pfsense forums data breach confirmed
-
@joolee Well let's see. I have a specific email set on my account - that has only ever been used on the forums. I have been on the forums for YEARS!! same email - specific to this forum. No spam - I just searched that email address in my mailbox, that goes back for years as well - not one spam message to that address. Sure, some stuff from Netgate has been marked as spam - notifications, etc..
So from my "evidence" ;) what has been breached is your mailbox ;)
I have evidence going back 10+ years - hehehe
edit: What would be "evidence" of a breach to me is everyone on the forums got the same spam message. That would scream someone/thing got a hold of the db of the email addresses.
-
@johnpoz said in pfsense forums data breach confirmed:
So from my "evidence" ;) what has been breached is your mailbox ;)
I have evidence going back 10+ years - hehehe
"Well I haven't received spam" is not evidence. Absence of evidence is not evidence of absence. What you have going back 10+ years is absolutely nothing, and I find it sad that you find it funny. It doesn't mean your address hasn't been leaked. It doesn't mean spam hasn't been sent to it. It just means you haven't seen spam yet for any of a number of possible reasons, most likely being a properly and normally functioning spam filter. The first report of a potential breach that I found was in June, yet it was October before at least two of us received spam. Why the delay? Again, any number of possible reasons. Perhaps the scraped list was divided up and sold off in pieces. Who knows. In the end it doesn't matter and doesn't change anything, and based on the evidence presented in this and the linked thread, you will eventually receive spam as well.
As for what evidence for a breach you would accept, you'll never see "everyone" reporting because probably at least half, and I would argue most, of the people here probably don't use a unique address for the forums or use a throwaway account and therefore would not be able to prove the source of the leak. (I'd love for an admin to comment on that. Should be a fairly simple database query to dump email addresses of active users and return only the mailbox without the domain to see how many look "unique" to the forum. I would love to be told I'm wrong and many people are using unique addresses, even though it would take some weight away from my claims of a data breach.) I would also argue there are people with unique addresses who received spam but didn't report it, further reducing the number of reports that can be expected on a breach. Your expectations don't remotely align with reality.
There are now four reports of a breach, three of them presenting hard evidence (and the fourth hopefully not too long after this post), and absolutely no hard evidence whatsoever in support of there not being a data breach. If you have evidence please post it.
@joolee There are two more reports in the thread I linked at the top of this thread. @ipfftw and @gruensfroeschli both reported spam a few months ago in that thread. I created this new thread because the forum itself suggested doing that rather than resurrecting an otherwise dead thread. Perhaps I should have posted in the old thread. Then again, perhaps not, as it would have notified more people and we'd have even more wild and baseless assumptions to wade through...
Also, if you still have the spam email, could you post the redacted headers please? I'd like to maintain our side's so far flawless victory against the naysayers who have yet to present any evidence whatsoever. If we start simply claiming we received spam without providing evidence we end up being the ones making wild and baseless assumptions. We're making a harsh claim, (data breach), so we need to back it up with solid evidence. Thanks!
To everyone else reading this: If you're going to post another "Well I haven't been spammed" post, please remember to include the evidence in support of your claims. "There's none in my mailbox" is not evidence. PROVE that you haven't received spam and a spam filter hasn't silently blocked it. I have seen commercial spam filter providers silently drop email in the past.
Here are some questions you can answer to give your claims of knowing for certain you haven't received spam a little more weight. If you don't control every link in the email chain past your MX records you can't really know for certain that you never received any spam and your claim is a baseless assumption without any evidence.
Q: Who controls the email service that your MX records point to? "Service" being the program/daemon/whatever that listens on port 25. "Controls" means who has write access to the actual config files for the service itself at a global level. (Access to a web control panel on shared hosting isn't control of the service.)
My answer: I do. It's running on a self-managed VPS to which I have root access.
Q: What mail filtering do you have? As in both spam filtering that will simply "mark" spam and rules that will completely deny delivery. (Block lists, SPF checks, DNSBLs, etc.)
