This is an update to the previous article on the suspected security breach. The information below is what is currently known, and it replaces the information in the previous document.
The executive summary is that we now believe that there has not been a breach at makehumancommunity. Instead we believe the source of the leaked password is the LinkedIn hack a few years back.
What has happened since last update?
Since the posting of the last update, we have been following two parallel tracks:
- Thoroughly investigate the source of the breach to determine what has happened
- Research options for a complete reinstall
Results from the investigations of the (suspected) breach
We have not been able to find any signs of a breach on the site. While there are a lot of files to take into account, we would have expected to find at least some signs of an intruder somewhere.
Since we couldn't find a good explanation of what had happened when looking on the site, we instead started to look for likely explanations outside the site. The core of this methodology consisted of these steps:
- Pick a largeish sample of email adresses from the user database on the site
- Feed each such adress to https://haveibeenpwned.com/
- Try to find a pattern in which adresses that are marked as leaked and which are not
In summary, the findings were:
- The majority of the email adresses from the makehumancommunity site were not marked as known to be leaked
- Of the email adresses that were marked to be leaked, the majority were marked as having been present in the LinkedIn breach (although there were a bunch of other markings too, without any particular pattern)
- The particular password that we know has been leaked was present in the LinkedIn leak
With this taken into account, it is thus looking a lot more likely that what has happened is that a spammer has mined the old LinkedIn DB for email/password combinations, than for the same spammer to have gotten access to, brute-forced and used the makehumancommunity password database.
The other immediate conclusion is that what has happened is mainly an embarrasment for myself. Despite having a PhD in computer systems, I have a) re-used the same email/password combination in more places than one b) forgotten about it and c) not changed password for several years. Apparently I used the same password on the makehuman site and on linkedin around 2016 (when the LinkedIn hack happened). I then changed the password on LinkedIn, but not on the makehuman site.
Results from investigating options for a reinstall
There are many good reasons for giving the site a thorough overhaul. However, it is also not that easy to do so.
Currently the site consists of several combined systems:
- The front page and the user contributed assets repository is a mostly vanilla Drupal 7, but with large sections of complex Views implementations. The authentication module is a custom-made phpbb bridge so as to allow forum users to login without having to re-register.
- The wiki is mediawiki. This, too, is mostly vanilla. But it has been modified to use phpbb for authentication.
- The forum is phpbb. This has been locally modified in several places.
- Coordinating this is an apache frontend using ProxyPass to link in the different parts (this is also the reason for not using https atm... We tried implementing it, but at that time, mediawiki didn't want to play along with having different urls internally and externally and kept redirecting back to http)
This rather erratic setup, which has grown organically over many years, should ideally be replaced with a coherent whole. The optimal solution would be if one system could be used instead of several combined ones. However, finding such a system is not an easy task.
What we have concluded so far is that replacing everything with Drupal 8 is out of the question (since the "Advanced Forum" module hasn't been ported) and that replacing it with Drupal 7 isn't really feasible either (since even with the "Advanced Forum" module available, drupal forums are a really depressing experience compared to dedicated forum software. Also, Drupal 7 is reaching end of life in the next few years).
If you have a suggestion for a system able to provide all these components, comments are welcome in the thread about upgrade paths.
What does this mean for the site?
We will keep looking into reinstalling stuff anyway. But as we now believe there is no urgent security-related reason for doing so, it will have a lower priority. The main priority is getting MakeHuman Community 1.2.0 through the door, and time spent on the site is time not spent on coding.
Anyway, the moral lesson of this story is: Don't reuse passwords on several sites. And possibly: don't believe you're immune to stupidity just because you have a PhD.