devkitPro Forums temporarily shut down due to database vandalization and leak


If you are a homebrew developer then you're most likely familiar with devkitPro, the cross-compiler toolchain used to build virtually all homebrew projects for most of the major home consoles out there. However, if you had registered an account on their forums you may want to take immediate action to protect yourself, as today their forums were hacked and suffered a data breach.

At around 5:27 AM (UTC) devkitPro admins alerted their users that an unknown individual managed to gain access to the forum's phpbb3 database, which was later stolen and vandalized. The database also contained the users' login credentials, which were salted and hashed, so while they are not immediately accessible to the attacker, they are still vulnerable to other types of attacks. As such, it's highly recommended to change your passwords if you had registered an account on their forums and you reused the same one for other accounts.

In addition, the admins stated that their only working database backup is from 2017 so the forums were temporarily closed and are still down at the time of writing. It's currently unknown when they will become accessible again.


[UPDATE 8/2/19]: The forums are now back up.

[UPDATE 2 9/2/19]: The forum's stolen database has been posted publicly on Pastebin and Anonfiles. Again, if you haven't changed your own passwords already, do so now!
 

RattletraPM

> Jesus, that's disgusting.
> Why out of anything would they attack devkitpro?
> That makes no sense at all.
No one knows. No motive was given and the passwords weren't in plain text so "information gathering" can be ruled out.
As you said, it doesn't make sense. It only hurts the homebrew scene as a whole.
 

VinsCool

Given they apparently failed to back up the source code to their project as well...
I really hope this isn't related to that situation to the point an angry kid decided to wreck the shit out of it.
 

FMCore

> No one knows. No motive was given and the passwords weren't in plain text so "information gathering" can be ruled out.
> As you said, it doesn't make sense. It only hurts the homebrew scene as a whole.

Passwords were hashed and salted, but if they know the salt used, they can use rainbow tables to try and get passwords. If they got the database, they'll more than likely have the salt.

> Jesus, that's disgusting.
> Why out of anything would they attack devkitpro?
> That makes no sense at all.

Given they were running PHPBB3, this may not have been a personally done attack against the site; PHPBB3 is known to be vulnerable and sites using it have been hit in the past. If the site wasn't running an up-to-date version, it could've been likely they were vulnerable to one of the many CVEs found at https://www.cvedetails.com/vulnerability-list/vendor_id-1529/Phpbb.html

Course the owner tweeted out one of the logs and the IP in the log came from an ISP in Portugal, so it could've been a personally done attack, but it's hard to say.
 
  • Like
Reactions: MarkDarkness
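
An added example (not part of the thread, and not phpBB's actual hashing scheme): it uses PBKDF2 from Python's standard library as a stand-in, with constructed accounts and a constructed denylist, to show what a stored salt does and does not protect. Identical passwords produce different hashes, yet any candidate password can still be checked because the salt sits beside the hash, which is why weak or reused passwords should be changed after a leak.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # assumed work factor for this demo, not phpBB's setting


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 as a stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(user: str, password: str) -> dict:
    """Store a fresh random salt next to the hash, as a forum database would."""
    salt = secrets.token_bytes(16)
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt; compare in constant time."""
    return hmac.compare_digest(record["hash"],
                               hash_password(candidate, record["salt"]))


def users_needing_reset(records: list, denylist: list) -> list:
    """Names of accounts whose password appears on a common-password denylist."""
    return [r["user"] for r in records
            if any(verify(r, pw) for pw in denylist)]


# Constructed sample data: two accounts share one weak password.
RECORDS = [
    make_record("alice", "hunter2"),
    make_record("bob", "hunter2"),
    make_record("carol", "orbit-candle-fjord-9431-maple"),
]
DENYLIST = ["123456", "password", "hunter2"]  # constructed denylist

if __name__ == "__main__":
    # Same password, different salts, so the stored hashes differ.
    print(RECORDS[0]["hash"] != RECORDS[1]["hash"])
    # The salt is in the record, so weak passwords are still identifiable.
    print(users_needing_reset(RECORDS, DENYLIST))
```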

RattletraPM

> Passwords were hashed and salted, but if they know the salt used, they can use rainbow tables to try and get passwords. If they got the database, they'll more than likely have the salt.

Yeah, I already said that in the OP. What I meant is that it wouldn't be as easy as having the passwords in plaintext so if that were the case then they might've wanted to attack some other website (sure, phpbb3 is vulnerable and all but there are still services storing plaintext passwords out there, either because they don't know the implications or out of laziness - in either case, if that's how much they care about user security you can rest assured they'll also have a crappily designed and easily exploitable website). It's also a forum used mostly by developers, meaning as soon as they hear the news they'll know better than to just sit idly and let their accounts get stolen. Again, maybe this whole situation could've been avoided by using up-to-date software and frequent backups, but from the users' point of view it's a different story.

So whoever decided to do this most likely did it to hurt dkp forums itself and unless I take out my tinfoil hat and start writing a conspiracy which says one of the major software houses did it, I don't know why anyone would do that. Or maybe it was a skiddie just trying to act cool and all. Either way, I hope whoever did it gets caught, fast.
 

linuxares

It doesn't necessarily have to be an attack against homebrew, but someone might have done it just because of the lulz. Heck, I don't even know if they used a metasploit or something like that.
 
  • Like
Reactions: Ryccardo

FMCore

> Write something custom? Because that always works so well.

Woah lad, there's no need for hostility and sarcasm.

Sometimes writing custom solutions is better if you have the time and money.

But in this case, they didn't really have that option.

But again, there's no need to be hostile/sarcastic.
 

FAST6191

> Woah lad, there's no need for hostility and sarcasm.
>
> Sometimes writing custom solutions is better if you have the time and money.
>
> But in this case, they didn't really have that option.
>
> But again, there's no need to be hostile/sarcastic.

Sarcasm is the language of my people. I don't know that I would have viewed that as hostile either. Might just about rank as a curt response to a very odd statement but that is as far as I would take that.

Still, writing custom works for ultra simple stuff (here I am, this is what I sell sort of thing) which could spare you the overhead of something greater is not a bad plan, when you have to eat your own dog food, when you have some restriction like must be sourced within [country] or when you truly need something custom that existing APIs will not handle. If you have to do something vaguely complex and probably out of your wheelhouse (the crossover of compiler writers and php programmers, much less web security capable ones, being rather small) then custom stuff is where we see the feature free or, probably actually and, bonehead mistakes made.
 
