Mibbit Chrome App hits 10k users

The Mibbit App, available on the Chrome Web Browser, just reached 10,005 users today.  We’re pleased people are installing and using the app with Chrome; it has become one of the largest browser shares amongst our users, and people say the Desktop Notifications feature works really well for them (available on WebKit-based browsers).

Thanks for your support and keep using Mibbit!

Check out the Chrome WebStore here.

How to recover nickname and channel

Now that services are back online, to reset your nick password follow these steps and commands (recovering your channel requires the owner nickname to be recovered first, see * below :)

1.  From a connection to irc.mibbit.net, type the command

/msg nickserv RESETPASS <thenick_you_had>

2.  You will be sent an e-mail to the registered account for that nickname.

*Please check your Spam folder in case you don’t see it at first*

* Also add the ‘services@mibbit.com’ e-mail address (us) to your whitelist if you have one *

Follow the instructions in the e-mail:

a)  re-identify to your nick with /msg nickserv IDENTIFY <password>

b)  an error will be displayed (this is ok)

c)  within 20 seconds of the error, type the ENTERCODE command received in the e-mail, exactly as stated there (e.g. /msg nickserv ENTERCODE <the_code>)

3.  You’ll be given a temporary new password (shown on screen).  Identify using this temporary password like this

/msg nickserv IDENTIFY <temporary_new_password>

*Note: if you see a trailing dot, it is *not* part of the password  :)

You will now be successfully identified and your account restored to you; you must change your password now.

4. Change password using

/msg nickserv SET PASSWORD <TheNewPassWord>

(please follow good password practice, e.g. do not set it to your old password or any other password you use elsewhere)

5. Your nickname and channels are restored successfully to the registered e-mail account and credentials are stored in the new, rebuilt IRCd services.

*channel recovery

For any channel your nick owns, you should immediately change the channel owner password using

/msg chanserv set #<name-of-channel> PASSWORD <the_new_password>

Do this once your nick has been recovered.

Please note resets *expire* after one hour; if you don’t receive an e-mail within this time please try a second time.  And do check <spam>: Yahoo and Hotmail have been unkind to this kind of e-mail in the past.  Thank You.
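The recovery flow above (RESETPASS, the expected IDENTIFY error, ENTERCODE within 20 seconds, a temporary password, then SET PASSWORD), modelled as an added Python example that is not Mibbit’s or Anope’s code; it also shows why a store that keeps only password hashes exposes nicknames and e-mail addresses but not cleartext passwords if a backup leaks. The one-hour expiry and 20-second window come from the post; the PBKDF2 work factor, the code lengths and the in-memory data layout are assumptions made here.

```python
import hashlib, hmac, os, secrets

RESET_TTL = 3600         # a RESETPASS code expires after one hour (from the post)
ENTERCODE_WINDOW = 20    # ENTERCODE must follow the failed IDENTIFY within 20 s (from the post)
PBKDF2_ROUNDS = 100_000  # assumed work factor; the post does not say which hash the rebuilt services use

def hash_password(password, salt=None):
    """Store salt + PBKDF2-HMAC-SHA256 digest; the cleartext password is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def check_password(password, stored):
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(hash_password(password, salt), stored)

class NickServ:
    def __init__(self):
        self.nicks, self.resets = {}, {}  # nick -> {email, pw hash}; nick -> pending reset

    def register(self, nick, email, password):
        self.nicks[nick] = {"email": email, "pw": hash_password(password)}

    def resetpass(self, nick, now):
        # RESETPASS: mint a one-time code for the registered e-mail; a real service e-mails it, never echoes it in IRC
        code = secrets.token_hex(8)
        self.resets[nick] = {"code": code, "issued": now, "failed_at": None}
        return self.nicks[nick]["email"], code

    def identify(self, nick, password, now):
        if check_password(password, self.nicks[nick]["pw"]):
            return "identified"
        if nick in self.resets:  # step b of the procedure: this error is expected
            self.resets[nick]["failed_at"] = now
        return "error"

    def entercode(self, nick, code, now):
        """ENTERCODE: a single attempt; on success returns the temporary password shown on screen."""
        r = self.resets.pop(nick, None)  # consumed whether or not it succeeds
        if r is None or now - r["issued"] > RESET_TTL:
            return None  # expired: the user must RESETPASS again
        if (r["failed_at"] is None or now - r["failed_at"] > ENTERCODE_WINDOW
                or not hmac.compare_digest(r["code"], code)):
            return None  # no failed IDENTIFY in the last 20 s, or wrong code
        temp = secrets.token_hex(6)
        self.nicks[nick]["pw"] = hash_password(temp)
        return temp

    def set_password(self, nick, new_password):  # step 4: SET PASSWORD replaces the temporary one
        self.nicks[nick]["pw"] = hash_password(new_password)
```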

~

PS.  Update:  we have changed our SPF entry and tested Yahoo mail successfully with resetpass.  If you received no e-mail before, please try again now.  Thank You.

IRCd services are now available again

Update: After a serious effort in responding to the situation caused by the hack of our test server, Nickserv and Chanserv are available again on the Mibbit IRC network.

To gain access to your nick and channel again you need to follow these steps:

* reset your nick password

* identify to the nickname

* if your nick is used to admin a channel you need to set the channel password

Further instructions here: http://mibpaste.com/euw6EN

The services have retained all existing nicknames and channels intact. To protect the data, all nickserv passwords have been reset.  So to gain access to your nickname you need to have the e-mail address handy that you used to register originally, recover the nick and then set a new password. The new services have been rebuilt and recompiled, and now store passwords using a cryptographic hash function.

More details will be added once we have time, including the significance of the nickserv data, why it was stored the way it was and how, now that we have rebuilt the services, the system will not be vulnerable to the same exploitation exercised previously.

~

update: ‘at risk’ nickserv nicknames contacted by Mibbit – details

We’re working hard to restore services and protect our user data more effectively.  We’ve determined those nickserv nicks ‘at-risk’ from the backup exploit and have begun e-mailing people with the following information.  We appreciate your patience and apologise for the disruption, inconvenience and concern this hack has caused.

For clarification of what was accessed maliciously and what was *not* compromised please see earlier posts.  Also for information about how we protect users personal logs where they choose to use them please see our response to questions at http://mibbitblog.blogspot.com/2011/08/in-response-security-and-logs.html

=-=  e-mail sent to nicknames at risk from exploited backup  -=-=-=-=-=-=-=-=-==-=-=-=-=

Important security alert regarding Nickserv credentials on Mibbit.com – please read.

Late yesterday (Aug 13) two Mibbit servers were hacked: our blog and a test/admin server.  A set of nickserv credentials, from a January 2010 backup on the test machine, was accessed maliciously.  Information was posted online; we acted quickly to bring the affected servers down and to remove the posted information. However, credentials used to register your nickname may have been accessed and shared, including the e-mail address, nickname and, in many instances, the nickserv password.  We would urge you to review your password usage, especially on the e-mail account and any related systems, making appropriate changes if necessary, particularly if your passwords have remained the same since Jan 2010 when the exploited backup was made.

Live systems and the Mibbit client were not compromised, nor was the main Mibbit account database, logon system or any user chat histories.  These have remained secure and available.

What happened?

Two of our servers were compromised and a backup of nickserv credential information removed.

What does this mean?

Your Mibbit IRC nickname and password are likely to be amongst those at risk.  If you use these same credentials in multiple systems you should check and change them.
Nickserv does not provide access to your Mibbit account, prefs, logs or profile. These remain protected and available under your Mibbit account only.

What should I do?

If you think your e-mail or other accounts are at risk we strongly advise you to check those systems and take appropriate action.

Are any other Mibbit credentials or information at risk?

No.  The main Ajax client, widget and main database are unaffected, any personal channel and PM logs stored by users remain secure and unshared.

Why were the credentials and passwords clearly accessible?

The credentials for nickserv have historically been stored on our IRC network services using the default configuration available at the time the service was started. This was a choice to allow the flexibility of having sendpass and auto-identify, while putting in place controls to manage the risk against other compromises and exploits which have been seen.  By putting an old nickserv backup on the less-secure machine (tools.mibbit) we failed to manage that risk; we are making many changes now to remove the possibility that this can happen in a similar way again.

What has Mibbit done to prevent my information being accessed like this?

The affected machines were taken down immediately, the links to data in information posted by hackers have been removed from the host sites and are no longer available. The security of our main systems has been checked and strengthened.

Our nickserv and chanserv services have also been rebuilt and recompiled, and now store passwords using a cryptographic hash function; services will be available shortly.

Where are further updates and help available?

Further updates are available on our blog at http://blog.mibbit.com and in our #help channel.

Will I be able to get my nick and channels back?

Yes, we will publish ‘how-to’ information as soon as the new services become available.

Please accept our apologies for placing credentials at risk in this way. However small the subset of data was, we should not have placed it on a less secure test server. We will be instigating a full review of this incident, the mistakes which led to it and how the test server was compromised. This review will encompass not only our technology and security choices but our practices and procedures in defence against hacking groups.

Mibbit.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=

In response: security and logs

Mibbit takes the security of its users’ data and connections to IRC networks extremely seriously.  That’s why the main Mibbit services were protected much more heavily than its blog and tools server and were not compromised.

The data that was accessed was on a server used for testing and, in hindsight, however old or small a “test” set it was, it shouldn’t have been there.  This was a personal PM log, that of one operator account; the use of it for testing was an agreed deviation from recognised procedure, and this will be reviewed and appropriate action taken to remedy the risk involved.

It’s been a long night and we’re sorry for the disruption and concern this hack has caused our users and the IRC networks they connect to.  We’re working hard to ensure no similar data breach occurs and to restore services and also the confidence people have placed in our IRC network and our Ajax client.

In response to many valid questions which have been asked:

1. Have live PM and Channel logs been compromised?

No.  Any logs our users have chosen to store in their Mibbit account are secured correctly.

2. What was the compromised PM log?

This was the private PM log of one Mibbit operator’s conversations with other users.  This log should not have been on a test server or used for testing.

3.  Does Mibbit log what everyone says to each other over Mibbit or on PM?

No.  Mibbit allows users to opt in to store their own channel and PM logs if they wish; only when the user has opted in does Mibbit store logs for them.  These are never shared or accessed inappropriately.

4.  Has the Mibbit Ajax client been hacked?

The Mibbit Ajax client has not been hacked or compromised.

Anope IRC nickserv and chanserv services have been compromised due to the hack and this is why they are currently offline.

In further clarification:

We do not keep logs of server connections, or channels joined.  Temporary lists of failed connection attempts are held for a short time anonymously in order to resolve compatibility issues.

In the main client (http://chat.mibbit.com/) registered users can opt in to keep personal logs of the PMs and channels they personally access.  Sharing PM or channel logs is not permitted or available.  Users can delete any PM or channel logs at any time.

When entering a channel, users may receive ‘recent chat’. This feature has to be enabled by channel operators (opt in) before it will work, and nothing is stored permanently.

We hope to restore services quickly and will be open and honest about this exploitation and what we’re doing to prevent similar occurrences which place at risk the trust that has been placed in the services.  We’re grateful for people’s patience at this time and would ask users, networks and IRC admins who have any questions not answered here to get in touch via help@mibbit.com or our #help channel, where we will respond as quickly as possible.

Blog & test server compromised: update

Aug 14. This is an update to the previous post.

Nickserv and Chanserv services remain unavailable and will be brought up as soon as the solution has been tested and secured.  A copy of this is being tested now.

To confirm, it must be made clear that the Mibbit Client, the Mibbit Widget and the Mibbit User databases and user logs were not compromised or accessed without authorisation.  What was accessed maliciously were two servers:- the blog and tools.mibbit.com (a server used for testing and admin).

The following information was stolen:

* The personal information of 9 Mibbit operators including their names, accounts and e-mail addresses

* A backup of nickserv data from [April 2011 with up to 10,000]* user nicknames and their credentials

* Two sets of backup data for one operator user account PMs and Channel logs, used for testing

*After investigations, which have taken place in parallel with work to restore services, we now confirm that the actual date of the backup nickserv data accessed was earlier: January 2010.  This backup contained approximately 6000 actual registered nicknames and credentials.  The PM and Channel history information was a single limited set of that stored by one Mibbit operator for test purposes.

Mibbit has been asked whether it stores all Channel logs: it does not.  Questions have also been asked whether logs of all PMs are made: no such thing is true.  Mibbit does not store data without users’ permission and requires a user to actively opt in on their account to log PMs and other items.  Beyond this one Operator’s logs, no other channel history data was accessed maliciously.

It is our policy to allow Operators and any Mibbit user to retain their PMs providing they are not shared. The use of this Operator’s logs in this way and the subsequent access through the test server should not have happened. As more information becomes available we will update with what happened and how we plan to make changes to reduce the risks in this area and make our service safer for all.

Going forward we hope to have the services back up within a short time and a process in place for recovering any lost access.

Blog & test server compromised

At approximately 3pm GMT today unauthorised access was detected to the server which runs our Blog.  In response to this we shut it down and began investigating.  Later today, at around 8pm GMT, we shut down our IRC services after it became clear that several pieces of backed-up data had been accessed maliciously from another server, tools.mibbit.com. We now know this data included:

* The personal information of 9 Mibbit operators including their names, accounts and e-mail addresses
* A backup of nickserv data from April 2011 with up to 10,000 user nicknames and their credentials
* Two sets of backup data for one operator user account PMs and Channel logs, used for testing

Currently we are working on securing and restoring the affected services.  We are treating this as a significant and malicious attack on our services which impacts our users and which has placed user data at risk.  If you have a registered nickname with Mibbit we advise you to review your use of those credentials.

This attack affects only our Blog, Wiki and our IRC services including Nickserv and Chanserv (Anope).  This attack has not compromised the Mibbit client or the Widget, nor has it resulted in general channel or PM logs being made available, neither has the main Mibbit client account log-on system been compromised or Mibbit user profile data been accessed maliciously.  These live systems remain operating as normal.

We do advise all users who registered either a nickname or a channel on our network, and who have not changed passwords in recent months, to review the use of passwords on other systems if the same or similar credentials are used, and further to take appropriate action to review and change access details on those systems if necessary.  It is expected to be some time before Nickserv and Chanserv are fully restored; when they are back there will be remedial action required for users to be able to recover nicknames and channels.

We are continuing to work to remedy this situation and bring affected services back online as quickly as possible.  Please accept our apologies for the disruption, inconvenience and difficulty this attack has caused to you and your users. As we have updates about the attack, the backup data which was stolen from tools.mibbit and the next steps to recover services, we will share them via the blog and the #help channel.