Security issue


Hi,

I’m having a security issue with my website — over the past few days, at least 4 inactive accounts were hacked and used to post spam messages.

I’m running a pretty old version (4.6.1) but unfortunately I’m not able to upgrade until next week—is there anything you would recommend doing in the meantime? Perhaps this is a known current issue.

Any help would be appreciated, thank you!


5 minutes ago, Marc Stridgen said:

I would ask first of all, what leads you to believe they were hacked? As you can see in the message above, it does seem dormant accounts were registered on a lot of sites, which were all posted from in the last few days.

I wonder though, as one account of these on my site had a history of normal posting with 31 posts between February 2017 and August 2020. All posts are on topic. No spammer would go into that trouble.


29 minutes ago, PPlanet said:

I wonder though, as one account of these on my site had a history of normal posting with 31 posts between February 2017 and August 2020. All posts are on topic. No spammer would go into that trouble.

Not unless they actually had the password to an account of course, i.e., it has been on a list from someone using the same password in multiple places. The best way to prevent this is to use 2 factor authentication, and force those users to change their passwords.


2 hours ago, Luuuk said:

@PPlanet

Actually one of the spammers' IPs is classified as doing "brute force" attacks (scroll to the log sample) on many available forum platforms, so it is not only related to Invision.

Yes, I know it’s not exclusive to IPS. But I don’t think it’s a case of spammers creating accounts at different years and leaving them dormant until now. They are gaining access to someone else’s accounts. There was a failed attempt of brute force on my site where the legit owner of the account confirmed it wasn’t him. But I think that this scale of logins across so many sites corresponds more to some dump of credentials somewhere.

1 hour ago, Marc Stridgen said:

Not unless they actually had the password to an account of course, i.e., it has been on a list from someone using the same password in multiple places. The best way to prevent this is to use 2 factor authentication, and force those users to change their passwords.

I believe that’s the case, people using the same password across many sites, and there has been a leak in one of them.

That said, it has stopped on my site. I had like 5 cases in total. I forced those accounts to change passwords and banned the IP in question. 
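
The triage discussed in the posts above (finding long-inactive accounts that suddenly log in, forcing a password change on them, and reviewing the source IP), sketched as an added example that is not part of the original thread and not Invision Community code. The log format, the thresholds, and all names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=365)  # assumed threshold for an "inactive" account
MIN_ACCOUNTS_PER_IP = 2              # assumed: one IP reviving several dormant accounts

# Constructed sample data: each account's last activity before the incident window.
LAST_ACTIVE = {
    "alice": datetime(2020, 8, 14),
    "bob": datetime(2019, 3, 2),
    "carol": datetime(2023, 1, 9),
    "dave": datetime(2018, 11, 20),
}
# Constructed login log: (time, account, source IP, success).
LOGINS = [
    (datetime(2023, 1, 10, 3, 1), "alice", "203.0.113.7", True),
    (datetime(2023, 1, 10, 3, 2), "bob", "203.0.113.7", True),
    (datetime(2023, 1, 10, 3, 2), "erin", "203.0.113.7", False),
    (datetime(2023, 1, 10, 9, 30), "carol", "198.51.100.4", True),
    (datetime(2023, 1, 11, 18, 5), "dave", "192.0.2.55", True),
]

def triage(logins, last_active):
    """Return (accounts to force-reset, IPs to review for a ban, accounts to check by hand)."""
    revived_by_ip = defaultdict(set)
    for when, account, ip, ok in logins:
        seen = last_active.get(account)
        # Only successful logins to known accounts that had gone quiet count.
        if ok and seen is not None and when - seen >= DORMANT_AFTER:
            revived_by_ip[ip].add(account)
    # An IP that wakes up several dormant accounts fits the credential-list pattern.
    suspect_ips = {ip for ip, accts in revived_by_ip.items()
                   if len(accts) >= MIN_ACCOUNTS_PER_IP}
    reset = {a for ip in suspect_ips for a in revived_by_ip[ip]}
    # A lone returning user may be legitimate, so it goes to manual review instead.
    review = {a for ip, accts in revived_by_ip.items()
              if ip not in suspect_ips for a in accts}
    return sorted(reset), sorted(suspect_ips), sorted(review)

if __name__ == "__main__":
    reset, ips, review = triage(LOGINS, LAST_ACTIVE)
    print("force password reset:", reset)
    print("review source IPs:", ips)
    print("check manually:", review)
```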


2 minutes ago, PPlanet said:

But I don’t think it’s a case of spammers creating accounts at different years and leaving them dormant until now. They are gaining access to someone else’s accounts.

Yes, we already know that the old previously legit accounts suddenly are "re-used" in the attack. As some of us confirmed, many of those accounts are listed as compromised in the Have I Been Pwned database. So it looks like the spammers have some data breach in their hands and are running bots on a massive scale to match results. Personally I suspect that this attack could have something to do with the recent LastPass leak.

 


17 minutes ago, Luuuk said:

Yes, we already know that the old previously legit accounts suddenly are "re-used" in the attack.

Yes but I understood that Marc was saying that they had been created for this purpose (spam). Hence why I mentioned the case of one of my users with many posts from before whose account appears legit.


Well, I also understood that he suggests that those are spammers' accounts from scratch (staying "on hold" for a long time). Not the case at all. Old legit accounts are being used.

BTW, I suggest moving this topic to the "Community Support" forum and merging it with the other topic.


@Luuuk Rather than LastPass it is most likely related to Twitter (200M accounts). I received an email about it a couple of weeks ago:

You've been pwned!

You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach:

Breach:			Twitter (200M)
Date of breach:		1 Jan 2021
Number of accounts:	211,524,284
Compromised data:	Email addresses, Names, Social media profiles, Usernames

 

Edited by teraßyte
