2

It is with deep regret that I inform everyone that it just very recently came to my attention that the DaniWeb database was breached in December 2015. Over a million user profiles, including email addresses and IP addresses, were stolen. Logins and passwords were protected through an additional security layer and were NOT able to be stolen.

While encrypted versions of passwords were stolen, without access to the old version of DaniWeb's code base, there is no way for a hacker to figure out the very unique encryption method, which included multiple unique salts, which we used.

Please note this attack happened over a year ago. Over the past year, DaniWeb migrated to entirely new infrastructure, a new code base, off of Apache and onto Nginx, and its login mechanism is now powered by Dazah, which is infinitely more secure.

Edited by Dani

5
Contributors
18
Replies
162
Views
10 Months
Discussion Span
Last Post by happygeek
Featured Replies
  • > I think I'm going to go crawl into a hole and hide now. Hey Dani, I think you are doing a brilliant job of being open and up front about disclosing what you know (and what you don't) about this breach. For that alone you should be congratulated! That … Read More

0

Just out of curiosity, how did you come to learn of this? And, again, out of curiosity, what was the vulnerability?

Edited by Reverend Jim

0

Just out of curiosity, how did you cone to learn of this?

The leaked data wound up being recently traded amongst security websites who collect breaches:

https://vigilante.pw/
https://haveibeenpwned.com/
https://www.leakedsource.com/

And, again, out of curiosity, what was the vulnerability?

We believe that we were exploited during a temporary firewall-related issue with one of our old memcached servers last year. Needless to say, this entire breach was just uncovered now, and we are currently on entirely different and much more secure infrastructure (both different hardware and software) ever since the shift to the Dazah platform over the summer. We're simply infinitely more secure because Dazah was designed to be that way from the ground up as one of its primary functions is to be a login API.

While we're still looking into the definite cause of the vulnerability, we no longer have access to any of the hardware that was being used at the time, and the entire DaniWeb software has since been rewritten from the ground up to be based on the Dazah platform. Therefore, the most we can really do is look back at logs and speculate as to when something might have been exposed, and James mentioned to me a firewall incident that temporarily exposed memcached around the time of the breach, so that's the best guess as of right now.

I just want to reiterate, however, that passwords were not leaked. Emails, unfortunately, were.

0

Troy over at haveibeenpwned is saying that salted MD5 hashes of passwords were amongst the leaked data, is this not the case then Dani? Might be worth pointing out his error if so.

0

It's true that the leak does include salted MD5 passwords. However, two things to note: Firstly, the fields were leftover from our old vBulletin days. Secondly, even then, we used multiple rounds of salts and peppers, which were not leaked.

A vulnerability does exist only if it's possible to decrypt a multi-salted MD5 hash without knowing the algorithm used. And, even then, the only vulnerability would be if the same password can be attached to the user on other websites outside of DaniWeb/Dazah, as the login credentials wouldn't work on Dazah.

It was a decision made towards the beginning of this year for DaniWeb passwords to not be imported into Dazah. For Dazah to be at the level of security I desired, I needed the freedom to not be bound by the limitations of retrofitting on top of the old vBulletin MD5s, which is what I had been doing at the time of the leak. (Back in the day, I didn't want users to have to reset their passwords when we switched off of vBulletin.)

The description on the haveibeenpwned website does mention that passwords were not compromised, as Troy and I exchanged a couple of emails this morning before he went public with the information.

I think I'm going to go crawl into a hole and hide now.

0

Might be worth pointing out his error if so.

If you have a pre-existing relationship with Troy as a security journalist, feel free to reach out to him.

0

Quite unfortunately, AssertNull posted a thread about 2 weeks ago in which he mentioned he had recently started receiving spam to the email address associated with his DaniWeb membership. At the time, I certainly didn't think anything of it. But now I'm incredibly nervous that it wasn't a coincidence.

Davey, or anyone else out there in Internet land who has security experience, is there a way of finding out if the database has been sold or made available anywhere?

0

It would appear that the leak is available; the reason I logged in after quite a break was that I received an email from haveibeenpwned.com telling me that:

You've been pwned!
You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach:

Email found: xxxxxxxxx@gmail.com
Breach: DaniWeb
Date of breach: 1 Dec 2015
Number of accounts: 1,131,636
Compromised data: Email addresses, IP addresses, Passwords
Description: In late 2015, the technology and social site DaniWeb suffered a data breach. The attack resulted in the disclosure of 1.1 million accounts including email and IP addresses which were also accompanied by salted MD5 hashes of passwords. However, DaniWeb have advised that "the breached password hashes and salts are incorrect" and that they have since switched to new infrastructure and software.

