Kirill N Posted January 18, 2023 Hi, I’m having a security issue with my website — over the past few days, at least 4 inactive accounts were hacked and used to post spam messages. I’m running a pretty old version (4.6.1) but unfortunately I’m not able to upgrade until next week—is there anything you would recommend doing in the meantime? Perhaps this is a known current issue. Any help would be appreciated, thank you!
Luuuk Posted January 18, 2023 (edited) Hi, The issue is discussed here: Edited January 18, 2023 by Luuuk
Marc Posted January 18, 2023 I would ask first of all, what leads you to believe they were hacked? As you can see in the message above, it does seem dormant accounts were registered on a lot of sites, which were all posted from in the last few days.
PPlanet Posted January 18, 2023 5 minutes ago, Marc Stridgen said: I would ask first of all, what leads you to believe they were hacked? As you can see in the message above, it does seem dormant accounts were registered on a lot of sites, which were all posted from in the last few days. I wonder though, as one of these accounts on my site had a history of normal posting with 31 posts between February 2017 and August 2020. All posts are on topic. No spammer would go to that trouble.
Luuuk Posted January 18, 2023 @PPlanet Actually one of the spammers' IPs is classified as doing "brute force" attacks (scroll to the log sample) on many available forum platforms, so it is not only related to Invision.
Marc Posted January 18, 2023 29 minutes ago, PPlanet said: I wonder though, as one of these accounts on my site had a history of normal posting with 31 posts between February 2017 and August 2020. All posts are on topic. No spammer would go to that trouble. Not unless they actually had the password to an account, of course. i.e., it has been on a list from someone using the same password in multiple places. The best way to prevent this is to use 2 factor authentication, and force those users to change their password.
PPlanet Posted January 18, 2023 2 hours ago, Luuuk said: @PPlanet Actually one of the spammers' IPs is classified as doing "brute force" attacks (scroll to the log sample) on many available forum platforms, so it is not only related to Invision. Yes, I know it’s not exclusive to IPS. But I don’t think it’s a case of spammers creating accounts in different years and leaving them dormant until now. They are gaining access to someone else’s accounts. There was a failed brute-force attempt on my site where the legit owner of the account confirmed it wasn’t him. But I think that this scale of logins across so many sites corresponds more to some dump of credentials somewhere. 1 hour ago, Marc Stridgen said: Not unless they actually had the password to an account, of course. i.e., it has been on a list from someone using the same password in multiple places. The best way to prevent this is to use 2 factor authentication, and force those users to change their password. I believe that’s the case, people using the same password across many sites, and there has been a leak in one of them. That said, it has stopped on my site. I had like 5 cases in total. I forced those accounts to change passwords and banned the IP in question.
Luuuk Posted January 18, 2023 2 minutes ago, PPlanet said: But I don’t think it’s a case of spammers creating accounts in different years and leaving them dormant until now. They are gaining access to someone else’s accounts. Yes, we already know that the old, previously legit accounts are suddenly being "re-used" in the attack. As some of us confirmed, many of those accounts are listed as compromised in the Have I Been Pwned database. So it looks like the spammers have some data breach in hand and are massively running bots to match results. Personally I suspect that this attack could have something to do with the recent LastPass leak.
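The pattern the posters describe above (long-dormant accounts suddenly logging in and posting, several of them from one IP) can be checked against a site's own login records. The following is an added example, not code from this thread or from Invision Community; it assumes you can export per-login records as (member, IP, login time, member's previous last-post time), and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: (member, ip, login_time, last_post_before_login).
# Values are made up for illustration and are not taken from the thread.
LOGINS = [
    ("alice", "203.0.113.7",  "2023-01-16 02:11", "2020-08-14 10:00"),  # idle since 2020
    ("bob",   "203.0.113.7",  "2023-01-16 02:14", "2018-03-02 19:30"),  # idle since 2018
    ("carol", "203.0.113.7",  "2023-01-16 02:20", "2019-11-21 08:05"),  # idle since 2019
    ("dave",  "198.51.100.4", "2023-01-16 09:00", "2023-01-15 18:40"),  # regular poster
    ("erin",  "198.51.100.9", "2023-01-17 12:30", "2022-12-30 07:15"),  # short gap, fine
]
FMT = "%Y-%m-%d %H:%M"


def dormant_reactivations(logins, min_idle_days=365):
    """Logins by members whose previous activity is older than min_idle_days."""
    flagged = []
    for member, ip, login, last_post in logins:
        idle = datetime.strptime(login, FMT) - datetime.strptime(last_post, FMT)
        if idle > timedelta(days=min_idle_days):
            flagged.append((member, ip, idle.days))
    return flagged


def shared_source_ips(logins, min_accounts=3):
    """IPs that logged into several distinct accounts, as a credential-stuffing bot would."""
    accounts = defaultdict(set)
    for member, ip, _login, _last in logins:
        accounts[ip].add(member)
    return {ip: sorted(m) for ip, m in accounts.items() if len(m) >= min_accounts}


def response_plan(logins):
    """The response the thread settles on: forced password reset for flagged
    accounts and a block on IPs shared across many accounts."""
    reset = {m for m, _ip, _days in dormant_reactivations(logins)}
    shared = shared_source_ips(logins)
    for members in shared.values():
        reset |= set(members)
    return {"force_password_reset": sorted(reset), "block_ips": sorted(shared)}


if __name__ == "__main__":
    print(dormant_reactivations(LOGINS))
    print(shared_source_ips(LOGINS))
    print(response_plan(LOGINS))
```

Enabling two-factor authentication, as Marc suggests, addresses the root cause; this script only helps find which accounts the reused credentials touched.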
PPlanet Posted January 18, 2023 17 minutes ago, Luuuk said: Yes, we already know that the old, previously legit accounts are suddenly being "re-used" in the attack. Yes, but I understood that Marc was saying that they had been created for this purpose (spam). Hence why I mentioned the case of one of my users with many posts from before, whose account appears legit.
Luuuk Posted January 18, 2023 Well, I also understood that he suggests that those are spammer accounts from scratch (staying "on hold" for a long time). Not the case at all. Old legit accounts are being used. BTW, I suggest moving this topic to the "Community Support" forum and merging it with the other topic.
teraßyte Posted January 18, 2023 (edited) @Luuuk Rather than LastPass, it is most likely related to Twitter (200M accounts). I received an email about it a couple of weeks ago: You've been pwned! You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach: Breach: Twitter (200M) Date of breach: 1 Jan 2021 Number of accounts: 211,524,284 Compromised data: Email addresses, Names, Social media profiles, Usernames Edited January 18, 2023 by teraßyte