Security Announcement - Login attempts exceeded - comments

[uncle_fungus]

A number of our members have reported receiving the "You exceeded the maximum number of login attempts" message while trying to login to the forum, and are then prompted to enter the confirmation code as well as their username and password.

Unfortunately it seems that several phpbb based forums have been attacked in the same manner which involves a bot persistently trying to login to member's accounts. The forum software catches this and after 3 attempts prompts with the challenge question.
There is no indication that the bot has ever got past this challenge (as it is specific to our forum) as it would require both the correct password, and the correct challenge answer.
Furthermore there is no indication that any accounts have been compromised by the bot correctly guessing a password in less than 3 attempts.

However, if you have a "weak" password, we would recommend that you change it to something that would be much more difficult for a bot to guess, using either a dictionary or brute force attack.

Recommendations for increasing the strength of your password are using a combination of letters and numbers, using upper and lower case letters, and adding non-alphanumeric characters (i.e. *&$% etc.)

[Qinsp]

This happened to me yesterday on Attempt #1. Something is wrong with the site cookie. Sometimes it can recall the PW, other times it can't.

And the cookie retrieval is sometimes very slow. The reason it saw an incorrect password, was that the cooking PW was not retrieved in time, so I had a blank field, I typed in my PW at the same time it retrieved it from the cookie, and ended up with a double entry. IE8/Win7

[uncle_fungus]

Your password is not stored anywhere in the cookie, only a unique session id is stored to maintain a persistent login.

If you saw the message described in the OP either, you entered your password incorrectly 3 times (which isn't what happened in your case), or someone else did, in this case a bot. Regardless of the session cookie, at this point the forum software will force you to authenticate with your username, password and challenge question/answer.

Your browser is auto-completing the password field for you, and this is independent of any session cookie.

[COOLDUDEGAMER]

I just got hit with this thing. I thank this thread for helping me out as I was confused at first!

Signed,

COOLDUDEGAMER

[GTron]

The bot must still be targeting the folding forum -- I just got hit with this.

Greg

[uncle fuzzy]

I've seen it 5-6 times over the past 2 weeks. The last time was 3-4 days ago.

[Leonardo]

Thanks for the announcement/warning. What you described happened to me yesterday (19 January).

[toTOW]

I didn't get the confirmation in the last few days ... maybe they given up trying to crack my password ...

[kiore]

I got hit yesterday too..

[Nathan_P]

I got hit yesterday too..

Yeah they are going after a fair few forums recently, Hardocp has been hit several times in the last couple of week.

[bruce]

I didn't get the confirmation in the last few days ... maybe they given up trying to crack my password ...

They haven't given up ... but uncle_fungus is still making security changes and the types of attacks that the bots use are becoming less effective here at foldingforum.org (though on a global basis, every time security is improved, terrorists are forced to find ways to improve their attacks).

[chrisretusn]

I just got hit with it.

[mhouston]

+1

[rjbelans]

I'm a member of the club now too.

[Amaruk]

YAIM

(Yet Another Involuntary Member)