My answer: Basic spamassassin configuration, manually-created block rules, SPF checks, and a small set of DNSBLs that I have found not to be overly trigger-happy. Also firewall rules to prevent connections from IPs that have been attacking the service/server, but I never use firewall rules to deal with spammers. Anything that gets blocked by the spam filter or mail service gets listed in log files.
Q: Do you have access to the low-level mail service logs on your mail server and spam filter? If so, how often do you review them?
My answer: Yes. From daily to every few days, but all logs are reviewed, mainly to see if I need to firewall an attacker or adjust fail2ban.
Q: Do you have logs of all mail delivery attempts that are blocked by the filtering mentioned in the second question? How often do you review those logs?
My answer: Yes. From daily to every few days, but all logs are reviewed to see if I need to adjust the spam filtering. (And to see if a new address has been leaked.)
Q: What email client do you use and what filtering do you have set on it?
My answer: Thunderbird in POP3 mode. I have various rules that move messages to junk, trash, or other specific folders, but nothing that auto-deletes. Every deletion is a manual action.
Q: How often do you look at your spam folders?
My answer: Once or twice a week, sometimes less often, but since nothing gets auto-deleted I won't "lose" a badly-filtered message.
As you can see, I have a system specifically designed to be less aggressive so that I can detect breaches such as what we're discussing here. It's a trade-off. More spam can get through, but in exchange I can see "unauthorized" use of specific email addresses that would indicate either a breach or unauthorized "sharing" of the address. On the other hand, it makes it possible to simply change an email address that has been leaked and set a rule to completely block further delivery to the leaked address, actually lowering spam in the long run. This system is what I have decided, for my specific use case, requires the lowest time investment for the lowest rate of false positives and false negatives.
Since I feel like continuing to assault this expired equine, I'll explain why the alternatives that have been brought up are wrong:
Alternative: Mailbox was breached (at the server side).
Why it isn't that: The last legitimate email I received to the address in question was on October 12, 2017. My current VPS hosting the email service was first activated on January 21, 2019. Prior to that the email was running through a different VPS instance. Thunderbird is configured as a POP3 client and deletes email from the server older than two weeks when it checks for new messages. (I leave messages on the server for a short time in case my Thunderbird profile corrupts. In case of corruption I simply replace the profile with the previous night's backup and re-download all messages. Nothing gets lost that way. It has saved my bacon more than once.) I have a catch-all on the domain which sends everything to my main mailbox.
The email address in question never "appeared" on the current server, which has been in use for over two years, until the spam email was received. Therefore, we can rule out a server-side mailbox breach.
Alternative: Mailbox was breached (at the client side).
Why it isn't that: If someone got into Thunderbird, or any other application on my computer for that matter, why compromise an alias, an alias that hasn't seen email in over two years at that, and not the main address to my mailbox? Why not move laterally into userland at my user level and hit me with ransomware? Why not pivot from my main computer into other systems on my local network? Why not drop a keylogger and pivot into much more valuable targets? Basically, why stop at a single application?
The more you think about it from an attacker's point of view the less likely it becomes that my email application or breach of my local computer was the source of the leak. Therefore, we can rule out a client-side mailbox breach, and fully rule out the wild and baseless assumption about my mailbox getting breached.
Alternative: (Insert anything here that isn't some sort of data breach of the old pfsense forums.)
Why it isn't that: So you're saying that four different people, all (likely) running different email systems, with the only thing in common between them being using the leaked email address on the pfsense forum, and two of them seeming to be involved in the same spam campaign, all had that one email address compromised through some unspecified "other means" and it can't possibly be a compromise of the old forum? What's this "other means" and what extraordinary evidence do you have supporting that extraordinary claim? As I said before, "I haven't received spam" is not evidence. You simply haven't received spam yet.
I'll end this novel with the hope that it will put an end to the wild and completely baseless assumptions that have been posted so far. If not, well, I guess I'll continue to disprove more wild and baseless assumptions as they arrive. If nothing else the continued activity will perhaps attract a few more reports from people who have received spam. If you have received spam, please post the redacted headers (and if you have them, email server logs, again properly redacted) as evidence in support of your claims. Too many people are posting without evidence that it didn't happen, so we need to include evidence with our claims so we can continue to easily dismiss the naysayers.
