
Ethereum.org Forums Database Compromised - uptown
https://blog.ethereum.org/2016/12/19/security-alert-12192016-ethereum-org-forums-database-compromised/
======
_audakel
So glad that when they realized they made a mistake they immediately came out
and said exactly what happened, and the detailed steps they are taking to fix
it. Nothing but respect for them.

Haha in complete contrast to what Yahoo prob would have done. (Given that
Yahoo is a much larger company with more legal and bureaucracy so they may be
unable to do this. But still, 3 yrs???)

------
qz_
> The attacker used social engineering to gain access to a mobile phone number
> that allowed them to gain access to other accounts, one of which had access
> to an old database backup from the forum.

Forgive me if I'm missing something blatantly obvious, but how was a hacker
able to gain backup access with just a phone number? What kind of auth is
that?

~~~
chmars
2FA with SMS?

~~~
mastre_
Are you asking what it means, or do you disagree with it?

If a: 2-Factor Authentication with Short Message Service (called "text" in the
US).

If b: It's how Google's 2FA works by default, falls back to SMS.

Basically, getting control of (i.e. stealing) the 2nd factor in the 2FA
scheme, and bypassing the 1st factor, the password (by resetting it).
Plausible.

------
eximius
To be fair to the Ethereum folks, this is the least embarrassing way to be
compromised - that is, when it isn't your fault.

~~~
benchaney
Yes, and also when it is unrelated to your main service.

------
yankoff
Wow, what a terrible year for Ethereum.

