Possible Security Breach of email addresses and passwords

Status
Not open for further replies.

RadioMan0520

Newbie
Joined
Nov 28, 2017
Messages
1
I believe it is possible that RadioReference.com has been breached, most likely this forum. I am not only an ARRL member with a General license, but I am a certified Cyber Security Analyst. I deal with Cyber Security every day. Here is what has happened:

Today, I received some common SPAM about "you are being watched, we have recorded video, ... please submit bitcoin". This is obviously SPAM. No big deal. But what made it unique is that this one also had a password in it that I have used in the past. Doing some digging, the only two places where I used that particular password with the email address that the SPAM came into were Udemy.com (a website for education, and one that teaches security, so I would hope it is not them) and register.RadioReference.com. I made my account with RR before I had my call sign but changed my account profile to use my callsign@arrl.net once I got it.

Now it seems that forum.radioreference.com is administered separately, because it is still using that older email address that got the SPAM and the same old password that was reported in the SPAM email to log me in as RadioMan0520 (which I don't even remember setting up). Interestingly, I can also log in with my new call sign email address and a different password. I purposely logged in with the old one for this post to prove a point: it still exists when it shouldn't.

So I believe these forums got breached and that these forums are storing passwords in a PLAIN-TEXT format which is a huge no-no in the Cyber Security field. Another possibility is that there is an old database that is exposed on the Internet.

But this does need investigating.
 

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,120
Location
San Antonio, Whitefish, New Orleans
We don't store anyone's passwords ANYWHERE in plain-text format - all passwords are hashed and salted. And we NEVER have stored plain-text passwords in any database.

With that said, I've received your report and I'm looking into the issue.
 

Richard

Member
Premium Subscriber
Joined
Dec 19, 2002
Messages
111
Location
Florida
I, too, received a similar SPAM email yesterday which revealed my RadioReference password. The only two places that this password would have been used are on this site and when using the Butel ARCXT program, which connects to RadioReference when downloading from the RR Database. Of course, I changed my password since.
 

kruser

Active Member
Premium Subscriber
Joined
Nov 25, 2007
Messages
4,992
Location
West St Louis County, MO
Right now we're in investigation mode.

Once we get to the bottom of what might have happened, we'll start the process to force everyone to reset their passwords. Stay tuned.

I received the same but on Tuesday of this week.
The password that the email displayed was a very old (1.5 years maybe) password that had been stored by IE-11 quite some time ago for the main RadioReference login. I've changed my password twice since I last used the password that the spam email showed.

They apparently exploited a hole in IE that reveals stored passwords.

My current password was not or is not stored by IE. I used IEPassview to see what passwords were being stored by IE and was able to delete them all as they were all old.
I also had only been to this site for the 12 or more hours before receiving the bogus email.

Not sure this will help but figured I'd post the info being as the password revealed was an old unused one.
 

br0adband

Member
Joined
Apr 8, 2005
Messages
1,567
Location
Springfield MO
I just came here to post this very thing: I received some scam emails the past day or so hoping for bitcoin, and the password the email contained was one I did use here in the past (specifically for this forum, never anywhere else), so it did give me a moment or two to pause and think of what could have happened. Apparently it's a fairly well-known scam, but not exactly the one where someone uses a password from one of the breach lists to contact unsuspecting users, so I did some cursory scans using Housecall from Trend Micro and ESET's online scan but of course found nothing.
 

BruceMurray

Member
Premium Subscriber
Joined
Dec 26, 2017
Messages
19
Somebody e-mailed my Radio Reference user name with my hotmail account last spring. Scam blackmail for bitcoin. That user name is unique to RadioReference and Butel access to Radio Reference. I just deleted the email. No password was mentioned. Bruce.
 

zz0468

QRT
Banned
Joined
Feb 6, 2007
Messages
6,034
At 2:30 AM this morning, I received an email at the email address in my account records here. This is the ONLY place that email address is used. Ever. My password here is the ONLY place that password is used. The email received contained both my password and my email address.

I agree, something here has been breached.
 

DomW

Member
Joined
Nov 21, 2005
Messages
40
Location
St. Clairsville, Ohio
Reading this, I checked my email spam folder; I have two of the messages. I did a little checking and noticed that Win500 had my user name and password in plain text in an old config file, but not in the most recent. I wonder if any other software that goes to RR for downloading freqs does this too. I'm curious; he never mentioned which browser or operating system. I do most of my browsing on my Mac, but my scanner stuff is 90% Win 7. Admin: feel free to contact me if you need the email, etc.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,930
> We don't store anyone's passwords ANYWHERE in plain-text format - all passwords are hashed and salted. And we NEVER have stored plain-text passwords in any database.
>
> With that said, I've received your report and I'm looking into the issue.

What is being used to hash the passwords (MD5, SHA-1, PBKDF2, bcrypt, scrypt, etc)?

I also noticed a few times when trying to log in to the wiki that it wasn't using https, so maybe there was some credential grabbing going on, as anything entered would be sent in the clear.
 

eorange

♦Insane Asylum Premium Member♦
Joined
Aug 20, 2003
Messages
2,945
Location
Cleveland, OH
I just got the same e-mail with my cleartext RR password which is only used on this site. Fortunately I was able to steal some of mmckenna's bitcoins and paid them off, so I'm good.

I'd bet this is a MITM attack. Seems coincidental with new infrastructure that was rolled out...?
 

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,120
Location
San Antonio, Whitefish, New Orleans
We identified the problem - it was an SQL injection attack that allowed the hacker to download the email address and encrypted passwords for about 300K out of 1.2M of our users. The attacker was then able to decrypt the passwords by using MD5+salt rainbow tables. No other information was compromised, and no payment details, credit card details etc were affected.

The vulnerability was in the frequency ID field in the mobile version of RadioReference.com - and it was fixed and patched back in July during a cursory review of code. At that time we didn't know the vulnerability was being used to steal data.

Right now we are in the process of:

1) Getting an official announcement out
2) Testing new, much stronger password encryption (bcrypt)
3) Resetting everyone's passwords once testing is complete

Stay tuned...
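An added example (not RadioReference's code, and not from any poster in this thread) showing the pattern behind the frequency-ID bug described above: a lookup that concatenates the ID into the SQL text, beside one that validates the ID and binds it as a parameter. The table, its columns and the sample rows are constructed, and sqlite3 stands in for whatever database the site actually uses.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; RadioReference's real schema is not known here.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE frequencies (freq_id INTEGER, description TEXT)")
    conn.executemany(
        "INSERT INTO frequencies VALUES (?, ?)",
        [(1, "County fire dispatch"), (2, "City police tac 1"), (3, "EMS ops")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, freq_id: str):
    # Untrusted input pasted straight into the SQL text: the database sees
    # whatever the client sent as part of the statement, not as a value.
    sql = "SELECT freq_id, description FROM frequencies WHERE freq_id = " + freq_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, freq_id: str):
    # Layer 1: a frequency ID is a non-negative integer and nothing else.
    if not freq_id.isdigit():
        raise ValueError(f"rejected non-numeric frequency id: {freq_id!r}")
    # Layer 2: bind the value as a parameter, so even a value that slipped past
    # validation could never change the shape of the statement.
    sql = "SELECT freq_id, description FROM frequencies WHERE freq_id = ?"
    return conn.execute(sql, (int(freq_id),)).fetchall()


def demo() -> dict:
    conn = make_db()
    benign = "2"
    tampered = "2 OR 1=1"  # constructed tampered input: widens the WHERE clause
    results = {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),
        "hardened_benign": lookup_hardened(conn, benign),
    }
    try:
        lookup_hardened(conn, tampered)
        results["hardened_tampered"] = "accepted"
    except ValueError:
        results["hardened_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The vulnerable lookup returns every row for the tampered input, which is exactly how a single injectable field can be walked through a whole table; the hardened one rejects it before the database is ever asked.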
 
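An added example (again not RadioReference's code) of one common way to carry out step 2 of the list above: keep verifying legacy salted-MD5 records, and on a user's next successful login replace the record with a slow, salted KDF. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, the `md5$salt$hex` record format is an assumption, and the user records are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the stand-in KDF; tune so one hash costs ~100 ms.
PBKDF2_ROUNDS = 600_000


def legacy_md5_record(password: str, salt: str) -> str:
    # The legacy scheme the thread describes: a fast hash plus a salt. MD5 is
    # cheap to compute, so leaked records like this are brute-forced at scale.
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"md5${salt}${digest}"


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    # Slow, salted KDF (stand-in for bcrypt); the work factor travels with the hash.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    # Accept both record formats during the migration window.
    scheme, *fields = record.split("$")
    if scheme == "md5":
        salt, digest = fields
        expected = hashlib.md5((salt + password).encode()).hexdigest()
        return hmac.compare_digest(expected, digest)
    if scheme == "pbkdf2_sha256":
        rounds, salt_hex, dk_hex = fields
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown hash scheme: {scheme}")


def login(users: dict, username: str, password: str) -> bool:
    # Check the stored record; on success, replace a legacy MD5 record with a
    # slow-KDF one, since the plaintext is only available at login time.
    record = users.get(username)
    if record is None or not verify(record, password):
        return False
    if record.startswith("md5$"):
        users[username] = pbkdf2_record(password)
    return True


if __name__ == "__main__":
    users = {"example_user": legacy_md5_record("correct horse", "s4lt")}  # constructed
    print(login(users, "example_user", "correct horse"), users["example_user"][:14])
```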