Improving Our Site's Security

It's such a depressing day for us; two of our friends' sites were hacked. We share their pain and hope that they will recover from this situation soon.

We are worried that the recurring incident might have a domino effect on all of your accounts if you are using the same login credentials across multiple sites. Hence we have taken some new security measures to ensure that your privacy is protected.

All site accesses that were shared on our forum will be removed immediately. Apart from that, we will also implement much tighter security for those who have access to these sites' information. In short, only trusted team members are allowed to view the sensitive information.

On top of that, we will also reset all of the API keys. Please ensure that your API keys are up to date by regenerating your API key via your dashboard.

To ensure that everything is secured, we have made it compulsory for our users to change their Stack Ideas login password. When you log in to our site now, you will be requested to change your password once. Please use a strong and secure password. As a precaution, though this is not entirely necessary, we highly, highly suggest that our users change all of the passwords to their sites.

Prevention is better than cure!

We also suggest that everyone update their Joomla site and its extensions to the latest version. Updates usually provide bug and security fixes, which also help protect your site.

 

Comments (36)

Which partner sites were those?


Please tell us the sites


Unfortunately we are unable to disclose these sites yet, as we haven't really got the full information from them yet, but I have confirmed reports that one of our customers' accounts was hacked and he was using the same password across these sites.


Thanks for the info... Please check, update and test your software against these attacks, especially EasySocial I can guess... I also have some strange JavaScript in the back-end from abrandnewsite.com; does anyone know about that?

rgds

  Comment was last edited about 2 years ago by ssnobben

Mark, I wish you would disclose that, because I have accounts with a lot of your partner sites, and if I knew which of them were compromised, I would need to take immediate steps to trace back the sites where I've used the same passwords and change them all ASAP. Better safe than sorry applies to users too, and I was hoping you would tell us if you know.

  1.    Neel

Neel, to be honest with you, as of now we don't have any solid information from them but better be safe than sorry! Change all your passwords across all extension sites and ensure that they are strong and secure!

  1.    Mark

I am on it right now. Changing every password for the extensions I can think of.

  1.    Neel

Yep, do that! Make sure the passwords are not too easy to crack :p


How important is it to regenerate my API key?

  1.    wim ooms

The API key is currently being used in EasyBlog's updater and EasySocial's updater as well as the language downloads.

  1.    Mark

But is it important? Is there a vulnerability that makes this necessary, or is the old API key not working anymore?

  1.    wim ooms

The old API key will no longer work because we do not know if there are any other accounts which are affected. One of our customers who had their own account hacked allowed the hacker to download and abuse his API keys.

If you ask me if it's necessary or important or not to change your password, my answer would be prevention is better than cure :) Our goal is to ensure that all your accounts are safe with us and we are trying our best to strengthen our security.

  1.    Mark

My question was not about the password, I already changed it; but the answer on the API key is clear as well: I have to change it because it will no longer work.

Many thanks


What happens when I do regenerate the API? Do I need to change that on my site?


Yep, that's correct!


Where exactly? I did not see it.

  1.    Mark

Sorry, I mean on the website my extension is installed on. Do I need to change anything on that website? I have already regenerated the API, kind of hard to miss. ;)


Depending on which product you are using, you need to set the updated API key accordingly :)

  1.    Mark

OK, again, I do not know where to change that on my website. I am using Easy Discuss. Thanks

  1.    David Bishop

EasyDiscuss currently does not rely on the API keys :)

  1.    Mark

Thanks.
Hopefully they sort out the hackers. I am involved in this, I believe; at least one of my extension developers' sites was hacked.

  1.    David Bishop

Yeah, we're just taking precautions to prevent anything bad from happening :)


Hi

You know, I got 25 update notices about new comments! Isn't it enough to have a system that avoids spamming the email box, with only one update a day or every 6 hours etc., or have you deleted spam here before?

rgds


Thanks for keeping us updated!

  1.    Dianne Henning

No problem Dianne!


Password changed and API regenerated. Thanks for providing the info to keep everything safe.

  1.    Chris Hall

You are most welcome Chris :)


I know that this is a different security issue, but being concerned with security, I have always wondered why StackIdeas.com does not have an SSL login. Sure, we can change our passwords, but when we log in, our passwords are being transferred in plain text. Anyone sniffing the line, or MTM, can just scoop up our login information.

Thoughts?

Thank you,

Chris... :p

  Comment was last edited about 2 years ago by Chris Mathis
  1.    Chris Mathis

Hey Chris,

There are some drawbacks with running the site on https and that is the main reason why we are reluctant to switch to SSL. We are considering switching to https though :)


Well, that's a good option, so you can secure others for your components too, like Akeeba is doing for example: https://www.akeebabackup.com/

  1.    ssnobben

Hi ssnobben,

We agree, but there are some drawbacks which require us to sit down and discuss with the team before implementing it. Nevertheless, thank you for your idea. :)


ok correct


Excellent


Nice blog post
