Invisiblespinvis
Stranger

Registered: 09/15/20
Posts: 587
shroomery hacked * 2
    #27278472 - 04/22/21 07:00 PM (2 years, 9 months ago)

Sorry if this has been officially posted elsewhere, couldn't find it. But can an admin officially comment or announce on the hack. Details of what exactly happened, what did the hackers obtain, e.g. IP logs, usernames, passwords, private messages, email addresses, etc...

And if the data and passwords were and are stored encrypted in the database, or plain text. The need to change your password, etc...

I wouldn't want to find out if that hacker posts the database for sale next year and this site is added to HaveIBeenPwned without being informed by an admin of the site first.


Offlinekarri0n
Mind Traveller
Male User Gallery


Registered: 08/29/20
Posts: 698
Last seen: 15 days, 29 minutes
Re: shroomery hacked [Re: spinvis]
    #27278502 - 04/22/21 07:34 PM (2 years, 9 months ago)

I've also been interested in this info and unable to locate anything.

The hacker posted a message on the top of the page that he was selling the database and listed an email address people could buy it from.

The passwords are almost certainly hashed and encrypted, but I'm not sure about the PMs and whether LEO was interested in them.

It might be uncouth to put this on blast here in the forum, most sites would make a public announcement of the outcome of the breach, but that's up to the admins to decide.

If this shouldn't be public on the forum and a mod or admin felt like shooting a PM for reassurance after deleting, I'd sure appreciate it.


--------------------

Panaeolus Bisporus


OfflineYthanA
ᕕ( ᐛ )ᕗ
Male User Gallery

Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands Flag
Last seen: 51 minutes, 4 seconds
Re: shroomery hacked [Re: karri0n] * 38
    #27278683 - 04/22/21 10:27 PM (2 years, 9 months ago)

Sorry for not providing more timely details. We're still fixing bugs but things have slowed down enough I certainly should have replied already.

This is the second time we have been targeted by the same hacker. They found a way to upload a specially crafted image so that the thumbnail would be an executable script, then they used this to browse the server's filesystem. They found and downloaded a forgotten BB database backup from December 16, 2015.

The good news is, with data over 5 years old, the damage is somewhat limited. For the posters in this thread, your data wasn't in this dump and you weren't affected at all. No passwords are stored in our database, we use secure bcrypt hashes. And anyway, we have required a mandatory password change since then. So you don't really need to worry about your password being leaked. More of a concern is that non-secure PMs from 2015 and earlier could be viewed. If you used the secure PM functionality, those messages cannot be decrypted. And fortunately with such an old database dump, the statute of limitations has probably elapsed on anything that was said. But it's still embarrassing and inexcusable and I really regret that it happened.

The other thing of concern would be that e-mail addresses were contained in the leak, so for those who are still using the same address from 5 years ago, be on the lookout for unexpected messages claiming to be from the Shroomery. If someone already knows a site where you have an account, and your username, it's easier for them to spoof password phishing e-mails.

The reason for the extended downtime is that we had to update our entire web server to ensure the site was secure. Our old server was almost 6 years old and depended on numerous outdated software packages. We moved to a brand new server with fresh installs of everything. And of course we tested for and locked down the particular type of vulnerability that was used in this hack. In the future, we are looking at migrating to a fully managed solution where website security is continuously monitored and maintained by specialized staff, but that will be a long-term project.

I hope this gives a good explanation without turning into a wall of technical text. I'll be glad to answer any questions and again I just want to say how sorry I am for allowing this to happen, and how glad I am to be back.


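
From the defender's side, the upload flaw Ythan describes (an uploaded "image" whose thumbnail ends up executable) comes down to letting the uploader decide what the stored file is. The following is example code written for this thread, not the Shroomery's own code: a naive thumbnail-naming routine that inherits the uploader's extension, beside a hardened one that classifies the file by its leading bytes, assigns a server-chosen random name with an allowlisted extension, and rejects anything that does not sniff as an image. The sample uploads are constructed, and format detection is deliberately simplified to magic-byte matching.

```python
import os
import secrets
from typing import Optional

# Constructed sample uploads for this example (not files from the incident).
# The last two carry an image extension but are not a real image, or are a
# valid image header followed by non-image trailing bytes.
SAMPLE_UPLOADS = {
    "photo.png":    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "cap.jpg":      b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notimage.jpg": b"THIS IS NOT AN IMAGE",
    "polyglot.gif": b"GIF89a" + b"\x00TRAILING-NON-IMAGE-BYTES",
}

# Allowlist of leading-byte signatures -> extension the server will assign.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def vulnerable_thumbnail_name(upload_name: str) -> str:
    """Anti-pattern: the thumbnail inherits the uploader's basename and
    extension, so the uploader, not the server, decides what the file 'is'."""
    base, ext = os.path.splitext(upload_name)
    return f"thumbs/{base}_thumb{ext}"


def detect_image_type(data: bytes) -> Optional[str]:
    """Classify by leading bytes only; the client-supplied filename and
    Content-Type header are never consulted."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def hardened_thumbnail_name(upload_name: str, data: bytes) -> str:
    """Server-chosen storage name: random basename plus an allowlisted
    extension derived from the detected format. upload_name is kept only
    for the error message and never reaches disk."""
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError(f"rejected {upload_name!r}: not a recognised image")
    # Signature sniffing alone still accepts a valid header with trailing
    # junk, so two further controls matter in a real pipeline: re-encode the
    # thumbnail through an image library (assumption: e.g. Pillow, not shown)
    # so only pixel data survives, and serve thumbs/ from a directory where
    # script execution is disabled.
    return f"thumbs/{secrets.token_hex(16)}.{ext}"


def accepts(upload_name: str, data: bytes) -> bool:
    """True if the hardened path would store this upload at all."""
    try:
        hardened_thumbnail_name(upload_name, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS.items():
        verdict = "rejected"
        if accepts(name, data):
            verdict = "stored as ." + str(detect_image_type(data))
        print(f"{name:14} naive={vulnerable_thumbnail_name(name):28} hardened={verdict}")
```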
InvisibleSmartattack
C'mon man
 User Gallery


Registered: 12/21/18
Posts: 3,775
Loc: A thought
Re: shroomery hacked [Re: Ythan] * 1
    #27278701 - 04/22/21 10:52 PM (2 years, 9 months ago)

Quote:

Ythan said:
Sorry for not providing more timely details. We're still fixing bugs but things have slowed down enough I certainly should have replied already.

This is the second time we have been targeted by the same hacker. They found a way to upload a specially crafted image so that the thumbnail would be an executable script, then they used this to browse the server's filesystem. They found and downloaded a forgotten BB database backup from December 16, 2015.

The good news is, with data over 5 years old, the damage is somewhat limited. For the posters in this thread, your data wasn't in this dump and you weren't affected at all. No passwords are stored in our database, we use secure bcrypt hashes. And anyway, we have required a mandatory password change since then. So you don't really need to worry about your password being leaked. More of a concern is that non-secure PMs from 2015 and earlier could be viewed. If you used the secure PM functionality, those messages cannot be decrypted. And fortunately with such an old database dump, the statute of limitations has probably elapsed on anything that was said. But it's still embarrassing and inexcusable and I really regret that it happened.

The other thing of concern would be that e-mail addresses were contained in the leak, so for those who are still using the same address from 5 years ago, be on the lookout for unexpected messages claiming to be from the Shroomery. If someone already knows a site where you have an account, and your username, it's easier for them to spoof password phishing e-mails.

The reason for the extended downtime is that we had to update our entire web server to ensure the site was secure. Our old server was almost 6 years old and depended on numerous outdated software packages. We moved to a brand new server with fresh installs of everything. And of course we tested for and locked down the particular type of vulnerability that was used in this hack. In the future, we are looking at migrating to a fully managed solution where website security is continuously monitored and maintained by specialized staff, but that will be a long-term project.

I hope this gives a good explanation without turning into a wall of technical text. I'll be glad to answer any questions and again I just want to say how sorry I am for allowing this to happen, and how glad I am to be back.





:rockon:


--------------------
* Smarts videos :teacher:
* :thumbup: Planet of the APES:thumbup:
 
I'm a fungal white supremacist.


InvisibleAmanita86
OTD Keymaster
 User Gallery

Registered: 09/26/12
Posts: 89,464
Loc: hades
Re: shroomery hacked [Re: Ythan] * 10
    #27278706 - 04/22/21 10:56 PM (2 years, 9 months ago)

Quote:

Ythan said:
More of a concern is that non-secure PMs from 2015 and earlier could be viewed.




My dick pics are going to be everywhere now..:picard:


--------------------
:mushroom2:Orange clock, pencil:bouncysmoke:
"They threw me off the hay truck about noon...":fishing:
:mushroom2:*Mark 15:34:levitate::mushroom2::blueninja:
Gam zeh ya’avor...:sunny:


InvisibleAshtray161
SettledNomad
Other


Registered: 03/21/21
Posts: 4,503
Loc: Rugby, England
Re: shroomery hacked [Re: Amanita86] * 1
    #27278710 - 04/22/21 11:01 PM (2 years, 9 months ago)

Quote:

Amanita86 said:
Quote:

Ythan said:
More of a concern is that non-secure PMs from 2015 and earlier could be viewed.




My dick pics are going to be everywhere now..:picard:




I've already bought them all, you can send bitcoins to the address PMed to you in order to have them released to you or they will be posted like, literally everywhere bruh. You have 24 seconds to decide.


--------------------
(You Know What Time It Is)
Major Issues in the Psychedelic Movement: https://www.shroomery.org/forums/showflat.php/Number/27677086:elmo:
"You never have to prove the fool a fool, just let them speak."
Please, be an adult. Get vaccinated. Don't use psychedelics as an excuse. Don't come at me with some hippy dippy nonsense, GO GET VACCINATED.
Be Gay, Do Crime 161 1312


InvisibleMelliferous
🌵🍄🌵🍄🌵
 Unread Journal

Registered: 10/01/20
Posts: 1,053
Re: shroomery hacked [Re: Ythan] * 1
    #27278712 - 04/22/21 11:04 PM (2 years, 9 months ago)

Quote:

Ythan said:
They found a way to upload a specially crafted image so that the thumbnail would be an executable script, then they used this to browse the server's filesystem.



Pretty clever -- glad it's fixed. :grin:


--------------------


"No, I don't worry. I tell you, I am a man who believed that I died 20 years ago, and I live like a man who is dead already. I have no fear, whatsoever, of anybody or anything."


Edited by Melliferous (04/22/21 11:05 PM)


InvisibleAmanita86
OTD Keymaster
 User Gallery

Registered: 09/26/12
Posts: 89,464
Loc: hades
Re: shroomery hacked [Re: Ashtray161] * 4
    #27278715 - 04/22/21 11:06 PM (2 years, 9 months ago)

I’m owning it, send them everywhere!:rocketcrotch:


:freewilly:


--------------------
:mushroom2:Orange clock, pencil:bouncysmoke:
"They threw me off the hay truck about noon...":fishing:
:mushroom2:*Mark 15:34:levitate::mushroom2::blueninja:
Gam zeh ya’avor...:sunny:


Offlineverum subsequentis
seeker of truth
I'm a teapot User Gallery


Registered: 03/22/16
Posts: 8,732
Last seen: 1 year, 7 months
Re: shroomery hacked [Re: Amanita86]
    #27278743 - 04/22/21 11:30 PM (2 years, 9 months ago)

Do you know who the hacker is? If so, do you know what they were actually after?


InvisibleFiery
Sword of Fire
Other User Gallery

Registered: 12/24/12
Posts: 36,574
Re: shroomery hacked [Re: Amanita86]
    #27278753 - 04/22/21 11:40 PM (2 years, 9 months ago)

Quote:

Amanita86 said:
Quote:

Ythan said:
More of a concern is that non-secure PMs from 2015 and earlier could be viewed.




My dick pics are going to be everywhere now..





Mine too.

And also that one time I cybered with this super hot chick and then come to find out later it was a dude :smbfacepalm:


Hey - that was you- wasn't it?







Anyways- thanks for all the hard work Ythan! and the rest of the team as well. I know everyone is happy the site is back up.

I for one don't take it for granted.

:fuckyeah:



Stay safe people in case the hacker decides to come back! And watch out with those dick pics :pm:


InvisibleFiery
Sword of Fire
Other User Gallery

Registered: 12/24/12
Posts: 36,574
Re: shroomery hacked [Re: verum subsequentis]
    #27278757 - 04/22/21 11:44 PM (2 years, 9 months ago)

Quote:

verum subsequentis said:
Do you know who the hacker is? If so, do you know what they were actually after?




I was curious as well. I know they went on Reddit and were demanding a reply to an email from Mike- and then asking for money AFTER the hack took place or something along those lines.


Was it about money? Or what?


And what country did the hack originate from?


Did you guys ever find out who it was or where they were from or what the beef was? It almost seemed personal from the Reddit thing before it got deleted- but I really don't know.


OfflineYthanA
ᕕ( ᐛ )ᕗ
Male User Gallery

Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands Flag
Last seen: 51 minutes, 4 seconds
Re: shroomery hacked [Re: verum subsequentis] * 5
    #27278761 - 04/22/21 11:48 PM (2 years, 9 months ago)

Quote:

verum subsequentis said:
Do you know who the hacker is? If so, do you know what they were actually after?




It doesn't appear to be anyone associated with the site. It looks like someone from Indonesia. They want money, but they decline to participate in our bug bounty program for responsible security disclosure. They claim they've been burned in the past by disclosing bugs and not being paid, so instead they're trying the extortion route. Unfortunately we're not willing to pay for bugs disclosed in this manner.


Offlineverum subsequentis
seeker of truth
I'm a teapot User Gallery


Registered: 03/22/16
Posts: 8,732
Last seen: 1 year, 7 months
Re: shroomery hacked [Re: Ythan]
    #27278768 - 04/22/21 11:57 PM (2 years, 9 months ago)

I know several folks that are convinced that it's time to move on. Care to comment?


OfflinemndfreezeMDiscordReddit
Shroomery Secret Service
Other User Gallery


Folding@home Statistics
Registered: 04/22/02
Posts: 20,529
Loc: PuppetMasterFlash
Last seen: 18 hours, 41 minutes
Re: shroomery hacked [Re: verum subsequentis]
    #27278773 - 04/23/21 12:07 AM (2 years, 9 months ago)

:archiebunker:


--------------------
Nothing says love like grannies prolapsed anus!

Quote:

Urb said:
I know... It's fucked up... I'll fix it minyana..


OfflineYthanA
ᕕ( ᐛ )ᕗ
Male User Gallery

Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands Flag
Last seen: 51 minutes, 4 seconds
Re: shroomery hacked [Re: verum subsequentis] * 6
    #27278787 - 04/23/21 12:16 AM (2 years, 9 months ago)

Quote:

verum subsequentis said:
I know several folks that are convinced that it's time to move on. Care to comment?




I don't blame them for thinking that. It's always disconcerting when a site where you're a member suffers a security breach, and we've had a couple over the past few years. I will say that over our 24 year history, our track record has not been as bad as recent events would lead you to believe. We always offer complete transparency about what happened. We continue to work to secure the site with the knowledge we have gained. And we're making plans to migrate to a platform where security is professionally managed for us. For people who are not comfortable being associated with the site, we've always made all mycology-related information available without requiring an account, so you can still browse our resources anonymously. But I would also caution people that whether they're participating on the Shroomery or any other site, if they're discussing sensitive topics, it would be wise to conduct themselves as if they could be subject to a data breach at any time and make use of tools like encryption and VPNs or TOR to help preserve their privacy. There are many ways that data can fall into the wrong hands, and if anything good can come of this incident maybe it will remind someone to take precautions that protect them later.


OfflineLoaded Shaman
Psychophysiologist
Male User Gallery


Registered: 03/02/15
Posts: 8,006
Loc: Now O'Clock
Last seen: 27 days, 21 hours
Re: shroomery hacked [Re: Ythan]
    #27278791 - 04/23/21 12:21 AM (2 years, 9 months ago)

Quote:

Ythan said:
Sorry for not providing more timely details. We're still fixing bugs but things have slowed down enough I certainly should have replied already.

This is the second time we have been targeted by the same hacker. They found a way to upload a specially crafted image so that the thumbnail would be an executable script, then they used this to browse the server's filesystem. They found and downloaded a forgotten BB database backup from December 16, 2015.

The good news is, with data over 5 years old, the damage is somewhat limited. For the posters in this thread, your data wasn't in this dump and you weren't affected at all. No passwords are stored in our database, we use secure bcrypt hashes. And anyway, we have required a mandatory password change since then. So you don't really need to worry about your password being leaked. More of a concern is that non-secure PMs from 2015 and earlier could be viewed. If you used the secure PM functionality, those messages cannot be decrypted. And fortunately with such an old database dump, the statute of limitations has probably elapsed on anything that was said. But it's still embarrassing and inexcusable and I really regret that it happened.

The other thing of concern would be that e-mail addresses were contained in the leak, so for those who are still using the same address from 5 years ago, be on the lookout for unexpected messages claiming to be from the Shroomery. If someone already knows a site where you have an account, and your username, it's easier for them to spoof password phishing e-mails.

The reason for the extended downtime is that we had to update our entire web server to ensure the site was secure. Our old server was almost 6 years old and depended on numerous outdated software packages. We moved to a brand new server with fresh installs of everything. And of course we tested for and locked down the particular type of vulnerability that was used in this hack. In the future, we are looking at migrating to a fully managed solution where website security is continuously monitored and maintained by specialized staff, but that will be a long-term project.

I hope this gives a good explanation without turning into a wall of technical text. I'll be glad to answer any questions and again I just want to say how sorry I am for allowing this to happen, and how glad I am to be back.




This makes total sense! Thank you for taking the time to type this out, as I'm sure this is all you're being asked since Shroomery reappeared. I appreciate your hard work to maintain this sanctuary for us!

:sunny::heart:

Also:

Quote:

Ythan said:
Quote:

verum subsequentis said:
I know several folks that are convinced that it's time to move on. Care to comment?




I don't blame them for thinking that. It's always disconcerting when a site where you're a member suffers a security breach, and we've had a couple over the past few years. I will say that over our 24 year history, our track record has not been as bad as recent events would lead you to believe. We always offer complete transparency about what happened. We continue to work to secure the site with the knowledge we have gained. And we're making plans to migrate to a platform where security is professionally managed for us. For people who are not comfortable being associated with the site, we've always made all mycology-related information available without requiring an account, so you can still browse our resources anonymously. But I would also caution people that whether they're participating on the Shroomery or any other site, if they're discussing sensitive topics, it would be wise to conduct themselves as if they could be subject to a data breach at any time and make use of tools like encryption and VPNs or TOR to help preserve their privacy. There are many ways that data can fall into the wrong hands, and if anything good can come of this incident maybe it will remind someone to take precautions that protect them later.




:kenthumbup:


--------------------



"Real knowledge is to know the extent of one’s ignorance." — Confucius


InvisibleFeasoghorm

Registered: 10/24/18
Posts: 4,384
Re: shroomery hacked [Re: Ythan] * 4
    #27278801 - 04/23/21 12:52 AM (2 years, 9 months ago)

You're a king among stoned peasants, Ythan. Thanks for all that you do.


InvisibleAshtray161
SettledNomad
Other


Registered: 03/21/21
Posts: 4,503
Loc: Rugby, England
Re: shroomery hacked [Re: Feasoghorm]
    #27278820 - 04/23/21 02:20 AM (2 years, 9 months ago)

Hopefully, for people disclosing anything interesting enough to perk up ears, their op sec is good enough to at least use a VPN lol


--------------------
(You Know What Time It Is)
Major Issues in the Psychedelic Movement: https://www.shroomery.org/forums/showflat.php/Number/27677086:elmo:
"You never have to prove the fool a fool, just let them speak."
Please, be an adult. Get vaccinated. Don't use psychedelics as an excuse. Don't come at me with some hippy dippy nonsense, GO GET VACCINATED.
Be Gay, Do Crime 161 1312


InvisibleAsante
Mage
Male User Gallery

Registered: 02/06/02
Posts: 86,795
Re: shroomery hacked [Re: Ythan] * 1
    #27278833 - 04/23/21 02:38 AM (2 years, 9 months ago)

PM sent!


--------------------
Omnicyclion.org
higher knowledge starts here


Offlinechristopera
Stranger
 User Gallery

Registered: 10/13/17
Posts: 14,201
Last seen: 2 hours, 30 minutes
Re: shroomery hacked [Re: Ythan] * 1
    #27278923 - 04/23/21 05:48 AM (2 years, 9 months ago)

I moved my site to a fully managed hosting package about a year ago and it means I pay significantly more annually. About 300% more in fact. I was extremely apprehensive to make the change as I am running a business and overhead is overhead. That said, it was totally worth it. My site is more reliable, much faster, and when I have issues I just tell them to fix it and continue about my life. Honestly, I should have moved to a managed solution like 5 years earlier.


--------------------
Enjoy the process of your search without succumbing to the pressure of the result.

A Dorito is pizza, change my mind.

Bank and Union with The Shroomery at the Zuul on The internet - now with %'s and things

I’m sorry it had to be me.




Copyright 1997-2024 Mind Media. Some rights reserved.
