
    MoDaCo data breach: Full statement


    PaulOBrien

    Earlier today a number of users contacted us to inform us that data breach tracking site, haveibeenpwned.com, is notifying users of a data breach of the MoDaCo database.

    After initial investigations, we have determined that this report is correct - a dump of the MoDaCo database has been extracted by an unauthorised entity.

    First of all - we are of course very disappointed that this has happened; the security of your data is very important to us - I appreciate we've let you down in this regard, but hope we can allay some concerns and do our best to rebuild your confidence, starting now.

    MoDaCo runs on a market leading CMS, is regularly updated and runs on a server which too receives regular updates and security scans. We chose the CMS we use because it receives frequent security fixes and most importantly, stores passwords in a very secure Blowfish based form.

    In that regard, we think that passwords are well protected against unauthorised use; however, a small amount of additional data (such as username and email address) is also included in the dump.

    We have determined that the breach is likely to have occurred by way of a compromised Administrator account. We have taken action to prevent this vector being accessible in this way in the future, for us it is a lesson learned, albeit in a very difficult way to stomach. We are also liaising with the CMS provider to determine additional ways to mitigate similar attacks going forward.

    Finally, should any users wish their data to be removed from MoDaCo, of course we will arrange for that to be completed. Should this be the case, please complete the 'Contact Us' form using the link at the bottom of every MoDaCo page. This will raise a support ticket to be actioned by the admin team.
      
    Once again, I offer my sincere apologies and ask for your understanding in this matter.

    Cheers,
      
    Paul

    Note: This message is also being sent immediately by email to all users.

    Edited by PaulOBrien

    User Feedback




    With reasonable assurance that passwords are protected, which it sounds like you are confident of, I feel a bit better about this. Appreciate you taking the time to address this. 


    Can you expand a bit further on exactly how our passwords were hashed/protected? The email we got from haveibeenpwned indicated the passwords were salted MD5 rather than blowfish, as you state. Since Blowfish is actually an encryption algorithm and not a hashing algorithm your statement is a bit perplexing. Of course I will be changing my passwords any way but I would still like some further details.

    12 minutes ago, TRB01 said:

    Can you expand a bit further on exactly how our passwords were hashed/protected? The email we got from haveibeenpwned indicated the passwords were salted MD5 rather than blowfish, as you state. Since Blowfish is actually an encryption algorithm and not a hashing algorithm your statement is a bit perplexing. Of course I will be changing my passwords any way but I would still like some further details.

    I've been in contact with Invision who referred to Blowfish, and I also noted they mentioned it in this post - https://invisionpower.com/news/8747-40-login-handlers/ - as a replacement for the 'insecure' MD5.

    I have asked them to clarify.

    P


    How do we delete our accounts? I'd like mine deleted; I've never used this site in my life and don't even remember signing up for it.


    Thanks for your explanation @PaulOBrien, unfortunately I only received a mail from haveibeenpwned regarding the breach. Hopefully the breach will not lead to further damage for all involved users. This again makes us think about passwords and good use of it. Time to step up my LastPass game.


    I'm also waiting on details. MD5 is bad. I just got into competitive password cracking and my crappy old rig and video card can crank out 1.3 billion MD5 hash values per second. Salted MD5 means they have to try to crack each hash value individually (if the salt is large enough) which helps, but not much for such a fast hash function.

    I hope Invision means "A hash function based on blowfish encryption" and not literally blowfish: the symmetric key block-cipher. Because anybody that gains access to your password database has a pretty good chance of getting the encryption key too at which point all of our passwords are now easily converted to plaintext in seconds. That also means that anybody using this software has access to all of their users' passwords because they have the key. That is not how you store login information. You salt the plaintext and use a cryptographically strong one-way hash function purpose-designed for password hashing to be slow to compute, that takes a significant amount of RAM, etc.


    So to wade in on the whole password/hashing thing, a few points:

    "Blowfish" by itself would be a terrible idea; however, derivatives of it are used in a lot of password hashing routines, such as bcrypt (which is very secure) - it's slightly worrying that Invision hasn't specified the exact algorithm they're using, but hopefully they will clarify further and it is a genuine hashing routine.

    That said, the post @PaulOBrien linked to above mentions that as of IPB v4, they're "migrating" to the still unknown cipher. What does that mean for users like me who signed up to the site many years prior? The password I used back in 2003 still works today and I have no idea if I have signed into the site since 2013 - how exactly did IPB do its migration? If they kept the old salted MD5's and waited for users to log in or change their passwords, that means a lot of users of the site have had their passwords completely exposed in this breach.

    I would strongly recommend changing your passwords and never using the one associated with this site anywhere else. @PaulOBrien - I would advise you to force a password reset site-wide for all accounts, just to be safe. There are too many questions and too many unknowns to take any risk. Furthermore, even if people's passwords were protected by a strong algorithm like bcrypt, that by no means suggests they're unbreakable, it's just slow and has to be done one at a time. For sure, you need to change/reset all of your administrator/moderator accounts at the very least.

     

    EDIT: I have just read through the comments of the IPB 4.0 page. @PaulOBrien you need to see this:

    According to "Mark" from IPB, the stored hash is only upgraded as users log in:

    Quote

    They'll be converted as users log in.

    They didn't do an in-place upgrade as it would be too slow. This means any users who have not logged in since Modaco upgraded to v4 have had their passwords exposed in this breach :(

     

    Regarding the hash itself, it seems they're using http://php.net/crypt with CRYPT_BLOWFISH which is a proper hashing algorithm.

    Edited by Kushan
    Updated info


    Thanks Kushan, that's useful information. I'm continuing to liaise with Invision for the full details (and I'm going to check out the code also).

    They have confirmed that, of course, they don't store passwords themselves at all, just the hashes, as you'd expect; I'm just awaiting confirmation on the upgrade process etc.

    Should the conversion to bcrypt only be happening at login, I will certainly suggest that for the benefit of their other clients if nothing else, they should offer an option to manually convert!

    P


    If it's any consolation, I got another email from haveibeenpwned to alert me that I'm one of the 37 million affected by the data breach from 2012 which was dumped this month.

    So it's not just you!


    First of all, thanks for the courage to admit your faults and failures and share your fears and disappointments... and for being on the hunt for a better solution (learning from what happened).

    Second, I don't even reach the newbie level but some things I know and one of them is that "there's no such thing as a perfect security". If you have a lock there'll always be a key (legit or not).

    Third, I just changed my PW without problems and I'm not worried. Why?

    - As always, I try to give the least info possible to any site I subscribe to (MoDaCo included). So if anything was stolen... pity, but no worries.

    - I don't repeat PWs. I use an algorithm of my own to create any PW so that every PW is different.

    These are my thoughts on the subject. Thanks.


    Like @Kushan said CRYPT_BLOWFISH is a legit password hashing function. Just be sure to set the cost parameter correctly. You don't want it to be too fast and you'll need to update the cost parameter over time as computers become more powerful.

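To make the two points above concrete, the upgrade-on-login behaviour Kushan describes (a row only leaves salted MD5 when that user presents their password) and the bcrypt cost parameter raised in the comment just before this one, here is an added PHP example. It is not MoDaCo's or Invision's code: it assumes a legacy scheme of md5(salt . password) stored as 32 hex characters with a separate salt column (the thread never states the real legacy format), and a policy minimum cost of 12 is an assumed value. It audits a constructed user table for how many rows are still on the fast legacy hash and which bcrypt rows sit below the cost policy, then shows why a dormant account never gets upgraded until it logs in.

```php
<?php
// Added example (not MoDaCo's or Invision's code). Legacy scheme assumed to be
// md5(salt . password); MIN_BCRYPT_COST is an assumed policy value.
declare(strict_types=1);

const MIN_BCRYPT_COST = 12;

function legacyMd5(string $salt, string $password): string {
    return md5($salt . $password);
}

// Classify one stored hash: 'md5' for a bare 32-hex digest, 'bcrypt' (with its
// cost) for a $2y$ modular-crypt string, 'unknown' for anything else.
function classifyHash(string $stored): array {
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return ['algo' => 'md5', 'cost' => null];
    }
    $info = password_get_info($stored);
    if ($info['algoName'] === 'bcrypt') {
        return ['algo' => 'bcrypt', 'cost' => $info['options']['cost']];
    }
    return ['algo' => 'unknown', 'cost' => null];
}

// Audit a user table: rows still on the legacy hash, and bcrypt rows whose cost
// has fallen below policy (the cost needs raising over time as hardware speeds up).
function auditUsers(array $users): array {
    $summary = ['md5' => 0, 'bcrypt' => 0, 'unknown' => 0, 'low_cost' => []];
    foreach ($users as $u) {
        $c = classifyHash($u['hash']);
        $summary[$c['algo']]++;
        if ($c['algo'] === 'bcrypt' && $c['cost'] < MIN_BCRYPT_COST) {
            $summary['low_cost'][] = $u['name'];
        }
    }
    return $summary;
}

// Login path with upgrade-on-login: the row moves to bcrypt (or to a higher
// cost) only when the user supplies the plaintext. Accounts that never log in
// keep their MD5 row indefinitely, which is the exposure discussed above.
function loginAndUpgrade(array &$user, string $password): bool {
    $c = classifyHash($user['hash']);
    if ($c['algo'] === 'md5') {
        if (!hash_equals($user['hash'], legacyMd5($user['salt'], $password))) {
            return false;
        }
    } elseif (!password_verify($password, $user['hash'])) {
        return false;
    }
    $opts = ['cost' => MIN_BCRYPT_COST];
    if ($c['algo'] !== 'bcrypt' || password_needs_rehash($user['hash'], PASSWORD_BCRYPT, $opts)) {
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT, $opts);
        $user['salt'] = null; // bcrypt carries its own salt in the hash string
    }
    return true;
}

// Constructed sample rows (not real data): one dormant legacy account, one
// active account hashed at a cost below policy.
$users = [
    ['name' => 'dormant2003', 'salt' => 'x7Qp1', 'hash' => legacyMd5('x7Qp1', 'correct horse')],
    ['name' => 'active2018',  'salt' => null,    'hash' => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 10])],
];

print_r(auditUsers($users));                  // before: the dormant row is still md5
loginAndUpgrade($users[0], 'correct horse');  // the dormant user finally logs in
print_r(auditUsers($users));                  // after: that row is now bcrypt at policy cost
```

The audit is the check a site owner can run without any user involvement; in a real deployment it would iterate the members table rather than an in-memory array. Note that `password_needs_rehash()` is what makes the cost policy self-correcting: once the minimum is raised, every successful login re-hashes at the new cost, but, exactly as with the MD5 rows, a row that never logs in is never touched.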

    Thank you for the open and honest statement, albeit in unfortunate and disappointing circumstances.

    Thank you for the work you did many years ago that got me into flashing custom ROMs onto my Android phones.

    Please force a password reset on all users, I have just logged in for the first time in many, many years, and there was no need to renew my password. Although that cat is already truly out of the bag!

    1 hour ago, alexdonald said:

    Thank you for the open and honest statement, albeit in unfortunate and disappointing circumstances.

    Thank you for the work you did many years ago that got me into flashing custom ROMs onto my Android phones.

    Please force a password reset on all users, I have just logged in for the first time in many, many years, and there was no need to renew my password. Although that cat is already truly out of the bag!

    Noted, I am verifying the best way to do this!

    P


    I changed my password after I got my email from haveibeenpwned, but this just highlights how people should / need to learn what a password database is, and start using them. Having a unique and randomly generated password for every site / application should be the norm now. Password databases aren't difficult to use, and there are plenty of cross-platform options, so you can easily access them from Windows / Apple / Android devices. Thanks for the quick response and for responding to queries here.


    A quick update on a few bits. I've been liaising with Invision following the breach as, while it's obviously a bit late for me to be able to do anything, I can hopefully help prevent the same thing happening at another property running the same platform. 

    Re: bcrypt and MD5, the unfortunate upshot is that the system is indeed converting on login, so older user passwords remain in salted MD5 hashes. I can understand this from the perspective of both performance (changing the hash format is slow) and the fact that there is no store of the password itself; you would only be able to bcrypt the hash (but I think that would work?). I've asked Invision to provide their users with a script to manually make this happen.

    In addition, there are a couple of other things that would be a good idea. The most obvious is 2 factor auth for admin accounts, but the function used to dump and steal the data in the admin panel also really doesn't need to be there. There should be a way to remove it completely. 

    Again, I've fed this back and I think Invision have a duty to their paying customers to provide these changes.

    Thanks again for your understanding and be assured I am doing my absolute best to deal with the situation as effectively as possible. 

    P

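The "bcrypt the hash" idea in the update above does work, and is a standard way to retire a fast legacy hash without waiting for each user to log in: bcrypt is applied over the stored MD5 digest in one batch, and verification recomputes the inner MD5 from the submitted password before checking the outer bcrypt. The following PHP is an added example, not MoDaCo's or Invision's code; it assumes the same legacy scheme as before, md5(salt . password) as 32 hex characters with a separate salt column, plus an assumed `wrapped` column that records which rows hold the two-layer form. The cost of 12 is an assumed policy value.

```php
<?php
// Added example (not MoDaCo's or Invision's code). Legacy scheme assumed to be
// md5(salt . password); the 'wrapped' flag and BCRYPT_COST are assumed.
declare(strict_types=1);

const BCRYPT_COST = 12;

function legacyMd5(string $salt, string $password): string {
    return md5($salt . $password);
}

// Batch migration, run once over the whole table: bcrypt over the stored MD5
// digest. No plaintext is needed. The password's entropy is unchanged, but an
// offline attacker now pays one bcrypt per guess instead of one MD5 per guess.
function wrapLegacyRows(array $users): array {
    foreach ($users as &$u) {
        if (!$u['wrapped'] && preg_match('/^[0-9a-f]{32}$/', $u['hash'])) {
            $u['hash'] = password_hash($u['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
            $u['wrapped'] = true; // keep the salt: verification must rebuild the inner MD5
        }
    }
    unset($u);
    return $users;
}

// Verification for a wrapped row: recompute the inner MD5, then bcrypt-verify.
// On success the row is re-hashed straight from the plaintext and unwrapped,
// so the interim two-layer form disappears as people log in.
function verifyAndUnwrap(array &$u, string $password): bool {
    if ($u['wrapped']) {
        $inner = legacyMd5($u['salt'], $password);
        if (!password_verify($inner, $u['hash'])) {
            return false;
        }
        $u['hash'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $u['wrapped'] = false;
        $u['salt'] = null;
        return true;
    }
    return password_verify($password, $u['hash']);
}

// Constructed sample rows (not real data): one dormant legacy account and one
// account already on bcrypt, which the batch must leave alone.
$users = [
    ['name' => 'dormant2003', 'salt' => 'x7Qp1', 'hash' => legacyMd5('x7Qp1', 'correct horse'), 'wrapped' => false],
    ['name' => 'active2018',  'salt' => null,    'hash' => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]), 'wrapped' => false],
];

$users = wrapLegacyRows($users);                        // dormant row is now bcrypt(md5), no login required
var_dump(verifyAndUnwrap($users[0], 'wrong guess'));    // a wrong password is rejected
var_dump(verifyAndUnwrap($users[0], 'correct horse'));  // the right one succeeds and the row becomes plain bcrypt
var_dump($users[0]['wrapped']);                         // the interim flag is cleared
```

Two caveats for anyone applying this. First, it only hardens what is still in the database: MD5 rows already taken in a dump stay as weak as they were, which is why the forced site-wide reset suggested earlier is still the right call. Second, the legacy salt column must survive the batch, since without it the inner digest cannot be rebuilt at login and every wrapped account is locked out.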

    I have not had an email from MoDaCo about the data breach; I only found out myself by using the haveibeenpwned site, which I'm very disappointed about. Please remove my account and all details from your site and system. Thank you.


    I came to the site today - not a regular visitor by any means - to find this statement. Thank you for the frank disclosure and assurance that you are stepping up security. I have changed my password, but in common with all the fora to which I belong, I never populate the 'about me', so there is nothing that can be compromised.


    Please delete my account and any personal information including email address from your records.
