Security Incident - Please Change Your Password

Status
Not open for further replies.

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,095
Location
San Antonio, Whitefish, New Orleans
Everyone,

We've recently received reports of scammers emailing our members with bitcoin extortion attempts. We've identified that hackers were able to download email addresses and encrypted passwords from our database for a number of our users and use that information in these emails.

We believe we have identified the problem and fixed the vulnerability on the site; however, we request that you change your password on the site as soon as possible.

Note that no credit card information, premium payment details, or other information is believed to have been exposed through this security incident. Additionally, RadioReference does not and never has stored plain-text passwords anywhere on the site or in the database.

What happened

Hackers exploited an SQL Injection vulnerability on the site to download approximately 25% of our members' email addresses and encrypted passwords. The hackers were then able to decrypt some of those passwords. The hackers then emailed some of these members with extortion demands for Bitcoin payment.

Technical Details

A query field on the RadioReference Mobile site m.radioreference.com was not properly sanitizing data (specifically, the ?fid=### field), which allowed hackers to craft a specific query to trick the page into retrieving a user's email address and encrypted password. We believe that about 25% of all our user accounts were affected, based on analysis of our logs.

The vulnerability that was exploited for this incident was fixed during a cursory code review on July 12th 2019. We were not aware at the time that it was being actively exploited.

Passwords were encrypted with the MD5 hashing algorithm and basic salt. The hackers were able to decrypt some of those passwords and then email the users indicating they knew what their passwords were.

Moving Forward
  • All users should immediately change their password to upgrade the security on their stored password.
  • The site has been upgraded to use an extremely strong password hashing mechanism based on bcrypt, which greatly reduces the ability to decrypt a user password.
  • We are continuing code reviews and firewall configurations to prevent this from occurring again.
  • We will soon expire and reset the passwords of all users who have not changed and updated their password to use the new hashing method.

Thank you for your patience and our apologies for the problems.

Lindsay
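The `?fid=` flaw described in the post above, as an added example (not RadioReference's code; the post does not name the site's stack): a Python sqlite3 handler that accepts only a plain decimal id, binds it as a query parameter, and runs on a connection that is not allowed to read the users table at all. Table names, column names and the sample rows are constructed.

```python
import re
import sqlite3

# Constructed sample rows standing in for the site's feed and user tables.
FEEDS = [(101, "Example County Fire"), (102, "Example City Police")]
USERS = [(1, "alice@example.invalid", "<password hash placeholder>")]
FID_PATTERN = re.compile(r"[0-9]{1,9}")  # the URL value is text; accept a decimal id only

def parse_fid(raw):
    """Return the feed id as an int, or None if the value is not a plain decimal id."""
    return int(raw) if FID_PATTERN.fullmatch(raw.strip()) else None

def deny_users_table(action, arg1, arg2, dbname, source):
    """sqlite3 authorizer: this connection may never read the users table."""
    if action == sqlite3.SQLITE_READ and arg1 == "users":
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def open_feed_connection():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feeds (fid INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, email TEXT, pw TEXT)")
    conn.executemany("INSERT INTO feeds VALUES (?, ?)", FEEDS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    # Least privilege, applied after setup; in production this is a separate
    # database account with no grant on the users table.
    conn.set_authorizer(deny_users_table)
    return conn

def lookup_feed(conn, raw_fid):
    """Hardened ?fid= lookup: validated input, bound parameter, feed columns only."""
    fid = parse_fid(raw_fid)
    if fid is None:          # e.g. "101 OR 1=1": rejected before any SQL runs
        return None          # a real handler answers HTTP 400 here
    # The original bug class is the raw value spliced into the SQL text;
    # the bound '?' keeps it out of the statement entirely.
    row = conn.execute("SELECT fid, name FROM feeds WHERE fid = ?", (fid,)).fetchone()
    return None if row is None else {"fid": row[0], "name": row[1]}

def users_readable(conn):
    """Defence-in-depth check: can this connection read users at all?"""
    try:
        conn.execute("SELECT email FROM users").fetchall()
        return True
    except sqlite3.DatabaseError:  # sqlite reports "not authorized"
        return False
```

Even if a validation bug slipped through, the feed endpoint's connection here has no path to email addresses or password hashes.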
 

citiot

ʇoᴉʇᴉɔ
Premium Subscriber
Joined
Feb 8, 2007
Messages
134
Don't forget to change your passwords on other sites if you use the same password on accounts like bank and credit cards.
 

chaycock

Member
Joined
Oct 28, 2002
Messages
113
Location
Columbus, GA
Interesting that they were able to do so, seeing that a salt was used... that should have thwarted a traditional rainbow/brute-force attack.
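On the salt question above: a per-user salt stops precomputed (rainbow) tables, but it does not make each individual guess any slower, and the first post describes MD5 with a basic salt. Added example in Python (not the site's code): salted MD5 beside a slow, tunable hash, with PBKDF2-HMAC from the standard library standing in for the bcrypt the site moved to; the round count, salt length and sample passwords are my choices.

```python
import hashlib
import hmac
import os
import time

# pbkdf2_hmac stands in for the site's bcrypt (bcrypt is not in the standard
# library); both are deliberately slow, tunable password hashes, unlike MD5.
PBKDF2_ROUNDS = 100_000

def new_salt():
    return os.urandom(16)

def salted_md5(salt, password):
    """The old scheme: a single fast MD5 pass over salt + password."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def slow_hash(salt, password, rounds=PBKDF2_ROUNDS):
    """Salted and slow: the cost of every guess is set by `rounds`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

def verify(stored, salt, password, hash_fn):
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(stored, hash_fn(salt, password))

def roundtrip(hash_fn, password="correct horse", wrong="correct Horse"):
    """Store with a fresh salt, then accept the right password and reject a near miss."""
    salt = new_salt()
    stored = hash_fn(salt, password)
    return verify(stored, salt, password, hash_fn) and not verify(stored, salt, wrong, hash_fn)

def salt_defeats_rainbow_tables(password="correct horse"):
    """Two users, same password, two salts: a table precomputed for one is useless for the other."""
    return salted_md5(new_salt(), password) != salted_md5(new_salt(), password)

def guesses_per_second(hash_fn, salt, n):
    """Rough single-core rate at which candidates can be checked against ONE salted hash."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn(salt, f"candidate{i}")
    return n / max(time.perf_counter() - start, 1e-9)

def md5_is_cheaper_to_guess():
    """Salting does not change the per-guess cost; only the hash function does."""
    salt = new_salt()
    md5_rate = guesses_per_second(salted_md5, salt, 20_000)
    slow_rate = guesses_per_second(slow_hash, salt, 3)
    print(f"salted MD5: {md5_rate:,.0f}/s   PBKDF2 x{PBKDF2_ROUNDS}: {slow_rate:,.1f}/s")
    return md5_rate > slow_rate
```

The salt forces an attacker to work per user, but with MD5 each of those per-user runs still proceeds at millions of guesses per second on one core; the slow hash is what turns that into a cost.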
 

iscanvnc2

Member
Premium Subscriber
Joined
Nov 13, 2012
Messages
358
Location
Ventura, CA
  • We will soon expire and reset the passwords of all users who have not changed and updated their password to use the new hashing method.
I updated last night approx 2330 hrs PDT. Does this meet new criteria?
 

KG4DRF

Member
Joined
May 26, 2019
Messages
118
My question is, does resetting on the forum reset the Database as well, or do I have to go there and reset as well?
 

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,095
Location
San Antonio, Whitefish, New Orleans
Changing your account password updates it everywhere (RadioReference, Broadcastify, Forums, Wiki etc.).

The new password scheme was rolled out today (8/24/2019) at about 3:40 PM CDT, so if you haven't changed your password after then you need to.
 

KG4DRF

Member
Joined
May 26, 2019
Messages
118
Had reset it after seeing post but wasn't sure if forums profile carried over to DB site. Thanks for quick answer.
 

tfranklinh

Newbie
Premium Subscriber
Joined
Jul 17, 2012
Messages
3
Location
Cumberland, MD
I concur with @LEH. Thank you for your quick response and advice. My history with InfoSec can confirm that prompt notification and action on PWs is the safest way to mitigate damages. Well worth my subscription fee! (y)

Great work and happy listening.
 

simpilo

Guest
I checked the email I put on my RR account. Nothing in spam, nothing in inbox. Always a blank slate. I don't use that email address for registering online accounts much. I think RR is the only site I used that email address with.
 

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
10,362
Location
Carroll Co OH / EN90LN
Lindsay,

Can you tell us what the real character limit is on passwords? This is not obvious on the password change page, which looks like it displays a field length of 20.

Thanks

Mike
 

ad8g

Member
Feed Provider
Joined
Jun 20, 2011
Messages
71
Location
Cleveland, Ohio
Hashing is not the same as encryption, and you're doing the right thing by hashing passwords.

But seriously, how in 2019 were you still using MD5? It's been considered insecure for years now.
 

mechanic

Member
Joined
Jun 20, 2003
Messages
18
I received one of those extortion attempts. It is titled "Save yourself". It says they have your password and your accounts and have been accessing your camera. I changed my password immediately. Hard to believe people can be so disgusting.
 

clbsquared

Member
Joined
Oct 13, 2015
Messages
990
Location
Isle of Wight County
A major incident such as this should probably be communicated via direct message or email to every user. This thread will not necessarily be seen by every user.

Agreed. This is a major breach of security. Notification of such activity should have been done in a more personal manner. I found out about it from another site. Very poor communication of the event from the admin team here at RR.
 

pinarello

Member
Premium Subscriber
Joined
Oct 23, 2009
Messages
15
Location
Princeton, NJ
Wow, as a CISO, this was a negligence gap in your cyber defenses. The SQL Injection vulnerability is so old and easily exploited. Vulnerability and Penetration testing would have detected this; did you not conduct this type of testing before a "cursory code review" found it, maybe months after the exploit? What are you doing NOW to mature your cyber security controls?

As noted in another comment, you need to be transparent on this matter and advise all of your Users about this Incident, not just in this forum. Has your legal team reviewed, as you may have reporting requirements to a few State Attorneys General on this breach? Get your PR team going....
 