In October 2015, a discussion board called PHP Freaks was hacked and approximately 173,000 user accounts were breached, exposing users’ email addresses, dates of birth, IP addresses, passwords and usernames.
Although hearing about another online cyber attack is not exactly big breaking news these days, what surprised industry insiders and PHP Freaks’ own members was that PHP Freaks refused to remove or close any of the affected accounts because doing so would violate its Terms of Service (TOS).
If you are one of those people who breeze through a site’s Terms of Service, this breach may change your cursory reading habits. While the company informed its users of the hack on its network systems, which possibly exposed more than 170,000 accounts, and gave instructions on how forum users should proceed (changing passwords, etc.), PHP Freaks also included the following information, which came as a surprise to many:
*PLEASE NOTE*
We will not be deleting accounts upon request. We stated that we would not delete accounts for any reason in our TOS when you signed up. Deleting accounts is not going to retrieve the user table data.
When conducting business online, Internet users need to be especially wary of the “fine print” in the terms they agree to before signing on the dotted line, and registering on an online site is no different. In this case, those who signed up on PHP Freaks did so for life!
The following was posted by an “Advanced Member” of PHP Freaks, titled as administrator:
It has come to our attention that someone managed to get their hands on a database dump of the PHP Freaks members table used in our forum database.
We apologize for the inconvenience and concern this may cause you.
*UPDATED*
Based on research, we believe that the individual(s) responsible utilized some exploits available in the forum software that allowed them to run a php script that dumped the data from the forum user table.
While the passwords are hashed a number of times and in many cases salted, someone who is highly motivated to do so may be able to derive your original password, especially if you did not use good password practices.
A hashed password cannot be decrypted, but by generating rainbow tables, crackers can determine if your password matched one of many they may have in a database.
The table also includes your name, so it may or may not associate you with the email address you used to register.
We highly recommend that you take the following actions:
1. Change your password
2. Change the password on any system where you used the same account name/email/password combination.
3. Use unique high-quality passwords on any and all systems you frequent now and in the future.
Should we make any additional determinations or discoveries in relation to this issue, we will provide updates here.
*PLEASE NOTE*
We will not be deleting accounts upon request. We stated that we would not delete accounts for any reason in our TOS when you signed up. Deleting accounts is not going to retrieve the user table data.
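The administrator's post turns on how the passwords were stored, so here is an added Python example (not from the post or from PHP Freaks' forum software) contrasting a fast unsalted hash with a per-user salted, slow KDF when a leaked user table is checked against precomputed hashes. The user names, passwords, record format and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware

def fast_unsalted(password):
    """Weak scheme shown for contrast: one fast, unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()

def precompute(candidates):
    """Hash -> password table built once and reusable against any dump.
    A plain dict stands in for a rainbow table's time-memory trade-off."""
    return {fast_unsalted(p): p for p in candidates}

def hash_password(password):
    """Per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iters)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)

def exposed_by_table(user_table, table):
    """Users whose stored value appears verbatim in a precomputed table."""
    return sorted(user for user, h in user_table.items() if h in table)

# Constructed sample data: two users share one common password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "N7#vq-tulip-Orbit-52"}
COMMON = ["123456", "password", "letmein", "qwerty"]

if __name__ == "__main__":
    table = precompute(COMMON)
    weak = {u: fast_unsalted(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted, found in table:", exposed_by_table(weak, table))
    print("salted KDF, found in table:", exposed_by_table(strong, table))
    print("alice and bob share a stored value:", strong["alice"] == strong["bob"])
    print("verify ok:", verify_password("letmein", strong["alice"]))
```

Salting removes the precomputed shortcut and the slow KDF raises the cost of each guess, but a common password can still be guessed one account at a time, which is why the post's advice to change reused passwords applies either way.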
Additional Resources About This Breach:
http://www.databreaches.net/php-freaks-forum-database-hacked/
http://www.hackbusters.com/news/stories/445426-php-freaks-forum-database-hacked