spinvis
Stranger
Registered: 09/15/20
Posts: 587
shroomery hacked 2
#27278472 - 04/22/21 07:00 PM (2 years, 9 months ago)
Sorry if this has been officially posted elsewhere, couldn't find it. But can an admin officially comment or announce on the hack. Details of what exactly happened, what did the hackers obtain, eg. IP logs, usernames, passwords, private messages, email addresses, etc...
And if the data and passwords were and are stored encrypted in the database, or plain text. The need to change your password, etc...
I wouldn't want to find out if that hacker posts the database for sale next year and this site is added to HaveIBeenPwned without being informed by an admin of the site first.
karri0n
Mind Traveller
Registered: 08/29/20
Posts: 698
Last seen: 15 days, 29 minutes
Re: shroomery hacked [Re: spinvis]
#27278502 - 04/22/21 07:34 PM (2 years, 9 months ago)
I've also been interested in this info and unable to locate anything.
The hacker posted a message on the top of the page that he was selling the database and listed an email address people could buy it from.
The passwords are almost certainly hashed and encrypted, but I'm not sure about the PM's and whether LEO was interested in them.
It might be uncouth to put this on blast here in the forum, most sites would make a public announcement of the outcome of the breach, but that's up to the admins to decide.
If this shouldn't be public on the forum and a mod or admin felt like shooting a PM for reassurance after deleting, I'd sure appreciate it.
--------------------
Panaeolus Bisporus
Ythan
α( α )α
Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Last seen: 51 minutes, 4 seconds
Re: shroomery hacked [Re: karri0n] 38
#27278683 - 04/22/21 10:27 PM (2 years, 9 months ago)
Sorry for not providing more timely details. We're still fixing bugs but things have slowed down enough I certainly should have replied already.
This is the second time we have been targeted by the same hacker. They found a way to upload a specially crafted image so that the thumbnail would be an executable script, then they used this to browse the server's filesystem. They found and downloaded a forgotten BB database backup from December 16, 2015.
The good news is, with data over 5 years old, the damage is somewhat limited. For the posters in this thread, your data wasn't in this dump and you weren't affected at all. No passwords are stored in our database, we use secure bcrypt hashes. And anyway, we have required a mandatory password change since then. So you don't really need to worry about your password being leaked. More of a concern is that non-secure PMs from 2015 and earlier could be viewed. If you used the secure PM functionality, those messages cannot be decrypted. And fortunately with such an old database dump, the statute of limitations has probably elapsed on anything that was said. But it's still embarrassing and inexcusable and I really regret that it happened.
The other thing of concern would be that e-mail addresses were contained in the leak, so for those who are still using the same address from 5 years ago, be on the lookout for unexpected messages claiming to be from the Shroomery. If someone already knows a site where you have an account, and your username, it's easier for them to spoof password phishing e-mails.
The reason for the extended downtime is that we had to update our entire web server to ensure the site was secure. Our old server was almost 6 years old and depended on numerous outdated software packages. We moved to a brand new server with fresh installs of everything. And of course we tested for and locked down the particular type of vulnerability that was used in this hack. In the future, we are looking at migrating to a fully managed solution where website security is continuously monitored and maintained by specialized staff, but that will be a long-term project.
I hope this gives a good explanation without turning into a wall of technical text. I'll be glad to answer any questions and again I just want to say how sorry I am for allowing this to happen, and how glad I am to be back.
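Ythan's post above describes two failure modes: an uploaded image whose thumbnail ended up as an executable script, and a forgotten 2015 database backup left readable on the server. As an added example (not code from the site or from anyone in this thread), here is a defender-side Python sketch of the corresponding checks: sniffing uploaded image bytes and refusing script polyglots or executable extensions before assigning a server-chosen file name, and scanning a served directory for stale backup-like files. The signature table, marker patterns, suffix lists and fixture paths are assumptions of this example.

```python
import os
import re
import secrets
import tempfile
import time
from pathlib import Path
# Magic bytes of the only image types accepted; the stored extension is taken
# from the sniffed type, never from the user-supplied file name.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Script markers that have no business inside an image file; a polyglot that
# carries one is refused (a heuristic; re-encoding with an image library is better).
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script", re.IGNORECASE)
# Any of these anywhere in the claimed name (e.g. avatar.php.gif) is refused.
EXEC_EXTS = {"php", "phtml", "php5", "phar", "cgi", "pl", "py", "sh", "asp", "aspx", "jsp"}
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".tar.gz", ".zip", ".dump")

def sniff_image_type(data: bytes):
    """Return 'jpg', 'png' or 'gif' from the leading bytes, else None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def safe_upload_name(data: bytes, claimed_name: str):
    """Return a random server-chosen name for an accepted image, or None."""
    ext = sniff_image_type(data)
    if ext is None or SCRIPT_MARKERS.search(data):
        return None
    suffixes = [s.lower().lstrip(".") for s in Path(claimed_name).suffixes]
    if not suffixes or EXEC_EXTS.intersection(suffixes):
        return None
    return f"{secrets.token_hex(16)}.{ext}"

def find_stray_backups(root: str, older_than_days: int = 30):
    """List backup-looking files under a served directory as (relpath, is_stale)."""
    cutoff = time.time() - older_than_days * 86400
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(BACKUP_SUFFIXES):
                full = os.path.join(dirpath, name)
                found.append((os.path.relpath(full, root), os.path.getmtime(full) <= cutoff))
    return sorted(found)

def demo_backup_scan():
    """Constructed fixture: a fake web root holding a years-old dump and a fresh one."""
    with tempfile.TemporaryDirectory() as root:
        old = Path(root, "old", "forum_backup.sql.gz")
        old.parent.mkdir()
        old.write_bytes(b"constructed")
        stamp = time.time() - 6 * 365 * 86400  # six years back, like the 2015 dump
        os.utime(old, (stamp, stamp))
        Path(root, "latest.sql").write_bytes(b"constructed")
        return find_stray_backups(root)
```

The backup scan only flags what a web server could serve; the real fix is to keep dumps outside the document root entirely, which the scan helps verify.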
Smartattack
C'mon man
Registered: 12/21/18
Posts: 3,775
Loc: A thought
Re: shroomery hacked [Re: Ythan] 1
#27278701 - 04/22/21 10:52 PM (2 years, 9 months ago)
Quote:
Ythan said: Sorry for not providing more timely details. We're still fixing bugs but things have slowed down enough I certainly should have replied already.
This is the second time we have been targeted by the same hacker. They found a way to upload a specially crafted image so that the thumbnail would be an executable script, then they used this to browse the server's filesystem. They found and downloaded a forgotten BB database backup from December 16, 2015.
The good news is, with data over 5 years old, the damage is somewhat limited. For the posters in this thread, your data wasn't in this dump and you weren't affected at all. No passwords are stored in our database, we use secure bcrypt hashes. And anyway, we have required a mandatory password change since then. So you don't really need to worry about your password being leaked. More of a concern is that non-secure PMs from 2015 and earlier could be viewed. If you used the secure PM functionality, those messages cannot be decrypted. And fortunately with such an old database dump, the statute of limitations has probably elapsed on anything that was said. But it's still embarrassing and inexcusable and I really regret that it happened.
The other thing of concern would be that e-mail addresses were contained in the leak, so for those who are still using the same address from 5 years ago, be on the lookout for unexpected messages claiming to be from the Shroomery. If someone already knows a site where you have an account, and your username, it's easier for them to spoof password phishing e-mails.
The reason for the extended downtime is that we had to update our entire web server to ensure the site was secure. Our old server was almost 6 years old and depended on numerous outdated software packages. We moved to a brand new server with fresh installs of everything. And of course we tested for and locked down the particular type of vulnerability that was used in this hack. In the future, we are looking at migrating to a fully managed solution where website security is continuously monitored and maintained by specialized staff, but that will be a long-term project.
I hope this gives a good explanation without turning into a wall of technical text. I'll be glad to answer any questions and again I just want to say how sorry I am for allowing this to happen, and how glad I am to be back.
-------------------- * Smarts videos * Planet of the APES   I'm a fungal white supremacist.
Amanita86
OTD Keymaster
Registered: 09/26/12
Posts: 89,464
Loc: hades
Re: shroomery hacked [Re: Ythan] 10
#27278706 - 04/22/21 10:56 PM (2 years, 9 months ago)
Quote:
Ythan said: More of a concern is that non-secure PMs from 2015 and earlier could be viewed.
My dick pics are going to be everywhere now..
--------------------
Orange clock, pencil "They threw me off the hay truck about noon..."
*Mark 15:34  Gam zeh ya'avor...
Ashtray161
SettledNomad
Registered: 03/21/21
Posts: 4,503
Loc: Rugby, England
Re: shroomery hacked [Re: Amanita86] 1
#27278710 - 04/22/21 11:01 PM (2 years, 9 months ago)
Quote:
Amanita86 said:
Quote:
Ythan said: More of a concern is that non-secure PMs from 2015 and earlier could be viewed.
My dick pics are going to be everywhere now..
I've already bought them all, you can send bitcoins to the address PMed to you in order to have them released to you or they will be posted like, literally everywhere bruh. You have 24 seconds to decide.
--------------------
(You Know What Time It Is) Major Issues in the Psychedelic Movement: https://www.shroomery.org/forums/showflat.php/Number/27677086 "You never have to prove the fool a fool, just let them speak." Please, be an adult. Get vaccinated. Dont use psychedelics as an excuse. Dont come at me with some hippy dippy nonsense, GO GET VACCINATED. Be Gay, Do Crime 161 1312
Melliferous
Registered: 10/01/20
Posts: 1,053
Re: shroomery hacked [Re: Ythan] 1
#27278712 - 04/22/21 11:04 PM (2 years, 9 months ago)
Quote:
Ythan said: They found a way to upload a specially crafted image so that the thumbnail would be an executable script, then they used this to browse the server's filesystem.
Pretty clever -- glad it's fixed.
--------------------
      "No, I don't worry. I tell you, I am a man who believed that I died 20 years ago, and I live like a man who is dead already. I have no fear, whatsoever, of anybody or anything."
Edited by Melliferous (04/22/21 11:05 PM)
Amanita86
OTD Keymaster
Registered: 09/26/12
Posts: 89,464
Loc: hades
I'm owning it, send them everywhere!
--------------------
Orange clock, pencil "They threw me off the hay truck about noon..."
*Mark 15:34  Gam zeh ya'avor...
verum subsequentis
seeker of truth
Registered: 03/22/16
Posts: 8,732
Last seen: 1 year, 7 months
Re: shroomery hacked [Re: Amanita86]
#27278743 - 04/22/21 11:30 PM (2 years, 9 months ago)
Do you know who the hacker is? If so, do you know what they were actually after?
Fiery
Sword of Fire
Registered: 12/24/12
Posts: 36,574
Re: shroomery hacked [Re: Amanita86]
#27278753 - 04/22/21 11:40 PM (2 years, 9 months ago)
Quote:
Amanita86 said:
Quote:
Ythan said: More of a concern is that non-secure PMs from 2015 and earlier could be viewed.
My dick pics are going to be everywhere now..
Mine too.
And also that one time I cybered with this super hot chick and then came to find out later it was a dude.
Hey - that was you, wasn't it?
Anyways, thanks for all the hard work Ythan! And the rest of the team as well. I know everyone is happy the site is back up.
I for one don't take it for granted.

Stay safe people in case the hacker decides to come back! And watch out with those dick pics.
Fiery
Sword of Fire
Registered: 12/24/12
Posts: 36,574
Quote:
verum subsequentis said: Do you know who the hacker is? If so, do you know what they were actually after?
I was curious as well. I know they went on Reddit and were demanding a reply to an email from Mike- and then asking for money AFTER the hack took place or something along those lines.
Was it about money? Or what?
And what country did the hack originate from?
Did you guys ever find out who it was or where they were from or what the beef was? It almost seemed personal from the Reddit thing before it got deleted- but I really don't know.
Ythan
α( α )α
Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Last seen: 51 minutes, 4 seconds
Quote:
verum subsequentis said: Do you know who the hacker is? If so, do you know what they were actually after?
It doesn't appear to be anyone associated with the site. It looks like someone from Indonesia. They want money, but they decline to participate in our bug bounty program for responsible security disclosure. They claim they've been burned in the past by disclosing bugs and not being paid, so instead they're trying the extortion route. Unfortunately we're not willing to pay for bugs disclosed in this manner.
verum subsequentis
seeker of truth
Registered: 03/22/16
Posts: 8,732
Last seen: 1 year, 7 months
Re: shroomery hacked [Re: Ythan]
#27278768 - 04/22/21 11:57 PM (2 years, 9 months ago)
I know several folks that are convinced that it's time to move on. Care to comment?
mndfreeze
Shroomery Secret Service
Registered: 04/22/02
Posts: 20,529
Loc: PuppetMasterFlash
Last seen: 18 hours, 41 minutes
--------------------
Nothing says love like grannies prolapsed anus!
Quote:
Urb said: I know... Its fucked up... Ill fix it minyana..
Ythan
α( α )α
Registered: 08/08/97
Posts: 18,774
Loc: NY/MA/VT Borderlands
Last seen: 51 minutes, 4 seconds
Quote:
verum subsequentis said: I know several folks that are convinced that it's time to move on. Care to comment?
I don't blame them for thinking that. It's always disconcerting when a site where you're a member suffers a security breach, and we've had a couple over the past few years. I will say that over our 24 year history, our track record has not been as bad as recent events would lead you to believe. We always offer complete transparency about what happened. We continue to work to secure the site with the knowledge we have gained. And we're making plans to migrate to a platform where security is professionally managed for us. For people who are not comfortable being associated with the site, we've always made all mycology-related information available without requiring an account, so you can still browse our resources anonymously. But I would also caution people that whether they're participating on the Shroomery or any other site, if they're discussing sensitive topics, it would be wise to conduct themselves as if they could be subject to a data breach at any time and make use of tools like encryption and VPNs or TOR to help preserve their privacy. There are many ways that data can fall into the wrong hands, and if anything good can come of this incident maybe it will remind someone to take precautions that protect them later.
Loaded Shaman
Psychophysiologist
Registered: 03/02/15
Posts: 8,006
Loc: Now O'Clock
Last seen: 27 days, 21 hours
Re: shroomery hacked [Re: Ythan]
#27278791 - 04/23/21 12:21 AM (2 years, 9 months ago)
Quote:
Ythan said: Sorry for not providing more timely details. We're still fixing bugs but things have slowed down enough I certainly should have replied already.
This is the second time we have been targeted by the same hacker. They found a way to upload a specially crafted image so that the thumbnail would be an executable script, then they used this to browse the server's filesystem. They found and downloaded a forgotten BB database backup from December 16, 2015.
The good news is, with data over 5 years old, the damage is somewhat limited. For the posters in this thread, your data wasn't in this dump and you weren't affected at all. No passwords are stored in our database, we use secure bcrypt hashes. And anyway, we have required a mandatory password change since then. So you don't really need to worry about your password being leaked. More of a concern is that non-secure PMs from 2015 and earlier could be viewed. If you used the secure PM functionality, those messages cannot be decrypted. And fortunately with such an old database dump, the statute of limitations has probably elapsed on anything that was said. But it's still embarrassing and inexcusable and I really regret that it happened.
The other thing of concern would be that e-mail addresses were contained in the leak, so for those who are still using the same address from 5 years ago, be on the lookout for unexpected messages claiming to be from the Shroomery. If someone already knows a site where you have an account, and your username, it's easier for them to spoof password phishing e-mails.
The reason for the extended downtime is that we had to update our entire web server to ensure the site was secure. Our old server was almost 6 years old and depended on numerous outdated software packages. We moved to a brand new server with fresh installs of everything. And of course we tested for and locked down the particular type of vulnerability that was used in this hack. In the future, we are looking at migrating to a fully managed solution where website security is continuously monitored and maintained by specialized staff, but that will be a long-term project.
I hope this gives a good explanation without turning into a wall of technical text. I'll be glad to answer any questions and again I just want to say how sorry I am for allowing this to happen, and how glad I am to be back.
This makes total sense! Thank you for taking the time to type this out, as I'm sure this is all you're being asked since Shroomery reappeared. I appreciate your hard work to maintain this sanctuary for us!
 
Also:
Quote:
Ythan said:
Quote:
verum subsequentis said: I know several folks that are convinced that it's time to move on. Care to comment?
I don't blame them for thinking that. It's always disconcerting when a site where you're a member suffers a security breach, and we've had a couple over the past few years. I will say that over our 24 year history, our track record has not been as bad as recent events would lead you to believe. We always offer complete transparency about what happened. We continue to work to secure the site with the knowledge we have gained. And we're making plans to migrate to a platform where security is professionally managed for us. For people who are not comfortable being associated with the site, we've always made all mycology-related information available without requiring an account, so you can still browse our resources anonymously. But I would also caution people that whether they're participating on the Shroomery or any other site, if they're discussing sensitive topics, it would be wise to conduct themselves as if they could be subject to a data breach at any time and make use of tools like encryption and VPNs or TOR to help preserve their privacy. There are many ways that data can fall into the wrong hands, and if anything good can come of this incident maybe it will remind someone to take precautions that protect them later.
--------------------
"Real knowledge is to know the extent of one's ignorance." - Confucius
Feasoghorm
Registered: 10/24/18
Posts: 4,384
Re: shroomery hacked [Re: Ythan] 4
#27278801 - 04/23/21 12:52 AM (2 years, 9 months ago)
You're a king among stoned peasants, Ythan. Thanks for all that you do.
Ashtray161
SettledNomad
Registered: 03/21/21
Posts: 4,503
Loc: Rugby, England
Hopefully, for people disclosing anything interesting enough to perk up ears, their opsec is good enough to at least use a VPN lol
--------------------
(You Know What Time It Is) Major Issues in the Psychedelic Movement: https://www.shroomery.org/forums/showflat.php/Number/27677086 "You never have to prove the fool a fool, just let them speak." Please, be an adult. Get vaccinated. Dont use psychedelics as an excuse. Dont come at me with some hippy dippy nonsense, GO GET VACCINATED. Be Gay, Do Crime 161 1312
Asante
Mage
Registered: 02/06/02
Posts: 86,795
Re: shroomery hacked [Re: Ythan] 1
#27278833 - 04/23/21 02:38 AM (2 years, 9 months ago)
PM sent!
-------------------- Omnicyclion.org higher knowledge starts here
christopera
Stranger
Registered: 10/13/17
Posts: 14,201
Last seen: 2 hours, 30 minutes
Re: shroomery hacked [Re: Ythan] 1
#27278923 - 04/23/21 05:48 AM (2 years, 9 months ago)
I moved my site to a fully managed hosting package about a year ago and it means I pay significantly more annually. About 300% more in fact. I was extremely apprehensive to make the change as I am running a business and overhead is overhead. That said, it was totally worth it. My site is more reliable, much faster, and when I have issues I just tell them to fix it and continue about my life. Honestly, I should have moved to a managed solution like 5 years earlier.
-------------------- Enjoy the process of your search without succumbing to the pressure of the result. A Dorito is pizza, change my mind. Bank and Union with The Shroomery at the Zuul on The internet - now with %'s and things I'm sorry it had to be me.