
Has Mbam forum been hacked?


QuantumCheese


Hi all. 

I registered here 16/11/2013 with a unique-to-this-site email address.  (I'm not going to publish it here as I assume a Mod ought to be able to look it up.)

I have never given this email address to anyone else.  In addition I use individual addresses for every business I have dealings with. This enables me to track such leaks of my personal information.

I ask if you have been hacked for two reasons.

1) Starting on 02/07/2016 I began to receive SPAM emails sent to the email address registered with this forum

2) When I went to log in, using my browser-stored password, I was told it was incorrect & had to initiate a password reset in order to regain access.

To date I have now received a total of 12 SPAM emails and will have to can this address shortly. Before I do, I thought I would ask here if you know anything about this?


Take a look at the header of the spam email(s) and see who it was sent to.

 

I recently got a spate of phishing emails on an email address that I had only set up the week before, and hadn't given out anywhere.

Looking at the header I saw that they had been 'sent' to various iterations of the actual email address.

50 or so slight variations were CC'd in each of the emails; obviously a randomly generated list.

That's partly why it's called phishing- they throw out hundreds of thousands of random hooks hoping that one may be a real email address and will catch.

 

Whatever your email address you are going to get this now and again.


Hi, @QuantumCheese:

In addition to the advice already provided...

...Yes, there was a forum security breach several years ago (I think it may have been shortly after you registered here).  At that time, all forum members were notified that  -- for security's sake -- they would need to change their forum password. It's possible that you missed that notification.

I cannot be sure if the behavior you report specifically relates to that episode.  But, if you have not been online here in a very long time, until today, then I suppose it is possible.

Having said all that, AFAIK no, the forum has not been recently hacked.  The forum software was upgraded from IPS v3 to IPS v4 several months ago.  According to the forum staff, the new version includes security enhancements over the previous version.

Other than that, we would need to wait for @AdvancedSetup to weigh in with more specifics.

Thank you,


Unfortunately - yes, { sigh }

The Malwarebytes' Forum was hacked in November 2014.  The vulnerability that led to the account compromise was discovered on November 10, 2014, and Malwarebytes was extremely quick in addressing it.

Malwarebytes broadcasted an email, at that time, informing us that our passwords had been reset.

MS MVP Troy Hunt created the site  https://haveibeenpwned.com/  where you can enter your email address to see if it was/is associated with any site that had been compromised.

Edited by David H. Lipman

Yes, the email headers would suggest the correct destination.  Here is a short excerpt. I have replaced the real address with "CORRECT EMAIL ADDRESS" ...

/From - Sat Jul 09 10:29:04 2016

...
Received: from Postfix-filter-42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
    by smtp-in-110.livemail.co.uk (Postfix) with SMTP id 32537D8186
    for <CORRECT EMAIL ADDRESS>; Sat,  9 Jul 2016 09:30:32 +0100 (BST)
Received: from static.167.172.46.78.clients.your-server.de (static.167.172.46.78.clients.your-server.de [78.46.172.167])
    by smtp-in-110.livemail.co.uk (Postfix) with SMTP id 10849D818A
    for <CORRECT EMAIL ADDRESS>; Sat,  9 Jul 2016 09:30:32 +0100 (BST)
Message-ID: <4496472280922-PCVXFBBKOOXEBZOHXUHYQU@kdpjrt.bernilabs.com>
From: %GIRL_NAME Grayson <Grayson_%GIRL_NAME@bernilabs.com>
Subject: Look rich for the first time
To: <CORRECT EMAIL ADDRESS>
Date: Sat, 9 Jul 2016 04:23:31 -0500
Content-Type: text/html
Content-Transfer-Encoding: 7Bit
X-Original-To: CORRECT EMAIL ADDRESS
Return-Path: ordosspta@g-ent.net

.../

Normally I would have already forwarded these emails to SPAMCOP, but as I have been busy the last few days these have just sat in my SPAM to report folder. Also I wanted to leave it a day or two & see if I continued to receive them to the same address.

Incidentally, all the spam are different & from different (presumably) compromised MX's

Thanks for the replies so far.  I'll wait now to see what @AdvancedSetup has to say.

Cheers.
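
The header check suggested earlier in the thread, as an added example that is not part of any poster's message: it compares the envelope recipient (the `for <...>` clause in `Received` and `X-Original-To`) with the visible `To`/`Cc` list to separate "my exact address, alone" from "one of many guessed variants". The address, hostnames and the three-variant threshold are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

TRACKED = "mbam-forum@example.org"  # placeholder for the per-site address

def envelope_recipients(msg):
    """Addresses the receiving MTA recorded, not what the sender displayed."""
    found = set()
    for hop in msg.get_all("Received", []):
        m = re.search(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", hop)
        if m:
            found.add(m.group(1).lower())
    for value in msg.get_all("X-Original-To", []):
        found.add(value.strip().strip("<>").lower())
    return found

def visible_recipients(msg):
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if "@" in addr}

def classify(raw, tracked=TRACKED, min_variants=3):
    msg = message_from_string(raw)
    tracked = tracked.lower()
    if tracked not in envelope_recipients(msg):
        return "not-for-tracked-address"
    visible = visible_recipients(msg)
    domain = "@" + tracked.split("@", 1)[1]
    # Other same-domain addresses in To/Cc point to a generated guess list.
    guesses = {a for a in visible - {tracked} if a.endswith(domain)}
    if len(guesses) >= min_variants:      # threshold is an assumption
        return "guessed-variants"
    return "exact-address-only" if visible == {tracked} else "inconclusive"

def _sample(to, cc=""):
    """Constructed message shaped like the excerpt in the post above."""
    lines = ["Received: from relay.example.net (relay.example.net [192.0.2.10])",
             "    by mx.example.org (Postfix) with SMTP id 0000000000",
             f"    for <{TRACKED}>; Sat,  9 Jul 2016 09:30:32 +0100 (BST)",
             "From: Sender <sender@example.net>",
             f"To: {to}"]
    if cc:
        lines.append(f"Cc: {cc}")
    return "\n".join(lines + [f"X-Original-To: {TRACKED}", "", "body"])

EXACT = _sample(f"<{TRACKED}>")
SPRAY = _sample("<mbam-forun@example.org>",
                "mbam.forum@example.org, mbamforum@example.org, "
                "mbam-forums@example.org, " + TRACKED)

if __name__ == "__main__":
    for name, raw in (("exact", EXACT), ("spray", SPRAY)):
        print(name, classify(raw))
```

An `exact-address-only` result on an address used at a single site is consistent with that site's user list having leaked; `guessed-variants` matches the random-list pattern described in the second post.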

 


Ron ( AdvancedSetup )  will indicate the same.  Basically there was an event, Malwarebytes remediated the vulnerability and reset account passwords and they sent all forum members an email notification.

Did you try the site  https://haveibeenpwned.com/  with that email address  QuantumCheese ?


42 minutes ago, David H. Lipman said:

Ron ( AdvancedSetup )  will indicate the same.  Basically there was an event, Malwarebytes remediated the vulnerability and reset account passwords and they sent all forum members an email notification.

Did you try the site  https://haveibeenpwned.com/  with that email address  QuantumCheese ?

Hi, sorry Dave, I forgot to check that one.  Yep, it has 1 entry listed.... you guys and at the date you said.

Looks like I've got to the bottom of that one then.  Odd 'they' took so long to start spamming it, it usually occurs sooner.

Cheers

Carl


Yes, the time delay factor is something to keep in mind. 

I have been in some really nasty breaches and they have paid for Credit and Account monitoring for up to 3 years.  If you take into account a time delay factor of subsequent possible malicious behaviour then that 3 year Credit and Account monitoring has the propensity of not actually helping.  It would only serve to placate the subjects of that breach in the short term.

Often such lists may lie dormant until there is a buyer who will actually use the content purchased.

I gave the site  https://haveibeenpwned.com/  four email addresses.  Two were the subject of breaches.  One with Malwarebytes and the other with Adobe Systems.

 

Edited by David H. Lipman

  • 3 weeks later...

I checked 3 email addresses @ haveibeenpwned.com - 2 email addresses were clean and the third had two hits - MBAM forum & Avast forum.

I was notified by MBAM and did change my MBAM "site password". It says Avast was hacked in May 2014. There was no notification from Avast and I have not used their product or been on their forum since 2012.

I have not detected any spam on the email account in question.

My question is fairly simple. To be sure of future security would it not be better to close the email account in question and open a new email account?

Because I structure my email account passwords using upper & lower case letters, numbers and special characters with a minimum of 9 characters I am confident the email password has not been compromised.


  • Root Admin

Our site was not hacked. There was an incident where it is believed that an unauthorized user from another forum that was running on the same node as our server had someone log in to the Admin Console on an IPS forum. There was no "hack" found. Logs indicated the user logged in with an admin level password. IPS took down sites on that node as a precautionary means and we sent out password reset notice as well as a precaution. We also moved our Admin Console behind two-factor authentication to ensure ACP cannot be logged into by just password alone.

 

 


54 minutes ago, AdvancedSetup said:

Our site was not hacked. There was an incident where it is believed that an unauthorized user from another forum that was running on the same node as our server had someone log in to the Admin Console on an IPS forum. There was no "hack" found. Logs indicated the user logged in with an admin level password. IPS took down sites on that node as a precautionary means and we sent out password reset notice as well as a precaution. We also moved our Admin Console behind two-factor authentication to ensure ACP cannot be logged into by just password alone.

 

 

I did not use the word hacked in referring to the MBAM forum. I did use the word hacked with the Avast forum. I also did not choose the title of this thread.

I submit that you might want to address this issue with https://haveibeenpwned.com/

mbam 1.png

Edited by Spud

  • 1 month later...
This topic is now closed to further replies.