Last night the LibriVox forum got hacked. Below I’ll share the latest.
Someone managed to get access to a “superadmin” account belonging to one of the MC/admins, meaning they could access the backend of our forum software. The hack doesn’t appear to be a technical security hole; rather, the bad guys were able to find, guess or steal the admin’s password, and then log in to the forum admin panel.
What did they do?
They did two bad things, one worse than the other:
- they vandalized parts of the forum, and injected some html in our template pages (this is annoying but relatively easy to fix)
- they downloaded the entire database, which includes: email addresses of users, personal messages, and *encrypted* passwords. The fact that the passwords are encrypted is good. However, hackers are good at breaking encryption, so it’s not as good as all that.
In short, they have a list of our emails, and a list of (encrypted but probably easy to crack) passwords. If you use the same password on different services, they *might* be able to access those other services too.
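As an added illustration (not from the original post, and not LibriVox’s own code): how much a stolen list of “encrypted” passwords gives away depends on how they were stored. The post does not say which scheme the forum used, so the fast unsalted MD5 below is an assumed stand-in for an older scheme, set beside a salted, iterated PBKDF2; the user records are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: two forum users who happen to share a weak password.
USERS = {"alice": "password1", "bob": "password1", "carol": "correct horse"}
ROUNDS = 100_000  # PBKDF2 iterations; raises the cost of every guess

def store_fast_unsalted(password: str) -> str:
    """Assumed older scheme: one unsalted MD5 per password (the post does not
    say what the forum used). Every guess costs one cheap hash, and two users
    with the same password get the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()

def store_slow_salted(password: str, salt: bytes = None) -> tuple:
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def verify_slow_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login-time check; constant-time comparison avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)

def identical_hash_groups(records: dict) -> list:
    """Users whose stored values are identical. With an unsalted scheme this
    exposes shared passwords straight from the dump, before any guessing."""
    by_hash = {}
    for user, stored in records.items():
        by_hash.setdefault(stored, []).append(user)
    return sorted(group for group in by_hash.values() if len(group) > 1)

def guess_cost_ratio(password: str = "password1") -> float:
    """How many times more work a single guess costs under the slow scheme."""
    start = time.perf_counter()
    for _ in range(1000):
        store_fast_unsalted(password)
    fast = (time.perf_counter() - start) / 1000
    start = time.perf_counter()
    store_slow_salted(password, b"\x00" * 16)
    slow = time.perf_counter() - start
    return slow / fast

if __name__ == "__main__":
    dump = {user: store_fast_unsalted(pw) for user, pw in USERS.items()}
    print("same stored value:", identical_hash_groups(dump))
    print("slow scheme is ~%.0fx more work per guess" % guess_cost_ratio())
```

The forced reset described further down is the right response either way: it makes the stolen list worthless for the forum itself, while changing reused passwords elsewhere covers the other services.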
Why are other things like the catalog broken?
One of the things we did was reset a bunch of internal passwords – so various bits of LibriVox, including the catalog, aren’t working. We’re slowly getting those back into working order.
Why did they do it?
All kinds of websites get hacked all the time (recent high-profile cases include Sony and Gawker). Usually hackers want emails & passwords, with which they can do other bad things.
What about LibriVox recordings, catalog and the rest?
All the data is safe, but there may be some glitches in the next day or so as we implement new passwords, and fix other things in our processes.
What has LibriVox done to protect us?
* We identified the security breach – and where it came from (someone had accessed an admin account – by guessing/stealing their password)
* We disabled the breached account – so the hacker can no longer access the forum
* We cleaned up all vandalism and other things that the hackers had done to the forum itself
* UPDATE: We rejigged our admin settings so only one person, our sysadmin Dan, can access the database directly.
* Critically, we have RESET EVERYONE’S FORUM PASSWORD (including yours) … so that the hackers cannot get in again.
So, what do I do now?
* The next time you log in to the LibriVox forum, you will be asked to reset your password (see below for more instructions)
* If you use the same password in other places, it would also be a good idea to change the password on your email & other internet services.
How do I login again and change my password?
To change your password, please follow these steps:
1. Go to the LibriVox forum as usual: http://forum.librivox.org/
2. At the top, click the ‘Login’ button
3. Below the password field, click the link ‘I forgot my password’
4. You’ll be asked to supply your username and email
5. Check your email. You should receive a system email from ‘email@example.com’ titled “New password activation”.
6. Follow the instructions in that email, i.e. a) click the activation link, b) log in as in step 2 above, but this time enter your username and the new password from the email.
7. Once you have done this, it is a good idea to change your password, here’s how:
- in the top menu bar of the forum you will see “User Control Panel” … click that link
- in the left menu click on “Profile”
- in the left menu click on “Edit account settings”
- add the new password where prompted, as well as your “current password”, which will be the one you received in the email above.
UPDATE (May 27, 11:46): NOTE: it’s probably a good idea to change the password on the email address that is associated with your LibriVox account, no matter what, as a precaution.
Any problems, please email us at firstname.lastname@example.org, or see this forum thread with questions and answers:
Very sorry for all the headaches.
And thank you to Dan for the hard work last night of cleaning this up.
All the best,
Slightly tired Founder.