An Eventful Morning
TL;DR: Our Vanilla Forum installation was hacked, but our VPN system was completely unaffected. Forum users should change their passwords if they are used on other sites.
Today, on November 18, 2013, on or about 5AM, we discovered a message posted across the top of our offsite forums propositioning visitors to send Bitcoin to an address to receive 10x the Bitcoins in return. Luckily, visitors of our forums are much more experienced than to fall for tactics like this.
How did it happen?
Moving into detail, the exploit was publicly announced quite some time ago as can be seen here. Our security team was aware of this issue, but the reported details of the vulnerability were incorrect. As such, our system remained vulnerable despite having been outside of the vulnerability’s report.
Our Response
We immediately found and patched the issue and, further, we examined the actions of the intruder and determined they had accessed the forum server’s SQL database.
Our strategy moving forward will be to make a number of changes to harden our frontlines in the ongoing battle to push our industry’s security best practices to new frontiers. Specifically, we will be migrating to a more secure forum system. This new, more secure forum will continue to be isolated from the rest of our systems as it has always been.
Additionally, we would like to introduce our new Private Internet Access Whitehat Alert Security Program (PIA WASP). PIA WASP will be rewarding whitehat and blackhat researchers alike who follow our program’s simple guidelines. We will reward, in name or anonymously, via any method, including Bitcoin for confirmed exploit discoveries based on their severity. Shell and SQL like access will be rewarded a minimum of $5,000 US if determined to be legitimate, unique and severe.
Finally, we have sent out an e-mail to all forum users to notify of this issue. Private Internet Access subscribers who did not use the forum are not affected in any way, shape, or form.
What Forum Users Should Not Be Worried About
Our VPN system is completely separate from our third party, offsite forum system. They are using entirely different passwords, different servers, different databases, different keys, different certificates, different software stacks, different datacenters, and, of course, there is no cross access between our forum server and VPN system. Absolutely nothing is shared.
We intentionally setup this structure from the beginning to mitigate against these types of attacks since our forums and other third party systems are built and maintained by others. We were worried about the possibility of an attack vector which would have compromised the privacy of our users, so this was setup well in advance. The forum is simply reverse proxied in order to appear to be served from the same root domain. You can learn more about reverse proxies on Wikipedia.
What Forum Users Should Do
Vanilla Forums uses 256 iterations of a salted MD5 to hash user passwords. While this is okay in practice, unfortunately, a highly determined adversary could potentially crack the password, still, if it is simple (such as a dictionary based password, etc.). It is highly advisable that you change your password on other websites if you used a common password between multiple sites, including the forum. Moving forward, it is additionally highly advisable to use a password manager that generates random, long, strong, and unique passwords for each website/service such as Last Pass with 20+ char passwords.
For Forum Users who are also Private Internet Access subscribers, please rest assured. Even if your VPN password matches your forum password and the adversary is able to somehow crack your password, this will not affect your VPN security/privacy since the password is only used for authentication. The encryption is not based on the password at all, and more details can be found on our VPN encryption page.
Ending Remarks
We greatly apologize for this happening. Luckily this was an eventuality we had planned for, and that’s why our core VPN systems remain solid and unaffected. We will continue to focus on and strengthen our security practices.
Comments are closed.
11 Comments
This kind of honesty is refreshing in this day and age of corporate deception. Your response to and handling of the situation was quick as well.
Well done!!!
Thank you for being open and honest about it, also for letting us know so fast.
I use a 21 character password with letters and numbers. Do I still have to change it?
I would just to make sure. Anytime there is a possibility, err on the side of caution. I use a 100 character password and I changed mine just to make sure although I am more than sure no one could crack it.
Thanks for letting us know so quickly. MacRumors forum which also got hacked took 5 days to write to me!