We've been hacked
About an hour ago, someone was able to log in to an admin's account. They were able to log in to the ACP with this account and change the theme to what many of you saw. I did not contact the person, but going by their Twitter, they do this for fun and they are not affiliated with any current or past members of YouChew.
Before changing the theme, they downloaded a copy of every single member on YouChew, along with usernames, email addresses, and password hashes. All passwords are salted and hashed, making them difficult to crack; however, weak passwords can be brute-forced very quickly if the hashing algorithm is known. How YouChew hashes their passwords is not a secret, so to be safe, it is very strongly recommended that you change your password and the password on the email account you use for YouChew. I can't stress this enough.
To prevent any further break-ins, the admin in question is no longer an admin for the time being and their password was forcibly reset. It's possible they compromised their email account to log in, so they will not be able to get back in until they change their email address here as well.
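A worked illustration of the point made in the post above, added here and not code from the original thread or from YouChew's forum software: the salt is stored next to each digest, so once the dump and the algorithm are known it does nothing to stop a weak password being matched from a wordlist; what a defender controls is the cost per guess (a slow key-derivation function) and the password strength policy. The fast SHA-1 scheme, the wordlist and the member records below are constructed stand-ins, not YouChew's actual scheme or data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a fast salted scheme (NOT YouChew's real one):
# one SHA-1 over salt + password. Whoever holds the dump also holds the salt.
def fast_salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

# Defender's replacement: PBKDF2-HMAC-SHA256 with a high iteration count. The
# parameters are stored with the digest, so the scheme can stay public yet costly.
PBKDF2_ITERATIONS = 200_000

def slow_hash(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_slow(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)

def wordlist_position(stored_digest: str, salt: bytes, wordlist, hash_fn) -> Optional[int]:
    """Audit helper: 1-based position in `wordlist` whose entry reproduces
    `stored_digest` under `hash_fn` with the leaked salt, or None if none does."""
    for position, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(guess, salt), stored_digest):
            return position
    return None

# Constructed sample data: a tiny wordlist and two fake member records.
WORDLIST = ["123456", "password", "youchew", "letmein", "qwerty"]
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
WEAK_RECORD = fast_salted_hash("youchew", SALT)
STRONG_RECORD = fast_salted_hash("correct-horse-battery-staple-9Qx", SALT)

if __name__ == "__main__":
    print("weak password at wordlist entry:",
          wordlist_position(WEAK_RECORD, SALT, WORDLIST, fast_salted_hash))
    stored = slow_hash("youchew")
    print("slow scheme verifies:", verify_slow("youchew", stored),
          "rejects wrong:", verify_slow("y0uchew", stored))
```

The iteration count is what turns a dump into an expensive offline job rather than a quick one; the salt only stops one guess from covering every member at once.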
He should become a music artist and make his own site then. Is he so sad and lonely he'd have to hack YouChew?
He's just one of those black hats that hack people/sites for shits and giggles. Kind of like Poodlecorp, but not on the networking aspect of attacks. Either way, they're all losers.
Would there be any extra security risk for the people who have donated to the site?
If there's any credit card or PayPal information on the servers, then maybe. But I have no idea how they have this site set up, so I probably have no business answering a question like that. I guess it's just my perspective on the matter. :/
I would also like to remind everyone to turn on two-step authentication for your email accounts. This can involve a simple text to your phone whenever your account is logged into anywhere else or having a special app on your phone that spits out an unlock code whenever you log in somewhere.
Oftentimes, these send login alerts as well, which are almost as valuable. Know that despite all of the safeguards and passwords and everything, social engineering can let the most persistent hackers into your account (not here, of course; I don't believe YouChew has a customer support line yet to enable such activity, but images of Whelt answering a phone on a hook about passwords are coming to mind). Having a heads-up when this happens - and having the ability to disable your account before damage can be done - is crucial.
Almost makes me long for the olden days, when the worst thing that happened to this site was the forum clock somehow setting itself in the future. Then again I think our first DDoS happened roughly around that time as well, so never mind.
In any case, passwords changed. Appreciate the prompt information from Tab and the admins.
I made a ~$5 donation on Wednesday or Thursday night, if I remember correctly. That's all handled on PayPal's end, right? So I shouldn't have to worry about any of my personal information because I essentially sent one of the admins money entirely through a third-party medium?
EDIT: I just found Whelt's post about this earlier in the thread. Good to know.