This month's newsletter is brought to you by …

Please consider a DaniWeb donation

DaniWeb is designed, developed, and maintained by a small team consisting of myself (Dani), James, our systems administrator, and Davey, our community manager. I have been working full-time, largely behind the scenes, and often putting in 80+ hour weeks, ever since I was a teenager, to build DaniWeb into what it has grown into today. Servers are expensive, and all of our expenses are paid for out of my own pocket. We have no debt and have never taken any outside funding since our inception in 2002.

This website and its community have been both my livelihood as well as my passion project for more than half my life, and it warms my heart to see how many others out there it touches. If you have ever found DaniWeb helpful, useful, fun, a great learning experience, a place to meet, talk to and share ideas with smart, talented people, or if it has in some way enhanced your life over the past two decades, please help us out with a financial contribution.

Welcome to the January 2017 edition of the DaniWeb Digest

Disclosure: DaniWeb Database Breach

It is with the greatest regret that we inform our members that it came to our attention, during the holiday season, that the DaniWeb database was breached back in December 2015. The attack resulted in the disclosure of some 1,131,636 user profiles, including email and IP addresses, name, date of birth and username. There has been some confusion as to whether passwords were stolen, so let us be clear: the stored password hashes were accessed, but plaintext passwords were not. Each password was hashed over multiple rounds with a per-user salt and a server-side pepper held in the application code, so the stored values cannot be reversed, and without the pepper (which lived in the older version of DaniWeb's codebase, which was not accessed) they cannot usefully be brute-forced either. Further, the breach occurred more than a year ago, and during the past 12 months DaniWeb has migrated to an entirely new infrastructure and codebase. DaniWeb has moved from Apache to Nginx, and the login mechanism is now provided by our sister organization Dazah, which was built from the ground up to act as a login API and is more secure as a result.
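The storage scheme described above, as an added illustration that is not DaniWeb's or Dazah's own code: a per-user salt stored beside the hash in the database, and a pepper that exists only in the application code. The function names, iteration count, pepper value, wordlist and the sample leaked row are all assumptions constructed for the example. It shows why an attacker holding only the database rows cannot run a dictionary attack, while one who also obtained the codebase (and so the pepper) could crack a weak password.

```python
import hashlib
import hmac
import os

# Added example, not DaniWeb's or Dazah's code. It models the password storage
# the disclosure describes: a per-user salt (stored with the hash in the database)
# plus a server-side pepper (held only in the application code). Names, the
# iteration count and the sample rows below are assumptions.

ROUNDS = 100_000                                      # PBKDF2 iteration count (assumption)
PEPPER = b"pepper-that-lives-only-in-the-codebase"    # constructed; never written to the DB


def hash_password(password: str, salt: bytes, pepper: bytes, rounds: int = ROUNDS) -> bytes:
    """Return the stored digest for `password`.

    The pepper is folded in first via HMAC, so every stored value depends on a
    secret that a copy of the users table does not contain; the salt then makes
    each user's hash distinct even when two users chose the same password.
    """
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, rounds)


def make_row(username: str, password: str, pepper: bytes = PEPPER) -> dict:
    """What the application writes to the users table: salt and hash, no pepper, no plaintext."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt, pepper)}


def verify(row: dict, password: str, pepper: bytes = PEPPER) -> bool:
    """Login check: recompute with the stored salt and the code-side pepper, compare in constant time."""
    return hmac.compare_digest(hash_password(password, row["salt"], pepper), row["hash"])


def offline_guess(row: dict, wordlist, pepper: bytes):
    """Dictionary attack against one leaked row, as an attacker would run it.

    The attacker has the row (salt + hash) and a wordlist, and must supply a
    pepper. Without the real pepper no guess will ever match, not even the right one.
    """
    for guess in wordlist:
        if hmac.compare_digest(hash_password(guess, row["salt"], pepper), row["hash"]):
            return guess
    return None


# Constructed sample: one leaked row whose owner chose a weak password.
LEAKED_ROW = make_row("alice", "letmein1")
WORDLIST = ["password", "123456", "qwerty", "letmein1", "daniweb"]


def demo() -> dict:
    return {
        "login_ok": verify(LEAKED_ROW, "letmein1"),
        "login_bad": verify(LEAKED_ROW, "letmein2"),
        # Attacker who also obtained the codebase (and thus the pepper): the weak password falls.
        "cracked_with_pepper": offline_guess(LEAKED_ROW, WORDLIST, PEPPER),
        # Attacker with only the database dump must guess the pepper as well, so the
        # wordlist attack finds nothing.
        "cracked_without_pepper": offline_guess(LEAKED_ROW, WORDLIST, b"attacker-guessed-pepper"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The pepper protects only as long as it stays out of the database and out of the attacker's hands; a weak password is still crackable by anyone who obtains both the rows and the code, which is why the advice further down to change reused passwords stands regardless.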

As soon as word of the breach reached us here at DaniWeb, we started investigating the potential cause. However, DaniWeb no longer has access to any of the hardware that was in use at the time of the breach, so the root cause cannot be established from it. All we can say at this point, other than expressing how sorry we are that this attack was successful, is that because the entire DaniWeb software has been rewritten from the ground up on the new Dazah platform, the exfiltrated credentials cannot be used to log in to either DaniWeb or Dazah. This is because a decision was taken at the start of 2016 not to import DaniWeb passwords into Dazah.

A discussion thread has been opened on DaniWeb here where you can ask questions or catch up with the latest breach-related news.

In the meantime, here are some tips on how best to protect yourself and your data. The starting point is knowing what information the attacker may have accessed, and therefore what is available to anyone who obtains the published database. Just as important is what was not accessed. To the best of our knowledge, email and IP addresses, names, usernames and dates of birth were among the information exfiltrated, but no payment card or financial data and no plaintext passwords were stolen. As already noted, the infrastructure DaniWeb runs on (and the software that drives it) has undergone a root and branch change since the unauthorized access. This means that neither the original attacker, nor anyone into whose hands the stolen database might fall, can access your DaniWeb account using your old login data.

However, if you re-used that password (or the same username and password) at other services, then those accounts could be at risk wherever two-factor authentication is not in place. To be safe rather than sorry, DaniWeb strongly advises that you:

  1. Change any passwords where such re-use has occurred
  2. Employ a secure password vault so as to be able to manage both strong and unique passwords for every site and service

Password managers can also automate changing multiple logins, so it is less daunting than it sounds. This is good general security advice in any case, as is enabling the two-factor authentication (2FA) options mentioned above wherever they are offered. 2FA adds an extra step to the login process, usually a unique, time-limited code generated by an app on your smartphone. With that code required, access takes both something you know (your username and password) and something you have (your smartphone), so a leaked or reused password alone is not enough to get in. If 2FA is not an option, then make sure your password is not weak: at least 12 characters and not made up of dictionary words. Unless your password is long and mixes upper and lower case letters, digits and non-alphabetic characters then, frankly, anyone who obtains its hash can crack it so quickly that you might as well consider it stolen already...
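How such a time-limited code is produced and checked, as an added example that is not DaniWeb's or Dazah's code: a minimal implementation of the HOTP and TOTP algorithms (RFC 4226 and RFC 6238) that common authenticator apps use. The shared secret is the RFC 6238 reference test secret; the time values, acceptance window and helper names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not DaniWeb's or Dazah's code: a minimal RFC 4226/6238
# HOTP/TOTP implementation showing what "a unique, time-limited code generated
# by an app on your smartphone" actually is. Step size, digit count, window and
# the demo secret are assumptions / constructed test inputs.

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second windows since the Unix epoch.
    This is what the phone app computes; it needs only the shared secret and its clock."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Server-side check. Accept the current window plus `window` steps either side to
    absorb clock drift, compare in constant time, and reject everything else."""
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def provisioning_secret(secret: bytes) -> str:
    """The form the shared secret takes in the enrolment QR code / manual-entry string: base32."""
    return base64.b32encode(secret).decode("ascii")


# Constructed shared secret: the RFC 6238 reference test secret (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    now = time.time()
    print("secret for the authenticator app:", provisioning_secret(DEMO_SECRET))
    print("code for the current 30-second window:", totp(DEMO_SECRET, now))
```

A code is only as good as the secret behind it, so the secret belongs on the phone and in the server's database, never in the password field. A production verifier should also remember the last counter it accepted for each user and refuse to accept that counter again, so that a code observed in transit cannot be replayed inside the drift window.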

© 2018 DaniWeb® LLC