MyBB Twitter & Staff Account Hacked.

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,133

This is currently up on their Twitter account.
From the looks of some of the screenshots on the Twitter Account, they may have compromised a staff member's account on MyBB.com.
Edit: They probably don't have links to the ACP enabled, so it could be an admin account.

A member of the development team's account was hacked (it's not clear how as we have been unable to contact them as of yet, but we're currently assuming it was via social engineering). The staff member in question does not have ACP access, but did manage to get the last used IP addresses for all staff members, which they then dumped to Pastebin. The hacker also got the Twitter login credentials from a private thread that staff team members can view and changed the Twitter email and password.
Update: It's been confirmed that a moderator's account was compromised, and that the IP addresses of all the staff were dumped on Pastebin (not sure what they're trying to accomplish with this), along with the obvious fact that the culprit compromised the Twitter account.

Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,133
I thought that MyBB was supposed to implement multi-factor authentication after the last incidents, which was supposed to stop things like this from happening again?

euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
717
I thought that MyBB was supposed to implement multi-factor authentication after the last incidents, which was supposed to stop things like this from happening again?

2FA is included in the next release, not the current release.

A member of the development team's account was hacked (it's not clear how as we have been unable to contact them as of yet, but we're currently assuming it was via social engineering). The staff member in question does not have ACP access, but did manage to get the last used IP addresses for all staff members, which they then dumped to Pastebin. The hacker also got the Twitter login credentials from a private thread that staff team members can view and changed the Twitter email and password.

We will be doing a full incident report on our blog once we know more, but I must stress that this does not seem to have been caused by a flaw within the MyBB software at this point in time. This seems to be an unfortunate incident in which a staff member was a victim of a social engineering type attack.

They have access to a staff member's account too: https://twitter.com/MyBB/status/560113166072705024

As above, the two are linked rather than being exclusive. The MyBB account seems to have been used to view the Twitter login thread we have internally. This is what actually allowed us to realise which staff member it was that was compromised as nobody else had viewed that thread in the last few days.
Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,133
The culprit still seems to be tweeting via the MyBB Twitter Account.
The hacker also got the Twitter login credentials from a private thread that staff team members can view and changed the Twitter email and password.
Well, that explains why they've been tweeting for four hours without anyone stopping them.
I assume that you probably have a way to lock them out of the Twitter account and to reclaim control..?
euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
717
The culprit still seems to be tweeting via the MyBB Twitter Account.

Well, that explains why they've been tweeting for four hours without anyone stopping them.
I assume that you probably have a way to lock them out of the Twitter account and to reclaim control..?

Yes, they seem to still have control. The only people who can do anything about this, unfortunately, are Twitter. The hacker has changed both the email and password for the account. Several team members have contacted Twitter without any kind of response or acknowledgement as of now.

Matt has just recently posted an official thread on the matter, with a blog post to follow as we know more: http://community.mybb.com/thread-166257-post-1135637.html#pid1135637

It's worth noting that the @MyBBGroup account hasn't been compromised and we still have full access to that. We will likely be using that for the time being.
R44

Asperger's Network? Absolutely.
Joined
Apr 29, 2013
Messages
1,071
Congratulations guys. You got "compromised" by a retard.

That aside, he only wanted access to the staff forum. From there he has taken the vulnerabilities. So my priority would be patching them and rolling out an update in the meantime. One staff member can continue securing Effone's account.
Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,133
Yes, they seem to still have control. The only people who can do anything about this, unfortunately, are Twitter. The hacker has changed both the email and password for the account. Several team members have contacted Twitter without any kind of response or acknowledgement as of now.

Matt has just recently posted an official thread on the matter, with a blog post to follow as we know more: http://community.mybb.com/thread-166257-post-1135637.html#pid1135637

It's worth noting that the @MyBBGroup account hasn't been compromised and we still have full access to that. We will likely be using that for the time being.
Is this statement true? Are there any unpatched exploits which they may have taken?
euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
717
Is this statement true? Are there any unpatched exploits which they may have taken?

There are a few XSS flaws that are patched for 1.8.4, but not officially released yet. There are a few other patches coming in 1.8.4 too. I don't want to release full details into the wild unless we, as a team, decide to do so.
euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
717
Congratulations guys. You got "compromised" by a retard.

That aside, he only wanted access to the staff forum. From there he has taken the vulnerabilities. So my priority would be patching them and rolling out an update in the meantime. One staff member can continue securing Effone's account.

We are working on doing just that. We don't now believe it is effone who is compromised, as the attacker states he still has access, and effone is banned.
Blind Bandit

Fanatic
Joined
Aug 24, 2008
Messages
3,485
MyBB needs to get this handled ASAP. MyBB already has a damaged reputation from this happening in the past.
BrandonSheley

loving life
Joined
Jan 2, 2006
Messages
2,603
I'm surprised they didn't have 2-factor set up on their Twitter account with all the recent issues MyBB has had in the last year.
With that said, it's very easy for them to get back their account. It may take Twitter 2 or 3 days, but they can get it back and hopefully secure it this time.
euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
717
I'm famous :D

On Twitter? I wouldn't listen to him. He is deranged.

We have to take everything said to be true to be sure. We can't just assume these things, we have to assume the worst.

I'm surprised they didn't have 2-factor set up on their Twitter account with all the recent issues MyBB has had in the last year.
With that said, it's very easy for them to get back their account. It may take Twitter 2 or 3 days, but they can get it back and hopefully secure it this time.

Enabling 2FA is problematic as the Twitter account is shared between all team members who've been with us for more than 3 months. Anybody on staff can use the account to provide quick support and to post updates. 2FA just doesn't work in this scenario.
Azareal

The AtomBB Overlord
Joined
Mar 7, 2010
Messages
1,133
We are working on doing just that. We don't now believe it is effone who is compromised, as the attacker states he still has access, and effone is banned.
Even if he's telling the truth, there's always the possibility that several accounts were compromised.
BrandonSheley

loving life
Joined
Jan 2, 2006
Messages
2,603
Enabling 2FA is problematic as the Twitter account is shared between all team members who've been with us for more than 3 months. Anybody on staff can use the account to provide quick support and to post updates. 2FA just doesn't work in this scenario.

They need to rethink this approach then ;)

@Mybb_bob can provide support just the same as @Mybb_jim can.
euantor

MyBB Lead Developer
Joined
Jul 23, 2009
Messages
717
There's a possibility, which is why we're scouring server access logs for new IPs for all staff members.
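One way to do the log sweep euantor describes (new IPs per staff account, then which of those sessions touched the private staff thread), written here as an added example; it is not MyBB's code. It assumes a constructed log format that carries the authenticated username on each line, a constructed per-user IP baseline, and invented staff names.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real MyBB data). Assumption: each line carries the
# timestamp, client IP, authenticated forum username, method and request path.
SAMPLE_LOG = """\
2015-01-26T10:15:02 198.51.100.7 staff_alice GET /forumdisplay.php?fid=9
2015-01-26T11:02:41 198.51.100.7 staff_alice POST /newreply.php
2015-01-27T03:44:19 203.0.113.55 staff_bob GET /showthread.php?tid=1
2015-01-27T03:45:02 203.0.113.55 staff_bob GET /showthread.php?tid=1
2015-01-27T09:10:00 192.0.2.20 staff_carol GET /index.php
"""

# Constructed baseline: IPs each staff account had used before the incident window.
BASELINE = {
    "staff_alice": {"198.51.100.7"},
    "staff_bob": {"198.51.100.9"},
    "staff_carol": {"192.0.2.20"},
}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+)$")

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_new_ips(log_text, baseline, since=None):
    """Return {user: {ip: first_seen_ts}} for IPs absent from that user's baseline (ISO timestamps compare lexically)."""
    new = defaultdict(dict)
    for rec in parse_log(log_text):
        if since and rec["ts"] < since:
            continue
        if rec["ip"] in baseline.get(rec["user"], set()):
            continue
        new[rec["user"]].setdefault(rec["ip"], rec["ts"])
    return dict(new)

def sensitive_hits(log_text, new_ips, sensitive_paths):
    """List de-duplicated (user, ip, path) requests from a new IP that touched a sensitive path."""
    seen, hits = set(), []
    for rec in parse_log(log_text):
        key = (rec["user"], rec["ip"], rec["path"])
        if rec["ip"] in new_ips.get(rec["user"], {}) and rec["path"] in sensitive_paths and key not in seen:
            seen.add(key)
            hits.append(key)
    return hits
```

Here `/showthread.php?tid=1` stands in for the private Twitter-credentials thread: the second function answers the question the team used to identify the compromised account, namely who viewed that thread from an address they had never used before.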