Is the MySql databases already restored from backup at this moment?
Besides the MySql databases backups are there also backups made / available of all the PHP scripts (and all other needed files) involved in running this forum? And are those backups restored as well as we speak?
Hmmm, the forum almost looks like abandoned. Not much member activity and no new members today . . .
Zorkas is speaking from experience with his own website which also uses SMF software.
We haven’t had any details from Comodo other than they are working on it. I am sorry I can’t provide more information… I’d love to know and share with you guys.
In this case it is a hacking of the MySql database where the user IDs containing the name (nickname), the email, the password, the IP
The password is coded SHA-1.
It is not interesting for the hacker to decipher the password (SHA-1) because it has been reset by the administrator.
Concerning IPs, many are dynamic so with change by the ISP periodically.
The only interest is the e-mails which often on a forum are only pseudonyms.
In the case of a database hack, you have to search the connection logs on the server to deduce the source, I think Comodo takes care of it to find the flaw, it takes time.
There is no point in rushing a restoration until safety is restored.
For the PHP language, like all programming, it has security updates that must be applied in relation to SMF, which has also undergone updates.
The PHP <=> MySql relationship needs to be upgraded on both sides to avoid hacking
Only administrators have the rights to access the configuration - repair - upgrade - backup of an SMF forum.
Understandably that restoration takes time and that Comodo needs time to find the source of the attack so that they can investigate it further and hand it over to higher authorities.
Of course safety comes first, no need to rush things.
You say that “The only interest is the e-mails …” can you elaborate on why this is valuable to the attacker?
I mean if they are not interested in deciphering the database passwords how would they make money from the database then?
They are after making money and without knowing the correct passwords they can’t do anything with both the user profiles and their emails addresses.
What’s the point ?
To know the emails, it allows to try to hack and to know the messages on the server where the mailbox is hosted.
The resale value for an attacker is the utility of the SQL database and its importance
The value is subject to the profile of the company and its employees, here it’s not a bank or the white house so it’s a lesser value.
It is above all the fact of inducing a piracy effect to reduce the value of the company that is most important, I think…
Hacking a Security Company is ‘usually’ a challenge and gives them prestige for a start, but the sale of thousands / millions of valid email addresses is valuable in its own right . . . primarily for Phishing and spam attacks
It doesn’t take many successful Phishing emails to make it very worthwhile. Run any of your old emails through here and it’s quite an eye opener: [b]Have I Been Pwned: Page not found
Clear, understood.
Liked the comparison with a bank or a white house. 
Got it.
I’ve never cheched that site.
Does it report about web-email addresses only or also about ISP-email addresses?
All emails
Another interesting thing to know would be why (seemingly) only few members (as I have noticed so far) could escape this breach and where able to reset their password (including me)?
Maybe it was all related to timing and quick responding to the password reset, just pondering…
We are wondering about this also but we don’t know either. May be the system choked on the amount of password reset messages?
Hello,
so i have registered to the forums 3 days ago with another email and then i got an email telling me that my registeration request needs to reviewed first then i get access to the forums, so after 3 days i still getting the message that my account needs approval to login to the forums. today i’ve registered with another email and it just sent me an activation link and i’m in ( current account ). so what’s the matter with my previous registration? is it lost somewhere? i need to change email of this account to the email that i’ve registered for the other one if that one is not going to get access to forum. i tried to change email in settings and it telling me that there is someone registered with that email. any admin can help fix this?
Thanks!
Hi - I wouldn’t go changing anything on your account, until potential problems with the forum access are sorted out. Once that is done we should be able to fix problem
The breach struck everyone, that’s serious matter.
I think that it could take quite some time (maybe a long time) for the investigators to check each and every user profile before they can approve and release them.
The problems with the password reset not working is likely unrelated to the breach.
With the password reset for all accounts the danger has been neutralized. That is the beauty of the password reset; there is no need to scrutinize all accounts (which is too much work).
According to the post by Vinny Troia the hack was done by using a vulnerability in vBulletin. That means the hack started at one of four other Comodo Forums using vBulletin software. Those forums have been patched to the latest version which fixes the vulnerability used in the hack. With this entry blocked and all passwords reset the danger is averted.
Doesn’t work for me by following Comodo’s instructions to re-enter password for security purposes.
The fix is just to click “Forgot password” and then to have them “e-mail you” to reset your password.
I chose a new password clicked apply and boom, done, access restored.
Thanks for letting us know. The password reset works for some and will not work for others.
When did you change your password? Shortly before you posted here?
Today.
I changed my password as soon as I clicked the “forgot password” option. Comodo immediately e-mailed me a link to choose a new password. I then followed the link and changed my password and I logged in here to post that initial reply. I wasn’t going to mess around with the other option you can choose the “secret security question” as I don’t know if I would remember.