This month's newsletter is brought to you by …

Please consider a DaniWeb donation

DaniWeb is designed, developed, and maintained by a small team consisting of myself (Dani), James, our systems administrator, and Davey, our community manager. I have been working full-time, largely behind the scenes, and often putting in 80+ hour weeks, ever since I was a teenager, to build DaniWeb into what it has grown into today. Servers are expensive, and all of our expenses are paid for out of my own pocket. We have no debt and have never taken any outside funding since our inception in 2002.

This website and its community have been both my livelihood and my passion project for more than half my life, and it warms my heart to see how many others out there it touches. If you have ever found DaniWeb helpful, useful, fun, a great learning experience, or a place to meet, talk to and share ideas with smart, talented people, or if it has in some way enhanced your life over the past two decades, please help us out with a financial contribution.

Welcome to the September edition of the DaniWeb Digest, our newsletter that is exclusively for DaniWeb community members.

It has come to our attention that some members of DaniWeb have received notifications from ID monitoring companies that have caused concern. These notices report that DaniWeb member accounts have been hacked, and the wording is such that some recipients have contacted us because they are worried that their login email and password have been compromised.

We have investigated this matter and concluded that the notifications refer to data being traded on dark web sites, where criminals buy and sell databases of logins taken from breaches. The DaniWeb breach in question happened back in December 2015 and came to our attention here at DaniWeb in January 2017.

The notifications that we have seen do not state that DaniWeb passwords have been exposed in plain text: the entries for the password field are all obscured with asterisks rather than being populated with a partial string, as the username and email fields are. This is because the passwords were (and remain) stored only as hashes, and those hashes have not been cracked back to plain text.

Although the advice given by identity monitoring services is good, in this case we do not believe that there has been any 'cracking' of the password hashes used on DaniWeb at the time of the breach. While hashed versions of passwords were stolen, without access to the old version of DaniWeb's code base there is no way for a hacker to reconstruct the custom hashing scheme, which included multiple unique salts, that was employed.
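To make the argument above concrete, here is an added example (not DaniWeb or Dazah code; the original scheme is not published, and nothing below is a claim about it) of why a password table leaks far less when the hashing depends on a secret that lives only in the application code. It models one common way to do that: a per-user salt stored next to the hash in the database, plus a pepper kept only in code or config, mixed in with HMAC before PBKDF2. The pepper value, the users and the wordlist are all constructed for the example. It then plays the attacker twice against the same leaked row: once holding the code base (and so the pepper), once holding only the database dump.

```python
"""Salted and peppered password hashing, and what a leaked table gives an attacker.

Added example, not code from DaniWeb or Dazah. The scheme (PBKDF2-HMAC-SHA256 over an
HMAC of the password keyed with a pepper) is an assumption chosen for illustration;
the pepper, the users and the wordlist below are constructed.
"""
import hashlib
import hmac
import secrets

# Hypothetical pepper: a secret that is part of the code base or its config and is
# never written to the database, so it is absent from a database-only leak.
PEPPER = b"hypothetical-pepper-from-application-config"

# Kept low so the cracking simulation below runs in well under a second;
# a production deployment would use a far higher iteration count.
ROUNDS = 2_000


def hash_password(password: str, salt: bytes, pepper: bytes, rounds: int = ROUNDS) -> bytes:
    """Return PBKDF2-HMAC-SHA256(HMAC(pepper, password), salt, rounds)."""
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, rounds)


def make_record(password: str, pepper: bytes = PEPPER) -> dict:
    """What the database stores for one user: salt and hash, but never the pepper."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt, pepper)}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Login-time check; constant-time comparison avoids leaking partial matches."""
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])


def offline_crack(record: dict, wordlist, pepper_guess: bytes):
    """Simulate an attacker holding one leaked row (salt + hash) who tries a wordlist
    with whatever pepper they believe was used. Returns the matching password or None."""
    for word in wordlist:
        guess = hash_password(word, record["salt"], pepper_guess)
        if hmac.compare_digest(guess, record["hash"]):
            return word
    return None


# Constructed leaked table and attacker wordlist (weak password on purpose).
WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty"]
LEAKED = {"alice@example.invalid": make_record("letmein")}


def demo():
    """Returns (result with the code base, result with only the database dump)."""
    row = LEAKED["alice@example.invalid"]
    with_code_base = offline_crack(row, WORDLIST, PEPPER)   # attacker knows the pepper
    dump_only = offline_crack(row, WORDLIST, b"")           # attacker has no pepper
    return with_code_base, dump_only


if __name__ == "__main__":
    print(demo())
```

The run shows the asymmetry the newsletter relies on: with the pepper, a weak password in a small wordlist falls immediately even though it is salted; without it, the same wordlist matches nothing, and no amount of GPU time helps unless the pepper is also obtained. The caveat a practitioner should keep in mind is that the protection comes from the pepper being a secret the attacker does not have, not from the algorithm being unusual; a salted hash whose full recipe can be inferred or guessed is crackable offline at ordinary wordlist speeds.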

Indeed, when the compromise was first reported by the well-respected 'Have I Been Pwned' site at the start of the year, its description of the breach stated that passwords were not compromised because the hashes and salts were incorrect. Vigilante, another site that monitors dark web activity, reported at the time that the password hashing algorithm was corrupted, which again makes recovering the plain-text passwords all but impossible.

Just to be clear, 18 months ago DaniWeb migrated to entirely new infrastructure with a new code base, and the login mechanism is now powered by Dazah, which is substantially more secure. At the time of the migration, all DaniWeb members were required to create a new login password.

The most likely reason for these new notifications to have appeared now is that a database of stolen credentials (including the email addresses and still-hashed passwords from the DaniWeb breach) has been offered for sale on a specific dark web market monitored by the services in question.

Here's our original breach disclosure from January, which still stands today:

It is with the greatest regret that we inform our members that it has come to our attention, during the holiday season, that the DaniWeb database was breached back in December 2015. The attack resulted in the disclosure of some 1,131,636 user profiles, including email and IP addresses, name, date of birth and username. There appears to be some confusion as to whether passwords were stolen or not, so let us make this clear: while hashed versions of passwords (using multiple rounds of unique salts and peppers) were accessed, there is no way of recovering the plain-text passwords from these without access to the older version of DaniWeb's code base (which was not accessed). Further, it should be noted that the breach occurred more than a year ago, and during the past 12 months DaniWeb has migrated to an entirely new infrastructure and code base. Not only has DaniWeb migrated from Apache to Nginx, but the login mechanism is now powered by our sister organization Dazah and is more secure as a result of being built from the ground up with the primary function of acting as a login API.

As soon as word of the breach reached us here at DaniWeb, we started investigating the potential cause. However, DaniWeb no longer has access to any of the hardware that was in use at the time of the breach. All we can say at this point in time, other than expressing how sorry we are that this attack should have been successful, is that with the entire DaniWeb software having been rewritten from the ground up (based upon the new Dazah platform), the exfiltrated credentials cannot successfully be used on either DaniWeb or Dazah. This is because a decision was taken at the start of 2016 not to import DaniWeb passwords into Dazah.

A discussion thread has been opened on DaniWeb here where you can ask questions or catch up with the latest breach-related news.

In the meantime, here are some tips on how you can best protect yourself and your data. This starts with knowing what information may have been accessed by the perpetrator of the hack and made available to others upon publication of the stolen database. However, just as important as what information may have been accessed is what hasn't. So, while DaniWeb understands that email and IP addresses, name, username and date of birth were among the information exfiltrated, to the best of our knowledge no payment card details, financial data or plain-text passwords were stolen. As already noted, the infrastructure that DaniWeb operates on (and the software that drives it) has seen a root-and-branch change since the time of the unauthorized system access. This means that neither the original hacker, nor anyone into whose hands the stolen database might fall, can access your DaniWeb account using your old login data.

However, if you re-used those logins (or just the passwords) at other services, then access to those services could be possible where two-factor authentication is not in place. To be safe rather than sorry, DaniWeb strongly advises that you change any passwords where such re-use has occurred.

© 2018 DaniWeb® LLC