Account Security Locks - Forced Password Resets

Status
Not open for further replies.

Tommy

Royal Flush
Admin
Moderator
Joined
Mar 23, 2013
Messages
14,918
Reaction score
23,903
Location
USA
First, I'd like to thanks all the members. You guys were on this quick.

I wanted to let everyone know that all members were sent a password reset notification email on Tuesday, 4/13, shortly after 10 pm. Accounts are locked until you change your password and confirm the change via email. This was in response to the approximately 6 accounts that were compromised. All the unauthorized access occurred on 4/13 for those accounts.

***At least two of the accounts had fake ads listed in the classifieds***

After going through the server logs, talking with the hosting company, and looking into it on their end, there doesn't appear to have been any compromise with the PCF server. As some of you know, I moved PCF to a new dedicated server last August. It's not the first time I moved servers, but each time I do, I have always changed every login credential that was used at the previous hosting company, so it no longer works on the new server. Especially the database credentials.

Out of an abundance of caution, I changed it all again before sending out the password resets. Plus added some additional security measures.

From those who I spoke to so far, it appears that the accounts in question had stale passwords. For example, if someone changed their password 8 months ago, the log would show that action. I did not see any password change records other than yesterday. I'm still looking into a few more things, particularly the timeline and if it pre-dates the last server move.

I know it can be an inconvenience, but I highly recommend that you set up a 2FA login for your account. Using an app like Google Authenticator to get a code on your phone is very effective. I believe it's available for iPhones too.

For now, please keep an eye out for things that don't seem right. If transacting via the Classifieds, Auctions, or PMs, consider a PayPal Goods and Services type payment, so you have payment protection.

If you have any questions or concerns, please feel free to PM me.

PS:

If your reset email has expired, you can request a new one by clicking on the "Forgot your password" link.

reset pw ex.png
 
Status
Not open for further replies.
Top Bottom