Hack/break-in: New login from

richb-hanover · January 16, 2021, 3:27pm

Hi folks, I’m an admin on another Discourse system, and this morning I awoke to four email messages, which indicated an unauthorized login (see sample below).

I live in NH, US, so it is correct for Discourse to have flagged this log-in from Germany. I have always used a good password (15 letter, random, which I have now changed). I am in possession of the two computers which I ever used to log in.

A few questions:

Any idea how this might have happened?
My profile page showed another login (also “from Germany…”) in the 24 hours prior to the message below. But I did not receive a notification for that login - either in my inbox or my spam folder. How might that have happened?
It appears that the attacker may have exported the user list. Is it possible to tell if it was ever downloaded?
Do you have a standard playbook/procedure for notifying users?
What other information could I provide to diagnose or investigate this?

Many thanks.

[Sorry if this isn’t the right category. @moderators - please move to the right place. Thanks.]

merefield · January 16, 2021, 3:39pm

Do you have 2FA activated? If not get that added ASAP

richb-hanover · January 16, 2021, 3:43pm

I don’t, but will activate 2FA. Any thoughts on the other questions? Thanks.

Falco · January 16, 2021, 6:54pm

Password reuse, weak passwords, keyloggers, shared wifi networks, etc

Nginx logs.

If the attacked may have obtained a backup, which needs email access too, there is What to do if your Discourse is compromised

If not, a banner topic or a topic in a category everyone is notified may suffice.

pfaffman · January 16, 2021, 11:04pm

And that was while you were asleep? It’s not possible that you got a new Ipv6 address that maxmind just had the wrong location for?

richb-hanover · January 16, 2021, 11:24pm

Thanks for the note.

Yes, I was asleep
That IPv6 address is not from my range (I take from Hurricane Electric, in the 2001:470:… range)
We have evidence that the intruder attempted to add their email to an admin account, download the user list, and get the database backup. No access was granted to the new email address; we assume they retrieved the user list; but that they could not get the latter (the database) because they had not yet got email address.

So we assume emails and handles have been compromised, but that the database has not been downloaded (nginx logs).

Are there other things we should look for? Many thanks.

Falco · January 17, 2021, 1:57am

Great to hear 3 of our protections were useful:

Invader couldn’t get backups because of the needed email flow
Invader couldn’t get admin on a email that he controls because there is emails to confirm to both addresses
Warning emails when login happens from far away

One thing that you should check is if Discourse is running the most recent version so it’s patched against any know vulnerabilities.

codinghorror · January 19, 2021, 5:49am

Yes, and each of those protections was individually added after a hard-earned lesson, so it’s especially satisfying to see them all working together in tandem!