Official SMF support site's Security bridged and Passwords Stolen-- what does this mean to you as a user there?
I personally do not own an smf site of my own but was planning to get one since my oga at the top told me that it was completely free.
So I had to join their official support forum and was just alerted today via email about the bridge of their internal database security via one of their admin password.
I could remember when similar thing like this happened in a forum I once belonged to, my password was stolen and was used to post ridiculous things on African Most Populated and visited forum "nairaland.com".
With this development I was even afraid my account here will be h*cked being a moderator here.
So I will urge you to change your passwords in any site or services you have registered to using same credentials as the one you used on your Simple Machines Forum account as this will help reduce the possibility of h*ckers messing with your account or stealing from your friends and colleagues using your email account.
Here is the exact message I got from the smf team.
Dear valued community members,
On the 22nd of July 2013, it was discovered that unauthorized access to our website and database has been obtained on the 20th of July.
The method is similar to the h*cks that were recently conducted at other websites, even though those sites used other software.
One of the admin accounts password was discovered, and from there further escalation wasn't too difficult considering admin privileges can do just about anything.
Unfortunately, we are 100% sure that our user database has been stolen.
As such we HIGHLY RECOMMEND, even implore you, to:
1.) Change your password on other websites you are using, if you use the same password there. This is very important to do, as it also will help prevent other websites being h*cked through your compromised password, if it is compromised.
2.) Change your password here on our website.
3.) If you use the password you use here anywhere else, say for example to login to your webhost, it is highly urged to change it.
4.) Please note that personal messages may have also been compromised. We don't know for sure if the h*cker only downloaded the user tables or not, although that's the only thing he/she is after. If they did: keep in mind that passwords you shared through PM should now be considered vulnerable. It's best not to take the risk and g*mble, and just change any password you shared through PM as well.
5.) Charter members, current and past, are encouraged to change ALL passwords if they ever sent any in to us. That would include FTP.
Please keep in mind:
This is !!NOT!! a security issue with the SMF software. If you are running the latest SMF version you have nothing to fear from this h*ck if you use different passwords.
The method used by the h*cker is that a database is downloaded from another h*cked website, the passwords are attempted to be decrypted and if it is successful: they try to login to other websites using that username & password, or try to cross-reference by using password reset links.
Unfortunately for us, a Administrator used the same password elsewhere on another site and access to our site was obtained when the password from the other h*cked site was successfully decrypted. As a result, the h*cker was able to login here with admin rights.
Hundreds of websites have been h*cked lately by using this method, so you are highly encouraged to change your passwords...
... And remember: don't use the same password on multiple sites!
It helps to prevent h*cks like this.
Thank you for your consideration and we deeply apologize for any inconvenience this causes for you.
By changing your passwords, you will help ensure that other sites do not fall victim to this method of h*cking and help put a halt to the h*cking spree that has affected hundreds, if not thousands, of websites already.
Any questions, please do feel free to ask.
Please stay on topic.
Board of Directors
Announcement URL: http://www.simplemachines.org/community/index.php?topic=508232.new#new
Lets reason on this please