On May 5th, 2016, TAZ had its security breached for the second time.
Unlike the previous intrusion, this was a sophisticated attack where the hacker was somehow able to upload a malicious file onto TAZ's test board (perhaps by exploiting a Brivium add-on installed on the old Admin Extra site which was still on the server) which then allowed them to give themselves SFTP access to the nginx user account and run commands. They then altered several core XenForo files in order to begin logging member username/password combinations, logging out members forcing them to log in again, and finally by preventing the File Health Check from reporting the file modifications.
Due to some of the safeguards we installed last time we were attacked, were were able to identify this intrusion almost immediately and take steps to block the hacker, limiting the time the login logger was operational to a matter of hours. We then forced a password reset for all members.
It's certainly unfortunate that TAZ was hacked again and I take full responsibility for it - the test site should not have been kept on the primary TAZ server nor should the old TAZ sites have been there. The previous intrusion was a much simpler exploitation of a staff member's username/password being harvested from another site and being used to gain access to the AdminCP to alter the login templates. We took a number of steps to prevent this kind of thing from happening again - forced 2FA for staff members and htaccess on the AdminCP for example. There are good things to do, but in a way it gave us a false sense of security that left us vulnerable to the second, much more sophisticated attack.
The hacker was not able to gain access to the server root. Using the logs we were able to see exactly what changes the hacker made and undo them. Many other security measures have been put in place to prevent this from happening again, and several more are planned.
Please keep in mind that unlike commercial sites, TAZ does not collect sensitive data about its members - we don't collect your full name, address, social security number, or credit card numbers for example. All a hacker can get here is your username, password, and email address. You can protect yourself by using a unique password on each site (or at the very least, use unique passwords on all of your important sites), and not using your primary email address as your registration email address (better to use a secondary email address for forum registrations, a different one for really important sites like banking sites, government sites, etc. and perhaps even a third one for semi-important things like your server hosting, registrar, etc.). Finally, do not put any "secret" information (such as access codes for your server) into a forum's personal or private message system - use secure email for that. If you follow these simple steps on TAZ (or any discussion forum) you won't be at risk even if the site is hacked.
Again, my apologies for this security breach. I made some mistakes which made TAZ vulnerable. We are doing everything possible to prevent any further intrusions.
Howard (The Sandman)
