House Price Crash Forum
Webmaster

Important Notice Regarding Recent Hack


We recently communicated to you that we had suffered a hack via an Invision security loophole.

It looks like the hacker also harvested an unknown number of email addresses from the database for the purposes of spam.

Whilst the website was down we had a look at the security, talked to Invision and made a few changes to beef up the security of the website. We still cannot guarantee that this website will not be hacked again in the future but then again nor can any website on the internet including government websites etc. The problem with the Internet is there has to be a balance between having an interactive website and also having adequate security. Unfortunately there are a lot of clever hackers out there who like nothing better than to exploit any security loopholes that they find.

We would ask you all as a precaution to change your passwords on the site using the facility in My Controls:

My Controls > Options > Change Password

Please also be aware that you may now receive spam emails to the email address that you registered with this website.

We apologise for this recent turn of events but hope that you will understand that it is not possible to have a website that is 100% secure, especially when using well-known third-party software that hackers are continually seeking to exploit.

On the bright side, Invision have advised us of their new security features in the next version of Invision Powerboard which shows that they are committed to the security of their software.


I've received the same spam that others have reported. It is very annoying.

Why was your software not patched immediately and what steps are being taken to ensure that security upgrades are applied immediately in the future?


Leave off mate. It took out every Invision board I know.

These guys did well to come back cleanly, most of the others were up and down like yoyos thinking it was patched.


It looks like the hacker also harvested an unknown number of email addresses from the database for the purposes of spam.

I have just sent $300000 to Nigeria – are you telling me that the email might not be real? Looks like the hackers have found some weak-minded and easily led people to target. I look forward to my barrage of emails, which I will PM to the Webmaster.


It was a government hack.

They are scared of us and wanted to know who we were.

Now they know.

I am wearing a tin foil hat.

Guest John Brown

Leave off mate. It took out every Invision board I know.

These guys did well to come back cleanly, most of the others were up and down like yoyos thinking it was patched.

I bet they were all set up before the security patch. So other Invision boards may still be hit.


It was a government hack.

They are scared of us and wanted to know who we were.

Now they know.

I am wearing a tin foil hat.

You may be closer to the truth than you know :)

Edited by Justice

Guest mattsta1964

You may be closer to the truth than you know :)

There's probably some Harry Palmer type in MI5 with horn-rimmed glasses and a cockney accent reading this right now! LOL

I've received the same spam that others have reported. It is very annoying.

Why was your software not patched immediately and what steps are being taken to ensure that security upgrades are applied immediately in the future?

It was patched quickly but by the time a security hole is discovered and a patch released by the software vendor a number of days can have elapsed.


It was patched quickly but by the time a security hole is discovered and a patch released by the software vendor a number of days can have elapsed.

Is there a CVE number assigned to this vulnerability?

Guest Baffled_by_it_all

Can you delete my details from your database. This is rubbish. Clearly FUBRA make their cash by skimping on security.


Grow up Baff. It's the internets. Get used to it. Don't put personal information online you are not happy for the world to know. Especially not on a site that makes no pretensions to massive levels of in-depth security (e.g. not an online retailer/bank etc). They make an effort - I would assume an effort proportional to the level of data held, but really, get a grip.

If you really want your data gone, write to their data controller, citing the DPA. But what data do they actually hold about you that's so critical you want it gone? An email address?


Fair play to the Webmaster for disclosing the full details of what happened and for advising people to change their passwords.

It would have been easier to say "there was a problem with the server" and leave it at that.

Guest Bart of Darkness

I build my own tinfoil hats since you should trust no one, always construct your AFDB (Aluminum Foil Deflector Beanie) yourself to avoid the risk of subversion and mental enslavement. Sometimes, AFDBs will be sold on places like eBay. Do not purchase these pre-made AFDBs, even if the seller seems trustworthy. They may contain backdoors, pinholes, integrated psychotronic circuitry or other methods that actually promote mind control.

Build yourself a tinfoil hat now, give your brain a rest from mental enslavement.

Guest Bart of Darkness

This is a clear case of reverse-reverse psychology. The forces of darkness are trying to make us think that our tinfoil hats are not effective, yet they know that we know how they think. But in knowing how they know we know how they think, they hope to sow confusion and discord amongst those still unaffected by their insidious propaganda.

I shall keep on wearing my "fez" thank you very much.


The people that write the software for sites like these ought to cop themselves on. I think on this site you now have to enter a valid email address because, when you register, an email is sent to that account and you have to click on a link in it to activate your account. All astonishingly clever - apart from the fact that you can still register email accounts with people like Yahoo and put in Mickey Mouse as your name etc. So what does that prove?

On the other hand, if a site is going to store your details - assuming you enter a correct email address which could be used to identify you - it ought to take care to make sure that info cannot be got at.

Cross-site scripting is relatively easy to disable - checking and removing certain characters from strings sorts out lots of the problems, and not creating SQL strings in your code sorts out others.

People either need to decide 'this site is secure so you must identify yourself' or 'this site is not secure so we are not going to ask you for any personal details'.

Guest John Brown

I hope nobody uses the same password on here as they do for their online banking etc. If so, you might want to change your details ;)

Dark in name and dark by nature. The tool of your master.


Leave off mate. It took out every Invision board I know.

These guys did well to come back cleanly, most of the others were up and down like yoyos thinking it was patched.

It didn't take out the ones that I knew about.

And it didn't "come back cleanly" unless by coming back cleanly you mean that members are getting spammed and have had their passwords, emails and other details stolen.

On their forum policy it states that "We use a secure server cluster situated in a secure data centre to protect all the information you provide us with. We have invested heavily in equipment and highly qualified staff to ensure all information you enter is protected from access by any third party and only necessary and restricted access is available internally. We also protect all our connections to the Internet using various security measures including firewalls and regular security audits on all our servers."

Clearly they have failed to protect our personal information. I don't think it is unreasonable to ask for how long the vulnerability remained unpatched and what steps have been taken to prevent this from happening in the future.

The responses so far seem to indicate that the forum was known to be in an unsafe state yet nothing was done to fix it. Amazing that there have been all the changes to the adverts and banning references to ********** and monitoring/stopping PMs but nothing done to secure the email and other info until an official patch was available (although with "highly qualified staff" you'd think they'd be able to patch the software themselves).

Dark in name and dark by nature. The tool of your master.

Brown by name and brown by nature. The master tool.

BTW, it's Darke.

Edited by Charles_Darke


I understand that email addresses have been lifted from the servers as a result of this hack, but surely passwords would have been retained in an encrypted format and therefore could not be pulled from the server.

Can anyone who knows the technology behind these message boards confirm the method of password storage/retrieval?

Xil.


I understand that email addresses have been lifted from the servers as a result of this hack, but surely passwords would have been retained in an encrypted format and therefore could not be pulled from the server.

Can anyone who knows the technology behind these message boards confirm the method of password storage/retrieval?

Xil.

Passwords and other details are rarely stored in encrypted format. They are normally stored in plain text. Although if at risk, one would normally either move the data offline or temporarily encrypt them.
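A constructed illustration, added here and not code from this thread, from this site or from Invision, of the two points the discussion raises: the question above about how a message board stores passwords (a salted, iterated hash means a harvested copy of the member table yields email addresses but not the passwords themselves), and the earlier post's advice about not building SQL strings in code (input is bound as query parameters, and names are escaped at display time rather than stripped on input). It uses only Python's standard library; the table layout, column names and function names are assumptions for the example.

```python
import hashlib
import hmac
import html
import os
import sqlite3

# Constructed stand-in for a forum's member table (assumed layout, not Invision's schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE members (name TEXT, email TEXT, salt BLOB, pw_hash BLOB)")


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the row holds salt + digest, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register(name: str, email: str, password: str) -> None:
    salt = os.urandom(16)
    # Parameterised query: the values are bound as data, never spliced into SQL text,
    # so a name such as  x'); DROP TABLE members; --  is stored literally.
    conn.execute("INSERT INTO members VALUES (?, ?, ?, ?)",
                 (name, email, salt, hash_password(password, salt)))


def verify(email: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM members WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


def render_name(name: str) -> str:
    # Output encoding for a profile page: escape at display time instead of
    # removing characters on input, so the stored name stays intact.
    return html.escape(name, quote=True)


def dump_contains(text: str) -> bool:
    # What a harvested copy of the table would reveal: emails yes, passwords no.
    rows = conn.execute("SELECT name, email, salt, pw_hash FROM members").fetchall()
    return any(text in str(col) for row in rows for col in row)


if __name__ == "__main__":
    register("Xil", "xil@example.invalid", "correct horse")   # constructed sample
    print("login ok:", verify("xil@example.invalid", "correct horse"))
    print("email in dump:", dump_contains("xil@example.invalid"))
    print("password in dump:", dump_contains("correct horse"))
```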

