Forum Issues

[the.derp]

The past couple of days have seen the forums with an issue.  Someone broke into a few admin accounts and decided to ban every user and then break the forums.  We have done what we can, but we need you to do something.

Change your passwords now.  And make sure it is secure.

Good password guidelines:
http://www.microsoft.com/security/online-privacy/passwords-create.aspx

[JF]

I suggest people tell their friends that use CG about this ASAP.

[Nicknero]

Whoever is doing this isn't to smart though.

Anyways, I already change my password of course.

[Lil_Killa]

Very sad, there are so many haters in this world  :'(.

[CrazyNinja]

Hopefully this won't happen again.  I changed my password already as well.  Any ideas on who it was?

[Technical Abbreviations]

Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues

[Adrian ?NoRagrets]

Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues

Either it's:

a) Some douche who had access to privileged information.

b) -snipped so we don't give people ideas-

I doubt very much that it's b. 

[smt]

Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues

from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot

[Somone77]

My assumption was a lot of RTLK's scripts for handling bans were completely insecure and required no authentication, only a steamID.

If he actually followed the new developer guidelines instead of assuming he's above them, as usual, that wouldn't be a problem. It's most likely that it was a type of SQL injection.

[smt]

you should switch back to mysql 4, no one takes the time to find table names them selves

oh and why are people being asked to change their passwords? smf hashes/salts them?

[Somone77]

It only uses the salt under specific circumstances. The hash for SMF is sha1(username+password) which should be nearly impossible to get just through has tables.

And about mysql, we have no options coming to that and downgrading to an old version is a idiotic decision to just practicing better coding habits.

[smt]

meh, this is why i dont like smf, im sure if you know what you're doing its secure, but the fact the database info is (defaultly) stored as plaintext in the files is pretty eeghh

[alaskan thunderfuck]

Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues

from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot

admins are full of shit, not only did we change the password multiple times since then but its IP locked so it wouldn't matter

what really happened was a certain group of kiddies got a hold of two admins passwords which happened to be incredibly insecure and decided to ban all
Nothing on CGs side was compromised.

[Martinerrr]

Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues

from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot

admins are full of shit, not only did we change the password multiple times since then but its IP locked so it wouldn't matter

what really happened was a certain group of kiddies got a hold of two admins passwords which happened to be incredibly insecure and decided to ban all
Nothing on CGs side was compromised.

If nothing was compromised, why are we being told to change our passwords?

[Adrian ?NoRagrets]

Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues

from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot

admins are full of shit, not only did we change the password multiple times since then but its IP locked so it wouldn't matter

what really happened was a certain group of kiddies got a hold of two admins passwords which happened to be incredibly insecure and decided to ban all
Nothing on CGs side was compromised.

If nothing was compromised, why are we being told to change our passwords?

Using the SMF adminCP, assuming these admins had access to it, you can backup any sql table. And yes SMT, passwords are salted and hashed, but they can still be bruted.