Phases
NO LONGER ADMIN
Unfortunately, we were recently informed by our server engineers that the server hosting Android Forums was compromised and the website's database was accessed. While this breach was relatively small, affecting less than 2.5% of our active users and limited data accessed, we want to provide as much helpful information as possible so you can take some steps to protect yourself.
Those who received our notification email, see the notice at the top of this site, and are able to access this page, were affected. No other accounts were.
Breach attempts are far too commonplace these days, and we work daily to protect our users, but every once in a while a bad guy pokes through. The trust of our users is extremely important and we want to assure everyone that we are working to be transparent, while addressing the issue and preparing to move forward.
All breached accounts (who have not logged in to see the notice at the top of the site as of 3/10) have had their passwords randomized. Those of you who have been active we did not reset. If you have not yet, take a moment to do so. This can be done while logged in through your account settings page, or using the "forgot your password?" page when logged out.
Here are the known facts:
- The exploit used has been identified and resolved. The server is being further hardened and extra "just in case" actions are being taken.
- No other sites in our network appear to have been accessed.
- We were able to replay the attack and log the output - identifying all accounts compromised. We have targeted an email, and this notice, to those accounts.
- Only 1 staff member was affected. Only about 40 people who have registered in 2016 and 2017. The rest are older accounts.
- Over 50% of accounts compromised never posted on the site, leading us to believe many of those were bots.
- Information taken: Email address, hashed password, and salt. Usernames were NOT taken.
But, why:
This could simply be an e-mail harvesting attempt. A spammer could run the acquired email addresses through a validation tool, then bulk e-mail all valid emails in a spam or phishing campaign. Luckily, Gmail and similar e-mail services offer strong spam prevention that automatically filters potential spam and phishing attempts or provides warning.
At any rate, with emails, phishing attempts could be made. They could pretend to be us, with emails sent out. Be cautious with what is asked of you in an email. We will never ask for your password in email.
This could be someone who is upset with us who hopes to use the information against staff. They could blackmail us and threaten to publish the information publicly.
So why the password hash, but not usernames? Unsure - perhaps just in case a null entry was to be found/flagged. Perhaps they were bound by the limitations of the vector they used. Perhaps they were practicing on us. Or, they could be comparing hashes against the previous set to see what has or has not changed.
It's also absolutely possible that nothing of consequence will happen. There is some chance they did this for fun to see if they could, or will not move forward with any plans after finding out we're actively investigating. People do what they love, and hackers love to hack; there doesn't necessarily need to be a goal in mind.
What should you do?
It is highly recommended that you change your password here and on other sites where you use the same username/password combination, email especially. This can be done here while logged in through your account settings page, or using the "forgot your password?" page when logged out. You can also contact us via the Contact Form and we will help you if you need.
While usernames were not taken, and these were salted passwords which hugely adds to the complexity of attempting to match/crack, it is better to play it safe.
No website wants to make an announcement like this. I assure you we, as the Neverstill Team, could not apologize profusely enough. Websites come under attack all the time - and sometimes the bad guys have some success. That does not serve as an excuse, however, and we're using this opportunity to reinvigorate our security efforts.
Among our newest efforts is site-wide HTTPS support, as well as a new 2-step authentication requirement for our staff. Further, all OLD (over a year of no activity) accounts have also had their passwords randomized. This is so should this happen again, it will be largely useless information in the attacker's hands.
We understand that some people may want their account deleted after hearing this news. If you are requesting an account deletion, please post on this thread from the account you want deleted. While we would hate to see you go, we understand if this is your preference and will perform the delete.
Thanks for your understanding and loyalty,
The Android Forums Team
Edit: Also, please understand, we are getting hundreds and hundreds of emails and delete requests. We are processing these as fast as we can.
Edit 2: To address one concern I saw - account upgrades financial data is all stored on PayPal's website, which is FIS compliant.