Kerii

Did the site get hacked? Receiving extremely suspicious emails.


I got this too, twice actually. Either hacked or one of the admins needed some extra money and sold out to some spammer.

The file linked to is the following according to virustotal:

2mx5080.png


I received the same message about 4 hours ago. There have been some major breaches and user databases from many websites have been published.

Over 770 million email addresses shared online in largest data breach in history

I checked my email address on the site https://haveibeenpwned.com/ and it is found in the databases "Anti Public Combo List" and "Onliner Spambot". Perhaps one of those includes the StorageReview user data.


Thankfully our users are smart enough to know we wouldn't send an HDD tool executable.


From what I can tell, someone most likely breached an old account with an unchanged password, logged into the admin console here and sent out a bulk email. We've since pruned all the old admin accounts and reset passwords. It was sent through the bulk mail feature built into the forums itself, selecting all the users as recipients. So individual accounts, as far as we can tell, were not breached; it was just someone getting into an admin account.

Right now the email engine on the server is disabled and the port is blocked at the firewall to prevent anything more from coming through while we check through all the layers.


I did not get this email, or any other from SR in the last 48 hours. Checked my trash & spam folders to be sure. My email addy with the board is valid. Perhaps SR interrupted outgoing mails before it got to mine.

Advice from an admin on an unrelated board: they want to download the user table. Preferably via SQL access, makes it easier and faster. They want the hashed passwords, salts, and email addresses. Over time they can crack the hashes, making the dump much more valuable than emails alone. They may also be interested in the private message table, in case any users exchanged email addresses.

Hope everyone uses unique random passes on every site. That's the way to go. Once SR is sure they're clean, I'll update mine.


When most of this started happening, we had our host kill port 25 at the firewall level, then we started flushing the email queue. We just started opening it up slightly yesterday to monitor outgoing email traffic. But that is why many site-generated emails are slow or not moving out at all. Lots of them probably got caught up in the queue purge as well.

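The bulk mailing the admins describe above (one admin account, the forum's own mailer, every member selected as recipient) is exactly the kind of outbound burst that stands out in MTA logs once someone is watching the queue. The following is an added example, not code from the forum software or the site's own tooling: it runs a sliding-window recipient counter over constructed Postfix-style qmgr log lines and flags any sender that exceeds a threshold. The log format, hostnames, sender addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a Postfix-style qmgr line recording a message entering the active queue.
# Assumed format; adjust the pattern to the real MTA's logging on the forum host.
QMGR_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: \w+: "
    r"from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def parse_qmgr(lines, year=2019):
    """Yield (timestamp, sender, recipient_count). Syslog lines carry no year, so one is supplied."""
    for line in lines:
        m = QMGR_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3))

def find_bursts(lines, window_s=300, max_rcpts=50, year=2019):
    """Flag senders whose recipients inside any sliding window exceed max_rcpts.
    Returns {sender: (window_start, recipients_at_alert)} for the first trigger per sender."""
    recent = defaultdict(deque)   # sender -> (ts, nrcpt) entries still inside the window
    totals = defaultdict(int)     # sender -> recipients currently inside the window
    alerts = {}
    for ts, sender, nrcpt in parse_qmgr(lines, year):
        q = recent[sender]
        q.append((ts, nrcpt))
        totals[sender] += nrcpt
        while (ts - q[0][0]).total_seconds() > window_s:   # evict entries older than the window
            totals[sender] -= q.popleft()[1]
        if totals[sender] > max_rcpts and sender not in alerts:
            alerts[sender] = (q[0][0], totals[sender])
    return alerts

def make_sample():
    """Constructed log: a normal notification trickle, then a bulk mailing to every member."""
    def entry(ts, sender, qid):
        return (f"{ts.strftime('%b %d %H:%M:%S')} forum postfix/qmgr[812]: {qid}: "
                f"from=<{sender}>, size=2310, nrcpt=1 (queue active)")
    t0 = datetime(2019, 1, 17, 9, 0, 0)
    lines = [entry(t0 + timedelta(minutes=10 * i), "noreply@forum.example", f"A{i:05X}")
             for i in range(6)]                       # 09:00 .. 09:50, one notification each
    lines += [entry(t0 + timedelta(hours=1, seconds=i), "noreply@forum.example", f"B{i:05X}")
              for i in range(120)]                    # 10:00:00 .. 10:01:59, one mail per second
    lines.append(entry(t0 + timedelta(hours=1, minutes=5), "alerts@forum.example", "C00001"))
    return lines

if __name__ == "__main__":
    for sender, (start, n) in find_bursts(make_sample()).items():
        print(f"ALERT {sender}: {n} recipients in the window starting {start:%H:%M:%S}")
```

Because the counter sums `nrcpt`, a single message addressed to thousands of recipients trips the same check as a burst of single-recipient messages.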

Probably no one was impacted; our users are far too smart. They were trying to send out malware.


I updated my pw, so the thieves cannot log in and reduce the average quality of my postings. Those viagra posts would really cut into my rep.

However, I had to change my pw over HTTP. SR has an HTTPS cert, but it's only valid for the news side. And using it with a forum address loads the news side anyway.

Perhaps the SR cert(s) could be updated, so the forums will load securely?
