LibriVox Forum Hacked

Posted on May 27, 2011 | Posted in about LibriVox, News | 47 Comments

Hello everyone,

Last night the LibriVox forum got hacked. Below I’ll share the latest.

What happened?

Someone managed to get access to a “superadmin” account belonging to one of the MC/admins, meaning they could access the backend of our forum software. The hack doesn’t appear to have used a technical security hole; rather, the bad guys were able to find, guess or steal that admin’s password and then log in to the forum administration panel as that account.

What did they do?

They did two bad things, one worse than the other:
- they vandalized parts of the forum and injected some HTML into our template pages (this is annoying but relatively easy to fix)
- they downloaded the entire database, which includes: users’ email addresses, personal messages, and *encrypted* passwords (strictly speaking, one-way hashes rather than the passwords themselves). The fact that the passwords were not stored in plain text is good. However, hackers are good at cracking password hashes: they don’t need to break any encryption, they simply hash guesses (dictionary words, common passwords, passwords from earlier leaks) and compare them with the dump, so any weak or common password should be assumed recovered.

In short, they have a list of our email addresses and a list of (encrypted but probably easy to crack) passwords. If you use the same password on other services, they *might* be able to get into those services too.
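To make “probably easy to crack” concrete, here is an added example (not LibriVox code, and not from the actual breach) of what an attacker does with a dumped user table. The post does not say which hash the forum used; the weak case below assumes unsalted MD5, and the usernames, passwords and wordlist are constructed sample data. The second half shows what changes when each password is stored with a random per-user salt and a slow hash (PBKDF2 here, with an assumed work factor): the attacker loses the shared lookup table and pays for every guess per user, though weak passwords still fall eventually.

```python
"""Added example: cracking an unsalted-MD5 password dump with a wordlist,
versus the same users stored with per-user salts and PBKDF2.

Everything here is constructed sample data; the hash algorithm of the real
forum is not stated in the post and is assumed for illustration.
"""
import hashlib
import os

# Constructed attacker wordlist. Real ones have millions of entries
# (earlier breach dumps, dictionaries, common patterns).
WORDLIST = ["password", "123456", "letmein", "librivox", "qwerty", "audiobook"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Constructed "dumped" user table: username -> unsalted MD5 of the password.
# carol's password is not in the wordlist, so this attack does not recover it.
LEAKED_USERS = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("librivox"),
    "carol": md5_hex("Tr0ub4dor&3"),
}


def crack_unsalted_md5(users, wordlist):
    """Return (recovered passwords, number of hash computations).

    Without salts, hashing the wordlist once cracks every user at the same
    time: build a hash -> password table, then look each dumped hash up.
    Two users with the same password have the same hash, and a table built
    for one breach works unchanged against the next one.
    """
    table = {md5_hex(w): w for w in wordlist}
    found = {user: table[h] for user, h in users.items() if h in table}
    return found, len(wordlist)


ITERATIONS = 50_000  # PBKDF2 work factor; an assumed value for the example


def pbkdf2_hex(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def make_salted_record(password: str):
    """How a site should store a password: random per-user salt + slow hash."""
    salt = os.urandom(16)
    return salt, pbkdf2_hex(password, salt)


# The same three users stored properly. In a real dump the attacker gets
# both the salt and the hash; the salt is not a secret, it just prevents
# the shared table above.
SALTED_USERS = {
    "alice": make_salted_record("letmein"),
    "bob": make_salted_record("librivox"),
    "carol": make_salted_record("Tr0ub4dor&3"),
}


def crack_salted(users, wordlist):
    """Return (recovered passwords, number of hash computations).

    Each (user, guess) pair costs a separate PBKDF2 call, and every call is
    ITERATIONS times slower than one MD5. Weak passwords are still
    recoverable, just far more expensively, and one user's work cannot be
    reused against another.
    """
    found = {}
    ops = 0
    for user, (salt, h) in users.items():
        for guess in wordlist:
            ops += 1
            if pbkdf2_hex(guess, salt) == h:
                found[user] = guess
                break
    return found, ops


if __name__ == "__main__":
    weak, weak_ops = crack_unsalted_md5(LEAKED_USERS, WORDLIST)
    strong, strong_ops = crack_salted(SALTED_USERS, WORDLIST)
    print(f"unsalted MD5:  recovered {weak} with {weak_ops} fast hash ops")
    print(f"salted PBKDF2: recovered {strong} with {strong_ops} slow hash ops")
```

Run it as a script to see the two results side by side. The practical lesson for a user is the same in both cases: a hash only buys time, and for a weak or reused password not much of it, so a forced reset plus changing the same password anywhere else it was used (which is what this post asks for) is the right response whatever the forum’s hash algorithm turns out to be.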

Why are other things like the catalog broken?

One of the things we did was reset a bunch of internal passwords, so various bits of LibriVox, including the catalog, aren’t working. We’re slowly getting those back into working order.

Why did they do it?

All kinds of websites get hacked all the time (recent high-profile cases include Sony and Gawker). Usually hackers want email addresses and passwords, which they can then try against other services or use for other bad things.

What about LibriVox recordings, catalog and the rest?

All the data is safe, but there may be some glitches in the next day or so as we implement new passwords, and fix other things in our processes.

What has LibriVox done to protect us?

* We identified the security breach and where it came from (someone had accessed an admin account by guessing/stealing its password)
* We disabled the breached account – so the hacker can no longer access the forum
* We cleaned up all vandalism and other things that the hackers had done to the forum itself
* UPDATE: We rejigged our admin settings so only one person, our sysadmin dan, can access the database directly.
* Critically, we have RESET EVERYONE’S FORUM PASSWORD (including yours) … so that the hackers cannot get in again.

So, What do I do now?

* The next time you login to the LibriVox forum, you will be asked to reset your password (see below for more instructions)
* If you use the same password in other places, it would also be a good idea to change the password on your email & other internet services.

How do I login again and change my password?

To change your password, please follow these steps:

1. Go to the LibriVox forum as usual: http://forum.librivox.org/
2. At the top, click the ‘Login’ button
3. Below the password field, click the link ‘I forgot my password’
4. You’ll be asked to supply your username and email
5. Check your email. You should receive a system email from ‘noreply@librivox.org’ titled “New password activation”.
6. Follow the instructions in that email, i.e. a) click the activation link, b) login as in step 2. above, but this time enter your username and the new password from the email.
7. Once you have done this, it is a good idea to change your password, here’s how:
- in the top menu bar of the forum you will see “User Control Panel” … click that link
- in the left menu click on “Profile”
- in the left menu click on “Edit account settings”
- add the new password where prompted, as well as your “current password” which will be the one you received in the email above.

UPDATE -May 27, 11:46: NOTE: it’s probably a good idea to change the password on the email address that is associated with your LibriVox account, no matter what, as a precaution.

Any problems, please email us at info@librivox.org, or here is a forum thread with questions and answers:

http://forum.librivox.org/viewtopic.php?f=23&t=33564&start=15

Very sorry for all the headaches.

And thank you to Dan for the hard work last night of cleaning this up.

All the best,

Hugh McGuire
Slightly tired Founder.


47 comments

  1. Nullifidian says:

    Thanks to you and the sysadmin for being so prompt in fixing the breach and trying to get everything back to normal. :-)

  2. Anonymous says:

    Thanks for the hard work and effective solution. and for keeping the books safe for the public domain

  3. Adam says:

    Glad you guys disclosed this so quickly and openly. Also very glad the passwords were encrypted in your database. Were they also salted?

    The only downside is I can’t remember what my old Librivox password was, and now there is no way to find out. (I haven’t been active at Librivox in a couple of years.) Chances are I used it elsewhere for other accounts, too, but without knowing what it was, there is no way to be sure.

  4. Naoko says:

    Thank you for the honest disclosure and letting us know what happened. I hope you get a good rest soon.

  5. Wizard Prang says:

    Thanks for doing it right (encrypting the passwords) and doing it right (being up-front about disclosure).

    Like Hard Drive failures, breaches like this will happen. What is important is to have a plan and execute it.

  6. jollyrogered says:

    You guys are great!

  7. msjodi777 says:

    Thanks to everyone at librivox (especially you, Dan) for all the work you did to get this taken care of before we knew there was a problem. Glad to know there are still web admins who know what and how to correct invasions… It’s a whole new world out there – unfortunately there are still bad people in it. Why do people have to make things bad for those who are only trying to do good stuff? hmmm… maybe the question is an answer in itself…

  8. kattekliek says:

    Very clear communications, as usual, Hugh! :)

  9. Bill Johnson says:

    Sorry for the problems. When you are doing so much for the public good, it is frustrating to have to use valuable ‘resources’ to address problems that should never have occurred in the first place. Keep up the good work and remember that 99.99% of the people are honest and ethical but it only takes a few to create real issues.

  10. charles says:

    Thanks for being so communicative and diligent! Any way of finding out who these bad guys were?

  11. anon says:

    is there a way to know what the old passwords are so I know which one to change on other sites? I use about 9 passwords on several dozen sites.

  12. miette says:

    What a relaxing way to return from BEA! I’m sending you a drink.

    Cheers to Dan for what must’ve been dirty, dirty work.

  13. Madeline says:

    Keep up the good work . . . and THANK YOU!

  14. Nicholas Clfford says:

    Many, many thanks for all the work done to clean this up — what a mess. It seems odd that anyone would hack into a site where all the content is free — but I suppose the hope is to turn up some hidden gold in the passwords.

  15. Anonymous says:

    Thanks for the quick alert.

  16. Riese says:

    I don’t have an account here, but I’m so impressed at seeing this very open and honest article, especially, taking care to advise persons of what the hackers could do with the information.

  17. MaryAnnSpiegel says:

    Thank you to all the Admins and others behind the scenes who are working to correct this problem. We don’t think to thank you when things run smoothly – shame on us. But when the problems arise, and we get a look at all that you do, we are terribly grateful that you are there and committed to supporting the Librivox community with your talents and time.

  18. Lars Rolander says:

    When such a marvellous project like this, kept up by volunteers, is treated bad, one does really feel sorry and angry. But you have done a fantastic job to get it going again!! Thank you!!

  19. elisa says:

    I’m really sorry… Just now I noticed that the catalog was “strange” (all language filters in the search form are missing). And then I saw this article with the sad news. But I’m sure everything will be all right soon; thank you for working so hard to fix all the problems. You are great!

  20. Michele says:

    Thanks for being so prompt in notifying us. As for the hackers: may their disks fragment, their backups fail, their files corrupt and their hard drives decompose into puddles of goo, from now unto the end of time, forever and ever, amen.

  21. Anonymous says:

    Hi and thanks for your great job and for your quick alert. My English has improved a lot thanks to you. I am not a forum user. I surfed the librivox.org site and tried to download a podcast via iTunes this morning (I live in Italy – it was night in the USA). I later succeeded in downloading another podcast (I think it was in my bookmarks). As far as you know, could these things be “dangerous”? Thanks a lot

  22. hugh says:

    no, there is no worry about downloading. our audio is hosted in another place altogether.

  23. mark says:

    Because you sent the notification email to “undisclosed-recipients” I recall neither the email address nor the password I used. Can you make these available to me?

  24. mark says:

    Was the logon/database shared with http://www.pgdp.net?

  25. Anka says:

    Thanks, guys! I`m quite unhappy that librivox has been targeted (I see it as one of the few sites that are entirely good and prove to me that people like to do stuff for others and share) but also this is a huge “compliment” to the impact librivox has had. I`m also pleased with the prompt communication and the way everybody seems to take it in their stride. Keep up the excellent work!

  26. Dr. Backer says:

    What should one do? They hacked all my life: the privacy, mail box, credit account, whatever. I thought this was only in Tunisia before the revolution. I thought only in the Arab region, where justice depends on many factors: social relationships when you activate them, power when you show it, etc.
    The black-ships, as I categorized them (I don’t know if that’s right; this is only my opinion), are three classes:
    1) the free of work, youth mostly, who spend time to risk things
    2) harmful people who aim to do harm to others, either selectively or randomly as a habit
    3) the stupid people, who don’t expect the hurt and damage they cause to others; they are sometimes nosy, un- or not well-studied groups; generally speaking they don’t receive and practice enough information about ethics and legal conduct

  27. LibriVox Admin Team says:

    Mark – you said:
    > Because you sent the notification email to “undisclosed-recipients” I recall neither the email address nor the password I used. Can you make these available to me?

    Send a request to info[AT]librivox[DOT]org with your request and your forum user name. Once the catalog system is up, we should be able to at least pull up what email address we have for you; we won’t be able to pull up the old password.

  28. Pam M says:

    I am very proud to be a small part of this team. Thank you all for you diligence.

  29. HeatherA says:

    Thank you for all your hard work!!! I feel honored to be part of librivox.

  30. Damn Hackers! What are you messing about with a WONDERFUL site like Librivox for . . . YOU FILTHY SCOUNDRELS!!! Sorry. I am just mad about this. Is there any way we can find out who this individual, or individuals, is?

  31. carolb says:

    Thanks to all involved in restoring the site.
    I too feel honoured to be part of such a wonderful organisation – full of good, kind, friendly people. Long live Librivox!

    Carol

  32. gesmerSo, says:

    I noticed that the full names of Librivox titles in iTunes are suddenly missing. For example, instead of itunes showing “Librivox: King Lear by Shakespeare, William,” itunes shows only “Librivox” as the header. The actual files titles appear OK. Was this caused by the hack?

  33. AF says:

    Fortunately I use an “extra” email address and unique PW for this site that I’ll change as requested, but I would certainly be interested to learn of any future reports from users on specific problems arising from the break-in – was it only for valid spam-targets, or something more sinister?

  34. gaffo says:

    Hi Hugh. Bad news. Remember me? I’ve not posted here for a couple of years. Did those amateur Sheckley shorts that I linked to in the forums way back. I think you did a listen to them, “alien futures” ;-/.

    Sadly all my passwords on the 20 or so forums over the last 10 years or so are the same one (my memory sucks is why – I’ll not bother to change all the other 20 or so account passwords and chance it).

    I got my identity stolen (maybe thanks to Monoprice!!!!!!! big electronics online dealer – turns out they have a history of poor security!! – which I found out about after buying stuff using my credit card a few months ago), 2 months ago. SECOND TIME – first time was 3 years ago.

    Guess its just something to live with ;-/.

    I still believe in your Mission Sir!! and hope to contribute to it when I get the time (still waist-deep in restoring my near 100-year home…………..never ends…….(esp. when you do it yourself ;-/……….).

    ………………………How’s the Public Domain Sound Effects effort going? I really do think AudioDrama (even if only a cast of one (like me) with added sound effects and music (public domain in your efforts of course)) is far better than just a straight reading.

    peace and hope to contribute someday!!

  35. WYSIWYG says:

    And I thought our power outage here of several days was bad! I wish I could serve you all some nice hot tea. Rest easy. We mostly have firewalls out here.

    ~S~
    PS THANKS!

  36. adsum iam says:

    So sorry this has happened and caused our great admin team such headaches – and thanks to them for being so clear and open about the issues.

  37. OliveSorceress says:

    Sniff, sniff. Okay, good. You got the invading troll stink off the website. Thanks for fumigating so quickly. You should take an extra day off to enjoy your holiday barbeque.

  38. Chris Goringe says:

    @gesmerSo – the rss/iTunes feeds were certainly broken (not by the hack, but because we changed all sorts of internal passwords!). They should be working again now. If you still have a problem, please let us know!

  39. kløv says:

    What encryption was used? (If e.g. md5 was used, you can check if your passwords are on a list of hacker websites by searching for their md5sum, use a privacy-aware search engine like duckduckgo.)

  40. cristy says:

    Hi
    I love your work, I feel bad for the bad things that happened because of the hacker, God bless you. I am from Mexico

  41. dhawk says:

    Thanks Guys for the heads up! You do an awesome job. I love this site and tell everyone about it. Keep up the good work.

  42. Raymond says:

    Thank you for your amazing efforts to get the service back for your users. Its the best project on the web. It brought me hundreds of joyful hours…Just amazing concept and service. Thank you again!

  43. Chris says:

    Keep up the good work LibriVox.

    These “hackers” will likely go after an orphanage, widows’ refuge or other compelling target in their twisted sense of right and wrong.

    Such “hackers” are pathetic. Vandals really, criminals. Petty, very petty people.

  44. Ted Garvin says:

    I’m sure you’re aware that the Magic Windows report a 404 error. Any idea when they’ll be back to functionality? I’m sure you’re working as hard as you can to fix it.

  45. Jerry says:

    Thank you for your hard work, LibriVox. It’s sickening that someone would target such an obviously good site like this. Is there anything we can do to catch the perpetrators? This seems like an attack on public property that shouldn’t go unpunished.

  46. Anonymous says:

    “hackers are good at breaking encryption”

    I can has SHA256 hashes in the future please?

  47. Anonymous says:

    I’m sorry to hear that a good, free and very helpful service like yours was hacked. Any hacker who did it was despicable for attacking a public service like yours which does a lot of good. Thanks for all the good work you guys do and I hope this doesn’t happen again in future.
