
Jipa331


  1. Hello, I'm using the latest IPS version, 4.7.17, and my store supports two different currencies, USD and EUR. Before the update, when we pressed this currency toggle, it changed the prices to either Euro or USD. However, I've noticed that after the 4.7.17 update, it only works on the store's front page, which is "https://somedomain.com/store". It does not work on the store's category pages (e.g., https://somedomain.com/store/category/someproduct). When I click that button on store category pages, nothing happens. I remember that this function used to work on the store category pages as well (actually, it would redirect to the store's front page when we clicked it before). Please check this issue. I thought it happened with my custom theme only, but I checked with the default IPS theme, and the same issue occurred.
  2. At the very least, even just looking at the posts in this thread, you can see that other people are already suffering from spam due to exposed passwords. Besides me, three or four of my friends who use the IPS platform are also struggling with spam and payment management issues due to exposed passwords. There are likely many IPS users who do not visit this forum frequently as well. The important thing here is not how many people are experiencing this issue. (Should action only be taken when a thousand or ten thousand people report the same problem?) Everyone is aware that many people's IDs and passwords have been exposed due to hacks on other large platforms (even Facebook was hacked). What I want to point out is that the current IPS lacks login security measures to block already exposed IDs and passwords. Two-factor authentication (2FA) and SMS verification are passive security methods that require users to set up and participate. Old accounts that have already left the forum cannot be protected with these login security methods since they no longer access the forum. One of the simple ways for the forum software itself to proactively protect users' logins is to add email verification. Many websites are already using such features for this purpose.
  3. Continuing part of this thread... Actually, this article is not about spam posts, but about a login security option for IPS. Recently, many IPS forums have experienced hacking incidents where active user IDs were compromised, leading to spam posts and misuse of stored credit card information in the store. To prevent this, login security is crucial. However, the current IPS login security options are not sufficient. Although I believe these hacks are not directly obtained from IPS's database but rather through already leaked ID and password combinations (probably), we still need to prepare for such risks. While 2 Factor Authentication (2FA) is effective, as I mentioned before, it does not protect the accounts of users who have not yet set up 2FA. Receiving a login verification code via SMS is another method, but it is paid, and users must pre-register their phone numbers to use it. Therefore, the most effective way to protect logins is to send a verification code to the email associated with the account during login and to have the user verify it (many websites are already using this login security method, as you know). Users do not need to enter any additional information or settings in the forum; they just need to check their email to log in. This is more user-friendly. Some might argue that if the ID and password are exposed, their email login is also not secure. However, I disagree. Most users use email services from major platforms like Google and MSN, which send alert notifications to their apps or temporarily lock accounts if a login occurs from a different location or device. In this regard, email verification codes are deemed safer. Recently, a hacker approached me again, and I asked if they could access the ID and password for invisioncommunity.com. 10 minutes later, they sent me around a few hundred Invision Community IDs and passwords along with proof of successful logins. (I have sent the leaked IDs and passwords to you via 1:1 message. @Marc Stridgen & @Jim M) Invision Community itself is not safe from such malicious login attempts. Please consider this update seriously.
  4. Do you mean that it will be fixed when we update to the latest IPS version 4.7.16? Or do we need to install something else? I'm not sure what the Top-Left box is, other than the Invision Community version.
  5. Thanks for the suggestion. It would help to solve this issue. Where can I find this option in IPS ACP? (logout all users at once and request all of them to reset their PW)
  6. Regarding this, they demanded money to avoid leaking my website's ID and password information. To test their capabilities, I asked if they could obtain the ID and password for three other random IPS-based websites. Within 10 minutes, they sent me the credentials for these sites, involving thousands of accounts for each. What's most alarming is that these ID and password combinations were indeed functional on other IPS websites. Even though it's not IPS's fault, there needs to be better login protection. The current 2FA system is insufficient for securing all accounts. Currently, members must manually register 2FA after logging into our website. Implementing email code verification at login would be a more effective method to protect all accounts.
  7. Yes, I am aware that ID and passwords are not stored as plaintext in the database but are encrypted. It's possible that the hacker found various IPS sites using a different ID/PW saving tool and organized this information to send to me. However, there is a major flaw in the IPS login system. I know that 2-Factor Authentication (2FA) is available and can be enforced, but this is useless for people who have already left the website. A hacker could log in using the leaked ID and password and then register their own 2FA key. Like many other websites, why doesn't IPS require email-based code verification when logging in? If this were possible, it could securely protect all accounts, including those of people who no longer use the website.
  8. My forum experienced the same issue. In my case, they weren't spamming articles (since only specific member groups can write articles on my forum), but they attempted to purchase products using the "saved credit card" information of genuine users. I've noticed that this can happen on many IPS websites. A few days ago, a hacker sent me a leaked list of IDs and passwords for my website, and I asked if they could obtain similar information for other IPS websites. They sent me leaked IDs and passwords for other IPS sites within 10 minutes. For me, this has been happening since March. Not sure whether this is a security problem related to IPS or not (I'm using the latest version of IPS now), but I just want to report a similar issue to the above.
  9. Ah, I found a problem. I just mistyped the captcha setting. I thought a captcha key could be used for different domains. Didn't know it was unique for each domain.
  10. Hello, I'm building a new forum using IPS, but I forgot how to add a "security check" to the sign-up page. My old forum had it, as does invisioncommunity.com, but the new forum does not have a sign-up captcha. I tried to check the options in ACP, but there was only an option to use a Captcha for spam post prevention. This is my new forum, and this is my old forum and https://invisioncommunity.com/ 's setting for Sign up Captcha. It would be great if anyone could jog my memory about this captcha setting. Thanks!!
  11. Hello, is there any way to remove saved credit card info for all users at once? (on Stripe payment gateway) I know we can remove it one-by-one from ACP but want to clear all stored card information on all accounts. Any idea?
  12. Same opinion. Showing a QR image makes it much easier to add a token than typing the security text manually in the Google Auth app.
  13. Yeah, maybe I need to wait until Google or IPS fixes this issue. Our users will cry, and tickets will be flooded even though they can see the "not able to scan" option. 😥