This month's newsletter is brought to you by …
DaniWeb is designed, developed, and maintained by a small team consisting of myself (Dani), James, our systems administrator, and Davey, our community manager. I have been working full-time, largely behind the scenes, and often putting in 80+ hour weeks, ever since I was a teenager, to build DaniWeb into what it has grown into today. Servers are expensive, and all of our expenses are paid for out of my own pocket. We have no debt and have never taken any outside funding since our inception in 2002.
Welcome to the September edition of the DaniWeb Digest, our newsletter that is exclusively for DaniWeb community members.
It has come to our attention that some members of DaniWeb have received notifications from ID monitoring companies that have been a cause for concern. These notices report that DaniWeb member accounts have been hacked, and the wording is such that some recipients have contacted us because they are worried that their login email and password have been compromised.
We have investigated this matter and concluded that the notifications refer to data being traded on dark web sites, where criminals buy and sell databases of logins from breaches. The DaniWeb breach in question happened back in December 2015 and came to our attention here at DaniWeb in January 2017.
The notifications that we have seen do not state that DaniWeb passwords have been compromised, or at least not that they have been decrypted: the entries for the password field are all obscured with asterisks, rather than being populated with a partial string as the username and email fields are. This is because the passwords were (and remain) encrypted and have not been decrypted to plain text.
Although the advice given by identity monitoring services is good, in this case we do not believe that there has been any 'cracking' of the encryption used on DaniWeb passwords at the time of the breach. While encrypted versions of passwords were stolen, without access to the old version of DaniWeb's code base there is no way for a hacker to work out the unique encryption method, which included multiple unique salts, that was employed.
Indeed, when the compromise was first reported by the well-respected 'Have I Been Pwned' site at the start of the year, the description of the breach stated that passwords were not compromised because the hashes and salts were incorrect. Vigilante, another site that watches for dark web activity, reported at the time that the hashing algorithm for passwords was corrupted which, again, makes decryption all but impossible.
Just to be clear, 18 months ago DaniWeb migrated to entirely new infrastructure with a new code base, and the login mechanism is now powered by Dazah, which is far more secure. At the time of the migration, all DaniWeb members were required to create a new login password.
The most likely reason for these new notifications to have appeared now is that a database of stolen credentials (including the emails and still-encrypted passwords from the DaniWeb breach) has been offered for sale on a specific dark web market monitored by the services in question.
Here's our original breach disclosure from January, which still stands today: