It was confirmed that the forums database was compromised during the attack led against us yesterday and that the attackers acquired a copy of it. If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.
The database contains the following sensitive information:
- Your forums username
- An encrypted copy of your forums password
- Your email address
- Any personal information you might have put in your signature/profile/etc…
- Any personal information you might have written on the forums (including private topics and private messages)
People primarily at risk are people whose forums password is the same as their email password or as the password they use on popular or sensitive websites. Although the passwords cannot be decrypted, they can be brute-forced (found by trial) if they are simple enough or guessed if they relate to personal information.
Out of precaution we recommend all forums users change their passwords.
While changing your passwords, please start with your email password and do not use the same password on different websites.
90% of my passwords are different and complex, including my forums password, and the forums are also currently down. Should I change my password once they go back up?
Hope WordPress can fix the bug
Edit by Clem: The forums will likely go back up on a different server, with a policy to enforce strong passwords and with all accounts required to change their password before being able to log in (we’ll need to check how that’s done with phpBB but that’s the intention).
Dude, your blog is running WP 4.2.2, which has known security vulnerabilities. Is linuxmint.com running the same version? Perhaps it’s time to update…
> If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.
How is that possible if the forum website is down? Is there some other method of resetting the password?
Edit by Clem: Change your passwords on other websites.
Were the passwords stored salted or just plain hash?
Hi Clem.
What’s the situation with the password for http://community.linuxmint.com/? Does it also need to be changed?
Edit by Clem: It’s a different server. That being said, any server (including other websites than ours) can be hacked. Some are harder than others but they’re never 100% safe. Don’t use the same password on multiple websites.
There’s no sense in changing passwords if the compromised one isn’t used anywhere else, right?
http://www.linuxmint.com/start/rosa/ Unable to connect
I do not see my comment from the rosa os, and your form withheld the letters from the word dont nt and when I was typing it lost a the letter t.
Anyway, hackers should be forced to step outside for a real-life lesson, if they are not paid to test or keep safe.
let the governments have them.
Ubuntu 15.10, I do not like it
Clem, did the site use Salt (and maybe even Pepper)? And a strong cipher like bcrypt? Or which one?
A total disclosure is important IMHO in such situations.
hey clem…
i still love linuxmint but please make the website more secure like the fedora site https pgp signed….
if you are at it, you can make a better design also….
sorry for my bad english 😀 ^^
dear
abat
I have an idea on how to alert users if the backdoor is on their system:
Release a package to the Linux Mint repo, that is installed on everyone’s systems once they update. Once installed, it detects if the backdoor is on their system, and if it is, it displays a permanent message box asking users to reinstall.
We really need a synonym for hashed that sounds secure to the layman without giving people who know a bit about cryptography the impression that you might be using AES to encrypt your passwords or something.
I suppose “cryptographically hashed” is almost too much to type, but gives the right impression to both laymen and those familiar with proper password storage.
On the other hand, if you just mention that the passwords were run through Argon2, Scrypt, or whatever, then people who know will know and those who care to know will read on Wikipedia. Sadly, people who don’t care to know are unlikely to choose passwords strong enough that Argon2 or Scrypt will do them much good anyway. People who freak out over the difference between a proper password hash function / KDF and a plain cryptographic hash function probably have high enough entropy passwords that they aren’t personally affected by the difference. (My LinkedIn password was stolen, but it’s 96 bits of entropy from /dev/urandom and not used anywhere else, so I hope some cracker is still grinding away on that one.)
Yesterday afternoon (Feb. 20, around 15:00 EST), I created two posts in the linuxmint forums.
I couldn’t comprehend WHY the usual notifications from admin at linuxmint.com were being tossed by gmail into my spam folder, so I marked as “not spam” and moved them to my inbox. NOW I know why!
QUESTIONS: I had upgraded my 17.2 XFCE-32 bit to 17.3 on my Asus netbook shortly before this.
1) Should I be concerned?
2) Should I move those notification emails back to the spam folder and / or delete them outright?
3) Is there some way to change my password for the forums …given that I _still cannot access_ the site?
This sucks. I wonder if it was Big Brother (CIA, DOD, etc..)
I add a random symbol and number to the end of my passwords, different on every single site. It helps some.
mynormalpassword&2
@Clem: Please advise the community about the algorithm used to hash passwords (and fix “An encrypted copy of your forums password” < :%s/encrypted/hashed/g).
It _should be_ blowfish-based bcrypt since PHPBB hashing function is based on PHPASS (http://www.openwall.com/phpass/). Please confirm.
Hope you guys have setup the database user with minimum permissions. "show grant lms14" ?
plata, that is correct (if you’re using random unique passwords) you just need to change the Mint one
your email password should never match or even closely resemble any other password (same for money related sites)
@ #5 – PHPBB by default uses md5 hashing to encrypt the passwords, IIRC.
There *is* a function in PHPBB’s ACP under “User Registration Settings” that can force a password change every X days, however it’d only be useful if a user actually logs in. There are also settings to define complexity/length of the password… but again, if a user doesn’t log in frequently, it won’t do much. There doesn’t seem to be a plugin to force a one-time password change that I’ve been able to find.
What I’d suggest is to overwrite the password field in the SQL database so that nobody can log in. Put up a notice that users must reset their password, and provide instructions for the user to click the “I forgot my password” link so the system will generate a new PW and send to the registered email that was used when the account was generated. They can always change the password after they’ve logged in with the temporary one. There are sure to be some cases that need to be handled manually, but that should catch the majority of users that actually log in to the forums?
hi guys,
do you know when the fix will be done to download a new copy of mint?
Are the hackers able to use IP or MAC address (or any data Mint forum has about us) of the forum users in order to attack them? Just asking, I’m not familiar with any technical details of web security and I’d like to know if we’re safe
You should probably post this notice on the Linux Mint Facebook/Twitter, as well
According to this guy, testcees, from the Dutch Ubuntu-NL forum the Linux Mint forum database (incl. password hash) is apparently already for sale on the black market/circuit:
https://forum.ubuntu-nl.org/index.php?topic=96196.msg975926#msg975926
🙁
Looks like your forums were compromised a month ago. 🙁
https://twitter.com/ChunkrGames/status/688346150622081024
Are you saying that you did NOT salt the password hashes?
All this will have huge negative impact on Mint’s popularity, I am afraid 🙁 And maybe that’s the real motive for this attack. It’s hard for me to accept that all this hacking exercise is only to spread a stupid outdated trojan.
I changed the pw on the community.linuxmint.com Site. This was working fine. But I could not find the place to change the e-mail address. Is this linked with the Forum?
@ Mr. B
since my password is unique to that forum (and I never put personal data in my profile or posts) the worst I expect is that I may get some more spam. annoying, but BFD
@ Clem
No idea if this is real or just somebody who wants to take credit, but thought I’d bring it to your attention:
http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
Though personally, it seems as if the hacker is so proud of himself, he can’t stand it. Guess he wants the attention
I do have an account, but never posted a topic. I am not getting the website to change my password, hoping it will be resolved soon…..
@Clem: If the live DVD is installed, then your system is obviously compromised but what if you only booted the live DVD and you didn’t install from it? Would that constitute a problem as well?
Make sure you report them to law enforcement, they’re actively selling our information online!
For the love of god put a placeholder up on the www. site – this is not inspiring confidence or making the Linux community look good at all!
i change my password in http://community.linuxmint.com/
I have just one question; Were passwords encrypted or hashed?
Byebye no more mint for me.
Maybe http://www.linuxmint.com should point to blog.linuxmint.com as long as the website is offline.
Please clarify which algorithm you used for hashing passwords within your forum software and how passwords were salted (including the entropy of salts). When you “lose” the contents of your database, this should prompt *full* disclosure and transparency on your side so everyone can assess for themselves just how badly you screwed up. In case you used sub-par protection of user credentials, please clarify which process and improvements you will deploy in order to avoid this sort of incident happening a second time.
“An encrypted copy of your forums password”
Why do you store an encrypted password? Isn’t a salted hash appropriate?
Hello Clement! If there can be any good in this story, it might be that there cannot be greatness in this world without sacrifices and stupid ppl around.
That being said, I ditched WP a long time ago for the same poor code problems, and far from being complete, I started along the jedi path with a brand new CMS of my own without exposing php files towards the world.
index.php looks like
&1″);
print_r($output);
?>
from this point, it is the sh file’s job to read stdin (user wish) and to simply sed and replace html.template to html output and generate pure html, even read sql database, totally invisible.
In this way, no php security is involved, only php?id=value is passed along.
As long as my server runs linux I am happy with it.
Maybe it is an old idea, I would surely like to see it spread
Hope to hear good news Clement, and keep up the very good job!
seems that php code is forbidden, sorry abt that!
Why is the Home page blocked?
Unable to connect
Firefox can’t establish a connection to the server at http://www.linuxmint.com.
DuLac,
It’s down because Clem shut down the server because the site and forum were hacked too. Read the blogposts and other news sites a bit.
I would like to know if the donations information was also gleaned.
Edit by Clem: We don’t know for sure. They left a dump behind and it contained the forums user table, they might have taken more but we can’t confirm it.
Thought it was pretty obvious what this was about….
intentional damage to mints reputation….wonder what corporation would pay a hacker to do that hmmmm?
Hey!
I think that someone who managed to get unrecognized access to the server and the whole forum database for more than a month also will be able to decrypt the passwords. I am also interested in Robin’s question here: “Were passwords encrypted or hashed?”
I can understand that this can happen to anyone, but I am a bit angry that no one of the staff listened to the warning and informed the community earlier:
https://twitter.com/ChunkrGames/status/688346150622081024
It is likely that the passwords have been tried for at least your mail account. I did get a lot of messages lately that someone tried to log into my mail account, which is connected to the Mint forums, with a bad password!
By the way.. It could be likely that it has been two different groups of people attacking Mint.. As already pointed out by different sources the guys from Bulgaria don’t seem to be very experienced, so maybe they just bought the data from another guy who managed to break into the system already in January.. Why else would someone wait for more than a month to attack? But for this you would also need to investigate the attack in January.
For me it sounds like you are already investigating it and work hard solving the situation and finding a solution for the future… I just wanted to share a possible theory found on linuxmintusers.de and the fact that it seems that you’ve been attacked for a longer period than you thought!
Purported hash type used:
“It’s understood that the site used PHPass to hash the passwords, which can be cracked.”
zdnet .com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
openwall .com/phpass/
github .com/micahflee/phpass_crack/blob/master/README
@ #10 Arun:
“I do have an account, but never posted a topic. I am not getting the website to change my password…”
If you created an account, then whoever hacked into the site has an encrypted version of your password.
Linuxmint team is suggesting that you change your passwords to OTHER sites (especially your email account) right away if they used the SAME password that you used for your Linux Mint forums account.
@ #12 Robin:
Passwords were encrypted.
@ #13 DuLac:
As Mr. B noted: The Linux Mint team is trying to clear up the security holes on their server and with their installation of WordPress. To do this thoroughly, they needed to shut down their server temporarily.
~
Again, the most important part is that if you used the SAME password on OTHER SITES as you used for your Linux Mint Forums registration, then you need to change that password ON THOSE OTHER SITES right away.
Did this attack affect the donation site in any way? Is there an ETA on the forums so i can see if i had registered an account?
Edit by Clem: The dump which was left behind was of the forums user table. That said, they had access to our server so it’s possible they looked at donation data.
It seems to me, sickening as it is. The only way to combat this stuff, is for the open source community, to build a response team. Dedicated only to going after people who hack our software, and ruin them. I’m tired of this crap, every day, it comes from somewhere else. Let’s stop patching and rebuilding our sites and go after them.
Will the forum login be protected with an SSL going forward, to protect the new passwords from being sniffed?
In an interview the hacker (called “peace”) said (s)he/they would not reveal the vulnerability they exploited in the linuxmint.com site in case they “needed it in the future”. Have you found the method they used? I don’t want to know what it was, but just if you know what happened and how to remedy the situation.
It’s a good idea to use a password manager to ensure that all websites you use have different password. Keepass is a good example.
Since I use it this site is the only one affected so soon as it’s back up will change it.
Thanks for letting us know what is going on.
This is really bad reputation for Linux Mint and its community. No idea how to recover it again. “once on the internet always on the internet”
I see my comment is still awaiting moderation, but you’ve posted this notice on Facebook. Wanted to thank you for doing that.
@ 7. Ross
Linux Mint is the distro that has made using Linux enjoyable, that so many things work correctly as default, etc. I do remember in other distros how much work is it to get to the same level as Linux Mint, if that is at all possible. I did stop reading those distro-hopper badmouthing discussions going on elsewhere, they don’t seem to recognize all the good Linux Mint has brought to people.
Lucky me. All my passwords are unique. And the email is known anyway. So I won’t change anything.
As for “All this will have huge negative impact on Mints popularity, I am afraid”: Contrarywise, this will happen sooner or later to all popular distros. There is no absolute safety. The linuxmint team learns from this experience how to deal with it and how to improve. That awareness even can have a positive impact on Mint’s popularity.
It is a PR problem for Linux, which was always said to be so safe, which I did not always believe by the way.
For the rest: it is good that it happened, it will harden Linux.
By the way, I can’t reach the Mint Forum. But I hope that is timely.
how i can change my pass? The site is down
First of all – All my kudos to Clem and the Mint team trying to handle this situation. Probably chaos with all the fallout.
– What happened? What was compromised and how does Mint get our community up and running as fast as possible…? –
Keep it up guys! You know we are thousands ++ rooting for you.
If you just could take five minutes out of your crazy day just now and then to update this blog I would love that. We are multiple Mint users/followers/etc getting more and more nervous for every hour without news. Me and plenty of others are using Mint as our main OS.
I hope you see my point clem. Thanks
Regards
I have long felt that a big part of Linux’s protection against this kind of attack is that it’s not that popular, and therefore doesn’t offer as many potential targets. As Linux gets more popular, there will be more of this.
And, as one of the more popular Linux distros, Mint offers one of the more tempting targets.
And there’s the factor of high-value targets- is there money to be made?
It’s clear that the hacker thought he could make some money on the dark web from this exploit- an early article on the problem:
http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
Hi all, Clem. Please allow this comment.
We are targeting the attackers. They are (at least) 4 people from 2 countries. As a preliminary statement, they all have some talking with Canonical and a group from IRC called something like “DmgUx” (something related to that).
Our preliminary investigations point us to the idea that they are doing some kind of “job” for other Linux competitors and all is pointing that there are some other attacks coming next on other distros out there.
At least there are 3 distros/partners to consider getting attacked this month: BlueSystems, Suse and SteamOS (but this one I highly doubt they will do something) … I don’t know if it’s for sure, but it’s for consideration..
The point of the Linux Mint attack is for bad marketing purposes. With LinuxMint getting hacked Mint will lose members, customers and, maybe, partners. That’s the case here and the only objective of this attack. No matter what people claim on the internet, that’s the fact.
The guy on facebook (someone posted a picture) is just an a$$hole trying to get some attention and he is not related to this attack (not directly). The interview on ZDNET is fake (at least not the real deal with one of the real attackers).
It’s time for Linux to concentrate efforts on isolating itself from other distros and backers such as Canonical, and invest in infrastructure to release a new website with more security and reliability. WordPress is a mess and a great meal for attackers. Consider pure HTML5, pure own development in PHP or keep getting in trouble for the near future.
My understanding is that this attack will not make Mint’s reputation fade away nor make it a bad deal for new users. But it’s an alert for others too.
It’s not that Linux is open that it has no attention from others. And the big problem lies on the neighbors as derivatives, competitors on this little market that desktop with Linux is and the own team working with bad intentions, as it is on LinuxMint (my guess). There is one guy sending some data from linux to others (again, only assumption based on some data collected here and there). Keep one eye on it, just in case..
I’m working (every now and then) on a team of good people who like to solve puzzles and make chaos in the bad people’s heads…
Just a quick note to reply to questions about the passwords.
The passwords cannot be “decrypted” (I was too vague when I said they were “encrypted”), they are hashed and salted. However, the method to go from the clear password entered by the user to what is stored in the database is deterministic and available. The salts are also stored and available to the hacker. So the same way phpbb is able to compare what you type with what’s in the database to know if it’s a match, the hackers are able to compare what they guess (and that’s automated with dictionaries and lists of simple/common passwords) with what they see in their DB dump. What’s really important here is that it is possible for them to find-match passwords. It’s a matter of time, effort and password complexity but the end result from your point of view should be the same: If you’re using this password anywhere else, please change it on all other websites.
Somebody also asked if IP addresses were part of the dump. Yes, the forums store the IP you used during your last connection. Regarding some of the information it depends on whether or not you put it in your profile, for instance birthday information was set on around 9% of the accounts.
In the DB dump that the hackers left behind them, the only table was the forums users table. That doesn’t mean they didn’t make more dumps though, so it’s possible they also dumped topics, messages etc.
Finally, for people who can’t remember whether they had a forums account, or even for people whose password with us was secure, please go and check whether your email was breached at https://haveibeenpwned.com/.
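The property Clem describes in the reply above, shown as an added example (not code from phpBB or from the Linux Mint team): the login check is deterministic given the stored salt, so a per-account salt hides shared passwords but does not protect a password that appears on a common-password list. PBKDF2-HMAC-SHA256 stands in here for the forum's real hashing scheme, and the user names, passwords and word list are constructed; a site operator can run the same check over their own table to decide which accounts need a forced reset.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for the forum's actual scheme.
DEFAULT_ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Build the record a site stores: salt, work factor and digest, none secret."""
    if salt is None:
        salt = os.urandom(16)  # unique per account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password, record):
    """Login check: recompute from the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def accounts_needing_reset(user_table, common_passwords):
    """Operator-side audit: flag accounts whose stored record matches an
    entry of a common-password list, using nothing but verify()."""
    flagged = []
    for username, record in user_table.items():
        if any(verify(word, record) for word in common_passwords):
            flagged.append(username)
    return sorted(flagged)


def pbkdf2_rounds(user_table, common_passwords):
    """Total PBKDF2 iterations needed to test the whole list against every
    account. Salts force the work to be repeated per account; the iteration
    count multiplies it. Neither helps a password that is on the list."""
    per_word = sum(record["iterations"] for record in user_table.values())
    return per_word * len(common_passwords)


# Constructed sample data (not real accounts or real passwords).
SAMPLE_COMMON = ["123456", "password", "qwerty", "linuxmint1"]


def build_sample_table(iterations=5_000):
    """Two accounts share a weak password, one has a random one.
    The low iteration count only keeps the demonstration fast."""
    return {
        "alice": hash_password("linuxmint1", iterations=iterations),
        "bob": hash_password("linuxmint1", iterations=iterations),
        "carol": hash_password(os.urandom(12).hex(), iterations=iterations),
    }


if __name__ == "__main__":
    table = build_sample_table()
    # Same password, different salts: the stored digests do not match.
    print("digests equal:", table["alice"]["digest"] == table["bob"]["digest"])
    print("flag for reset:", accounts_needing_reset(table, SAMPLE_COMMON))
    print("PBKDF2 rounds spent:", pbkdf2_rounds(table, SAMPLE_COMMON))
```
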
Must have been a tough week! Shit happens; but once you clean up, things are fresh and clean. Take your time. We’ll wait 🙂
Thanks for this wonderful OS.
I also have a hunch from the smell of this that the aim here was to damage Mint’s reputation.
@Yro: I hope you find their identity and I hope you’re wrong about their association with Canonical. In any case, you should not mention this publicly until you’re absolutely sure about it. We have data on the hackers as well but nothing linking them to any organization, we passed this on to security experts and police officers dedicated to cybercrime as this isn’t our domain.
>”I also have a hunch from the smell of this that the aim here was to damage Mint’s reputation.”
I concur. I have seen no other logical motive. But, assuming Yro is right – and without source data how can we be sure his isn’t a “wind up?” – it would have been better not to name parties.
We have to wait for confirmed findings from Clem.
As I have said elsewhere, when the website is back up, let’s all donate something, just $5 or so to show support for Mint, reduce the pain for Clem and co. and raise Mint’s profile with reports of its community standing by Clem and Mint.
I hope the next headline on Mint will be:
“Record number of donations to Mint as user base stands by their distro” or some such.
Hey Clem
Hope all is getting better through this for you.
I got an upgrade appearing just wondering if it is safe to update or not yet, it is for the cpio package.
Just thought I would double check before doing anything and to let you know in case this something that shouldn’t be happening.
All the best to you and the team.
Edit by Clem: That’s an update from upstream isn’t it? You can check with “apt policy cpio”.
>”This is really bad reputation for Linux Mint and its community. No idea how to recover it again. “once on the internet always on the internet”
Naw – it’s not *that* bad. The amount of times Windows has fallen over and Microsoft have come back. And this was not even a flaw in Mint – it was the website.
I will grant there will be a period of FUD and Clem and co. are going to have to work fast and hard on beefing up website security. But news gets old fast.
As I say, we can help with the next set of headlines.
My email shows as being pwned. It didn’t this morning, but does this afternoon. Is there anything I should do besides changing any identical or similar passwords on other sites and changing my LM Forums pw when the site comes back up? Do I need to subscribe to an identity protection service?
An annoyance, but it certainly won’t affect my extremely high opinion of Mint. Thanks to Clem et al for fighting this. Must be a tough time right now.
#67
Thanks Clem much appreciated yup its upstream good to go.
I’ll have to come up with a special mdm after this is over, this kind of makes me want to do more now just because of this for support in some way.
Cheering for a good recovery, things to note:
>> We are targeting the real attackers. They are (at least) 4 people from 2 countries. As a preliminary statement, they all have some talking with Canonical and a group from IRC called something like “DmgUx” (something related to that). This is what the authorities are saying and they have some great leads, because the hacker left breadcrumb tracks.
Where is this info from ? and the ZDNET article is false ? Contacted ZDNET for comment waiting on reply.
The bad thing is even this blog is vulnerable,
Clem: I emailed you some security tips for your site if you stay with WordPress –
I recommend not hosting this on your own server – that allows a big tech firm to do the protection, the directory you mention /var/ something is your server not part of WordPress, moving it to a secure host, will help you stop the hackers
also it might give you an option of making an ftp site through the host you choose, so you get clean downloads going again, a big step, since you’re still down.
but you have WordPress in this theme, in the footer, in the public accessible login, they need to be locked down with the security tools I sent you in an email
also the forums, i would create a new forum, hosted on a 1and1 server or secure host, not your own server. Let this new forum, help with important info, like in this case, this blog and comments
when you get the old forum up, i would make it an archive or migrate the threads to the new forum.
I tried to reach out to the author of this blog theme, no email reply, so possibly you want to get a more secure theme for your blog also.
Do you have some partners, I think you do, hope they can help you, wish I was around, I could help you secure your WordPress site, security is not a problem, if you know what you are doing and keep it off your own servers.
also sophos and other companies make good antivirus, firewalls etc for servers if you choose to keep your server.
I am sure you are making the right choices.. hope you’re back up soon, meanwhile I must find an older version of the .iso
Sorry Clem to say things like that in public but I’m afraid people need to have at least a clue. Will see what happens and we will decide to turn everything we have public or private. If all goes private, I’ll send it to you by e-mail so you can use everything as proof to go to the proper police offices in your country as well as the servers’ local partners so they can take action too.
As how things stand right now, I feel that everything is real and the proofs are standing unfortunately well..
If someone comes to you with apologies, please tell me by private mail, not this one used in here. You have it as I sent e-mails months ago about these kids..
The comment above about ZDnet must be incorrect, I posted it as a comment, then emailed the editor that the story was false, linked to this blog, and guess what, my comment was removed. Did not get email from the editor yet. Either it is not correct or ZDnet owned by CBS doesn’t care.
seems like a great fix for security of the downloads checksum is outdated and unsecure according to this guy https://www.linkedin.com/pulse/linux-mint-iso-images-compromised-peter-gamache-cissp
Whatever security protocols you implement, please stay far, far away from the nightmare known as cloudflare …..
Edit by Clem: Hi, please elaborate on this. Are you saying this for technical or political/moral reasons?
In addition to fixing any security holes, I’d give some serious consideration to …
a) Opening a new and secure avenue for accepting “emergency” donations.
b) Asking the million or so Mint users to donate $5 each to an “emergency” fund.
c) Putting a $100,000 bounty on the head of the person or persons responsible for hacking the site, payable to anyone whose specific information leads to their arrest and prosecution.
d) Waiting for the fun to begin. 🙂
I realize this may not be the best place to ask, but is the Linux Mint forum also shut down? I get the web page is not available message when going to http://forums.linuxmint.com/viewforum.php?f=208
Not sure if related, but for the last 2 weeks I’ve tried to get a login id for that forum when it was working. However, I get to the part where I’m supposed to receive validation to my email I never get anything. I don’t have trouble with any other forums. Is it because I have USA email or is the forum new id function broken?
I don’t have very much money, but I do have a lot of time, I will be glad to help out in any way I can.
Just don’t ask me to write programs, the last language I used was Pascal 🙂
Maybe a dumb question, but any idea what the timeframe was on the attack? I couldn’t remember my PW and reset it the morning of the 20th to a new generated complex one. Just curious if it was before or after the attack.
THERE IS NO SUCH THING AS A SAFE WEB FORUM
Hi, All
(sorry for bad english)
Thanks for your work, Mint team. That’s all I want to say…
One more thing, when the website is back online I will make a donation as I have already done.
Regards
Nicolas
@77 Jamaica Man: It’s way cheaper to pay for a full-time sysadmin to take care of updates and stuff. 🙂
I hope someone will take care of this full-time from now on. Considering how many (sub)domains Linux Mint has, it’s plenty of work to update and keep an eye on everything. It’s the OS, the CMS’, the frameworks, the add-ons, the logs, everything counts.
@78 don: Yes it is offline now.
@don,
Yes, Clem shut down the servers for the LM web site, which includes the forums. It appears the blog and community sites are on different servers since they are both still up (and were not compromised as far as anyone knows).
@Brent,
I don’t know for certain, but from what info we have I’m guessing the forum database was downloaded prior to the ISO hack (so, before the 20th), which means your password change was probably well timed.
However, if you used the same passwords anywhere else, I’d still change them on the other sites. And it’s pretty much a given that we’ll all be required to change our passwords when the forums return.
@Patrick,
There is no such thing as a safe web. We all just do what we can to protect ourselves while online. But the truth is, the only secure computer is one that is not connected to the Internet.
My username and password on the LM forums was not used anywhere else, and I use email forwarders when I register on forums so they didn’t even get my real email (I’ve already killed the forwarder).
I hope everyone else doesn’t have too much trouble from this.
Aloha
I still fully support Mint! Thanks anyway for this great distro.
I am surprised however about the use of WP for the forums,blogs etc.
Maybe Concrete5 is a good alternative?
Or what Yro (@61) suggests: building our own developed CMS. Well, I know that would take a large amount of time and/or money, but that is where my support for the idea of Jamaica Man (@77) comes in: as a response to the attack start raising funds with these 2 explicit goals:
– improve security of LM websites (showing the linux community is self-learning and getting better all the time) paying the (community-) programmers with the raised funds
– give interviews on this topic and publicly searching (chasing) the attackers. @77 suggests a 100.000 bounty…well maybe 10.000 is already enough and the other 90.000 could be used to pay Mint programmers :))
I think this debacle really highlights the need for delegation to a dedicated server administration team.
Old, vulnerable and insecure WordPress, phpBB (always a risk) on the same server, weak MySQL passwords, misconfigured SMTPD – it’s not a pretty picture. This was a ticking time-bomb. These services need proper review, separation, configuration and regular maintenance.
Whilst being open and transparent about the extent of this security breach and its implications is commendable, these schoolboy errors in security are amateurish and inexcusable. There are experienced volunteers ready to help – use them!
If I change my password on community.linuxmint.com, does it also change on the forums?
Sjur,
No – the Forums and Community Site are separate entities
I’m not sure if this has been asked before, but how do I modify my password on the Linux Mint Forums when the forums are down?
Edit by Clem: You’ll be able to do so when they come back up. That said, if the hackers manage to find your password, they won’t learn much more by logging in as you in the forums. They already have that information. What’s really at risk here is your email account, and other sensitive websites where you might have used that password or a similar one.
@Giles: phpBB has had an outstanding security record since 2007. Calling it “always a risk” is just spreading false information.
Also, if a MySQL server only allows access from the local server a weak password makes this less of an issue than people are trying to make it.
Edit by Clem: Hi, our phpbb version was outdated. We were also contacted by the PHPBB team after they learnt of the attacks to see if they could help us in any way.
Re: #87
Ok, thanks, I changed it anyway 🙂
@80 Brent:
Afaik the database was copied several times.. But at the moment there is not enough (valid) information and some of the information available seems to be troll posts (even the interview from ZDNET is wrong or Yro and his unknown sources are wrong).
Seems like there is nothing better than waiting and thanking the devs for the hard work they’re doing!
Here is the ZDNet article: http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
#10 I doubt that. I think LM does not have forced updates.
This was said:
All this will have huge negative impact on Mint’s popularity
A contrast to this thought:
This could even be an opportunity to increase support and gain additional users.
The press is hungry and demands to be fed. So be it.
When linuxmint.com returns in an improved format the team should take every opportunity to talk about it. Video interviews could be granted to the tech publications with explanations of the compromise and the new measures put in place. This could be an opening to positively expound on the transparency and dedication of the Mint team, and the continued support and oneness among members and users.
A screencast showing the location of the compromised file would be an opportunity to show the very nice Cinnamon desktop and its navigation to a world wide audience. And of course we will make sure the video gets a permanent post online.
When life deals lemons–make lemonade.
#97 Exactly! Let the ordinary see the beauty of Linux mint 🙂
Hi, so what do we do in the meantime, I have the disc I burned, but I originally downloaded it to my desktop, then transferred to a stick, then uploaded to a windows based machine to burn to a disc then back over and installed on the desktop. So I doubt the checksum would be the same?
How do we change passwords if the site is down?
Also, how safe is the site have I been pwned to check your email??
How do I know I am not putting myself out there by entering my email address into that database??
Thanks
3
@92 Mark: I stand corrected.
Perhaps I have been a member of one too many hacked forums over the years.. I think the last was vBulletin.
Regarding weak MySQL passwords: with phpBB and WordPress on the same server, I’d be concerned about multiple databases being compromised, rather than just the one.
@jake
I believe that ZDNet article is considered “erroneous” as in the “cracker” that was interviewed was a wannabe, not the real culprit.
Forum still inaccessible, so cannot change password. When will it be available again ?
Hmm. I created a new account about a month ago, just to ask a question here or there. It never was approved. Maybe I will try again after the site comes back online.
I’ve been using Linuxmint Rosa Cinnamon 17.3 for maybe a couple months, and the OS is just beautiful. (I tested the ISO with MD5SUM and also the DVD I made from it (for illegitimate “man.cy” file), they both pass)
Take your time so you can make all the correct decisions to get the website right. Maybe put up static web pages up for downloads for a while, just to keep it available.
Again, amazing job!!
Just plain sad.
Pwd was unique to the forum, not worried in that respect.
It does present a learning opportunity however, no matter where you are getting a file from, check the hash!
Clem, you still have the trust of the masses, we’ll just have to remember the basics every now and then 🙂
Still using mint. Once we know who is fully responsible, I will gladly break their hands. These groups are RATS
Several years ago, after my WinXP-system having been ruined twice by a root-kit trojan (one propagated via my dropbox connection, the other via an infected .pdf doc), i decided to give the “Lastpass” password manager a try (@ https://lastpass.com) Today, i couldn’t & wouldn’t do without it. Since many browsers’ built-in password managers aren’t exactly “attack-proof” (Firefox’ is vulnerable), i would highly recommend to y’all to step up to using external password manager, not a built-in one. In my case, after Ubuntu’s forum got looted, i simply let Lastpass cross-“validate” all my login credentials, and then made sure that every password/phrase was unique for EVERY site.
Of course, i still have to wait for Mint’s other (now-hardened) servers to come online; but then it will be a cinch to update every one of my Mint-related passwords.
Respectful request to your admin(s): configure your PHPBBS so that both lower-case AND special characters are allowed in your passwords … Imho, a minimum of 10 characters s/b required, too. Thanks for all your efforts — i pledge to donate some bucks to the Mint project a.s.a your donate-page is back online.
Response to the edit in comment 90:
Should I change my e-mail, then? I don’t want to have to, but if that’s what it requires, I’ll try.
#101
If you used the same password on the forums as your email, then yes, you should absolutely change your mail password.
@100 ByeByeXP: Don’t worry, but LastPass was hacked too, half a year ago.
http://www.theregister.co.uk/2015/06/15/lastpass_data_breach/
@kneekoo: Of course, you’re absolutely right (and I was only making a joke). System administration is definitely a full-time job.
@all41: I agree 100%. Most people see only the negatives. Plus, when this sort of thing happens, the systems that are targeted generally end up far more secure than they were before. Adversity can be a great teacher and I’m confident that the Mint team will do what’s best.
Yippee! Donations page is back up guys -let’s get cracking. Linux Mint needs our $$help$$.
Should we check with Clem to make sure it is indeed Mint’s donation page?
. . . and have donated. Feels good to stick one to the criminal(s).
One Love. One Heart. Linux Mint can’t be beat!
I need to be able to login to the forums to be able to tell what password I used for them. When will it be up again so I can find out?
I have noticed that updates may have a recent issue as well. The shield indicates that I need to update and during the process I get this message: Warning – You are about to install software that can’t be authenticated which could allow a malicious individual to damage or take control of your computer. The programming is holding back packages from the upgrade and proceeding with others. I have an image of it if you need it.
I also received an additional upgrade notice today for cpio, which is alerting me in the same way. (I have Cinnamon 17.3 32 bit) I am not upgrading anything until I hear from you. Thanks.
Unable to determine if anyone else’s download goes back earlier than 20feb2016. I downloaded Linux Mint on 16feb2016, installed it a day or so later. The MD5SUM matches. It is gone now. I will wait a bit for the healthier version. Many thanks for your efforts but needed you to know that it goes back at least to 16feb.
Do you think this “Hacker drama” will delay Mint 18.0/17.4?
@Jamaica Man–exactly. The Mint team should also seek opinions of public relations and press management types–this could be a double-win opportunity
@66 I was thinking the same thing. I think that we can all afford a little bit, even those of us pretty destitute. I’ve been discussing this with a friend, and considering that much of what is going on is volunteer based and has no giant company behind it, it gave them confidence in Clem and the team.
When this is over, I know I will be giving at least $5 dollars to the project. I will stand by Mint. I don’t have much, but I know this will negatively impact the team, and that costs to fix this is going to go up.
I think at least a five dollar pledge to show our support is a good idea. If I remember correctly I can pay with paypal, so I will make a donation via that when this is up and running again!
First of all, thanks and appreciation for Clem and his team for handling this security issue swiftly and transparently.
I noticed, however, that some LM users did not get the info about the hack directly from the blog. Some actually only found out when they were surfing the web for info. I would suggest that once this issue blows over, a drive is carried out to get more LM users to subscribe to the blog to get first hand information directly from the LM team, especially on urgent security issues like this one. This would help reduce the number of casualties. Perhaps this should even be part of the welcome screen.
Also, I notice that the main LM site is now back online. But so far there is no announcement from the LM team. Already people who wish to donate (including myself) are asking if it is safe to do so via the site. They need assurance on this. A clear note from the team would be nice.
There is also a new mintupdate coming through the Update Manager which says that it is to detect TSUNAMI and warn the user. Given what had just happened it is understandable that the LM community are a bit cautious. So a note from the LM team on this would be reassuring before we go ahead and do the update.
We know that the LM team is overwhelmed at the moment and our heart and sympathy is with you. We appreciate your sacrifice. Personally I feel this issue does not undo all the good work the team had done on this great distro. It only means that going forward, we need to pay more attention to security. Perhaps (if there is not already one) it’s time to get a team of security experts on board the team to help with administration of the sites and also to review the security of the distro itself. So far I have not faced any security issue using LM for the past (almost) two years. But it pays to be constantly vigilant.
@ttjimera That was eloquently put.
Thanks for the mintupdate update! 🙂 It will certainly help the ones affected.
@John Pongratz: you said, ‘I have noticed that updates may have a recent issue as well….’
Could the warning message you’re receiving be in relation to the Level 5 update for the Linux Kernel Headers for development? Afaik, Level 5 updates tend to warn us. I do have that update as well as cpio in my UM at the moment.
I know Clem has been saying updates are fine to run but I choose to hold off them for a bit anyway. (in agreement with @ttjimera’s #112 last sentence.)
Clem–it seems there is shyness among cautious contributors. Tell them why the donation link is trusted
I can’t believe you so callously used such a weak password for the administrator account on the forums which resulted in all of our info to wind up for sale. A day late and a dollar short. I wiped LM off my computer and moved to openSUSE. Sorry but there is no valid reason you can provide me for using such a weak password to begin with. Thanks for all your hard work on LM, but you seem to have priorities different from mine.
@John B
http://www.theregister.co.uk/2014/01/08/opensuse_forums_hacked_emails_exposed/
stuff happens … and it was not a weak password thing 🙂
Clem please post this thanks
zwhittaker (Contributor, 15 hours ago) confirms that their story is true and verified:
@obertscloud Hi, comment not deleted as you claimed — it’s here, I can see it. (Also writers/editors don’t have control over comments.) Story isn’t false. You’ll see that we had help in verifying the hacker in question, and the story was OK’d by the EIC.
Reading Clem’s blog entries I thought it was more than just one hacker.
I challenge every mint user to comment, as I have asked ZD net to comply with Clem and the Mint team, and the FBI and authorities,
http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
We really don’t know what else these hackers did at this point, you really never know, but it is clear they violated some laws.
Also recommend future versions of mint have GnuPG encryption
Clem said “please go and check whether your email was breached at https://haveibeenpwned.com/”.
Gee thanks…
Breaches you were pwned in
A “breach” is an incident where a site’s data has been illegally accessed by hackers and then released publicly. Review the types of data that were compromised (email addresses, passwords, credit cards etc.) and take appropriate action, such as changing passwords.
Linux Mint: In February 2016, the website for the Linux distro known as Linux Mint was hacked and the ISO infected with a backdoor. The site also ran a phpBB forum which was subsequently put up for sale complete with almost 145k email addresses, passwords and other personal subscriber information.
Compromised data: Avatars, Dates of birth, Email addresses, Geographic location, IP addresses, Passwords, Time zones, Website activity
How do I change my password?
I can’t log in to my account to change it!
None of my bookmarked links work (404).
Hi !
How will the changing of all passwords take place? Do you do it automatically for all users, or shall I ask for a new password when the forum is up again?
Is it possible that we will need virus protection programs for Linux (Mint) now or later?
Hey Clem, Mark here. I know this db thing is new and all, but I’d like to point out this website here: https://haveibeenpwned.com. If you have had your information leaked, it will find the site your email is leaked on. Just for users who are wondering: I found out I was posted on a db leak from another webhosting-based website forum I did not even know about, and it links to the db release breach.
Still using Linux Mint.
To those worrying about Mint with fears that virus checking is needed, malware detectors, whether Mint Linux is safe, can downloads be trusted, etc, etc.
Calm down!
NOTHING HAS CHANGED!
Mint Linux itself has not changed. Mint was not even hacked!
Nothing has changed regarding virus, the need for virus checkers or anything else.
I am using Mint Linux KDE 17.0 and continuing to use it as before.
The Mint WEBSITE was hacked!!
That’s like Google being hacked. Any data you had stored on Google is up for grabs but it has no impact on the operating system you were using to access it, be it Windows, OSX, Android or Mint.
You can use Mint in the exact same way you were before – though it’s a lesson on having different passwords for different sites.
Yes, on the 20th Feb Mint Cinnamon 64 was ‘hacked’ in the sense the weblink to the ISO image was REPLACED and the user sent to a hacked version of Mint. But we’re talking about a REPLACEMENT ISO – not a bit of malware you pick up from an update.
Absolutely NOTHING was compromised on updates, software installs, nothing.
You would be infected if you installed SPECIFICALLY mint Cinnamon 64bit edition having downloaded the ISO image on EXACTLY the 20th February – which means 99.8% of Mint users are unaffected- including me. I am a naturally nervous person and even I am completely sanguine about this. I know I have no problem and odds are – neither do you.
If you installed Mint Cinnamon 64 using an image from the 20th, get a new image, reformat the hard disk, re-install, problem solved.
If you used the same password to access the Mint forums and other sites, you should change the password on ALL sites that you used that password on. But, again, this has nothing to do with Mint itself.
Linux Mint remains as secure as it ever was. Nothing has changed. Now, the website is a whole other matter and it seems deficiencies were found and exploited – but it’s damn hard to maintain web security. But, again, this has NOTHING to do with Mint.
There is FUD flying around Mint now which is completely undeserved. Let’s keep our heads – and donate to keep the A number 1 easy to use, “it just works” (and still works) Linux distro going from strength to strength!
I will donate as soon as I can get the credit card from the wife. That may be later rather than sooner… but I will do it!
@jedinvoice: (#134 at time of writing this) “To those worrying about Mint with fears that virus checking is needed, malware detectors, whether Mint Linux is safe, can downloads be trusted, etc, etc.”
Very well explained, jedinvoice.
@Mark: (#132 at time of writing) “Hey clem Mark here I know this db thing is new….” Mark, Clem was the one who pointed us to https://haveibeenpwned.com.
My Mint forums email is used for inconsequentials like forums etc. I pwned that email address and wouldn’t you believe, I found it has been hacked before in 2013 when I used ADE.
Indeed I pwned another email of mine and it too was compromised in 2013. Did I hear of it then? Perhaps and I have forgotten.
Did you also see the top ten Breaches list on that site -some really big corporations there and none of them Open Source as far as I could tell. Sooo. . .
Let’s cut Mint some Slack. Clem and Team have been honest with us from the start and are working very, very hard, at the detriment of their health no doubt, to fix things.
While it is normal and well within our rights to be peeved and worry, let’s not be nasty to Clem. Take the actions to reset pwords for other sites if needed etc. but remember this is our community, our distro and prior to this, we were all happy with it and Clem; We’ve hit a bad patch now and unity now is essential in fighting this/these dirtbag hackers. We stand with Clem and Team.
Some of us have already donated and others have pledged to do so. Things will be better, Mark. Hang in there pal 🙂
$10 donated so I am not a complete hypocrite for once in my life.
To Mint users – keep your heads and keep the faith.
To Clem and co. – keep your sleep and keep your nerves. We’re backing you!
Hey All,
Well I just went ahead and wiped my LinuxMint regardless, I have seen some abnormalities with certain things mentioned, like the “shield” and when I went to update it stated it wasn’t from a secure source, so what I did when I did do certain updates is I checked specific sites to in fact cross-reference that particular file to see if it appeared as a valid update or patch and if it did come back with a matching date and file name then I went ahead with the download/update.
I also just installed sophos, you can get the free version from their website for “LINUX” based systems, I don’t know if it will detect rootkits but I figured I needed something and it’s better to have something than nothing. And in no way am I affiliated with sophos and again “its free” unless you want technical support.
Keep up the Great work and even though I am a 2 month at the most New user of LinuxMint I doubt that I would want any other distro on my system, I kind of tried a few of them or studied them and I found LM to be the best fit for my needs and the GUI is freaking amazing.
I look forward to when you all are back on-line, I will donate no doubt.
3
+1 @Jedinovice
+1 @xdicey
Luckily I’d adopted a policy of complex passwords unique for each site. These days it seems the only prudent approach; this event just confirms it.
Have been using Mint for some months now and am quite impressed. Just made my first donation; it won’t be the last.
Hi,
newbie here. is it already safe to download linux mint now?
thanks!
*******APPEALS TO ALL THE LINUX LOVERS about what Happened to LinuxMint Websites on FEB,20th 2016 ********
First of All;
My Deep Thanks for All the Great works the Lmint people/team and dedicated Linux Lover do here and there.
This Episode mark a starting next generation to SERIOUSLY enhance the SECURITY LEVEL in all directions. I knew as Linux will get to be famous and used that BAD GUYS will do whatever they can to Thief anything the may found for some bucks..
Chinese people, are using mostly Linux Platform instead of more Expensive commercial producer ( MS, Appl.. ). My point is not to say Chinese people are bad, **not at all**. But That Linux OS and the Leaders Distros Like Lmint are NOW Famous and used by Billions of people. That Shiny and ‘blinky’ fact that WE all are PROUD of. Paying for All Linux Communities and members efforts back from 90′ and maybe earlier up to nowadays.
==> Still I AM POSITIVELY CONVINCE THAT Bad guy ARE GOING to Hurt whereEver they can ( maybe not only Lmint Dominion) is just a Reality in few time to come, rather sooner than later..think about the past,
let’s recall shall we ?
I read (http://blog.linuxmint.com/?p=2994) that the ‘The intention of this Hack wasn’t clear’ That True. But Remember That most FIRST Intrusion are Mostly made from INSIDE to ALERT a problem to come, That is a fact from the past. Of course Not in all case, but mostly. The First Attack is mostly unintentional. Some Frustrated people who discovered it and realizing that the breach is not fixed . Do a Reasonable Attack to Draw Attention. AFTER THAT POINT, The Bad Guys, are Coming in Faster than we may think …
This is my sole point of View. I am not a Computer skilled guy, I can’t even write some javascripts (yet, I would love to though). I love to learn How Computer works in my spare-time as many of us, isn’t it ?
Nevertheless Back from 2003 I discovered Linux Far before Lmint was created. And Felt in love for the Way the Linux Community are bond together in a FREE Community to help each other to create an SOLID alternatives to Commercial Computer Software who Despite making A LOT of MONEY do not Focus Completely on Security First but Money.
This IS NOT OUR MOTTO. Sure we need reasonable Funds to do A reasonable Output, even an Excellent output in regard to the money dedicated to it compare to commercial-thinkers.
SO NOW IT IS TIME to a CALL :
A Truly BIG CALL to all Linux Community Members from the Little one to Computer well skilled one WHO want to HELP, Well LET’S HELP and Get Involve Even if is 10mins a day and to do a basic things, Every Members could Help if One Wanted to.
And I do CALL ALL LINUX’s COMMUNITY not only our Distro ‘LMINT’ but ALL who love and Want to Make Linux/UNIX operating System Always FAR in advance to other Operating system in all directions and Starting to SECURITY up to Beautiful and Handy Graphical Design.
All readers are welcome to spread the word to all other Distro they like to used too and want to gather man-power to ENHANCE SECURITY DRASTICALLY as Fast as Possible for all the Linux’s World.
This is ALL our INTEREST.
So Everyone That feels to Help,
DO IT with no DELAY !
For Linux Community EVER !
And Please Forget my French .( poor English )
–Foxy
UNDER THIS LINE IT IS NO NEED TO BE SPREAD ALL OVER the Network
——————————————————————
To Blog_Admins:
My email address is voluntary time-limited due to my untruthfulness nowadays. I do not want to -possibly- got hack as a collateral target.
Still Admin can contact me up to the March ninth
My iso for Linux Mint 17.3 Cinnamon 64 bits was downloaded in Feb 15 2016, well before the infected iso of Feb 20. (Creation date and oldest files are marked by Feb 15, so it is not a Feb 20 iso)
Clem mentioned some IP-addresses and a mystical URL (“absentvodca”) that are connected to this infection. I put the IP’s in my firewall and did a look up for the absentvodca – no IP found for it.
I put absentvodca into the /etc/hosts, like this
0.0.0.0 absentvodca
giving it an IP of 0.0.0.0 and run Wireshark after that, using Firefox to read some web sites.
Wireshark found lots of DHCP calls from absentvodca in the test, about two calls per minute (it used the IP 0.0.0.0 for absentvodca so it was harmless).
I repeated the test, now with no connection to Internet at all – and it gave the same result – a steady stream of DHCP from absentvodka!
Now the question – is my Feb 15 iso infected as well?
I followed the suggestion to update the Update Manager some days after the Linux Mint installation, and now some days after that I am offered to update that thing again. Strange?
Let’s block my IP! yay!
cu, w0lf.
.. your “firewall” seems to be overactive. We are NOT amused.
cu, w0lf.
I changed my password. All looks good.
Hi everyone,
Just a quick note to let you know that the forums are back online.
The sucuri sitecheck is flagging blog.linuxmint.com as defaced.
Clear the cache or see http://i65.tinypic.com/2myz3bb.jpg
Edit by Clem: Yes they’re aware of it, it’s a false positive.
Just testing to see if it is working here after changes for Clem as per post on forum
Per https://haveibeenpwned.com/, my e-mail address was breached. Is it safe now to rename your password on https://forums.linuxmint.com/ ?
Also, after installing the MintUpdate (detect Tsunami), what are we to expect? a message *only* if infected? Is there a manual way to locate this worm (e.g. a file in a particular folder or in a log file…)?
Edit by Clem: Yes, please change your password. Don’t use the same as anywhere else though. There will always be a risk. The forums are now isolated on a new server, protected and monitored by sucuri, and you are now protected by HTTPS when typing your password. We also forced password resets and increased password complexity requirements (so if despite all these measures they ever get leaked again, there will be none that are easy to crack). Regarding the update, it’s meant to warn people who might still be running the hacked ISO. We think that represented a few hundred people at the start and we’re hoping a lot of them heard of the events and were able to know their ISO was hacked by checking its MD5 or by finding /var/lib/man.cy in the filesystem. That update might manage to warn a few more people hopefully. We worked with Avast on this (I hope I’ll get the opportunity to talk more about Avast and Sucuri at some stage) and they also sent updates to their users and updated their antivirus to block the addresses the backdoor connects to.
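The two manual checks named in the reply above (the ISO's checksum and the /var/lib/man.cy file) can be scripted. The following is an added example, not part of the thread and not Linux Mint's or mintupdate's code; the file names and checksum list are constructed for the demo, and a real run needs the published checksum list and the path of the downloaded ISO.

```python
import hashlib
import os
import tempfile

# Indicator path named on this page, relative to the root being inspected.
MARKER = os.path.join("var", "lib", "man.cy")
HEX = set("0123456789abcdef")


def parse_checksum_list(text):
    """Parse md5sum/sha256sum output: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if name and set(digest.lower()) <= HEX:
            sums[os.path.basename(name)] = digest.lower()
    return sums


def file_digest(path, algo="md5", chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte ISO never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_iso(iso_path, checksum_text, algo="md5"):
    """Return 'match', 'mismatch', or 'unlisted' (no entry for this file name)."""
    expected = parse_checksum_list(checksum_text).get(os.path.basename(iso_path))
    if expected is None:
        return "unlisted"  # never treat a missing entry as a pass
    return "match" if file_digest(iso_path, algo) == expected else "mismatch"


def has_backdoor_marker(root="/"):
    """True if the marker file exists under root (a mounted disk or '/')."""
    return os.path.lexists(os.path.join(root, MARKER))


def demo():
    """Run every check against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "sample-good.iso")
        bad = os.path.join(tmp, "sample-tampered.iso")
        extra = os.path.join(tmp, "sample-unlisted.iso")
        payload = b"constructed image bytes\n" * 1000
        for path, data in ((good, payload), (bad, payload + b"altered\n"), (extra, payload)):
            with open(path, "wb") as fh:
                fh.write(data)
        # Constructed checksum list: both entries carry the digest of the good
        # image, standing in for a list obtained from a source other than the
        # download link itself.
        ref = file_digest(good)
        published = "# constructed\n%s  sample-good.iso\n%s *sample-tampered.iso\n" % (ref, ref)

        clean_root = os.path.join(tmp, "clean")
        hit_root = os.path.join(tmp, "hit")
        for root in (clean_root, hit_root):
            os.makedirs(os.path.join(root, "var", "lib"))
        open(os.path.join(hit_root, MARKER), "w").close()

        return {
            "good": verify_iso(good, published),
            "tampered": verify_iso(bad, published),
            "unlisted": verify_iso(extra, published),
            "clean_root": has_backdoor_marker(clean_root),
            "hit_root": has_backdoor_marker(hit_root),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, "->", result)
```

Pass `algo="sha256"` when the published list carries SHA-256 sums; the parser accepts both formats.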
. . .and my Minty world is about to become right again.
Clem and Team, thanks so very much!
Password changed, A Big Thank You to linuxmint crew for fixing the problem and to Clem who kept everyone informed.
Hmmm… forums have gone down again.
I am guessing teething trouble maintenance. I rather expected this, in fact, but just mentioning here in case Clem and co. are unaware.
Uh oh… tried reaching the forums and getting this:
Sucuri CloudProxy – Backend Server timeout
Error Code: HTTP 504
Error Message: Backend or gateway connection timeout.
Server ID: *removed*
BTW, I’m using yahoo in Mozilla. But it’s fine on another computer. It’s fine on Windows on the same computer, too. So the problem seems to be yahoo on Mint.
@darkk
I am not surprised. Just after the great Mint forum outage the website was wobbly for a couple of days. In my experience, after a major migration like this, it takes a while to iron out the system. I have seen this on every single revamped website ever! The first 24 hours the website is more down than up!
I was expecting exactly this when the forum was ‘rebooted.’
Patience. 🙂
Regarding the “MintUpdate (detect Tsunami)”: Reminds me of “Windows Defender”. Maybe not a bad idea for certain purposes, even if the need in GNU/Linux is not that big as in Windows.
Clem, care to comment on this? http://news.softpedia.com/news/linux-mint-forum-database-compromised-for-at-least-a-month-before-announcement-500901.shtml
The forum was hacked a month ago, and only now people are being told? That’s not exactly being transparent.
As a new Linux user (only since 9th February) this is confusing; how do I change my Forums password etc.. when I can’t access Linux Forums???!!
re previous: I got same problem as Darkk at comment 146….
Contacted Sucuri – no problems their end! Please help..
Despite the security breach to my e-mail address, I still trust Linux Mint. I don’t blame LM for my e-mail being stolen. It could have happened on ANY site, at ANY time.
I’ve moved most of my accounts over to a new e-mail, and will do the same for the forums once I can get to them.
Well, there is some good news and some bad news for us who have yet to change our account information.
The good news? From appearances, the Linux Mint forums have been updated to a later version of phpBB and are now back online.
The bad news? Nothing can be accessed yet, including the account Control Panels. Looks like the moderators of the forums are working feverishly to repair the damage, though, so we should be able to see the site back up soon.
Clem, care to give us an update? Or, have I pretty much summed it all up?
Edit by Clem: Hi, we’re still working on a lot of things. I’d say it might take a week, so please be patient and expect a few issues. Regarding the forums being unresponsive, we think it’s caused by server configuration (we moved to a new server so we need to tune it) and in particular by search indexes and backends. We’re fixing that right now and hopefully it should get rid of the problem.
Clem, not a problem for me. The majority of my accounts I had to this email address have already been moved. According to the website haveibeenpwned.com (thanks Karl d, post 143; I never knew such a website existed!), my I.P. address has also been revealed. While there is nothing I can really do short of buying a new laptop, I’m not too concerned, as I already realize that my I.P. is visible just by being online.
Que sera sera, as they say. Do what you can do. I’ll keep checking and trying. Thanks for the update. God bless.
Why don’t you send out emails to all registered forum users, telling them about this, and telling them to change their passwords elsewhere ?
Those ~150k users are probably not going to check the blog regularly, and they may never find out about this, and they may never change their passwords.
In fact, I only found out about this because it’s on Slashdot.
I still trust LM, and thank you for creating such a great distro.
Hi Clem
I see the forums are back online but I can’t seem to login with my user even if I ask for a new password and enter it…
Forums are back! HOORAY! 😀
Managed to finally change my email and password to something more stable! YES!!!
Linux Mint maintainers, you people are awesome! TRUE!
Okay, got it all out of my system, now… 😛
Hi Clem & Team,
Sorry you have to go through another round of nonsense. You still have a wonderful, supportive community behind you!
Please be aware of the following re passwords:
Forums:
I tried getting on the forums. I was able to change my password, but when trying to log in, I get:
“The specified username is currently inactive.”
The email the forums have for me is old, so no concern there except you cannot contact me via that email.
I was not able to change the email when I changed the password.
Community site:
I was having trouble logging in the last couple of days. Today, I figured it might be a cookie issue despite my allowing linuxmint.com cookies. I specifically allowed https://community.linuxmint.com cookies. That seems to work (intermittently, at least). And I was able to change my password there too.
OS passwords:
Very little is mentioned about passwords in your official PDF documentation. Please consider recommending users change their LM login password every 3-12 months. Also it seems that even with such a change that the old password is still needed. This happens when the “administrative password” is asked for (eg, for Software Manager, Synaptic Package Manager, Login Window) as opposed to an “Authenticate” password request.
Please consider letting users know about this quirk and how to change the “administrative password.”
Thanks.
All the best to you and the team. 🙂
@Eric Sebasta (comment #13), password crackers know about that “trick.” Please don’t use it or any other “trick.” Instead use random passwords.
All, please consider the following:
1) Use random passwords.
2) Use a different password for each use/website.
3) Use passwords with uppercase letters, lowercase letters, numbers and symbols.
4) Use a password at least 12 characters long (14+ characters is better, more is better).
5) Change your passwords every 3-12 months for frequently used sites or important use cases.
6) If you use random words (such as from Diceware), use at least 7 words.
7) Remember that cracking techniques get better all the time, so increase your security every year.
8) Remember that passwords are just one aspect of security. Do some research. Use common sense. You don’t have to be a security expert to do these things. It is worth a little of your time.
You don’t have to take my word for it:
Password strength
https://en.wikipedia.org/wiki/Password_strength
Perfect Passwords GRC’s Ultra High Security Password Generator
https://www.grc.com/passwords.htm
25-GPU cluster cracks every standard Windows password in <6 hours
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
Diceware passwords now need six random words to thwart hackers
http://arstechnica.com/information-technology/2014/03/diceware-passwords-now-need-six-random-words-to-thwart-hackers/
Thanks. All the best.
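The recommendations in the comment above (random passwords, all four character classes, 12 to 14+ characters, seven Diceware words) can be compared in bits of entropy. The following is an added example, not part of the original comment; the function names are illustrative and `SAMPLE_WORDLIST` is a constructed stand-in for a real Diceware word list.

```python
import itertools
import math
import secrets
import string

# Rule 3: uppercase, lowercase, digits and symbols (94 printable ASCII characters).
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)

# Diceware indexes its list by five dice rolls: "11111" .. "66666" (6**5 = 7776 keys).
DICE_KEYS = ["".join(r) for r in itertools.product("123456", repeat=5)]

# Constructed stand-in list so the example runs offline; load a real
# Diceware word list into the same {rolls: word} shape for actual use.
SAMPLE_WORDLIST = {key: "word" + key for key in DICE_KEYS}


def random_password(length=14):
    """Rules 1, 3, 4: every character drawn independently from the OS CSPRNG."""
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw the whole password rather than patching one position, so the
        # result stays uniform over all passwords that contain every class.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def roll_key():
    """Five fair dice rolls, e.g. '36142', taken from the CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase(wordlist, words=7):
    """Rule 6: each word picked by its own five rolls, repeats allowed."""
    if set(wordlist) != set(DICE_KEYS):
        raise ValueError("word list must cover all 7776 dice combinations")
    return " ".join(wordlist[roll_key()] for _ in range(words))


def entropy_bits(pool_size, picks):
    """Bits of entropy for `picks` independent uniform draws from `pool_size`."""
    return picks * math.log2(pool_size)


def comparison():
    """Entropy of the options named in the list, rounded to one decimal."""
    return {
        "12 random chars": round(entropy_bits(len(ALPHABET), 12), 1),
        "14 random chars": round(entropy_bits(len(ALPHABET), 14), 1),
        "6 Diceware words": round(entropy_bits(len(DICE_KEYS), 6), 1),
        "7 Diceware words": round(entropy_bits(len(DICE_KEYS), 7), 1),
    }


if __name__ == "__main__":
    print(random_password())
    print(passphrase(SAMPLE_WORDLIST))
    for label, bits in comparison().items():
        print(f"{label:18} {bits:5.1f} bits")
```

The figures are for unrestricted draws; requiring every character class discards some candidates and costs less than one bit at these lengths. These numbers only hold when the generator makes the choice, since a human-picked "random" word or character has far less entropy.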
I have to say, that the forum attack was very recent, not a month before like that one news site said. Or that’s at least what I think. I changed my email to a new one where I’m moving to. I have email from evening of 14th of this month saying I need to reactivate my account. And it was the new email that got leaked according to https://haveibeenpwned.com/. The account I used on the day of 14th of this month and earlier, hasn’t been breached at all, according to the same site.
What I think of this, even though the dump was for sale a month ago, that they did the hack between 15th and 20th of February. Wouldn’t they otherwise have my earlier email?
Maybe they knew how to get the data, but didn’t use/sell/take it before just last week, and were selling data without having it yet?
Well, the password to my email is very, very long and complex, so I hope they don’t bother to try to hack into it.
Password changed.
I’m surprised to see we’re not allowed to use special characters in our new password though. I thought this time around the security would be top notch.
@Sjur (155)
I was able to use special characters in my new password. You may want to retry.
KDB
Liam Dawe (148)
The real question is why these people who knew have never informed the team (Clem, dev team on IRC, mod team on the forum).
If we don’t know something, we can’t react on it. But since a few days, it seems that everyone knew everything 1 month ago except us.
Therefore the real question is: why didn’t they say anything to us?
KDB
Re my previous and despite being a newby….now Forums are back up and running, password changed – no problem. Well done guys…. GG
I can understand some folks are upset about not getting notified of an earlier breach on the forums but it’s not uncommon.
This was unknown until something was “wrong”, which in this case was the modified ISO and hashed MD5, which triggered the investigation and shut down the server to prevent further damage / spread.
This time around the team made changes to prevent this from happening again which I have faith it will hold up just fine. I deal with infrastructure security on daily basis. Nothing is 100% guaranteed but with proper safeguards and monitoring things should be fine.
As for the forums, the only things that are important are e-mail addresses and passwords (hashed). It didn’t contain anything else like credit cards or social security numbers. Few used the birth dates, which are optional. For forums you can use a disposable e-mail account like gmail with a forward to keep your real one private.
I fully support Linux Mint and even made a large donation to help.
The OS itself has never been an issue. Just the website is the cause.
Keep on chuggin Clem and Team!! 🙂
I know it’s not the place, but since we don’t have many updates on this blog, I would like to use this space to make a request for Linux Mint 18 MATE/XFCE/KDE/CINNAMON editions: Please, add a DARK theme but without that “green” cr@p.
I love mint but not for its theming. In fact, I hate the “green” icons and the “green” themes (ah the “green” wallpapers, what a cr@p thing to hate).
Or, at least, give us options so we can work with mint without the “green” aspect of it.
It’s strange to ask for this change, but please, take it into consideration at least.. 🙂
Waiting for Linux Mint 18 and praying for GOD that AMD will update that Crimson cr@p driver to support kernel 4.4 and newer x.org on legacy (fusion a4-7300) so I can jump to upcoming mint.
If they don’t do it please make an “oldtimes” Mint 18 with legacy kernel and xorg? Is that possible?
Hi everyone. I just added a one time 5$ to my 1$ monthly support of Mint to help the team through this rough patch, and I invite anyone who can to do the same.
Hello, Clem, developers, and fellow Linux Minters:
It is great to see the forums back online; thanks to everyone involved. I have been saddened to see how some have reacted to the recent website hack, but, I want to add my deepest appreciation to Clem and all the people behind the scenes, as I know these past few days have not been fun. I greatly appreciate all your efforts when things are going well and when things are not going so well, as in the past few days, I appreciate you, even more…if possible, as I witness how you and the rest of the developers react to the situation, with professionalism, humility, and honesty. I greatly appreciate your transparency and I will not change my feelings toward Linux Mint, based on Internet rumors and flames. We all make mistakes and, hopefully, we learn from them. We should keep in mind that Linux Mint was a great distribution before the website hack and knowing how Clem and others have worked in the past, I have no reason to change my feelings on the operating system, now. I loved Linux Mint before February 20, 2016 and I still love Linux Mint, today. Clem and the rest of the developers, stay true to your vision of Linux Mint and know that real, devoted fans/supporters, are still behind you, today. We support you, as we did before February 20, 2016 and wish you and the developers all the best, as you recover from this past weekend. We will get through this, together; it is what makes the open-sourced community so special and why the Linux Mint community is one of the best. It is not about tearing others down and laying blame, but, it is about working together, to make the entire project better.
New passwd and all is well here.
Fantastic work, cool managed, fantastic OS.
I have Mint 17 lts, but I certainly also will try 18 lts on a partition.
I was saddened by the news of the attack on Linux Mint. I trust that Linux Mint, its repositories, and its user forums can be made as secure as possible and that public trust in Linux Mint can be restored. I continue to use Linux Mint 17.3 Xfce, which is the best distro and DE I have ever used or tested.
Just made a Donation to support Linux Mint. Hope that helps the Mint team to invest into more IT-structure and website securities.
I have spent a considerable amount of time looking for where I can change my password on the new phpBB site. Where does one go to change their password? It might also help to put a link at the top where you currently have a notice to change your password. Thanks for your quick response!
Edit by Clem: Logout if you’re logged in, and then go to https://forums.linuxmint.com/ucp.php?mode=sendpassword
Is it not possible for a user to set their own desired password? I understand that I should not use the same password for multiple sites, but it would be nice to pick my own password for several reasons.
Edit by Clem: Once logged in, click on your name -> User Control Panel -> Profile -> Edit Account Settings and you can set your password there.
I was able to access the Forums today. Thanks to Clem and all involved helping to solve these issues. All the best.
I’m turning ON the Two Factor Authentication, every service as possible.
LOL One commenter suggested we put a bounty on head(s) of the entity responsible for the attack against us all…
[..]
As for the donation to help the linux foundation….I’m all for it (now start taking credit cards since I can’t donate using paypal/ebay monopoly anymore). 2 or 3 years ago I requested to permit my continuing to donate to a worthy cause but with an alternate payment means….I was flatly told they cannot do it (has it changed yet?).
God bless the linux liberators/code writers….you shall overcome!
amen
Edit by Clem: wow wow wow…. no politics!! I removed some of the bits sorry 🙂 We spent a lot of money on security and extra servers since the attacks, and all our time sunk into it. Since last week, no work was done on the distribution itself. We’re funded to work on the distro. We have a budget for developers. We pay for services which help Linux Mint. If you think you can catch the people who did that, it’s worth getting in touch with us. I would definitely allocate funds to prevent them from doing it again.
p.s.
At least linux foundation people informed us of the breach….the capitalist monopolies would’ve simply hushed down lest they find a loss of ability to continue to rob us/manipulate/profiteer/and some other words such as TREA….
I love Cinnamon which is the only reason to use Linux Mint in my opinion. I absolutely just love Cinnamon and the smoothness of Linux Mint.
However, due to this I am moving to shitty unity for a few months until Linux 18 comes out. I am assuming this event will change how that release is handled.
I was a distro-hopper once and Linux Mint gave me the stability. I appreciate all your hard work and Linux Mint has been my first choice. But now, I am seriously concerned about my privacy and security. It takes a lion’s heart to tell this to the users, and Linux Mint developers are brave enough. Sadly, I have to start distro hopping again.. Let me start with Arch..
It’s a bummer that this took place. Just learn from it and develop a very good layered approach. Encrypt the data in the DB properly, require strong PWs and a decent frequency. Mint is my main OS and I don’t want that to change. Keep your chins up and test your sites, might want to get someone dedicated to it.
For those of you giving these guys grief, this isn’t a fun adventure for them. Yes, it stinks that it happened; the only thing they can do is prevent it going forward. Keep your chins up.
I am really struggling to understand the logic of anyone now saying that they plan to move away from using Mint due to what has happened. Sorry but I think your logic is really flawed.
First there was no effect on the operating system itself unless you were unfortunate enough to have downloaded Mint in a very short affected window.
Second everything was made public immediately so much less time for any use of the stolen database to be put into effect.
Third the most sensitive information were the (poorly encrypted) passwords, however if you don’t know by now to put in place a process of different strong passwords for all logins then where have you been?
Fourth there has been a clear painful learning curve for Clem and the team which, while very unpleasant for them, means that I have much more confidence in how they will approach this going forward than I would in an entity that hasn’t been through the pain.
So taking all these factors into account, pause for a minute and ask yourself which is the sensible option. Staying with a system that has no issues (in terms of the hack), where the “owners” have shown themselves to be totally open and responded quickly and where they have gone through the learning curve, or move to one where you know some or none of these facts.
I am staying firmly put and looking forward to the team being able to get back onto working on LM 18. Thanks Clem and team. You will come through this stronger.
Although I do not have Linux Mint yet, I will still be installing it soon. Everyone involved, especially Clem, has been fantastic in their responses to this attack by a piece of xxx. It has not changed my mind that Mint is one of the most professional Linux distros out there. Thank you.
@Clem :
I have registered to Linux Mint Forum a long time ago and I don’t remember my username there or which of my email addresses I used to register to it.
In “I forgot my password” -> https://forums.linuxmint.com/ucp.php?mode=sendpassword it asks for both username and e-mail so how the… I can find out how to log in to your forum if I can’t recover my password. In your community you can check this with only an e-mail address.
Can you make a link to check if we have registered with an e-mail address to your forum?
Hope to get an answer. I want to find out which e-mail / password combination I used to know if I am vulnerable or not.
And I think every e-mail registered to the forum must get an e-mail with a link to change their passwords ASAP!
Well this just gets better and better doesn’t it? &%$!!
Done and done!
@touristas0
The link below is the best place to check to see if your e-mail been leaked into the wild:
https://haveibeenpwned.com/
Hopefully your e-mail address hasn’t been hacked by anybody.
Simon E says:
February 28th, 2016 at 11:29 am
> I am really struggling to understand the logic of anyone now saying that they plan to move away from using Mint due to what has happened. Sorry but I think your logic is really flawed.
You are quite correct Simon. Unfortunately there are concerned trolls who inhabit all parts of the internet. They love nothing better than to belly-ache their own fatuous concerns upon their target audience, hoping to get fed. What happened with the Linux Mint servers was an unfortunate, but not catastrophic, event.
WordPress is great at what it does and is a real work engine for many companies and individuals and Linux Mint is the best Linux distro for many business and home users. Has anyone lost actual cash through this unfortunate website hijack? Apart from the Linux Mint team, then nope, didn’t think so.
If I may use an example (some may say this is classic whataboutery, but I believe it is relevant). Yahoo had a major hacking of their servers, a fact that seems to be suppressed when searching using Google, Yahoo and Bing search engines. This has affected many Yahoo e-mail account holders and has resulted in major spamming to many millions of e-mail recipients. Passwords were stolen, accounts hacked. It seems that, even allowing for the best efforts of Marissa Mayer, Yahoo still survives.
Mint will go from strength to strength.
Don’t feed the concern trolls.
The beauty of Linux is we all have a choice. I make mine and choose Linux Mint. I’m surprised the trolls don’t just opt for Windows 10, then all of their concerns will be resolved.
Mint has topped the distrowatch list for years, and for the last 18 months has been double the numbers of Ubuntu (now also overtaken by Debian). Therefore Mint is now a “big enough” target for the jealous, the baddies, the hackers.
Great responses from the team to the hacks – quick and effective, keeping us all informed. I was a bit concerned reading WordPress was the site framework – it is too simple to hack. Maybe consider this product: http://opensolution.org/cms-system-quick-cms.html .. it was the best alternative to WP that I have found.
Forum and Community should also have an option to de-register – life situations change. I keep my passwords and reg data for sites in KeepassX, will review the LM ones and change as needed.
Edit by Clem: It was the cinnamon website which ran wordpress (not the main site), and only for 2 days if I remember right. It had just been set up.
OK my e-mail is leaked but I can’t change my password because I don’t remember which username I used for Linux Mint Forum! Great, thanks Linux Mint for keep me locked out and the hackers into my info!
E-mail for changing password should be sent to everyone registered the Linux Mint Forum! How much will this cost you?!
Nevermind I found it.
Hope you’ll send e-mail notifications as soon as possible to everyone or else I don’t think you’ll be doing a serious job about it.
Trust is lost.
Edit by Clem: We will. As soon as the server was back up we tried to mass-email via phpbb. That failed, probably because of the huge number of accounts. We need to find a way to parse the list and send emails by bunch, hopefully without getting our MTA flagged as a spambot. It’s taking more time than I’d like and it’s been delayed because we’ve had to address other very sensitive issues at the very same time (deploying an update to detect hacked installations for instance), but it’s on our list and we’ll try to get it done asap.
Hi
I have a (basic) question. I am now logged back into the forums, but can’t work out how to actually change my password.
Could someone point me to the password change form?
touristas0
this is a Win Win for both you and me, not so much for Mint.
1. you think of some way to keep your accounts straight.
2. I take the opportunity/reminder to review and confirm that I have Never used the same password, email, and user combination on any sites that have any personal information. (actually I messed up on one)
3. Mint (with much pain) tightens up their end and confirms what is super secure and what is not.
so… we all end up with better security, and we think about what distro works best for us.
Win Win!
your blog.linuxmint.com does not use https. not good either.
a lot of trust is lost. better to focus (letting public know) what steps of security you guys are implementing, exactly.
a lot of people moving away from mint because of this. perhaps it’s time for Mint to also consider “hardening” Mint OS at the same time. good marketing for you guys.
@ #197 Tim
To change your password do the following:
1) Login to the forum.
2) Look at the top right-hand side of the webpage. You will see an icon with your username next to it. Next to the icon is a drop-down arrow – click on the arrow and select “User Control Panel”.
3) In the User Control Panel click on the “Profile” tab.
4) Once the Profile webpage information shows click on “Edit Account Settings” There you will see the text-boxes to use to change your password.
I’ll be happy to change my password.
In fact if an admin is available, I’d like to change my username too. When I created my account I inherited a “Guest” username. Once I worked things out it was too late, as my e-mail address was “taken” and I couldn’t create another account using it.
As I say, if a forum admin is here and reading this, please get in touch.
Edit by Clem: Hi, please get in touch with admin@linuxmint.com by email.
Thanks for the answers.
My e-mail and passwords were never connected to each other in any way, even my usernames, but I wanted to be 100% sure. That’s why I didn’t remember which username I used (my bad, I should keep a log of it).
Anyway I hope the best for Linux Mint’s future, and more attention to its security is welcome.
Edit by Clem: Hi, we’re almost ready to send the emails and they will contain the username.
@ #199, I know of no one who understands Linux who is turning to another OS. Your claims are an exaggeration. Those who are leaving clearly do not understand Linux; go on, go back to Windows where Virii and malware reign supreme. Linux saw the problem and fixed it in less than 20 hours; you cannot and will not get that kind of customer service from Windows.
The Linux Mint team deserves a lot of credit for stepping up to the plate.
How can I delete my community account?
Edit by Clem: Please send an email to root@linuxmint.com.
Can we change our username in addition to changing our password on the Linux Mint Forums?
Edit by Clem: You can ask by email at admin@linuxmint.com.
I already changed password.
E-mail about changing password received. Good job! 🙂
Hey. Does anyone know if passwords used on the Linux forum before March 2015 might have been reached as well? Or were only current passwords’ hashes stored?
Edit by Clem: The forums only store the encrypted version of your current/latest password. Some of the passwords in there can be several years old, others are much more recent, but there’s only one password by user account.. the latest they set.
I’m still wondering, WHY A MAJOR DISTRO IS USING WORDPRESS. People… have a bit of common sense and DEVELOP A SITE for Linux Mint. The only secure site is a site where you OWN the source code and you are the only one who can see it (and I mean server side code secured as hell)
Using WP compromises the security of your website and ALL your distro users. and that sucks. BADLY.
I guess that more than one of the complainers on this blog can develop a decent site for this distro. I even offer myself to do it…
Edit by Clem: The website doesn’t use wordpress, the blog does.
You guys really should stop using wordpress, it’s terrible.
For static sites I recommend Nikola 🙂
I run a small community website, which is regularly attacked, usually from Ukraine. Apart from attempted SQL insertion, virtually all of the attempts use WordPress vulnerabilities.
I do not use WordPress – I prefer to use code I wrote myself.
I did not receive an email. Does this mean,
(a), they’re still being sent, or,
(b), I did not get one because there was no need?
I do use the forums often enough and only joined a few months ago, and yes, when I check the pwned site, my email was affected but not my username. I did change my pword on the forum; no, I don’t use the same pword for any other sites.
Edit by Clem: Check your spam folder. It’s also possible some mail hosts rejected the email (we had to send more than 100,000).
Not in the Spam, Clem. I am not unduly worried as it’s not my main email for super important stuff.
I’ll take this moment to say a very big thank you to you and the Mint Team. We are very lucky to have you guys. All the best!!
dear sir/
I went to change my password but I could not remember my login name. I inputted my email address but it was rejected. What do I do now?
Hello everyone,
as I am quite paranoid when it comes to internet safety, I’d like to know how safe it was to browse the Linux Mint main website/blog/forums during the hack. I understand that those who downloaded the fake iso file were pretty much screwed but what about people who just browsed the site/posted in the forums etc. Is there any chance that attackers could insert some malicious code into the site that would force driveby malware downloads or some other nasty stuff like that or did they just take what they wanted to take and called it a day?
@214 Arnold: There’s always a chance for malicious code via any intrusion, which is why the Linux Mint team took the servers offline. It’s my understanding that everything was thoroughly verified by the internal team and third parties, and nothing malicious was found.
Clem, update is not possible, apt-get cannot find the required mint sites !!!!
How do I change my password when the forum says my old password is not good enough?
It’s a forum, not a banking site or a nuclear weapons site, why would I have a super password?
How about including some information on how to change passwords? I searched endlessly for the change password option on the crappy forum software, and eventually found it in “your-user-name-in-upper-right-corner -> User Control Panel -> Profile -> Edit Account Settings”
Here’s a screenshot
http://www.pc-freak.net/images/change_phpbb_admin_password_screen.png
For password changes, every individual should be able to make changes periodically to minimize things like this from happening