Acyd Burn @ phpBB.com, Feb 10, 2009 23:11:01 wrote:
As you probably know, we were attacked for unknown reasons by an individual using an exploit against our PHPList installation within hours of the exploit being publicly posted on a well-known exploit site. Facilitated by mistakes and - in retrospect mistaken - performance considerations in our server setup, the attacker was able to steal all email addresses from our mailing list, as well as the password hashes from this board's database.
And then the most important thing:
In a reckless act of showmanship, he later posted all this information on a blog.
We urge all our community members to change their passwords as soon as possible. If you have used the same password on any other site, then we strongly recommend changing it there as well.
The public disclosure of private data is an unspeakable attack against all of our users. We cannot comprehend the attacker's motives. The phpBB teams are entirely composed of volunteers working on an honour basis to provide the web with a scalable, secure and user-friendly free forum software. We are not, however, so easily cowed. More so than ever, we are here to create communities with and for our users.
We are greatly pleased to once more provide support in the environment we all love so much. In the past ten days, countless hours have been spent by team members and helpers to restore and sanitise the website and the database. We especially want to thank OSUOSL for providing us with a temporary server for the remainder of the investigation. We welcome everyone to show our community's appreciation by sending them a donation. [...]
Full announcement: here
Please note that using the same password everywhere is not wise, security-wise. Please note that the search system at phpbb.com is down.


