Forum Hacked!

[Uwe]

Yes, the forum got hacked. No, we don't think it was a via a vulnerability in the forum software. The XenForo software was completely up-to-date. We're pretty confident the problem was "OpSec" -- an improperly secured account with Admin access. That has of course been remedied.

The first thing the criminal black-hats did was e-mail some of the users with a "donation request":

Hey [username] ([email address])! When I started Ross-Tech.com so long ago, I invisioned it to be a tool to help others in their journey through technical issues whether that be in college, university, or just work! I would love to keep this website free for anyone who needs help however it does cost quite a lot monthly to keep the website up and running. If you feel that you would like to support me and all the users at Ross-Tech.com, I encourage you to donate via the options below! All donations will be put towards Ross-Tech.com and all donators will recieve access to special giveaways, badges, ranks, etc. If you chose not to donate or wish to but are unable to it's perfectly fine, the website will still remain free just as it always has been.

So we put up a notice that is was a fake/scam. I suppose that angered them and things escalated from there.

Last night at 8:09 PM, I received the following PM from a legitimate user's account that has existed since 2014:

Hello, Uwe. We will make this short, we have the data of all 38,714 users on your website. This data includes but is not limited to; emails, usernames, userID's, IP Addresses, message count, etc. Now, all we need you to do is send $500 BTC to the address below and we will NOT release all of the aforementioned data. We all know the toll this could take on you and your company's reputation and we hope that you'll agree with us on this as we do not wish to release your information however we will if we do not receive the $500 USD in BTC. In the event you think we are 'bluffing', we have attached a small sample at the bottom of this message. Please take a moment to look at the data and ponder what steps you would like to take.

If you ban this account "[redacted]" or do not respond, we will take that as you are unwilling to pay the fee and we will release the information publicly.

We hope that you will make the right decision.

BTC Address - [redacted]

+SAMPLE+
[redacted]

And at 8:20 PM:

I see that you are currently online, you have 30 minutes to respond to this message.

Do not make us publicly reply with the above message, we are sure you would like to keep the data leak private from your users

At 8:41 PM, I replied:

8:41 PM:

$500 is not very much money, but this is a matter of principle.

NO.

Oh, and none of the passwords you have for either my account or my old test account are or ever have been correct.

-Uwe-

I shut down the account this was coming from, but at 9:05 PM, I received another PM from another legitimate user's account:

Hacker @ 9:05 PM:

You can ban all the accounts however we will keep doing this until we receive the money

At 9:06 PM, I replied:

I will NEVER reward your criminal behavior.

-Uwe-

And at 9:07 PM we shut down the entire forum.

[to be continued and this thread will be unlocked for replies when I'm done posting]

 

[Uwe]

OK, so what did they get?

Usernames, e-mail addresses, recent IP Addresses, message count.. Yep, they've got those. IMO, this is not a big deal. That's all more-or-less "public" information anyway.

I do not think they got passwords from here. Passwords here are not stored as plain text; they are salted and hashed (which is the modern standard) and in principle, it should not be possible for a hacker to un-do that.

I believe what happened is that they compared usernames and e-mail addresses against some "dark web" databases of previous hacks of other sites, which allowed them to compromise more accounts here, specifically those that used passwords that were previously compromised elsewhere.

There's a lesson to be learned here: Never re-use the same password across different sites! Yes, that means you need a zillion different passwords, preferably ones that are randomly generated, and you won't be able to remember them. Get and use a password manager of some sort. There are several good ones out there. I personally have not re-used passwords across different sites for almost 20 years now.

 

[Uwe]

Anyway, because we don't know how which or how many accounts were compromised, we though the best thing to do would be to reset all passwords here.

You may have gotten a password-reset e-mail. That was real.

If you didn't get one and/or need help getting back in here, please e-mail Support@Ross-Tech.com.

 

[Uwe]

I've probably missed something I had intended to write, but I didn't get much sleep last night, so I'll open the thread now. If anyone has questions, comments, or concerns, feel free to post 'em here.

-Uwe-

 

[stefdds]

We/I'm with you Uwe, let us know if there is anything else we can do (besides changing PW's, which I promptly did)!

 

[Dukedesmo]

Didn't receive any email, either asking for a donation or a password reset, how do I reset it?

 

[Uwe]

Didn't receive any email, either asking for a donation or a password reset, how do I reset it?

Is the hotmail address you used when you joined the forum still valid? We did get a large number of bounces, but I haven't had a chance to see if yours is one of them.

-Uwe-

 

[dannyboy485]

Takes strength of character to announce that forum was hacked literally a day after I joined (btw wasn't me) but you also saved more people from bigger issues

Respect Uwe!

 

[Bruce]

how do I reset it?

Open your profile by clicking on your avatar at the top of the page where is says your screen name.
Go to the password, enter your present password.
Then create a new password - enter it a second time.
Click Save.
Logout and then login using the new password.

 

[Dukedesmo]

Is the hotmail address you used when you joined the forum still valid? We did get a large number of bounces, but I haven't had a chance to see if yours is one of them.

-Uwe-

Yes, still good.

 

[patrickgn]

no problem. thanks for the transparency.

 

[Dukedesmo]

Open your profile by clicking on your avatar at the top of the page where is says your screen name.
Go to the password, enter your present password.
Then create a new password - enter it a second time.
Click Save.
Logout and then login using the new password.

It tells me my existing password is not correct, even though I am logged on by (presumably) using it?

 

[davisev5225]

It tells me my existing password is not correct, even though I am logged on by (presumably) using it?

Easy fix, just had the same issue myself. Log out of the forum, click the login button, use the "Forgot Password?" link in the login prompt.

 

[Dukedesmo]

Easy fix, just had the same issue myself. Log out of the forum, click the login button, use the "Forgot Password?" link in the login prompt.

Yes, that worked.

 

[PetrolDave]

Easy fix, just had the same issue myself. Log out of the forum, click the login button, use the "Forgot Password?" link in the login prompt.

Same here, all sorted now.

 

[AnotherRandomName]

Well, s*** happens. Thanks for the transparency and NOT giving in to their "ransom" demand.

Edit: Have we always been able to see other user's "VCDS Serial number" field? I've never noticed before

 

[Uwe]

Thanks for the transparency and NOT giving in to their "ransom" demand.

I appreciate the kind words.

Have we always been able to see other user's "VCDS Serial number" field? I've never noticed before

Yes, but the the "serial number" (for example yours: C?ID=526391) should generally just be a pointer into our internal customer database, which isn't actually a serial number and is meaningless/useless to anyone who doesn't work for Ross-Tech.

-Uwe-

 

[JMR]

Well, s*** happens. Thanks for the transparency and NOT giving in to their "ransom" demand.

Edit: Have we always been able to see other user's "VCDS Serial number" field? I've never noticed before

yeah..but that's not your real serial , iti is masked from what i understand , don't ask how i know that

 

[JMR]

At 9:06 PM, I replied:
And at 9:07 PM we shut down the entire forum.

I wonder if this hacker f&^@er has a VAG car and a VCDS . I d send him a space shuttle software update push to his VCDS if i were you

 

[Jef]

https://haveibeenpwned.com/