README: Change your password.

Just what it says.

Moderator: peterZ

daniel_reetz
Posts: 2812
Joined: 03 Jun 2009, 13:56
E-book readers owned: Used to have a PRS-500
Number of books owned: 600
Country: United States

README: Change your password.

Post by daniel_reetz »

So, as mentioned here, the site was hacked a few days ago.

As far as we've seen, the hack was automated and based on a WordPress PHP vulnerability. The hack injected some code into each PHP file on this site. The injected code attempted to cause your browsers to download a fake antivirus. I've personally pored over logs and our databases for signs of tampering and seen nothing since our repairs. Also, I've asked some people with deep knowledge of the topic to take a look, and they've seen nothing further.

We've been working hard to restore security. Part of running a secure site is full disclosure - this post. As far as we know, the database containing user information was not downloaded, although the hacking software could certainly have accessed our database. Further, we do not store your passwords in the clear, rather they are MD5 hashed. So if the attacker downloaded all the passwords, they would still have to get through the hashes to see your passwords. And frankly, for a measly PHPBB site, the value of your accounts simply doesn't justify that kind of work.

That said, in the interest of security going forward, this is a good time to change your password. It's easy to do. Please do so. Thanks.
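The post above says the board keeps passwords as MD5 hashes. The practical caveat for anyone running a phpBB-era site is that unsalted MD5 is a fast hash with no per-user salt, so the work an attacker needs to "get through the hashes" is much smaller than it sounds, and the usual fix is to verify the old hash once at login and rewrite the row with a slow, salted KDF. The block below is an added example of that migration step; it is not code from the forum or from phpBB, and the PBKDF2 parameters and record format are assumptions of this example, not anything the post describes.

```python
import hashlib
import hmac
import os

# Parameters for the replacement scheme (assumed for this example, not from the post).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest, the scheme the post says the board used.
    Kept only to model existing rows; never use it for new accounts."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_pbkdf2_record(password: str, salt: bytes = b"") -> str:
    """Build a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<key hex>.
    A fresh random salt is drawn unless one is supplied (tests may pass a fixed one)."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the derived key with the parameters stored in the record and compare
    in constant time, so a wrong guess does not leak how many bytes matched."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def check_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Verify a login against either scheme.

    Returns (ok, record_to_store). When a legacy MD5 row matches, the returned record
    is a new PBKDF2 record the caller should write back in place of the MD5 value;
    in every other case the stored value is returned unchanged."""
    if stored.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(password, stored), stored
    # Anything else is treated as a legacy row: 32 hex characters of unsalted MD5.
    if hmac.compare_digest(legacy_md5(password), stored.lower()):
        return True, make_pbkdf2_record(password)
    return False, stored


if __name__ == "__main__":
    # Constructed sample: one legacy row for a user whose password is "password".
    legacy_row = legacy_md5("password")
    ok, new_row = check_and_upgrade("password", legacy_row)
    print("legacy login ok:", ok)
    print("row now stored as:", new_row[:40] + "...")
    print("second login against new row:", check_and_upgrade("password", new_row)[0])
    print("wrong password against new row:", check_and_upgrade("wrong", new_row)[0])
```

Rows that have never been touched by a login stay MD5 until their owner signs in, which is exactly why the post's advice to change your password now is the right one: a password change forces the rewrite. Sites doing this in practice also set a deadline after which remaining MD5 rows are invalidated and a reset is required.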
Drake Ravensmith
Posts: 70
Joined: 04 Jan 2011, 05:16
E-book readers owned: Kindle 3
Number of books owned: 0

Re: README: Change your password.

Post by Drake Ravensmith »

Something to keep in mind about how "measly" a site we are. People, and I have been guilty of this in the past, are really stupid when it comes to passwords. Since we have to remember passwords, people tend to use the same passwords for various sites or variations of the same passwords. We also like to use the same screen name. I used to visit a knitting site and got an email a while back telling us they were hacked and the encrypted password info was taken. I don't use common passwords for my banking or credit cards but since it was just a knitting site I used my stock password and realized that some hacker could potentially have Drake Ravensmith's password for a dozen other sites I don't really put much value on.

Who would hack a knitting website? Who would hack a small DIY book scanner site? The answer is someone who is hoping to score a valuable password to some other site.
Shyamasundara
Posts: 15
Joined: 29 May 2012, 09:43
E-book readers owned: I use PDF on my Mac
Number of books owned: 3500
Country: India
Location: Bangalore, India

Re: README: Change your password.

Post by Shyamasundara »

For generating and keeping strong passwords, download a password keeper. For OS X and Windows there is KeePassX http://www.keepassx.org/. If you don't like it, there are others to choose from. The advantage is that you only need to remember one password, the one to your password keeper; all your other passwords should be military grade.