[2021-02-25] Private message spam, **NOT** hacked

Hi everyone,

My apologies to everyone for the raunchy private message spam that most have received during the past 24 hours. The first thing that needs to be made clear is that this was NOT a hacking incident. Rather, it was a low-tech, semi-automated bot attack that was using the normal mechanisms for creating new BLF user accounts and then sending spam via the normal private messaging functions that all users ~~have~~ had access to.

I'm currently trying to figure out the best way to mitigate these attacks. A new system is now in place to prevent this sort of attack from occurring again.

This incident has exposed a bug not related to security in the private messaging system where the system shows you a list of all your own private messages when you access an email notification link to a message that was deleted by me. A workaround is now in place for this bug.

I have removed the bot accounts and the PMs they sent, but if I missed any please let me know. Please do not PM me about email notifications links to messages and users that no longer exist.

Again, I sincerely apologize for the inconvenience. I know it causes quite a scare (for you and me) when this sort of thing happens. But please be assured that I take the security of this site very seriously, and I am extremely vigilant with applying all security updates to the forum software and the server OS. So I'm not saying it can't happen, but as best I can tell at this point, this incident is not worrisome from a security standpoint.

Good to hear that BLF was not hacked!


By the way, ToyKeeper explains what was going on in a post that is in a thread that is now gone.

I'll quote her here...

Thanks for the update and thanks for looking out for us!

Thanks sb56637 for the update and for your swift actions :beer:

Good to know BLF wasn’t hacked. I received the inappropriate PM.

I just received an email of this nature. Feb. 25th, 2021.
Diane98 was the alleged poster.

Thank you for reporting it, that account has already been shut down for a few hours. I assume you just now checked your email? Could you please confirm the exact time stamp and time zone on that BLF notification email? Appreciate it.

Christina99 messaged me 6 hours ago, glad I didn’t have the surprise of what was contained within.

I never get any messages though and this one with that name suggests something amiss.

So I did not open it, instead I found this thread.

Thanks sb.

I got a notification on Feb 25 at 3:34am that Angela98 sent me a message.

When I tried to follow the notification link, I got my entire sent message history instead, and there is no Angela98 username on BLF.

From which I infer that sb deleted the account, along with whatever message Angela98 wanted to share…

Diane98 sent me a spurious PM too. Message was sent at 6:01 AM on 25 Feb 2021.
BudgetLightForum had already deleted it so I was not traumatized. LOL.

By the way, I don’t know if this is still true, but a long time ago when I tried to register my usual email with BLF it would not accept one with the “.net” extension. After a couple of years I caved and finally registered using my gmail account.

Thanks for the administrator’s efforts with the forum!

And thanks SB! Your effort is appreciated! :+1:

I got the same from Diane98. Deleted the PM and Blocked :+1:

The raunchy PM I received came from alisausa11. I deleted the PM and blocked the sender.

I agree there doesn’t appear to be any security risk. I see no reason to think anything was compromised.

This type of attack is (er, was) almost trivial to do. The site’s infrastructure was designed to make it easy to automate things without any special permissions. That’s fixed though, and it sounds like sb is looking into more long-term solutions.

As for the weird behavior when clicking one of the deleted messages, that’s an old issue which was unrelated to the spam. It only showed people their own messages. A little weird, but not a risk to security or privacy.

That explains things, OP. Thanks.