MyBB Twitter & Staff Account Hacked.

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,142
Enabling 2FA is problematic as the Twitter account is shared between all team members who've been with us for more than 3 months. Anybody on staff can use the account to provide quick support and to post updates. 2FA just doesn't work in this scenario.
A better approach would be to distribute the password to very senior staff members and for the messages to be destroyed afterwards, instead of having a private topic that they can read at any time.
 

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
They need to rethink this approach then ;)

@Mybb_bob can provide support just the same as @Mybb_jim can.
Yeah, the problem is that @Mybb_Brandon could come along, slap a MyBB logo on as an avatar and start playing the part, and people would think they were an official team member...

We do need to think of a solution, we'll be looking into it as soon as we have control back.
 

R44

Asperger's Network? Absolutely.
Joined
Apr 29, 2013
Messages
1,071
A better approach would be to distribute the password to very senior staff members and for the messages to be destroyed afterwards, instead of having a private topic that they can read at any time.
Yep. This.
 

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
A better approach would be to distribute the password to very senior staff members and for the messages to be destroyed afterwards, instead of having a private topic that they can read at any time.
True, the problem is that people then tend to store these things in obvious places such as in the UCP notepad ;)
 

Deimos

Devotee
Joined
Oct 21, 2007
Messages
2,819
Yet another MyBB issue, it's going to rock consumers' confidence in the product...again.
 

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
Yet another MyBB issue, it's going to rock consumers' confidence in the product...again.
Unfortunately, yes. We seem to be a big target, likely due to the fact that many large hacking forums run MyBB. We do try to handle these issues as best as we can but we don't have quite the same amount of manpower as other projects do.
 

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,142
True, the problem is that people then tend to store these things in obvious places such as in the UCP notepad ;)
Even MS Notepad would be a vastly better option than storing it in the UserCP. Sounds like it's time for a new policy.
 

BrandonSheley

loving life
Joined
Jan 2, 2006
Messages
2,609
Yeah, the problem is that @Mybb_Brandon could come along, slap a MyBB logo on as an avatar and start playing the part, and people would think they were an official team member...

We do need to think of a solution, we'll be looking into it as soon as we have control back.
I'm pretty sure IPB and vBulletin both have Twitter accounts that offer public online support like this.. Well maybe not vb as much anymore but at one time they did.

I assume you're with mybb?
 

Deimos

Devotee
Joined
Oct 21, 2007
Messages
2,819
Unfortunately, yes. We seem to be a big target, likely due to the fact that many large hacking forums run MyBB. We do try to handle these issues as best as we can but we don't have quite the same amount of manpower as other projects do.
I agree, it's just a shame, I genuinely feel sorry for the team and product.
 

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
Even MS Notepad would be a better option than storing it in the UserCP. Sounds like it's time for a new policy.
Yep. We will be rethinking how we handle official accounts in the future for definite. Right now we're concentrating on getting the account back and working out exactly what has happened.

I'm pretty sure IPB and vBulletin both have Twitter accounts that offer public online support like this.. Well maybe not vb as much anymore but at one time they did.

I assume you're with mybb?
Yes, I am one of the developers. Hopefully we'll be able to open a line of discussion with Twitter when we get the account back and see if they have any advice for us.
 

BrandonSheley

loving life
Joined
Jan 2, 2006
Messages
2,609
Yes, I am one of the developers. Hopefully we'll be able to open a line of discussion with Twitter when we get the account back and see if they have any advice for us.
I honestly don't see Twitter helping at all other than getting your account back, which you need to contact them about asap. It'll take them a few days to get your access back.
The best advice I have is not to share accounts and to enable security on your account. Especially if you're having clients send you private info via DMs (not sure if you are, just throwing it out).
There are companies all over the web that have support accounts on Twitter.
Create a public list off the main account and add the "official" support twitter accounts if you're really worried about it..

Oh.. you already have one.. 21 devs?
https://twitter.com/MyBB/lists/mybb-staff/members
 

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,142
There are a few XSS flaws that are patched for 1.8.4, but not officially released yet. There are a few other patches coming in 1.8.4 too. I don't want to release full details into the wild unless we, as a team, decide to do so.
Some of the messages are being deleted now, but I managed to screenshot this very concerning tweet.
From the sounds of it, there may be some SQL Injection vulnerabilities which they took.
 

BrandonSheley

loving life
Joined
Jan 2, 2006
Messages
2,609
From the looks of it, the list is probably terribly outdated.
There are several that mention mybb or mybbgroup, so I'm not sure.
My point is that one person should have control of the official account and have their phone tied to it. If that were the case, they would never be able to hack the twitter account again.
 

R44

Asperger's Network? Absolutely.
Joined
Apr 29, 2013
Messages
1,071
Just for future reference, your immaturity in the comments made on twitter is pretty much on par with the person who has the account now.
Yes but I occupied his time.
 

R44

Asperger's Network? Absolutely.
Joined
Apr 29, 2013
Messages
1,071
Congratulations? It just made you look as immature as him.
Probably. But hey it was fun to wake up to a troll to troll back. While he was intertwined with me he wasn't doing harm.
 

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
723
I honestly don't see Twitter helping at all other than getting your account back, which you need to contact them about asap. It'll take them a few days to get your access back.
The best advice I have is not to share accounts and to enable security on your account. Especially if you're having clients send you private info via DMs (not sure if you are, just throwing it out).
There are companies all over the web that have support accounts on Twitter.
Create a public list off the main account and add the "official" support twitter accounts if you're really worried about it..

Oh.. you already have one.. 21 devs?
https://twitter.com/MyBB/lists/mybb-staff/members
I'm going to be looking into a solution this week. I already have a few ideas which should work.

Some of the messages are being deleted now, but I managed to screenshot this very concerning tweet.
From the sounds of it, there may be some SQL Injection vulnerabilities which they took.
There are no public facing SQL injection vulnerabilities. Most of the flaws are in the ACP (which obviously requires ACP access, which should only be handed out to trusted users), and there is one XSS in the public facing side. All of these are to be patched in 1.8.4. SQL injections on the public facing side are taken very seriously, and when we are made aware of one we bring releases forward - usually releasing within 1 day of us being made aware.
 

Ryan Ashbrook

IPS Developer
Joined
Jan 26, 2004
Messages
3,533
Yeah, the problem is that @Mybb_Brandon could come along, slap a MyBB logo on as an avatar and start playing the part, and people would think they were an official team member...

We do need to think of a solution, we'll be looking into it as soon as we have control back.
I would recommend LastPass. You can share the login among other LastPass users while allowing it to be secure, and not needing it to be stored anywhere at any point in time. This also applies to other things where a joint account needs to be used.
 