My apologies to everyone for the raunchy private message spam that most have received during the past 24 hours. The first thing that needs to be made clear is that this was NOT a hacking incident. Rather, it was a low-tech, semi-automated bot attack that was using the normal mechanisms for creating new BLF user accounts and then sending spam via the normal private messaging functions that all users --have-- had access to.
I'm currently trying to figure out the best way to mitigate these attacks. A new system is now in place to prevent this sort of attack from occurring again.
This incident has exposed a bug not related to security in the private messaging system where the system shows you a list of all your own private messages when you access an email notification link to a message that was deleted by me. A workaround is now in place for this bug.
I have removed the bot accounts and the PMs they sent, but if I missed any please let me know. Please do not PM me about email notification links to messages and users that no longer exist.
Again, I sincerely apologize for the inconvenience. I know it causes quite a scare (for you and me) when this sort of thing happens. But please be assured that I take the security of this site very seriously, and I am extremely vigilant with applying all security updates to the forum software and the server OS. So I'm not saying it can't happen, but as best I can tell at this point, this incident is not worrisome from a security standpoint.
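A defender-side check for the pattern described above (fresh accounts fanning PMs out to many recipients), added here as an example that is not part of the original post or of the forum software; the account and PM records are constructed, and the thresholds (24 h account age, 10 min window, 5 recipients) are assumptions to tune per site.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample data (not real BLF records): account creation times
# and private-message send events as (sender, recipient, sent_at).
ACCOUNTS = {
    "Diane98": datetime(2021, 2, 25, 5, 40),        # registered minutes before spamming
    "longtime_user": datetime(2015, 3, 1, 12, 0),   # established member
    "newbie_ok": datetime(2021, 2, 24, 18, 0),      # new, but behaving normally
}
PM_LOG = [
    ("Diane98", f"member{i}", datetime(2021, 2, 25, 6, 1) + timedelta(seconds=2 * i))
    for i in range(40)
] + [
    ("longtime_user", "friend1", datetime(2021, 2, 25, 6, 5)),
    ("longtime_user", "friend2", datetime(2021, 2, 25, 7, 5)),
    ("newbie_ok", "friend1", datetime(2021, 2, 25, 9, 0)),
]


def flag_pm_spammers(accounts, pm_log, new_account_age=timedelta(hours=24),
                     window=timedelta(minutes=10), max_recipients=5):
    """Return {sender: reason} for accounts younger than new_account_age that
    PM more than max_recipients distinct users inside any sliding window.
    Senders with no creation record are treated as new (safer default)."""
    by_sender = defaultdict(list)
    for sender, recipient, sent_at in pm_log:
        by_sender[sender].append((sent_at, recipient))

    flagged = {}
    for sender, events in by_sender.items():
        created = accounts.get(sender)
        events.sort()
        for i, (start, _) in enumerate(events):
            if created is not None and start - created > new_account_age:
                continue  # established account; leave to ordinary moderation
            # Distinct recipients reached within `window` of this message
            recipients = {r for ts, r in events[i:] if ts - start <= window}
            if len(recipients) > max_recipients:
                flagged[sender] = (f"{len(recipients)} distinct recipients "
                                   f"within {window} of {start.isoformat()}")
                break
    return flagged


if __name__ == "__main__":
    for account, reason in flag_pm_spammers(ACCOUNTS, PM_LOG).items():
        print(f"{account}: {reason}")
```

The same check can run at send time as a throttle (refuse the PM and queue the account for review) rather than after the fact over logs.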
Thank you for reporting it, that account has already been shut down for a few hours. I assume you just now checked your email? Could you please confirm the exact time stamp and time zone on that BLF notification email? Appreciate it.
Diane98 sent me a spurious PM too. Message was sent at 6:01 AM on 25 Feb 2021.
BudgetLightForum had already deleted it so I was not traumatized. LOL.
By the way, I don’t know if this is still true, but a long time ago when I tried to register my usual email with BLF it would not accept one with the “.net” extension. After a couple of years I caved and finally registered using my gmail account.
Thanks for the administrator's efforts with the forum!
I agree there doesn’t appear to be any security risk. I see no reason to think anything was compromised.
This type of attack is (er, was) almost trivial to do. The site’s infrastructure was designed to make it easy to automate things without any special permissions. That’s fixed though, and it sounds like sb is looking into more long-term solutions.
As for the weird behavior when clicking one of the deleted messages, that’s an old issue which was unrelated to the spam. It only showed people their own messages. A little weird, but not a risk to security or privacy.