TapaTalk hacked

[WoodiE55]

Just received this email from TapaTalk. Better go change your passwords.




Dear Tapatalk Forum Community,

Today we discovered that someone had used an exploit in a third party plugin on the Tapatalk support forums, leading to the disclosure of email addresses and encrypted passwords, and possibly passwords in cleartext if you attempted to login since December 9th.

Due to this incident, please log into www.tapatalk.com/v2 and change your password.

• Please choose a strong password, containing a mix of upper and lower case letters, numbers and even symbols if possible.
• Never use the same password on more than one site. Passwords should be unique to each site they access in order to comply with basic security best practices.

No other systems appear to have been affected and we will continue to perform audits. In the meantime our support forums will be brought back online but we will be rolling back the site approximately a week as a precaution. Posts and messages since that time will not be restored in this process.

Again, all passwords have been invalidated and will no longer work. Please reset your password using the reset password page and then following the instructions provided in the email.

We are sorry for this inconvenience and thank you for your patience,

The Tapatalk Team



---

Curious to see how passwords would have been "seen" in clear text. Even more scary is Tapatalk has many forum owners personal information too if said owners are showing ads. Hopefully more information will be published about how much was taken and what is "safe" at this point.

 

[WoodiE55]

For what it's worth this line, "all passwords have been invalidated and will no longer work." does NOT appear to be correct as I was able to log into my profile using my "old" password and reset it to a new one.

 

[DudeThatsErin]

Oh wow! Good luck everyone~

 

[Azareal]

Honestly, I've seen Tapatalk as a joke for years and they're just getting more and more irrelevant as time goes by.
This is just yet another reason for sites which use Tapatalk to stop using it, as soon as possible.

 

[Danielx64]

Password changed

I don't use it today as there are better options but I didn't think about shutting my account down.

 

[sgray]

Anyone have a clue what "third party plugin" provided the gateway to this?

 

[TimWolla]

Hi

I don't use it today as there are better options but I didn't think about shutting my account down.

Actually it does not seem to be possible anyway. My emails regarding account deletion are being ignored, despite this seems to be the official way according to their forums…

 

[Rasty]

I deleted my plugin from my site. I'm officially done with tapatalk.

 

[BirdOPrey5]

What forum software is Tapatalk using these days?

 

[sgray]

What forum software is Tapatalk using these days?

Xenforo

 

[BirdOPrey5]

[exhales]

 

[Amaury]

Doesn't affect us. We don't use TapaTalk.

 

[bucket]

so, what was exploited? just their own forum, or the whole TT network, or ????

 

[BirdOPrey5]

Don't know why you are "exhaling". The link they are using is not to the forum, but to their custom script that controls the actual Tapatalk accounts dashboard for forums. Makes me wonder if it is actually a XenForo plugin or something that they have written (and if they use their normal coding procedures it's no surprise it has problems).

I think that was a screw up on their part- I went to the forum last night and read a post that they kind of hastily sent out the email to let everyone know but the staff that could answer questions wouldn't be in until later (Monday?). They were pretty clear it was the forum that was hacked.

From this thread- https://support.tapatalk.com/threads/passwords-stolen.27443/

Post confirming it is the forum:

What happened was that someone used an exploit in a non-Tapatalk bit of code to gain access to the database on the support forum were they extracted from the database amongst things, encrypted passwords but they also modified Xenforo on the evening (US time) of December 10th so that it logged unencrypted passwords when you logged in. These were streamed off directly to a server in Sweden.

Only the support forums were affected, not the admin panel (unless you use the same password everywhere, a very bad practice) and not the Tapatalk plugin installed onto your site or the app on your phone.

The timing wasn't great, I agree. I found the intrusion early European time over a weekend and sent out the emails as soon as I could, to be completely open and honest. The team on US time will be addressing issues as they roll in here.

A lot of people complaining that the links in the email sent out look fishy- and they did... Also complaints that despite the email saying all forum passwords were reset/erased people were still able to login with their old passwords.

 

[BirdOPrey5]

In another post he says specifically it was a XenForo Plugin that was exploited. The exploit allowed the attacked to download the database and also install yet another plugin that sent copies of passwords in clear text of anyone who logged into the support forums since December 10th (inclusive.)

Had not mentioned which plugin, but I only read 2 pages into the thread I linked above.

 

[Danielx64]

You know I got confused, I may not even have a support forum account.

 

[zappaDPJ]

At this point in time I'm not convinced that the email sent out is legitimate and I'm certainly not going to change my password via the link contained within it (which by many accounts doesn't seem to be legitimate).

 

[BirdOPrey5]

At this point in time I'm not convinced that the email sent out is legitimate and I'm certainly not going to change my password via the link contained within it (which by many accounts doesn't seem to be legitimate).

Well it was a legitimate email, just with the wrong link. Also they were using a script to track clicks like it was a marketing email. It's pretty clear what happened when you look at it.

An unfortunate combination of mistakes made everyone further confused and paranoid.

 

[WoodiE55]

TapaTalk doesn't seem to have all their ducks in a row. The email sent out stated the accounts have been compromised and tells you the old password has been deactivated and gives you a link to reset your password. The link used to reset your password is to reset your TapaTalk ADMIN panel password - NOT forum but then they post this in their support forum.

"The logins to support.tapatalk.com and every other tapatalk system are NOT related unless you used the same email address and password.

Affected
- support.tapatalk.com

Unaffected
- www.tapatalk.com
- Admin control panels.
- Tapatalk plugins
- Tapatalk mobile apps" - https://support.tapatalk.com/threads/passwords-stolen.27443/page-2#post-145163

I have a feeling they don't have much of an idea what really is or isn't effected.

 

[zappaDPJ]

Well it was a legitimate email, just with the wrong link. Also they were using a script to track clicks like it was a marketing email. It's pretty clear what happened when you look at it.

An unfortunate combination of mistakes made everyone further confused and paranoid.

It's still not clear to me and I'll keep leaning towards paranoid until I've been convinced otherwise. It could very well be legit or it could be that an admin account has been compromised and the email is a scam to get everyone to change their passwords during at which point they will be intercepted.