*CRITICAL* Website Server Compromised - READ THIS - ACTION NEEDED

edited April 2018 in Announcements
Dear Biohack.me Community,

We are pissed and dismayed to say that our website server has been compromised. Thanks to tekniklr and bird’s investigation about password reset issues we now know that someone, possibly through a PHP or Vanilla bug, was able to access the server and all our hashed passwords. Did we mention pissed?

Securing and patching the server ASAP is the priority for us. We are also reporting this to the haveibeenpwned site so any less active users will know.

We are telling everyone right away for transparency and so you can secure your other logins. While we hope that everyone uses a password manager and unique passwords on every site that’s probably not going to be true.

Action Item 1: DO NOT CHANGE YOUR BIOHACK.ME PASSWORD — until we give the all clear it would still be compromised. When we give the all clear, don’t use a password that you use on other sites. 

Action 2: If you use your biohack.me password on other sites (which is way more common than we like to think), please go change those passwords. 

We’ll keep you updated here. 

Thanks,

Comments

  • Yikes, that's atrocious to hear. Thanks for passing word along. Managed to go ahead and change other platforms. Thank you for bringing this to our attention, and good luck getting everything sorted out!
  • Thanks for the heads up.
  • edited August 2017
    Update: 
    The hosting company did a scan and found nothing [additionally] malicious. However no software is going to be able to detect all malicious content. We are in the process of reviewing, cleaning up and patching all the server things.
  • The mobile site is trashed too, by the way. ;~;
  • Just went in and did some hotfixes on the mobile theme. Should be functioning now, if nothing else.

    New Upgrades are just about ready to launch and I am *SO* happy to say we won't need to wait for Discord to get actually viable, usable mobile functionality :D

    So excited to stop having to just say Soon, soon. Progress updates are in the website room in Slack if you want some previews and updates.
  • Confirmed, mobile functions properly now. ^^

    Proceeding happily :D
  • So is the plan to move to discord?
  • I'm honestly surprised it hasn't happened sooner, and glad it was fixed so quickly.
  • Y'all might have noticed a handful of errors over lunch. All to good ends, I promise!

    We're now patched up to the latest version of Vanilla!
    We still need to make some more server adjustments, so please take note to specify https. Currently it's not being enforced by default (yet).

  • Was going to say when I looked yesterday the mobile site was broken. Anyway thanks for being so open about it. Hopefully it doesn't happen again.

  • https seems to be enforced now, so please carry on as usual!

  • I see the website's been updated

  • Were the hashed passwords salted? Will there be email comms on this?
    Cheers for taking some good measures to inform users of the risks.

  • Unfortunately, we cannot confirm if they were salted. Such is the nature of inheriting a legacy system :( apologies for that.

    An email should have gone out to users who no longer visit by way of haveibeenpwned(https://haveibeenpwned.com/), which tekniklr submitted our user list to.
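    As an added illustration for the salting question above (this is not code from Biohack.me or from Vanilla): when you inherit a legacy user table, the shape of the stored hash string is often the quickest way to tell whether a salt is embedded in it. The sample usernames and hashes below are constructed, not data from this breach, and the format rules are assumptions about common PHP-era schemes (phpass `$P$`, bcrypt `$2y$`, bare hex digests). A bare hex digest cannot be confirmed salted from the string alone (the salt may have lived in a separate column, or not at all), which is exactly the "cannot confirm" situation described in the thread, so the audit groups those users as candidates for a forced reset rather than declaring them unsalted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample user table (hypothetical usernames and hashes, NOT data
# from the Biohack.me breach). Each value is a textbook-shaped example of one
# storage format.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",  # bcrypt
    "bob": "$P$BXc4dX6jK7UFd3XoG9OBSXD4AW13HP1",                              # phpass
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",                             # bare md5 hex
    "dave": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",                      # bare sha1 hex
    "erin": "plaintext-oops",                                                # unrecognised
}

# (format name, pattern, salt embedded in the string). These are assumed shapes
# of common formats, ordered from most to least specific.
HASH_FORMATS: List[Tuple[str, "re.Pattern[str]", bool]] = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$"), True),
    ("phpass", re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$"), True),
    ("argon2", re.compile(r"^\$argon2(?:id|i|d)\$"), True),
    ("sha512crypt", re.compile(r"^\$6\$"), True),
    ("md5-hex", re.compile(r"^[0-9a-f]{32}$"), False),
    ("sha1-hex", re.compile(r"^[0-9a-f]{40}$"), False),
    ("sha256-hex", re.compile(r"^[0-9a-f]{64}$"), False),
]


def classify_hash(stored: str) -> Tuple[str, bool]:
    """Return (format_name, salt_embedded) for one stored hash string.

    False for salt_embedded means "no salt visible in this string", not
    "definitely unsalted": a bare digest may have used a salt stored elsewhere.
    """
    for name, pattern, salted in HASH_FORMATS:
        if pattern.match(stored):
            return name, salted
    return "unknown", False


def audit_salting(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Split users into those whose hash visibly embeds a salt and those who
    cannot be confirmed salted from the stored string (forced-reset candidates)."""
    report: Dict[str, List[str]] = {"salted": [], "unconfirmed": []}
    for user, stored in users.items():
        _, salted = classify_hash(stored)
        report["salted" if salted else "unconfirmed"].append(user)
    return report


if __name__ == "__main__":
    for user, stored in SAMPLE_USERS.items():
        print(user, classify_hash(stored))
    print(audit_salting(SAMPLE_USERS))
```

    Run against a real export, the "unconfirmed" list is the set of accounts whose credentials should be treated as exposed in the clear once the dump is out, regardless of what the original application intended.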

  • That email has not gone out yet, but we have submitted all user emails to haveibeenpwned.

  • Are we cleared to change our passwords then? Or is there more to the new site rollout?

  • HTTPS seems to be behaving now, so everyone should be cleared to update their passwords. Do be mindful if you notice you wind up on plain http though, and please tell us where so we can fix it :smile:

  • Thanks for reporting. Just got a notification via email today from the "have i been hacked" website with details as follows:

    Breach: Biohack.me
    Date of breach: 2 Dec 2016
    Number of accounts: 3,402
    Compromised data: Email addresses, Passwords, Private messages, Usernames
    Description: In December 2016, the forum for the biohacking website Biohack.me suffered a data breach that exposed 3.4k accounts. The data included usernames, email addresses and hashed passwords along with the private messages of forum members. The data was self-submitted to HIBP by the Biohack.me operators.

  • I have not received any email about such an event. I just want to let you know in case others didn't get it either.

  • edited September 2017

    Is it safe yet? D:>

    Also, @cyberlass / @BirdMachine ERROR!!

    The mobile version... I looked at it.. It's black text on black background for default... It's really hard to read. Just mentioning it. ;^;

  • ^^ proceeding happily. Mobile is crisp.

  • Mobile should be behaving now, yep :) glad the fix worked!

    Larry, any luck with the Have I Been Pwned one? Nothing in spam?

  • @BirdMachine No emails in spam either. Haveibeenpwned shows loads of leaks though O.o

  • What a nice thing to come back to....-__-

  • Am I going crazy or did there used to be a "mark all viewed button" that isn't there anymore? If that was removed, is it possible to put it back...?

  • It's not there by default. I used to activate it twice because I personally hate to be forced to click all the discussions individually when I was not active for two weeks. Appears it got deactivated again for some reason. I did not re-activate it since there might be a reason for its deactivation, but if there are no reasons against it, I'd like to enable it again.

  • edited October 2017

    This is probably the wrong place to post this but is there any way to change the # of views, # of comments, most recent, etc. to a darker font? It might just be something with my browser (or my eyes) but I need to highlight it or look very closely to see it.

  • We have been trying to look into some problems with getting the email server sending notifications, so it's possible it got deactivated during a plugin cleansing process? There's no reason against it, so I dug it up and flipped it back on :) Should now be back to showing between Inbox and your Profile! Apologies for that.

    The darker font should be pretty easy to update, I'll see what I can pull off today

  • Awesome thanks :)
