It is with deep regret that I inform everyone that it just very recently came to my attention that the DaniWeb database was breached in December 2015. Over a million user profiles, including email addresses and IP addresses, were stolen. Logins and passwords were protected through an additional security layer and were NOT able to be stolen.

While encrypted versions of passwords were stolen, without access to the old version of DaniWeb's code base, there is no way for a hacker to figure out the very unique encryption method, which included multiple unique salts, which we used.

Please note this attack happened over a year ago. Over the past year, DaniWeb migrated to entirely new infrastructure, a new code base, off of Apache and onto Nginx, and its login mechanism is now powered by Dazah, which is infinitely more secure.

All 20 Replies

Just out of curiosity, how did you come to learn of this? And, again, out of curiosity, what was the vulnerability?

I am interested to know how you got to know this.

Just out of curiosity, how did you come to learn of this?

The leaked data wound up being recently traded amongst security websites who collect breaches:

https://vigilante.pw/
https://haveibeenpwned.com/
https://www.leakedsource.com/

And, again, out of curiosity, what was the vulnerability?

We believe that we were exploited during a temporary firewall-related issue with one of our old memcached servers last year. Needless to say, this entire breach was just uncovered now, and we are currently on entirely different and much more secure infrastructure (both different hardware and software) ever since the shift to the Dazah platform over the summer. We're simply infinitely more secure because Dazah was designed to be that way from the ground up as one of its primary functions is to be a login API.

While we're still looking into the definite cause of the vulnerability, we no longer have access to any of the hardware that was being used at the time, and the entire DaniWeb software has since been rewritten from the ground up to be based on the Dazah platform. Therefore, the most we can really do is look back at logs and speculate as to when something might have been exposed, and James mentioned to me a firewall incident that temporarily exposed memcached around the time of the breach, so that's the best guess as of right now.

I just want to reiterate, however, that passwords were not leaked. Emails, unfortunately, were.

Troy over at haveibeenpwned is saying that salted MD5 hashes of passwords were amongst the leaked data; is this not the case then, Dani? Might be worth pointing out his error if so.

It's true that the leak does include salted MD5 passwords. However, two things to note: Firstly, the fields were leftover from our old vBulletin days. Secondly, even then, we used multiple rounds of salts and peppers, which were not leaked.

A vulnerability does exist only if it's possible to decrypt a multi-salted MD5 hash without knowing the algorithm used. And, even then, the only vulnerability would be if the same password can be attached to the user on other websites outside of DaniWeb/Dazah, as the login credentials wouldn't work on Dazah.

It was a decision made towards the beginning of this year for DaniWeb passwords to not be imported into Dazah. For Dazah to be at the level of security I desired, I needed the freedom to not be bound by the limitations of retrofitting on top of the old vBulletin MD5s, which is what I had been doing at the time of the leak. (Back in the day, I didn't want users to have to reset their passwords when we switched off of vBulletin.)

The description on the haveibeenpwned website does mention that passwords were not compromised, as Troy and I exchanged a couple of emails this morning before he went public with the information.

I think I'm going to go crawl into a hole and hide now.
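To illustrate the distinction drawn above between the leaked hash+salt pairs and the extra rounds that were not leaked, here is an added Python example (not DaniWeb's or Dazah's code). It assumes the vBulletin 3/4 layout md5(md5(password) + salt) for the legacy column and uses an HMAC with a server-side pepper as a stand-in for the undisclosed extra layer; every salt, pepper and password is a constructed value.

```python
import hashlib
import hmac

# Constructed values for the demonstration; not DaniWeb's real salts, pepper or code.
SALT = "Ab3$"
PEPPER = "constructed-pepper-kept-in-app-config-not-in-db"


def vbulletin_hash(password: str, salt: str) -> str:
    """Assumed vBulletin 3/4 layout: md5(md5(password) + salt).
    The salt sits in the same table row as the hash, so a dump carries both."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def peppered_hash(password: str, salt: str, pepper: str) -> str:
    """Stand-in for the unleaked extra layer: keyed HMAC over the legacy digest
    with a pepper that lives in application config, never in the database."""
    legacy = vbulletin_hash(password, salt)
    return hmac.new(pepper.encode("utf-8"), legacy.encode("utf-8"), hashlib.sha256).hexdigest()


def server_verify(password: str, salt: str, stored: str, pepper: str = PEPPER) -> bool:
    """Login path on the server, which does hold the pepper."""
    return hmac.compare_digest(peppered_hash(password, salt, pepper), stored)


def dump_only_verify(candidate: str, row: dict) -> bool:
    """What a party holding only the dumped row (hash + salt, no pepper, no source)
    can check: recompute the public legacy scheme and compare. This confirms a guess
    against a bare vBulletin row but never matches a peppered row, because the stored
    value was never equal to md5(md5(pw) + salt)."""
    return hmac.compare_digest(vbulletin_hash(candidate, row["salt"]), row["hash"])


def make_rows(password: str = "correct horse") -> tuple:
    """Build one legacy-style row and one peppered row for the same constructed password."""
    legacy_row = {"salt": SALT, "hash": vbulletin_hash(password, SALT)}
    peppered_row = {"salt": SALT, "hash": peppered_hash(password, SALT, PEPPER)}
    return legacy_row, peppered_row


if __name__ == "__main__":
    legacy, peppered = make_rows()
    print("dump-only check, bare vBulletin row:", dump_only_verify("correct horse", legacy))
    print("dump-only check, peppered row:", dump_only_verify("correct horse", peppered))
    print("server login with pepper:", server_verify("correct horse", SALT, peppered["hash"]))
```

The pepper only holds while it stays out of both the dump and the code base, and it does nothing to make MD5 itself slow, so a purpose-built password hash remains the proper replacement for the legacy column.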

Might be worth pointing out his error if so.

If you have a pre-existing relationship with Troy as a security journalist, feel free to reach out to him.

Quite unfortunately, AssertNull posted a thread about 2 weeks ago in which he mentioned he had recently started receiving spam to the email address associated with his DaniWeb membership. At the time, I certainly didn't think anything of it. But now I'm incredibly nervous that it wasn't a coincidence.

Davey, or anyone else out there in Internet land who has security experience, is there a way of finding out if the database has been sold or made available anywhere?

It would appear that the leak is available; the reason I logged in after quite a break was that I received an email from haveibeenpwned.com telling me that:

You've been pwned!
You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach:

Email found: xxxxxxxxx@gmail.com
Breach: DaniWeb
Date of breach: 1 Dec 2015
Number of accounts: 1,131,636
Compromised data: Email addresses, IP addresses, Passwords
Description: In late 2015, the technology and social site DaniWeb suffered a data breach. The attack resulted in the disclosure of 1.1 million accounts including email and IP addresses which were also accompanied by salted MD5 hashes of passwords. However, DaniWeb have advised that "the breached password hashes and salts are incorrect" and that they have since switched to new infrastructure and software.

I think I'm going to go crawl into a hole and hide now.

Hey Dani, I think you are doing a brilliant job of being open and up front about disclosing what you know (and what you don't) about this breach. For that alone you should be congratulated!

That the system has undergone such changes in the time since the breach occurred and since it then became known does, for a large part, mitigate the impact it might have. We are not talking financial information here whatsoever, and any login data that may have been exfiltrated is only of real value to the hacker, or anyone who may buy (or access) the database on the dark market, if that login were to have been reused elsewhere (especially for an email account or banking accounts of course). That multiple rounds of salted, and peppered, hashes were used and not leaked further mitigates that risk. Again, something you should be congratulated for as many breaches of the million plus magnitude involve unhashed and even plain text passwords.

I have not had a chance (courtesy of the seasonal holidays and ongoing ill health) to investigate using my dark market contacts as to whether the database has been sold. However, the fact that the breach has come to light via haveibeenpwned is evidence that database content has been 'released into the public domain' otherwise Troy would not have become aware of it.


Welcome back, pty!! How funny! You receive an email about a data breach and so then you log in and contribute a nice article about MySQL unions. Maybe this can be a blessing in disguise if it brings more of you back here.

Yes, I'm aware that email was sent out to subscribers of haveibeenpwned.com. I'm aware so far that the leaked data wound up being recently traded amongst security websites who collect breaches, and I'm okay with that. What I'm trying to desperately uncover is whether any people with malicious intent have accessed / distributed / sold the data.

What I'm trying to desperately uncover is whether any people with malicious intent have accessed / distributed / sold the data.

You can assume that they have, yes.

The haveibeenpwned FAQ states that "All the data in the site comes from website breaches which have been made publicly available" as the source of the data the site refers to.

Further:

"The following activities are usually performed in order to validate breach legitimacy:

  1. Has the impacted service publicly acknowledged the breach?
  2. Does the data in the breach turn up in a Google search (i.e. it's just copied from another source)?
  3. Is the structure of the data consistent with what you'd expect to see in a breach?
  4. Have the attackers provided sufficient evidence to demonstrate the attack vector?
  5. Do the attackers have a track record of either reliably releasing breaches or falsifying them?"

Vigilante is showing a dump date of April 2016 for the DaniWeb breach (it also shows the hashing algo as corrupted).

LeakedSource is stating that the database (with an unknown date of breach) contains: username, hash, salt, email, ipaddress, City, birthday, Website, register_date, firstname, lastname, last_login

I saw that they have a dump date of April 2016, but upon inspecting the data, my last login information was December 2015, and as I log in every day, I think that's more accurate. Either way, both December and April were on the same old platform.

Davey, or anyone else out there in Internet land who has security experience, is there a way of finding out if the database has been sold or made available anywhere?

Is there any way of discovering who the initial hacker was and how it ended up being known about by the security people in the first place?

Hey Dani, I think you are doing a brilliant job of being open and up front about disclosing what you know (and what you don't) about this breach. For that alone you should be congratulated!

Thanks!! On that note, I'm actually going to retract the statement I made earlier about a Memcached firewall issue being the culprit. It looks as if I spoke too soon, or misunderstood James, and it was actually just one potential thing he was considering since memcached offers no password protection and therefore it's the only point in our network where the firewall is the only layer of protection.

Either way, it might be that we may never figure it out as we have not had access to the servers from the time of breach in a very long time, so there's not much actual investigating that can be done I'm afraid.

You can assume that they have, yes.

I'm sorry, everyone!!!

LeakedSource is stating that the database (with an unknown date of breach) contains: username, hash, salt, email, ipaddress, City, birthday, Website, register_date, firstname, lastname, last_login

While that may be true, the only items I care about are email and ipaddress, as the hash+salt are invalid and the rest can be easily accessed via a member's public profile or via the public API.

Is there any way of discovering who the initial hacker was and how it ended up being known about by the security people in the first place?

Discovering who hacked you is usually not an easy, nor inexpensive for that matter, task. Forensic investigation teams would need access to servers and logs to trace where and when the intrusion occurred and work backwards from there.

You (DaniWeb LLC) will also need to go through the required (by statute) process of breach notification. See http://www.dwt.com/newyorkstate/ for a basic overview.

The security folk, such as Troy, monitor places like Github and dark web sites where breached databases (or part thereof) get dumped. This will be how the breach came to light, in the same way as other historical breaches which have only recently been disclosed.

A while back someone was encouraging people to check if their email address had been involved in a breach and of course I checked mine, noticing this among the breaches. I hadn't even been active here, I created an account 6 years ago and went inactive straight after. I can't remember what I originally created an account for but most likely I didn't find what I was searching for. Recently I was sent automated emails informing me that I never actually confirmed my email address despite registering. It seems a bit funny that a site like this could allow people to enter an email address and have it linked to a profile without ever actually checking if it was valid. Most likely it's different nowadays than what it was 6 years ago, but it's a bit discouraging to think that my email address is listed in various databases, potentially being sold to spammers, and actually migrating over to a new email address would be problematic for multiple reasons. I know this is not the only site to be breached, others like Adobe and Myspace have also had the same thing happen. It's just sort of frustrating to know that even if I were to create a new email address and only use it with trusted parties, one security failure anywhere could result in endless spam again. At least I'm fortunate enough that my spam filter is able to catch pretty much everything, there are some false positives occasionally but very few cases of important mail being mistaken for spam. It still requires me to take a glance at it regardless. I think I should probably delete my account soon but I just wanted to say this. It's far too easy to create an account just to gain access to some site that doesn't allow visitors to post (or in some cases, to view content) and forget about it. Maybe with GDPR, it's less likely that inactive accounts will be stored indefinitely as standard.

Indeed, I have. A "breach" is a computer security incident where a site's data has been wrongfully accessed by cyber attackers and released publicly.

I know that my main email account has been compromised before, and used for sending spam, because my hosting provider disabled my email account and hosting account until I had a chance to change my password.

I know that all of my sites are under constant automated password-guessing attack, although I was never breached.
