DaniWeb is designed, developed, and maintained by a small team consisting of myself (Dani), James, our systems administrator, and Davey, our community manager. I have been working full-time, largely behind the scenes, and often putting in 80+ hour weeks, ever since I was a teenager, to build DaniWeb into what it has grown into today. Servers are expensive, and all of our expenses are paid for out of my own pocket. We have no debt and have never taken any outside funding since our inception in 2002.
Welcome to the January 2017 edition of the DaniWeb Digest
Disclosure: DaniWeb Database Breach
It is with the greatest regret that we inform our members that it came to our attention, during the holiday season, that the DaniWeb database was breached back in December 2015. The attack resulted in the disclosure of some 1,131,636 user profiles including email and IP addresses, name, date of birth and username. There appears to be some confusion as to whether passwords were stolen or not, so let us make this clear: while encrypted versions of passwords (using multiple rounds of unique salts and peppers) were accessed, there is no way of decrypting these without access to the older version of DaniWeb's codebase (which was not accessed). Further, it should be noted that the breach occurred more than a year ago, and during the past 12 months DaniWeb has migrated to an entirely new infrastructure and codebase. Not only has DaniWeb migrated from Apache to Nginx, but the login mechanism is now powered by our sister organization Dazah and is more secure as a result of having been built from the ground up with the primary function of acting as a login API.
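As an added illustration of the point above (example code, not DaniWeb's actual scheme, whose details are not public): a per-user salt is stored next to the hash in the database, while a pepper is kept only in the application's code or config. Someone holding a dump of the table cannot check password guesses against it without that pepper. The pepper value, the round count and the sample password are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed illustration. The pepper lives in application code or config,
# never in the database table that an attacker might dump.
PEPPER = b"constructed-pepper-kept-in-codebase"
ROUNDS = 100_000  # "multiple rounds": PBKDF2 iteration count


def hash_password(password: str, pepper: bytes,
                  salt: Optional[bytes] = None, rounds: int = ROUNDS) -> Dict[str, str]:
    """Build the record that sits in the DB: per-user random salt plus hash.

    The pepper keys an HMAC over the password before stretching, so the
    stored hash depends on (password, salt, pepper, rounds)."""
    salt = salt if salt is not None else os.urandom(16)
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, rounds)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": str(rounds)}


def verify(password: str, record: Dict[str, str], pepper: bytes) -> bool:
    """Server-side check: recompute with the stored salt and the code-side pepper."""
    cand = hash_password(password, pepper, bytes.fromhex(record["salt"]), int(record["rounds"]))
    return hmac.compare_digest(cand["hash"], record["hash"])


def crack_dump(record: Dict[str, str], wordlist: Iterable[str],
               pepper: Optional[bytes]) -> Optional[str]:
    """Offline-guess model: the attacker holds the dumped record and a wordlist.

    Without the pepper they can only assume some value (modelled here as the
    empty pepper), so even the correct word never matches. If the codebase
    holding the pepper had also leaked, this protection would be gone."""
    assumed = pepper if pepper is not None else b""
    for word in wordlist:
        if verify(word, record, assumed):
            return word
    return None


# Constructed sample: one user record as it would appear in the dumped table.
SAMPLE_PASSWORD = "correct horse battery"
SAMPLE_RECORD = hash_password(SAMPLE_PASSWORD, PEPPER)
WORDLIST = ["password", "123456", SAMPLE_PASSWORD, "letmein"]

if __name__ == "__main__":
    print("server verify :", verify(SAMPLE_PASSWORD, SAMPLE_RECORD, PEPPER))
    print("dump + pepper :", crack_dump(SAMPLE_RECORD, WORDLIST, PEPPER))
    print("dump only     :", crack_dump(SAMPLE_RECORD, WORDLIST, None))
```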
As soon as word of the breach reached us here at DaniWeb, we started investigating the potential cause. However, DaniWeb no longer has access to any of the hardware that was in use at the time of the breach. All we can say at this point, other than expressing how sorry we are that this attack succeeded, is that because the entire DaniWeb software has been rewritten from the ground up (based upon the new Dazah platform), the exfiltrated credentials cannot be used successfully on either DaniWeb or Dazah. This is because a decision was taken at the start of 2016 not to allow DaniWeb passwords to be imported into Dazah.
A discussion thread has been opened on DaniWeb here where you can ask questions or catch up with the latest breach-related news.
In the meantime, here are some tips on how you can best protect yourself and your data. This starts with knowing what information may have been accessed by the perpetrator of the hack, and what will be available to anyone who obtains the stolen database once it is published. Just as important as what information may have been accessed, however, is what hasn't. So, while DaniWeb understands that email and IP addresses, name, username and date of birth were amongst the information exfiltrated, to the best of our knowledge no payment card or financial data, and no unencrypted passwords, were stolen. As already noted, the infrastructure that DaniWeb operates upon (and the software that drives it) has seen a root-and-branch change since the time of the unauthorized system access. This means that neither the original hacker, nor anyone into whose hands the stolen database might fall, can access your DaniWeb account using your old login data.
However, if you re-used those logins (or just the passwords) at other services, then access to those services could be possible where two-factor authentication is not in place. To be better safe than sorry, DaniWeb strongly advises that you:
These password management applications can help automate the process of changing multiple logins, so it's not as daunting as it might sound. This is good general security advice in any case, as is enabling the aforementioned two-factor authentication (2FA) options where they are offered. These add an extra layer to the login process, usually by way of a unique, time-limited code generated by an app on your smartphone. With the addition of an authentication code, gaining access to your account requires both something you know (your username and password) and something you have (your smartphone). If 2FA is not an option, then make sure your password isn't weak: that means at least 12 characters in length and not consisting of dictionary words. Unless your password is lengthy and comprised of a mixture of upper and lower case letters, non-alphabetic characters and numerals then, frankly, it's so easy to crack that you might as well consider it stolen anyway...