-
@anonymous-5132 said in pfsense forums data breach confirmed:
"Well I haven't received spam" is not evidence. Absence of evidence is not evidence
It's the same sort of evidence that you're trying to present ;)
I have used this email (unique to these forums) for 10 some years - no spam.. So where is this breach you say happened.. ?? What, these spammers said hey we just got X thousands of new email addresses to send our spam to - but don't send to John's
-
I'm kind of wondering about the motivation of this thread now.
Is it simply:
Hey the old pfsense forum may have suffered a data breach, so you may want to be aware of any place you use that password/email combo and change it. That is a good thing, a heads up to everyone.
Not sure if there is much value in posting redacted headers and such since the old forum has no way for users to change anything, all you could do is change your password on the current forum if you've used the same email/password combo.
Just my opinion feel free to ignore as you wish.
-
@mer said in pfsense forums data breach confirmed:
wondering about the motivation of this thread now.
Same here - seems like the subject is meant to draw attention, get on google, etc.. When clearly there is no such evidence of any sort.... @mer have you got any spam on your unique email - oh yours doesn't look unique never mind..
Now if we had a huge number of users saying hey I got spam xyz.. To my unique only used on this forum.. Then you might have something to talk about..
-
Our IT team has been looking into a possible breach of the Netgate forums. They have found no evidence of any breach or of users' email/passwords being compromised in any way.
All users that migrated their accounts to the new (current) forum were forced to change their password at that time, mitigating anything that may have happened prior to that.
-
@johnpoz said in pfsense forums data breach confirmed:
@anonymous-5132 said in pfsense forums data breach confirmed:
"Well I haven't received spam" is not evidence. Absence of evidence is not evidence
It's the same sort of evidence that you're trying to present ;)
I've presented hard evidence in the form of server logs and email headers. You've presented absolutely nothing but your word. They are not the same in any way and any reasonable person would know that.
What if, for sake of argument, I don't believe you? I showed you the proof that I have received spam, so you don't have to take me at my word. Show me the proof that you haven't received spam so I don't have to take you at your word. If I was paranoid I might think you're hiding something...
I, and three other people, have presented evidence that the old pfsense forums suffered a data breach, while you've presented absolutely nothing that it hasn't. If not that, then what? What other explanation do you have that fits the evidence that has been posted so far? Present evidence, not words. Proof.
Why are you arguing so hard against this from such a weak position? What is it to you?
@mer said in pfsense forums data breach confirmed:
I'm kind of wondering about the motivation of this thread now.
Is it simply:
Hey the old pfsense forum may have suffered a data breach, so you may want to be aware of any place you use that password/email combo and change it. That is a good thing, a heads up to everyone.
Something like that. "Hey, change your passwords, start using a password manager with unique passwords for all sites, and turn on 2FA. If you used a unique email, change it and block delivery to the old address if you have the ability. Also be aware that it's possible any information you provided to the old pfsense forum and anything connected to it may be in the wild now, which may include private messages."
Not sure if there is much value in posting redacted headers and such since the old forum has no way for users to change anything, all you could do is change your password on the current forum if you've used the same email/password combo.
In my opinion one should present evidence when claiming a data breach, otherwise it tends to look like simple trolling. It also gives admins a reference to look at while investigating.
@johnpoz said in pfsense forums data breach confirmed:
When clearly there is no such evidence of any sort....
The only ones not presenting evidence are you and the other naysayers. There's plenty of evidence. Have you looked at the other thread? Have you looked at the evidence I presented?
Now if we had a huge number of users saying hey I got spam xyz.. To my unique only used on this forum.. Then you might have something to talk about..
Do you know how I know you didn't read my previous post? Give it time. This thread has already attracted another confirmation, albeit without providing evidence yet. More will eventually filter in, especially if you keep keep this thread alive.
@dennis_s Thanks for the update, but this seems to be only related to the old forums. Once enough users come forward with evidence I think an official breach notification might be nice. It would also give a place to explain anything else that may have been compromised as well as listing everything that couldn't have been involved.
