Security breach?


I have already raised the security issue when I asked why the Google Analytics code was inserted.

I am not a frequent guest on the forum. Yesterday I had to ask a question to the community. But I forgot my password and recovered it via email. It was at 8:55 a.m. GMT. And already at 1:37 a.m. my email was hacked with the username and password specified on this forum!

I do not dispute that my Firefox 125.0.3 browser may be compromised. But - “accidents are not accidental”…

Your email account has the same username/password as your FreePBX community account?

Any account on the forum is linked to the user’s email. Do you know another way to register?

What you have said implies that you are using the same password for the account as you use for the forum account. Email account passwords are the holy grail for hackers, so should never be used for anything else.

If just the forum password is compromised, there is really no way of an attacker gaining financial benefit from you.

Sure the forum has your email but not your email password or login information. So not sure how this forum got your email hacked.

Check out this brochure - Are Your Passwords in the Green? It is not difficult to get a password from a hash. And it is possible to intercept input characters “on the fly”.

You requested a password change from the forum. You claim your email was hacked because of this. The forum would not have sent anything related to your email password to you. I’m not sure how your email account was hacked by doing a password reset on the forum.

Hi @Argent

The report is that you requested a FreePBX forum password reset and then a day later your email account was hacked. Do you have any more detail to add other than that? If not, all we can do is use this report as the first data point should other reports come forward. I’m not sure what else we can do with this information.

I will kick off an engineering task to investigate 2FA for the forum. Now that we’ve moved off of Atlassian Crowd, that’s an option now.

edit - 2FA forum login is supported, but is not mandatory. To enable click user icon in upper right, click profile icon, select Preferences and then Security tab.

Unfortunately, this is all the information I have on this incident. I didn’t do any specialized checking during the password change.

What antivirus software do you use on your local computer?