Philooo Posted May 1
@Joel R
- set up Word Filters for keywords: DONE
- Prepare and warn your moderator team. They can mark users as Spam: DONE
- Change your registration and security challenges (especially hCaptcha to the highest setting): DONE
- Drink lots of alcohol 🥃: ALWAYS
@Marc Stridgen
- switching to email login: ALMOST DONE (dual login enabled for some weeks before enabling email login, time to communicate with customers)
Thank you very much to everybody
Stuart Silvester Posted May 1
On 4/22/2024 at 7:21 AM, Svetozar Angelov said: Could you tell me how to log in to the forum?
We have released a patch to address this issue. Please go to AdminCP > System > Support and apply the patch from the first/top left box. If you do not see an option to install the patch, you already have the latest release.
marklcfc Posted May 1
13 hours ago, Marc Stridgen said: @Philooo - It's worth noting here that switching to email login is advised, and has been for quite some time in your admin CP. If you are using display name, then half the login details are essentially already known.
Still waiting on the benefit here, given it's the email address / password combo in these data breaches.
Gary Posted May 2
Updated with the latest patch and encountered no problems whatsoever, thanks @Stuart Silvester. 😎
Marc Posted May 2
9 hours ago, marklcfc said: Still waiting on the benefit here given its the email address / password combo in these data breaches
Are you 100% sure of that? There are no lists anywhere where someone has used the same username? It is very, very likely there are username, email, password combinations out there.
marklcfc Posted May 2
2 hours ago, Marc Stridgen said: Are you 100% sure of that? There are no lists anywhere where someone has used the same username? It is very very likely there are username, email, password combinations out there.
Just remember, when it happened to me in the 123RF breach in 2020, it was the same email / password combo that was being used in many places.
Jim M Posted May 2
9 hours ago, marklcfc said: Just remember when it happened to me in the 123RF breach in 2020 it was the same email / password combo that was being used in many places
Keep in mind, that is one instance out of many, many, many, many other breaches. Kind of like stating all car accidents are the same 🙂. Each breach is different from the next depending on the website and the data the attacker obtains. More often than not the username is stored and obtained, if it is available.
Svetozar Angelov Posted May 4
On 5/1/2024 at 7:22 PM, Stuart Silvester said: We have released a patch to address this issue. Please go to AdminCP > System > Support and apply the patch from the first/top left box. If you do not see an option to install the patch, you already have the latest release.
Thanks! I installed the patch.
Jipa331 Posted May 17
Continuing part of this thread... Actually this article is not about spam posts, but about the login security options for IPS. Recently, many IPS forums have experienced hacking incidents where active user IDs were compromised, leading to spam posts and misuse of stored credit card information in the store. To prevent this, login security is crucial. However, the current IPS login security options are not sufficient. Although I believe these hacks are not obtained directly from IPS's database but rather through already leaked ID and password combinations (probably), we still need to prepare for such risks.
While two-factor authentication (2FA) is effective, as I mentioned before, it does not protect the accounts of users who have not yet set up 2FA. Receiving a login verification code via SMS is another method, but it is paid, and users must pre-register their phone numbers to use it. Therefore, the most effective way to protect logins is to send a verification code to the email associated with the account during login and have the user verify it (many websites already use this login security method, as you know). Users do not need to enter any additional information or settings in the forum; they just need to check their email to log in. This is more user-friendly.
Some might argue that if the ID and password are exposed, their email login is also not secure. However, I disagree. Most users use email services from major platforms like Google and MSN, which send alert notifications to their apps or temporarily lock accounts if a login occurs from a different location or device. In this regard, email verification codes are deemed safer.
Recently, a hacker approached me again, and I asked if they could access the ID and password for invisioncommunity.com. 10 minutes later, they sent me a few hundred Invision Community IDs and passwords along with proof of successful logins.
(I have sent the leaked IDs and passwords to you via 1:1 message. @Marc Stridgen & @Jim M) Invision Community itself is not safe from such malicious login attempts. Please consider this update seriously.
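The post above describes a second login step: a code sent to the account's e-mail address that the user must enter before the session is granted. The following is an added example of how such a step is implemented safely; it is not Invision Community code and is not taken from the thread. The class and method names (EmailCodeVerifier, issue, verify), the 10-minute lifetime, the 5-attempt limit and the stubbed e-mail delivery are all assumptions chosen for the example. The points a practitioner cares about are visible in the code: the code is generated from a CSPRNG, only a keyed hash of it is stored, the hash is bound to the account so a code for one user cannot be replayed against another, verification uses a constant-time compare, and the code is single-use with an expiry and a guess limit.

```python
"""Second login step: a short-lived code delivered to the account's e-mail.

Added illustration, not Invision Community code. Names, the 10-minute lifetime,
the 5-attempt limit and the e-mail transport stub are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LIFETIME_S = 600   # assumption: a code is valid for 10 minutes
MAX_ATTEMPTS = 5        # assumption: 5 wrong guesses burn the code


@dataclass
class _Challenge:
    digest: bytes        # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


class EmailCodeVerifier:
    def __init__(self, server_key: bytes, clock=time.time, send_email=None):
        self._key = server_key                       # server-side secret, e.g. from config
        self._clock = clock                          # injectable for testing
        self._send = send_email or (lambda addr, code: None)  # stub transport
        self._pending: dict[str, _Challenge] = {}

    def _mac(self, user_id: str, code: str) -> bytes:
        # Bind the code to the account: a code issued for user A does not
        # verify for user B even if both are pending at the same time.
        msg = f"{user_id}:{code}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, email: str) -> None:
        # 6 decimal digits from a CSPRNG; leading zeros are kept.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user_id] = _Challenge(
            digest=self._mac(user_id, code),
            expires_at=self._clock() + CODE_LIFETIME_S,
        )
        self._send(email, code)   # delivered out of band; never returned to the caller

    def verify(self, user_id: str, submitted: str) -> bool:
        ch = self._pending.get(user_id)
        if ch is None:
            return False                      # nothing issued, or already consumed
        if self._clock() > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            self._pending.pop(user_id, None)  # expired or exhausted: discard it
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(self._mac(user_id, submitted), ch.digest)
        if ok:
            self._pending.pop(user_id, None)  # single use
        return ok
```

In a real deployment the pending challenges would live in the session store or database rather than in memory, and issuing would itself be rate-limited per account and per source address so the e-mail step cannot be turned into a mail-bombing or enumeration primitive.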
Jim M Posted May 17
I have removed sensitive information from your post. You're welcome to create a Feedback topic with suggestions for a future release. If you have information that leads you to believe this is a compromise, rather than just an individual obtaining already compromised credentials from another attack, please send a message to our accounts team here: https://invisioncommunity.com/contact-us
Matt (Management) Posted May 17
59 minutes ago, Jipa331 said: Recently, many IPS forums have experienced hacking incidents where active user IDs were compromised, leading to spam posts and misuse of stored credit card information in the store.
This is a fairly substantial claim, what evidence do you have to support this?
loccom Posted May 19
A while back I was talking to a guy who uses the dark web and buys account access to brands like Costa, Starbucks, Netflix etc. They buy access to the account and take advantage of the points. For instance the account could have 5 free coffees and they sell the account for £3. 5 coffees for £3 is a good deal. Same situation, kind of. They will sell lists of accounts, which probably come from a combination of user browser history, their email, and the user using the same password everywhere. They probably use a tool to verify this data and make a nice tasty list to sell.
Jipa331 Posted May 19
On 5/18/2024 at 5:28 AM, Matt said: This is a fairly substantial claim, what evidence do you have to support this?
At the very least, even just looking at the posts in this thread, you can see that other people are already suffering from spam due to exposed passwords. Besides me, three or four of my friends who use the IPS platform are also struggling with spam and payment management issues due to exposed passwords. There are likely many IPS users who do not visit this forum frequently as well.
The important thing here is not how many people are experiencing this issue. (Should action only be taken when a thousand or ten thousand people report the same problem?) Everyone is aware that many people's IDs and passwords have been exposed due to hacks on other large platforms (even Facebook was hacked). What I want to point out is that the current IPS lacks login security measures to block already exposed IDs and passwords. Two-factor authentication (2FA) and SMS verification are passive security methods that require users to set up and participate. Old accounts that have already left the forum cannot be protected with these login security methods since they no longer access the forum. One of the simple ways for the forum software itself to proactively protect users' logins is to add email verification. Many websites are already using such features for this purpose.
Marc Posted May 20
12 hours ago, Jipa331 said: At the very least, even just looking at the posts in this thread, you can see that other people are already suffering from spam due to exposed passwords. Besides me, three or four of my friends who use the IPS platform are also struggling with spam and payment management issues due to exposed passwords. There are likely many IPS users who do not visit this forum frequently as well.
I still find the claim that someone can misuse card details to be a very alarmist sentence. Card details are not stored on the platform in any way. Nobody could log in and get your details to use elsewhere or on another account, for example.
12 hours ago, Jipa331 said: The important thing here is not how many people are experiencing this issue. (Should action only be taken when a thousand or ten thousand people report the same problem?) Everyone is aware that many people's IDs and passwords have been exposed due to hacks on other large platforms (even Facebook was hacked). What I want to point out is that the current IPS lacks login security measures to block already exposed IDs and passwords. Two-factor authentication (2FA) and SMS verification are passive security methods that require users to set up and participate. Old accounts that have already left the forum cannot be protected with these login security methods since they no longer access the forum. One of the simple ways for the forum software itself to proactively protect users' logins is to add email verification. Many websites are already using such features for this purpose.
Feel free to request new features in our feedback area. We have no problem with that, and encourage as much. This is, however, not a security flaw in our platform. It's actually a security flaw elsewhere (they got the passwords from somewhere), and a flaw in that the users themselves are using the same user/pass combinations. I'm incredibly confused by your statement on 2FA.
If you set up Google Authenticator, for example, yes, it requires the user to participate. However, it also requires a user to participate to verify using email. You can enforce users to set this up. In the case of old users who have not logged in, you could also enforce password changes for those users, which will send an email to enforce a password change, invalidating all passwords for those users. The tools are indeed there to do this. I understand they aren't the tools you personally would like, however they are present for you to use. We fully understand you would like to see changes on that. We love the thoughts our users come up with at times. Nobody at all has dismissed your suggestion. What is not going to happen though, is even if we decide to add something of this nature, we are not going to add a new method of logging into the software overnight. I'm sure you can appreciate that very quickly making large changes in account security is what causes security issues in the first place?
Matt (Management) Posted May 20
It's always worth ensuring you cover the basics when doing a security review, and this includes:
- Ensuring you are using the very latest version of Invision Community. We have a bug bounty program running where people can test the security of our platform and report weaknesses, and this has led to several improvements over the years. Likewise, we also receive reports from security professionals who let us know about potential vulnerabilities, and these are fixed and new versions released in a very timely manner. We do tag releases with a security notice when applicable in our release notes. This is also communicated to your AdminCP.
- Consider multi-factor authentication. If you have signed up for an online service, the chances are your email/username and password has been leaked. You can check with "Have I been pwned". Using multi-factor authentication means that even if someone had your username and password from another service and you re-use the same password across multiple platforms, they could still not log in. I recommend this for everyone with AdminCP access.
- Always use a unique password for each site you sign up to. Use a password manager (built into iOS, or tools like 1Password) to keep track of them. Consider changing your password every few months.
- Review those with AdminCP access and do not grant it lightly. If you can log into the AdminCP and edit themes and languages, you can add code that can execute any PHP command. It is largely why the AdminCP code has different session management, a different login form and a different URL. It is a very powerful tool.
- Review your logs regularly, especially the admin login logs and actions, to ensure there is nothing remiss inside.
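The second item above points at "Have I been pwned" to find out whether a password is already in circulation. Its Pwned Passwords range API is designed so that the password never leaves the client: the client computes the SHA-1 of the password, sends only the first 5 hex characters, receives every suffix the service knows under that prefix (as `SUFFIX:COUNT` lines), and matches the remaining 35 characters locally. The block below is an added example of that k-anonymity lookup, not Invision Community code and not from the thread. The function names are assumptions; the sample response for the `5BAA6` prefix (the prefix of SHA-1("password")) is constructed for the example, and its counts are made up, so the live `fetch_range_live` function is there for a reader to swap in and is not exercised here.

```python
"""k-anonymity password check against the Pwned Passwords range API.

Added example, not Invision Community code. Function names are assumptions.
Only a 5-hex-character SHA-1 prefix is ever sent; matching happens locally.
"""
import hashlib
from typing import Callable


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix matched locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {SUFFIX: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in known breaches (0 = not found).

    fetch_range receives only the 5-character prefix and returns the raw
    response body for that range; the full hash is never transmitted.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real transport for breach_count(); not used in the offline demo below."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6. The first suffix is the real
# remainder of SHA-1("password"); the counts and the second suffix are made up.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "0D9E0F4F1B2A3C4D5E6F708192A3B4C5D6E:2\r\n"
)


def offline_fetch(prefix: str) -> str:
    """Stand-in transport that serves the constructed sample for any prefix."""
    return SAMPLE_RANGE_5BAA6


if __name__ == "__main__":
    for pw in ("password", "not-in-the-sample-range"):
        print(pw, "->", breach_count(pw, offline_fetch))
```

A registration or password-change handler would call `breach_count(candidate, fetch_range_live)` and reject (or at least warn on) any non-zero result; it does not reveal the password to the service, and a network failure should fail open to a warning rather than block signups.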