Improving Our Site's Security


It's such a depressing day for us; two of our friends' sites were hacked. We share their pain and hope that they will recover from this situation soon.

We are worried that this recurring incident might have a domino effect on all your accounts if you are using the same login credentials across multiple sites. Hence we have taken some new security measures to ensure that your privacy is protected.

All site access details that were shared on our forum will be removed immediately. Apart from that, we will also apply much tighter security to those who have access to this site information. In short, only trusted team members are allowed to view all of the sensitive information.

On top of that, we will also reset all of the API keys. Please ensure that your API keys are up to date by regenerating your API key via your dashboard.

To ensure that everything is secured, we have made it compulsory for our users to change their Stack Ideas login password. The next time you log in to our site, you will be requested to change your password once. Please use a strong and secure password. As a precaution, though this is not entirely necessary, we strongly suggest that our users also change all of the passwords to their sites.

Prevention is better than cure!

We also suggest that everyone update their Joomla site and its extensions to the latest version. Updates usually include bug and security fixes, which also help protect your site.


Comments (36)

  1. Neel

Which partner sites were those?

  1. Mariosgr

Please tell us the sites

  1. Mark

Unfortunately we are unable to disclose these sites yet as we haven't really got the full information from them yet, but I have confirmed reports that one of our customers' accounts was hacked and he was using the same password across these sites.

  1. ssnobben

Thanks for the info... Please check, update and test your software against these attacks, especially EasySocial, I guess... I also have some strange JavaScript in the back-end; does anyone know about that?


  Comment was last edited about 4 years ago by ssnobben
  1. Neel

Mark, I wish you would disclose that, because I have accounts with a lot of your partners' sites and if I knew which of them were compromised, I would need to take immediate steps to trace back the sites where I've used the same passwords and change them all asap. Better safe than sorry applies to users too, and I was hoping you would tell us if you know.

  1. Mark    Neel

Neel, to be honest with you, as of now we don't have any solid information from them but better be safe than sorry! Change all your passwords across all extension sites and ensure that they are strong and secure!

  1. Neel    Mark

I am on it right now... Changing every password for extensions I can think of.

  1. Mark    Neel

Yep, do that! Make sure the passwords are not too easy to crack :p

  1. wim ooms

How important is it to regenerate my API key?

  1. Mark    wim ooms

The API key is currently being used in EasyBlog's updater and EasySocial's updater as well as the language downloads.

  1. wim ooms    Mark

But is it important? Is there a vulnerability that makes this necessary, or is the old API key not working anymore?

  1. Mark    wim ooms

The old API key will no longer work because we do not know if there are any other accounts which are affected. One of our customers who had their own account hacked allowed the hacker to download and abuse his API keys.

If you ask me if it's necessary or important or not to change your password, my answer would be prevention is better than cure :) Our goal is to ensure that all your accounts are safe with us and we are trying our best to strengthen our security.

  1. wim ooms    Mark

My question was not about the password, I already changed it; but the answer on the API key is clear as well: I have to change it because it will no longer work.

many thanks

  1. David Bishop

What happens when I do regenerate the API? Do I need to change that on my site?

  1. Mark

Yep, that's correct!

  1. David Bishop

Where exactly? I did not see it.

  1. Mark
  1. David Bishop    Mark

Sorry, I mean on the website my extension is installed. Do I need to change anything on that website. I have already regenerated the API, kind of hard to miss. ;)

  1. Mark

Depending on which product you are using, you need to set the updated API key accordingly :)

  1. David Bishop    Mark

OK, again, I do not know where to change that on my website. I am using Easy Discuss. Thanks

  1. Mark    David Bishop

EasyDiscuss currently does not rely on the API keys :)

  1. David Bishop    Mark

Hopefully they sort out the hackers. I am involved in this I believe; at least one of my extension developers' sites was hacked.

  1. Mark    David Bishop

Yeah, we're just taking precautions to prevent anything bad from happening :)

  1. ssnobben


You know I got 25 update notices about new comments! Isn't it enough to have a system that prevents spamming the email box, with only one update a day or every 6 hours etc., or have you deleted spam here before?


  1. Dianne Henning

Thanks for keeping us updated!

  1. Mark    Dianne Henning

No problem Dianne!

  1. Chris Hall

Password changed and API regenerated. Thanks for providing the info to keep everything safe.

  1. Mark    Chris Hall

You are most welcome Chris :)

  1. Chris Mathis

I know that this is a different security issue, but being concerned with security, I have always wondered why does not have a SSL Login. Sure we can change our passwords, but when we log in, our passwords are being transferred in plain text. Anyone sniffing the line, or MTM can just scoop up our login information.


Thank you,

Chris... :p

  Comment was last edited about 4 years ago by Chris Mathis
  1. Mark    Chris Mathis

Hey Chris,

There are some drawbacks with running the site on https and that is the main reason why we are reluctant to switch to SSL. We are considering switching to https though :)

  1. ssnobben

Well, that's a good option, so you can secure your components for others too, like Akeeba is doing for example.

  1. Ahmad Justin    ssnobben

Hi ssnobben,

We agree, but there are some drawbacks which require us to sit down and discuss with the team before implementing it. Nevertheless, thank you for your idea. :)

  1. Zielony Szejk

ok correct

  1. Ivan Salcedo


  1. John Jessie

Nice blog post
