devkitPro forum breach

Posted: Fri Feb 08, 2019 2:46 am
by WinterMute
As you may be aware, the devkitPro forums were breached on Sunday 3rd February and unfortunately the attacker stole the forum database and deleted the data from the server. The database contained user emails, all the forum posts, including private messages, profile information which may include user websites and social media accounts. The passwords in the database are hashed and salted but may still be vulnerable to dictionary attacks. No other data on the server was accessed and the pacman packages remain safe - the signing keys for those are only kept on developers' personal machines.

Unfortunately I used a weak password on my forum account which was shared with my reddit and gitlab accounts, both of which were accessed and deleted.

We have now restored the database, upgraded phpbb to the latest 3.2.5 and reset all user passwords. You'll need to use the forgotten password link to regain access to your account. We recommend resetting passwords on other accounts you may have and, if possible, enabling 2FA where you can.

If you have trouble getting your password reset please feel free to contact us by any of the methods found at wiki/Community_Portal or indeed by emailing me on [email protected].

We apologise for the inconvenience caused and sincerely hope that any damage was limited to the devkitpro forums and my own accounts.

Dave "Wintermute" Murphy.

Re: devkitPro forum breach

Posted: Fri Feb 08, 2019 9:51 am
by sverx
Everybody that had shared the same password on this forum and other places please change your passwords NOW

Thanks Dave for setting this up again :)

Re: devkitPro forum breach

Posted: Sat Feb 09, 2019 7:16 pm
by WinterMute
Dumps of the forum database containing usernames, emails and the hashed/salted passwords have been uploaded to pastebin and anonfiles. Please make sure you change all your passwords and enable 2FA if possible. If you know others that may have been affected then please point them to this thread and emphasise that they need to think about their password security.

Consider a password manager like https://haveibeenpwned.com/1Password or even the Chrome built-in manager if paying for this service doesn't appeal. Memorable passwords are risky.

Plug your password into https://haveibeenpwned.com/Passwords and check if it's been pwned.