I have no evidence that the Netgate forum, or any other part of the Netgate website, has been breached, nor am I claiming that. If it seemed that I was claiming that the Netgate forum has suffered a data breach that was not my intent. This is all about the old pfsense forum and any software tied in to that system at that time. We know that at least email addresses have been leaked, but so far we don't know what other data may or may not have been involved.
-
@anonymous-5132 Thanks: I was just making sure, I was not trying to imply or assume motive to anyone
-
Wow, what junk forum software. My post above isn't spam until I try to edit it to remove the duplicated word. Teach me to proofread three times...
---Edit---
Just testing to see if all my edits are considered spam for some reason...
-
@anonymous-5132 said in pfsense forums data breach confirmed:
Have you looked at the other thread? Have you looked at the evidence I presented?
Yes - and there is no "evidence". You getting some email to some address "you" say has not been used elsewhere - or not leaked "elsewhere" or someone didn't specifically add to a spam list, etc. etc.. is sure as hell not "evidence" of a breach... When more than you come forward and say hey we all got this spam, from our only used on this forum, you might have something worth talking about.
My "EVIDENCE" shows no spam to my private address - so clearly your email address was obtained elsewhere.. Do you see how thin your accusation is?
getting email to the clearly unique and unknowable "pfsense" at some domain - yeah just screams their db has been compromised <rolleyes>
-
@johnpoz said in pfsense forums data breach confirmed:
@anonymous-5132 said in pfsense forums data breach confirmed:
Have you looked at the other thread? Have you looked at the evidence I presented?
Yes - and there is no "evidence" you getting some email to some address "you" say has not been used elsewhere -
So we're supposed to believe you at your word but not me? You who has yet to post anything but words and has given absolutely no reason whatsoever to be trusted and in fact has shown good reason not to be trusted?
or not leaked "elsewhere" or someone didn't specifically add to a spam list, etc. etc.. is sure as hell not "evidence" of a breach...
So I leaked my own email address, defeating my own system I put together to detect leaked email addresses? Or are you claiming I faked the email headers and server log lines I posted? And you think I'm the one being completely unreasonable? ROFL!
When more than you come forward and say hey we all got this spam, from our only used on this forum you might have something worth talking about.
You mean like the three other people who have posted? Did the two others who posted evidence so far fake their evidence as well?
My "EVIDENCE" shows no spam to my private address - so clearly your email address was obtained elsewhere.. Do you see how thin your accusation is?
Your "evidence" is your word and absolutely nothing else. You claim that you haven't received spam, and quite frankly, I don't believe you. I, and two other people, have posted hard evidence. You have posted crazy assumptions and ignored facts.
getting email to the clearly unique and unknowable "pfsense" at some domain - yeah just screams their db has been compromised <rolleyes>
A data breach of the old pfsense forum is the simplest explanation given the facts. What else could explain multiple different people all receiving spam to an address only used in that one place? Do you honestly believe that three different people all decided to forge evidence to falsely claim that they got spam to a unique email used at a single website and then all chose the old pfsense forum out of millions of choices? Oh, but I'm the one being unreasonable.
One of us has posted evidence, and one of us has not. One of us has read the evidence posted by two other people, and one of us has not. The fact is the evidence posted so far supports the theory that a list of email addresses used on the old pfsense forums has been leaked. No amount of words from a clearly unreasonable person will change that.
-
I think it's about time that a moderator LOCK this post as there has been no credible evidence that there has been a leak posted and let's quit feeding this troll.
-
The full (redacted) E-mail I received is:
https://pastebin.com/ApKP3fmG
-
let me guess !! let me guess !!
the email of @johnpoz johnpoz [snipped mod]
-
@kiokoman no, that is not the private address that the forum knows about..
-
@johnpoz
it was here
https://forum.netgate.com/topic/61267/minor-issue-with-client-export-config-commands
maybe you should clean that also
I wanted to show that it is not impossible to find them
also
https://marc.info/?l=pfsense-discussion&r=1&w=2
it's full of information about personal emails for example
-
@kiokoman thanks - from 2013, wow.. Not sure how I missed that way back then.
But yeah great example..
-
@johnpoz your email address is also exposed in your Redmine profile, in case you're wondering. You can set it to private in the settings.
-
@joolee
Might be nice to edit the above to just say your mail address