I got a run-of-the-mill threat spam mails addressed to the unique address I use for SitePoint this morning, and it is not listed on haveibeenpwned. So I was slightly worried they got hacked as well.
Looks like it has. Just got this email:
Dear SitePoint Member,
We have recently confirmed that SitePoint’s infrastructure was breached by a third party and some non-sensitive customer data was accessed as part of this attack.
As a precautionary measure, while we continue to investigate, we have reset passwords on all accounts and increased our required length to 10 characters. Next time you login to SitePoint you will need to create a new password.
Your browser will remain logged in if you have used our service recently. However, you can still create a new password manually by clicking on the ‘Account > Profile & Settings’ option and entering your details in the ‘Change your password’ section.
If you use Social Login (e.g. Google or Facebook), you will be able to login as normal.
If you have deactivated your SitePoint account, no action is required however we recommend you refer to the ‘What can I do to protect myself?’ section.
What information does this relate to?
At this point, we believe the accessed information mainly relates to your name, email address, hashed password, username, and IP address.
Did they get access to my Password?
All passwords are uniquely hashed and salted for security purposes and therefore much harder for malicious parties to access. Still, we recommend you update your SitePoint password.
Did they access any financial or Credit Card information?
No. There is currently no evidence your financial information was accessed at this stage. We do not store your Credit Card information in our system, we use a third party service (Stripe) for all credit card processing.
What can I do to protect myself?
We recommend that you change passwords from any other websites that may be a duplicate of your SitePoint password, just as a precaution.
How did this happen?
Investigations suggest this attack was a result of a third party tool we used to monitor our GitHub account, which was compromised by malicious parties. This allowed access through our codebase into our systems. This tool has since been removed, all of our API keys rotated and passwords changed.
What will happen next?
We are currently performing a full assessment of the data breach, and our infrastructure, and security. You will be notified of any additional changes or risks if they arise.
We are very sorry for any inconvenience this has caused. Please contact us at security@sitepoint.com if you have any further questions or concerns.
As always we appreciate your trust and support.
Thank you,
SitePoint Team
Not sure if the forums would have been affected as I don’t believe that the forums share the login system with the main site but don’t quote me on that
UPDATE: crossed out by @rpkamp as this is not true, the forums do share the passwords with the main site.
4 Likes
Well, I’ve received this email, just come to the forums and not been prompted to change my password, so I presume you are correct, the main site must be different. That seems strange, but I do recall some confusion last time I tried to do stuff on the main site.
UPDATE: quote crossed out after it was crossed out in earlier post.
Hey,
Yes they do share the system we do SSO login so you would have an account on sitepoint. You won’t be forced to reset until you are logged out. I suggest just going and doing a reset just in case. They were hashed with bcrypt but I still suggest doing an update.
Very sorry for the trouble.
4 Likes
Anything I should do for my account? I don’t have a password, I use GitHub oauth.
1 Like
Can I pre-emptively change my password while logged in? I do not see how to change my password. I tried to look everywhere. As a last resort I can logout.
You need to go to Premium to change your password and any other account settings.
1 Like
@ralf_e yes, I got an email just last night on it :
Dear SitePoint Member,
We have recently confirmed that SitePoint’s infrastructure was breached by a third party and some non-sensitive customer data was accessed as part of this attack.
As a precautionary measure, while we continue to investigate, we have reset passwords on all accounts and increased our required length to 10 characters. Next time you login to SitePoint you will need to create a new password.
Your browser will remain logged in if you have used our service recently. However, you can still create a new password manually by clicking on the ‘Account > Profile & Settings’ option and entering your details in the ‘Change your password’ section.
If you use Social Login (e.g. Google or Facebook), you will be able to login as normal.
If you have deactivated your SitePoint account, no action is required however we recommend you refer to the ‘What can I do to protect myself?’ section.
And so on… . You should change your password. Unless you have Gmail, which seems not affected, as you can still use that account to get in.
I found it. I think it is not as direct as most sites but at least I did find it.
In reply to the topic more directly, I just now read a message I received Tuesday. It claims We Are Computer Scientiest at Russia/China (Complex). It also says, in part:
But we have your all of your personel files. So we can publish it on darkweb or something.
And it says:
You can pay with bitcoin, total price is 650$
I do not use the email address exclusively for SitePoint but the uses are limited enough that it is likely I got that message due to the SitePoint hack. The good news is that we know the data they actually have is limited, not anywhere close to what they claim.
I especially like the casualness. “We can publish it on darkweb or something”.
Laziest ransom ever. But it’s All in the Delivery (YouTube - Door Monster)
3 Likes
Yikes. You would have hoped that a website which teaches web development best practices would be more secure. The problem I assume comes from the fact that the blog uses Wordpress which is notoriously insecure.
On the plus side, it’s good to see that SitePoint have been open about what happened and what data was compromised.
This may be a good time for me to remind people that they should be using a strong, unique password for every site they visit with a password manager like Bitwarden.
4 Likes
Hey Tom,
The issue was actually with a 3rd party GitHub tool that we used. They got hacked and this gave the attackers access to our private GitHub repos where we did have some secrets stored.
The fail on our part was the database was public and not behind our private VPN so that along with them having some passwords allowed them in.
We have certainly taken on the lessons from this and are now working on how to better store our secrets. We have now moved the db into private VPN. So nope was nothing to do with WordPress.
Also in the interest of information we only use WordPress to publish articles these days. The FE if the site is Gatsby and all the accounts are within our Ruby on rails application so WordPress does not do much these days.
Cheers and again to everyone very sorry for the trouble we have caused you all.
9 Likes
Private/public repo does not matter in fact. Its not the best thing to do to store secrets in repo.
Private repo is not so private as this example shows…
I didn’t get any email/s from Sitepoint, but got the usual “pay up or else”, the To: email address is ONLY used for Sitepoint, so obviously email addresses are compromised.
On another issue, yet related. My records show a secret question for the Sitepoint forums, yet I cannot find anything to edit that in the profile or elsewhere. Am I to assume the secret question is no longer used ??
Not was but IS. Its ongoing…
I got another scam email today sent to the email address used for Sitepoint and using my Sitepoint user name. So yes it continues and it is not possible to stop the use of the data that has already been compromised. Thank you for securing the site from future compromise.
So I try to update my email address. The preferences state it can be updated in my profile, and the profile has NO function to update the email address.
Also, the popups/advertisements on this forum are a PITA. It may be better for me to close the account.
Hi,
You should be able to update your email via the SitePoint profile page. Please post back here if that doesn’t work.
I hear you, but monetizing free content has unfortunately become hard. I sincerely hope you don’t end up closing your account, but if you decide that is the best course of action, let me know and I’ll pass it on to the appropriate person.
3 Likes