Important announcement from the AF team
Posted: Fri May 09, 2025 9:42 pm
by Voice of AF
Recently the forum had a security breach. At first it was believed to have been contained, but we have now learned that whoever did this may have downloaded a copy of our user database.
The database contains your username, your email address and a hash of your password.
While the version of the forum software (phpBB 3.3.13 at the time of the breach) that we use has a very strong encryption to try to protect the data, it is likely only a matter of time until the encryption is broken.
We have already upgraded the forum software (phpBB) to the latest version. And we intend on undertaking whatever steps we need to, to prevent this from happening again.
A compromised password for a member was a factor in the attack on the forum.
We strongly recommend that all our members that haven't changed their password over the past month immediately change their password on Atari-Forum and also on any other sites where you may have used the same password. Further, we recommend that you use a strong password and that you don't reuse the same password for multiple sites or services.
We also recommend that you keep the email address that you have provided to us up to date.
Why did this happen?
Atari-forum started out small, and was small for a long time. During this time, things have been managed very informally and relaxed. While we will do our utmost to keep that atmosphere going forward, this shows that we need to take security much more seriously going forward.
We sincerely apologise for any inconvenience this might cause you, and for letting this happen to us.
Atari-Forum team
Re: Important announcement from the AF team
Posted: Fri May 09, 2025 10:25 pm
by Chris23235
I just did the password reset. Maybe it would be a good idea to send everybody a password reset link.
Re: Important announcement from the AF team
Posted: Fri May 09, 2025 11:11 pm
by logronoide
What version of phpBB was compromised? Was it version 3.0 or earlier?
Re: Important announcement from the AF team
Posted: Fri May 09, 2025 11:15 pm
by Voice of AF
Chris23235 wrote: Fri May 09, 2025 10:25 pm
I just did the password reset. Maybe it would be a good idea to send everybody a password reset link.
Normal users cannot do any harm to the forum. This announcement is to protect you.
logronoide wrote: Fri May 09, 2025 11:11 pm
What version of phpBB was compromised? Was it version 3.0 or earlier?
No. 3.3.13.
Re: Important announcement from the AF team
Posted: Fri May 09, 2025 11:19 pm
by logronoide
Great, good to know bcrypt is taking care of passwords
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 3:59 am
by darwinmac
Thanks for letting us know. Unfortunately, security breaches happen. That’s especially true for hobbyist sites like this one where people have real jobs. Your transparency is appreciated.
Thankfully, I’ve been using a password manager even before setting up an account here in 2011. Therefore, I didn’t use my password anywhere else. However, I changed it out of caution.
Bob C
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 5:09 am
by DanyPPC
Thanks for the advice
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 6:52 am
by czietz
Thank you for letting us know.
One followup question, though: When did this happen? I had to reset my password on March 20th, when the forum had - for whatever reason - locked me out. Can you say whether the database breach happened before or after that?
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 7:42 am
by Voice of AF
czietz wrote: Sat May 10, 2025 6:52 am
Thank you for letting us know.
One followup question, though: When did this happen? I had to reset my password on March 20th, when the forum had - for whatever reason - locked me out. Can you say whether the database breach happened before or after that?
That was the date this happened, yes.
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 8:20 am
by aktiv8
Thanks for the update. I note this warning is being passed around on social media (well X at least), so hopefully be a good position.
Been a long while since I've dabbled with the admin side of the board software, but can an "enforce password change" be activated?
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 8:49 am
by CiH
Noted and updated, thank you.
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 9:01 am
by rondc
Noted, updated, Thanks very much.
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 9:35 am
by logronoide
logronoide wrote: Fri May 09, 2025 11:19 pm
Great, good to know bcrypt is taking care of passwords
I was half-asleep when I read your message and totally missed saying the most important thing: thank you, and you have all my support.
#hugeops
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 5:38 pm
by stormy
Please someone let me know how to change my password... I can't find it anywhere! Perhaps the board admins should force a 'change password' for all members.
