MyBB Twitter & Staff Account Hacked.

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,142
mybb-2.PNG
B8Xr9JICMAA0DoN.png

This is currently up on their Twitter account.
From the looks of some of the screenshots on the Twitter Account, they may have compromised a staff member's account on MyBB.com.
Edit: They probably don't have links to the ACP enabled, so it could be an admin account.

A member of the development team's account was hacked (it's not clear how as we have been unable to contact them as of yet, but we're currently assuming it was via social engineering). The staff member in question does not have ACP access, but did manage to get the last used IP addresses for all staff members, which they then dumped to Pastebin. The hacker also got the Twitter login credentials from a private thread that staff team members can view and changed the Twitter email and password.
Update: It's been confirmed that a moderator's account was compromised, and that the IP Addresses of all the staff was dumped on Pastebin (not sure what they're trying to accomplish with this). Along with the obvious being that the culprit compromised the Twitter Account.
 
Last edited:

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,142
I thought that MyBB was supposed to implement multi-factor authentication after the last incidents which was supposed to stop things like this from happening again..?
 
Last edited:

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
I thought that MyBB was supposed to implement multi-factor authentication after the last incidents which was supposed to stop things like this from happening again..?
2FA is included in the next release, not the current release.

A member of the development team's account was hacked (it's not clear how as we have been unable to contact them as of yet, but we're currently assuming it was via social engineering). The staff member in question does not have ACP access, but did manage to get the last used IP addresses for all staff members, which they then dumped to Pastebin. The hacker also got the Twitter login credentials from a private thread that staff team members can view and changed the Twitter email and password.

We will be doing a full incident report on our blog once we know more, but I must stress that this does not seem to have been caused by a flaw within the MyBB software at this point in time. This seems to be an unfortunate incident in which a staff member was a victim of a social engineering type attack.

They have access to a staff member's account too: https://twitter.com/MyBB/status/560113166072705024
As above, the two are linked rather than being exclusive. The MyBB account seems to have been used to view the Twitter login thread we have internally. This is what actually allowed us to realise which staff member it was that was compromised as nobody else had viewed that thread in the last few days.
 

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,142
-2.PNG
The culprit still seems to be tweeting via the MyBB Twitter Account.
The hacker also got the Twitter login credentials from a private thread that staff team members can view and changed the Twitter email and password.
Well, that explains why they've been tweeting for four hours without anyone stopping them.
I assume that you probably have a way to lock them out of the Twitter account and to reclaim control..?
 

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
View attachment 32035
The culprit still seems to be tweeting via the MyBB Twitter Account.

Well, that explains why they've been tweeting for four hours without anyone stopping them.
I assume that you probably have a way to lock them out of the Twitter account and to reclaim control..?
Yes, they seem to still have control. The only people who can do anything about this unfortunately is Twitter. The hacker has changed both the email and password for the account. Several team members have contacted Twitter without any kind of response or acknowledgement as of now.

Matt has just recently posted an official thread on the matter, with a blog post to follow as we know more: http://community.mybb.com/thread-166257-post-1135637.html#pid1135637

It's worth noting that the @MyBBGroup account hasn't been compromised and we still have full access to that. We will likely be using that for the time being.
 

R44

Asperger's Network? Absolutely.
Joined
Apr 29, 2013
Messages
1,071
Congratulations guys. You got "compromised" by a retard.

That aside, he only wanted access to the staff forum. From there he has taken the vulnerabilities. So my priority would be patching them and rolling out an update in the meantime. One staff member can continue securing Effones account.
 

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,142
Yes, they seem to still have control. The only people who can do anything about this unfortunately is Twitter. The hacker has changed both the email and password for the account. Several team members have contacted Twitter without any kind of response or acknowledgement as of now.

Matt has just recently posted an official thread on the matter, with a blog post to follow as we know more: http://community.mybb.com/thread-166257-post-1135637.html#pid1135637

It's worth noting that the @MyBBGroup account hasn't been compromised and we still have full access to that. We will likely be using that for the time being.
3.PNG
Is this statement true? Are there any unpatched exploits which they may have taken?
 

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
View attachment 32037
Is this statement true? Are there any unpatched exploits which they may have taken?
There are a few XSS flaws that are patched for 1.8.4, but not officially released yet. There are a few other patches coming in 1.8.4 too. I don't want to release full details into the wild unless we, as a team, decide to do so.
 

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
Congratulations guys. You got "compromised" by a retard.

That aside, he only wanted access to the staff forum. From there he has taken the vulnerabilities. So my priority would be patching them and rolling out an update in the meantime. One staff member can continue securing Effones account.
We are working on doing just that. We don't now believe it is effone is compromised as the attacker states he still has access, and effone is banned.
 

Blind Bandit

Fanatic
Joined
Aug 24, 2008
Messages
3,487
Mybb needs to get this handled ASAP. Mybb already has a damaged reputation from this happening in the past.
 

BrandonSheley

loving life
Joined
Jan 2, 2006
Messages
2,606
I'm surprised they didn't have 2 factor setup on their twitter account with all the recent issues Mybb has had in the last year.
With that said, it's very easy for them to get back their account. It may take twitter 2 or 3 days but they can get it back and hopefully secure it this time..
 

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
I'm famous :D



On Twitter? I wouldn't listen to him. He is deranged.
We have to take everything said to be true to be sure. We can't just assume these things, we have to assume the worst.

I'm surprised they didn't have 2 factor setup on their twitter account with all the recent issues Mybb has had in the last year.
With that said, it's very easy for them to get back their account. It may take twitter 2 or 3 days but they can get it back and hopefully secure it this time..
Enabling 2FA is problematic as the Twitter account is shared between all team members who've been with us for more than 3 months. Anybody on staff can use the account to provide quick support and to post updates. 2FA just doesn't work in this scenario.
 

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,142
We are working on doing just that. We don't now believe it is effone is compromised as the attacker states he still has access, and effone is banned.
Even if his telling the truth, there's always the possibility that several accounts were compromised.
 

BrandonSheley

loving life
Joined
Jan 2, 2006
Messages
2,606
Enabling 2FA is problematic as the Twitter account is shared between all team members who've been with us for more than 3 months. Anybody on staff can use the account to provide quick support and to post updates. 2FA just doesn't work in this scenario.
They need to rethink this approach then ;)

@Mybb_bob can provide support just the same as @Mybb_jim can.
 

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
There's a possibility, which is why we're scouring server access logs for new IPs for all staff members.
 
Top