cat is already truly out of the bag!

Noted, I am verifying the best way to do this!

P


I changed my password after I got my email from haveibeenpwned, but this just highlights how people should / need to learn what a password database is, and start using them. Having a unique and randomly generated password for every site / application should be the norm now. Password databases aren't difficult to use, and there are plenty of cross-platform options, so you can easily access them from Windows / Apple / Android devices. Thanks for the quick response and for responding to queries here.


Guest PaulOBrien

A quick update on a few bits. I've been liaising with Invision following the breach as, while it's obviously a bit late for me to be able to do anything, I can hopefully help prevent the same thing happening at another property running the same platform.

Re: bcrypt and MD5, the unfortunate upshot is that the system is indeed converting on login, so older user passwords remain in salted MD5 hashes. I can understand this from the perspective of both performance (changing the hash format is slow) and the fact that there is no store of the password itself; you would only be able to bcrypt the hash (but think that would work?). I've asked Invision to provide their users with a script to manually make this happen.

In addition, there are a couple of other things that would be a good idea. The most obvious is 2 factor auth for admin accounts, but the function used to dump and steal the data in the admin panel also really doesn't need to be there. There should be a way to remove it completely. 

Again, I've fed this back and I think Invision have a duty to their paying customers to provide these changes.

Thanks again for your understanding and be assured I am doing my absolute best to deal with the situation as effectively as possible. 

P

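The two migration paths discussed in this thread (Kushan's point that IPB only upgrades a stored hash when the user next logs in, and Paul's question above about applying the slow hash to the existing MD5 digest instead) side by side, as an added example that is not MoDaCo's or Invision's code. hashlib.pbkdf2_hmac stands in for bcrypt so it runs with no third-party package, and the legacy format md5(salt + password) is a constructed assumption rather than IPB's real scheme.

```python
# Added example: a legacy salted-MD5 record upgraded to a slow KDF either at
# login (needs the plaintext) or in bulk by wrapping the MD5 digest itself.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # the "cost" knob; raise it as hardware gets faster


def legacy_md5(salt: str, password: str) -> str:
    """Constructed legacy format (assumption): hex md5 over salt + password."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def slow_hash(secret: str, salt: bytes) -> str:
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a per-record random salt."""
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_slow(secret: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def wrap_legacy(record: dict) -> dict:
    """Bulk migration without the plaintext: run the KDF over the MD5 digest.
    The legacy salt is kept so login can recompute the inner MD5."""
    if record["scheme"] == "md5":
        return {"scheme": "wrapped", "salt": record["salt"],
                "hash": slow_hash(record["hash"], os.urandom(16))}
    return record


def login(record: dict, password: str):
    """Verify under whichever scheme the record is in; on success, rewrite
    anything that is not yet a direct slow hash of the plaintext."""
    scheme = record["scheme"]
    if scheme == "md5":  # un-migrated: fast hash, exposed if the DB leaks
        ok = hmac.compare_digest(legacy_md5(record["salt"], password), record["hash"])
    elif scheme == "wrapped":  # KDF(md5(salt + password))
        ok = check_slow(legacy_md5(record["salt"], password), record["hash"])
    else:  # "slow": KDF(password)
        ok = check_slow(password, record["hash"])
    if ok and scheme != "slow":
        record = {"scheme": "slow", "salt": "",
                  "hash": slow_hash(password, os.urandom(16))}
    return ok, record
```

Wrapped records stay behind the slow KDF even for accounts that never log in again, which is exactly the population the on-login-only scheme leaves in salted MD5.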

I have not had an email from Modaco about the data breach; I only found out myself by using the haveibeenpwned site, which I'm very disappointed about. Please remove my account and all details from your site and system. Thank you.


Guest Voxpop2011

I came to the site today - not a regular visitor by any means - to find this statement. Thank you for the frank disclosure and assurance that you are stepping up security. I have changed my password, but in common with all the fora to which I belong, I never populate the 'about me' so there is nothing that can be compromised.