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 5:49 pm
by simonsunnyboy
stormy wrote: Sat May 10, 2025 5:38 pm
Please someone let me know how to change my password... I can't find it anywhere! Perhaps the board admins should force a 'change password' for all members.
Try this section in your profile:
https://www.atari-forum.com/ucp.php?i=u ... eg_details
Click on your username top right and select "User control panel" for various settings including changing passwords and account details.
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 5:50 pm
by stormy
Thanks Simon, done it now.
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 5:51 pm
by 1024MAK
How to change your password
The following assumes you are using a PC or other device with a large screen.
On the top right, click your username (under the search box). It should produce a drop down menu. Click on “User Control Panel”.
On the new page, click the “Profile” tab.
On the next page, on the left hand menu, click on “Edit account settings”.
You should now be on the page that displays your user name, your email address and empty boxes for your new password, confirmation of your new password and your current password.
Please check that the email address is correct, then enter your new password, confirm your new password and enter your current password. Then click the Submit button.
Mark
Re: Important announcement from the AF team
Posted: Sat May 10, 2025 8:51 pm
by viking272
simonsunnyboy wrote: Sat May 10, 2025 5:49 pm
stormy wrote: Sat May 10, 2025 5:38 pm
Please someone let me know how to change my password... I can't find it anywhere! Perhaps the board admins should force a 'change password' for all members.
Try this section in your profile:
https://www.atari-forum.com/ucp.php?i=u ... eg_details
Click on your username top right and select "User control panel" for various settings including changing passwords and account details.
Thanks, I couldn't see it for looking.
Thanks for being transparent on the issues, I've updated my password.
Re: Important announcement from the AF team
Posted: Sun May 11, 2025 9:49 am
by PeterS
I couldn't find it using android.
Now updated.
Thanks for the info.
Re: Important announcement from the AF team
Posted: Sun May 11, 2025 10:39 am
by ube
1. Send an email to all users.
2. Reset all passwords older than now().
3. Read up on GDPR to check if you'll have to contact someone to disclose this information. (As I remember it, this board was started by a Swedish person, so maybe cert-se and/or PTS and/or IMY in that case).
4. Profit.
Re: Important announcement from the AF team
Posted: Sun May 11, 2025 6:08 pm
by viking272
The main issue is that money or other data are stolen from users, as the email address, name, date of birth (if noted) and password are used elsewhere, say in their banking apps.
So users need to be aware where they used the password elsewhere and change that too.
Re: Important announcement from the AF team
Posted: Sun May 11, 2025 6:47 pm
by Greenious
Well, we only require a forum name and email to join. There are fields for birthday and links to other sites you may fill in if you want, but most haven't.
So we don't have much, if any, in the way of sensitive data.
As for GDPR, I'll forward that to Dal, the server is located in the UK, so it's their rules that would apply I think.
But I would like to know how we could profit from this...
Re: Important announcement from the AF team
Posted: Sun May 11, 2025 10:38 pm
by mlynn1974
In older versions of PHPBB the password was stored as an MD5 hash. The actual password could not be retrieved. Even with brute force or rainbow tables the best they could do is find a string that generates the same hash which might not be the same password. I think most people on here are tech savvy enough to use different passwords for different accounts and know that it is good practice to regularly change passwords. MD5 has been considered "weak" and broken since the early 2010s.
I don't know about PHPBB 3.x or how it stores passwords.
Thanks to the AF Team for updating us and keeping us safe.
Re: Important announcement from the AF team
Posted: Mon May 12, 2025 6:24 am
by troed
I think most people on here are tech savvy enough to use different passwords for different accounts
Many people here probably know they should - but I can guarantee you that they don't
/cybersec professional
Re: Important announcement from the AF team
Posted: Tue May 13, 2025 3:18 pm
by elliot
that haven't changed their password over the past month
Yeah not done this in 16 years, just done.