Edited by pty: Formatting

2

I think I'm going to go crawl into a hole and hide now.

Hey Dani, I think you are doing a brilliant job of being open and up front about disclosing what you know (and what you don't) about this breach. For that alone you should be congratulated!

That the system has undergone such changes in the time since the breach occured and since it then became know does, for a large part, mitigate the impact it might have. We are not talking financial information here whatever, and any login data that may have been exfiltrated is only of real value to the hacker, or anyone who may buy (or access) the database on the dark market, if that login were to have been reused elsewhere (especially for an email account or bankling accounts of course). That multiple rounds of salted, and peppered, hashes were used and not leaked further mitigates that risk. Again, something you should be congratulated for as many breaches of the million plus magnitude involve unhashed and even plain text passwords.

I have not had a chance (courtesy of the seasonal holidays and ongoing ill health) to investigate using my dark market contacts as to whether the database has been sold. However, the fact that the breach has come to light via haveibeenpwned is evidence that database content has been 'released into the public domain' otherwise Troy would not have become aware of it.

Edited by happygeek

Votes + Comments
+1
+1
0

Welcome back, pty!! How funny! You receive an email about a data breach and so then you log in and contribute a nice article about MySQL unions. Maybe this can be a blessing in disguise if it brings more of you back here.

Yes, I'm aware that email was sent out to subscribers of haveibeenpwned.com. I'm aware so far that the leaked data wound up being recently traded amongst security websites who collect breaches, and i'm okay with that. What I'm trying to desperately uncover is whether any people with malicious intent have accessed / distributed / sold the data.

0

What I'm trying to desperately uncover is whether any people with malicious intent have accessed / distributed / sold the data.

You can assume that they have, yes.

The haveibeenpwned FAQ states that "All the data in the site comes from website breaches which have been made publicly available" as the source of the data the site refers to.

Further:

"The following activities are usually performed in order to validate breach legitimacy:

  1. Has the impacted service publicly acknowledged the breach?
  2. Does the data in the breach turn up in a Google search (i.e. it's just copied from another source)?
  3. Is the structure of the data consistent with what you'd expect to see in a breach?
  4. Have the attackers provided sufficient evidence to demonstrate the attack vector?
  5. Do the attackers have a track record of either reliably releasing breaches or falsifying them?"
0

Vigilante is showing a dump date of April 2016 for the DaniWeb breach (it also shows the hashing algo as corrupted)

LeakedSource is stating that the database (with an unknown date of breach) contains: username, hash, salt, email, ipaddress, City, birthday, Website, register_date, firstname, lastname, last_login

0

I saw that they have a dump date of April 2016, but upon inspecting the data, my last login information was December 2015, and as I log in every day, I think that's more accurate. Either way, both December and April were on the same old platform.

0

Davey, or anyone else out there in Internet land who has security experience, is there a way of finding out if the database has been sold or made available anywhere?

Is there any way of discovering who the initial hacker was and how it ended up being known about by the security people in the first place?

0

Hey Dani, I think you are doing a brilliant job of being open and up front about disclosing what you know (and what you don't) about this breach. For that alone you should be congratulated!

Thanks!! On that note, I'm actually going to retract the statement I made earlier about a Memcached firewall issue being the culprit. It looks as if I spoke too soon, or misunderstood James, and it was actually just one potential thing he was considering since memcached offers no password protection and therefore it's the only point in our network where the firewall is the only layer of protection.

Either way, it might be that we may never figure it out as we have not had access to the servers from the time of breach in a very long time, so there's not much actual investigating that can be done I'm afraid.

0

LeakedSource is stating that the database (with an unknown date of breach) contains: username, hash, salt, email, ipaddress, City, birthday, Website, register_date, firstname, lastname, last_login

While that may be true, the only items I care about are email and ipaddress, as the hash+salt are invalid and the rest can be easily accessed via a member's public profile or via the public API.

0

Is there any way of discovering who the initial hacker was and how it ended up being known about by the security people in the first place?

Discovering who hacked you is usually not an easy, nor inexpensive for that matter, task. Forensic investigation teams would need access to servers and logs to trace where and when the intrusion occured and work backwards from there.

You (DaniWeb LLC) will also need to go through the required (by statute) process of breach notification. See http://www.dwt.com/newyorkstate/ for a basic overview.

The security folk, such as Troy, monitor places like Github and dark web sites where breached databases (or part thereof) get dumped. This will be how the breach came to light, in the same way as other historical breaches which have only recently been disclosed.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.