Hi, we were recently socially engineered into giving admin to a compromised user. As far as the logs say, he enabled “Data Explorer” and didn’t do anything else except impersonate a few users.
What is the impact of this incident to our forum and is there anything serious?
The impersonation can show them that user’s email without that part being logged.
As for the Data Explorer…
Almost anything can be retrieved using it, including every user’s email, IP, PASSWORDS (well, the hash and hashing algorithm, but you can then get the password with that), etc., and it can be exported in just a click. And making and deleting queries are not logged.
I would recommend making a globally pinned post and a banner saying that a user with bad intent was given admin and their emails, IPs etc. may have been leaked to them as a result. And to CHANGE THEIR PASSWORD.
But the passwords would be hashed so that part would be safe right?
I think the algorithm that they can get (matched with the hash) would let them decrypt the hash.
Is there a way to force everyone to reset their password? I made an announcement but that’s not going to cover everyone
I do not think so. What you can do is use the API and send a password reset email to every user.
What? It’s impossible. Cryptography makes it impossible for us to restore the password from the password hash, unless social engineering is used.
To put it simply: although a leaked password hash does carry great risk, since it can help others guess the password using information such as birthday, name, phone number, etc., no one can restore the password based on the password hash alone.
What about with the salt and algorithm?
A cryptographic algorithm is like taking a picture of a password. The same person will indeed take the same photo, but the person who gets the photo cannot restore your DNA from the photo alone.
The password salt increases the security of the password, making it more difficult to be cracked by rainbow tables and other means even if it is leaked.
So even with all 3 leaked, passwords are safe?
It is not absolutely safe. If his users have very good password habits, such as not using ilovexxxx or name+birthday as passwords, these methods can greatly reduce the probability of their passwords being cracked. If users don’t have good password habits, all their accounts on all websites are at risk.
You could try resetting everyone’s passwords to random passwords in the Ruby console, which will force them to reset their passwords to log in.
Ask your admins and users to enable 2FA.
If you’re resetting everyone’s password, be sure to put up some kind of banner letting people know they need to change their password, and be prepared to expect problems with people doing that.
I think it’s misleading for this answer to be marked as the “Solution”.
I don’t think it is misleading. The question was about the impact of someone having temporarily gained admin access and the answer is that basically everything could be compromised because the attacker could have downloaded (parts of) the database without leaving a trace.
And yes, password hashes could be very hard to crack but if you have extra context (like user email addresses) and access to leaked passwords from another source then there is a chance you could piece together some things and succeed.
By “you can then get the password” with “the hash and hashing algorithm” I thought Ethan’s meaning was that armed with only the hashes and the hashing algorithm you can obtain all the passwords.
That is the meaning that I thought was intended and which I found misleading. Perhaps it’s only misleading to the uneducated. I will look into this interesting subject as soon as I get the chance!
With average users you can obtain most.
It doesn’t take much more than raw CPU to brute force using a password list once you have the hashes, salts, and no rate limiting.
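The point argued above (the hash, salt and algorithm let you check a candidate password, not reverse the hash, so weak passwords still fall to a word list) as a stand-alone Ruby example added here; it is not Discourse’s code. The PBKDF2-HMAC-SHA256 scheme, the 64,000 iteration count and the record layout are assumptions modelled on a Discourse-style setup.

```ruby
require "openssl"
require "securerandom"

# Assumed parameters: PBKDF2-HMAC-SHA256 with a random per-user salt.
# The iteration count is a constructed value for this example.
ITERATIONS = 64_000
KEY_BYTES  = 32

# Everything an exported users table would hold for one account.
PasswordRecord = Struct.new(:salt, :password_hash, :algorithm, :iterations)

def hash_password(password, salt, iterations = ITERATIONS)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_BYTES,
                             OpenSSL::Digest.new("SHA256")).unpack1("H*")
end

def create_record(password)
  salt = SecureRandom.hex(16)
  PasswordRecord.new(salt, hash_password(password, salt), "pbkdf2-sha256", ITERATIONS)
end

# Constant-time comparison so a login check does not leak how many bytes matched.
def same_hash?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The only operation the record supports, for the site and for anyone holding
# the export alike: recompute the hash for one candidate and compare. There is
# no inverse; the salt and algorithm make a guess checkable, not the hash reversible,
# and each check costs the full iteration count, which is what slows a word list down.
def guess_matches?(record, guess)
  same_hash?(record.password_hash, hash_password(guess, record.salt, record.iterations))
end

if __FILE__ == $PROGRAM_NAME
  record = create_record("ilovexxxx") # the weak-password habit named in the thread
  puts "stored record: #{record.to_h}"
  puts "guess 'ilovexxxx' matches: #{guess_matches?(record, 'ilovexxxx')}"
  puts "guess 'ilovexxxy' matches: #{guess_matches?(record, 'ilovexxxy')}"
end
```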