hector
Posts: 370
Joined: Wed Jan 01, 2014 12:27 pm
Location: Spain

Re: We have been HACKED

Sat Jan 22, 2022 6:43 pm

These things happen all the time. No problem for me. (S)He can get my email address. So what?

And (s)he can know what films I watch. I think I have good taste, so that's no problem either.

For the last years I've been using strong passwords, even in a site like this. Yeah, MD5 was compromised some years ago. Bad thing.

The saddest thing about this is that (s)he could take a lot of knowledge and culture from this site but all (s)he cares about is money :-( Fucking money. Not surprising though.

I hope everything goes back to normal and we can keep sharing good films and culture.

By the way...
> OpenSubtitles.org is END OF LIFE project - we are moving completely to www.opensubtitles.com ASAP (which can take 1 year

I don't know why you are switching. I find the old site great. Except for javas..t and annoying ads, it is usable, fast and responsive most of the time. I don't see the need for another site but that's not my business. I just hope the new one is not, like many sites now on the internet, a nice-looking emptiness. The real value of this site is the result of the work of many people, i.e. every translator and uploader. Of course we need infrastructure, servers and all that, but there is no opensubtitles without subtitles, let's not forget that. Improving security is important but that could be done in the old site, I think.

fyvopu
Posts: 2
Joined: Sun Jan 23, 2022 4:22 pm

Re: We have been HACKED

Sun Jan 23, 2022 4:33 pm

Hi

Just wanted to let you know that the account activation link sent in the email after registration is sent as an HTTP link rather than HTTPS. (Only for the main site, the forum activation link is HTTPS). This is probably an easy fix, but also an important one, since the Webserver doesn't seem to have HSTS enabled either. In fact, while you're at it, I would recommend adding an HSTS directive to your Webserver as well.

Cheers
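
The two checks raised in the post above, written as an added example (not part of the original thread and not the site's own code): it flags plain-HTTP links to the site in an email body and evaluates a `Strict-Transport-Security` response header. The domain `example.org`, the sample email and the `MIN_MAX_AGE` threshold are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input; example.org stands in for the real site.
SAMPLE_EMAIL = """Welcome! Activate your account:
http://www.example.org/activate?token=PLACEHOLDER
Forum activation: https://forum.example.org/activate?token=PLACEHOLDER
"""
MIN_MAX_AGE = 15768000  # six months in seconds; assumed policy threshold


def insecure_links(body, site_domain):
    """Links in body that reach site_domain (or a subdomain) over plain HTTP."""
    found = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        on_site = host == site_domain or host.endswith("." + site_domain)
        if on_site and parts.scheme == "http":
            found.append(url)
    return found


def parse_hsts(headers):
    """Parse Strict-Transport-Security; None if absent or lacking a valid max-age."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        match = re.fullmatch(r'"?([0-9]+)"?', arg.strip())
        if name.strip().lower() == "max-age" and match:
            policy["max_age"] = int(match.group(1))
        elif name.strip().lower() == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None


def audit(body, headers, site_domain):
    """Return human-readable findings for the two issues raised in the post."""
    findings = [f"plain-HTTP link: {u}" for u in insecure_links(body, site_domain)]
    policy = parse_hsts(headers)
    if policy is None:
        findings.append("HSTS header missing or invalid")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"HSTS max-age too short: {policy['max_age']}")
    return findings
```

Browsers only honour the HSTS header when it arrives over HTTPS, so a first visit through an `http://` activation link stays unprotected until the redirect; fixing the link and adding the header are both needed.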

hector
Posts: 370
Joined: Wed Jan 01, 2014 12:27 pm
Location: Spain

Re: We have been HACKED

Sun Jan 23, 2022 6:26 pm

I finally managed to change my password. Then I found a topic named "password change" but I could not post anything there because it is locked. Too many locked threads lately. Some of them justified but this case I don't understand. Well, I do it here.

I had some difficulties. I guess the new password didn't comply with your rules for a strong password. OK, I think it's good that you enforce strong passwords but the code has some bug and it just said "fill the fields correctly". Well, it's difficult if I don't know what do you mean by "correct". One of those general messages that doesn't help at all. If the password must contain one special character why don't you tell me? At last the message appeared but then it would be good to know what is a "special character". One of [!@#$%^&*] or [?/_=!@#$%^] or what? Anyway the code that checks the fields has some bug or it doesn't work (at least in my computer) as I expected. The checking should be done when you press the button, not when the cursor enters or leaves a field, I think.

oss
Site Admin
Posts: 5879
Joined: Sat Feb 25, 2006 11:26 pm

Re: We have been HACKED

Mon Jan 24, 2022 3:18 am

@fyvopu - thanks for info, we will check
@hector - please send us the URL where you have these troubles; is it /newpassword or /login/a-rp? Then we can investigate - I cannot locate the error for now. Which browser do you use, and do you experience this behaviour also if you open a NEW PRIVATE WINDOW?

hector
Posts: 370
Joined: Wed Jan 01, 2014 12:27 pm
Location: Spain

Re: We have been HACKED

Mon Jan 24, 2022 12:18 pm

URL is /newpassword and browser is Firefox 68.3.0esr

fyvopu
Posts: 2
Joined: Sun Jan 23, 2022 4:22 pm

Re: We have been HACKED

Mon Jan 24, 2022 11:39 pm

> @fyvopu - thanks for info, we will check

My pleasure.
This will give you a good idea of what can be improved with the Webserver. Not all of it is relevant or necessary, but probably a lot of it is:

https://observatory.mozilla.org/analyze ... titles.org


Cheers

tribesman22
Posts: 3
Joined: Tue Jan 25, 2022 3:26 am

Re: We have been HACKED

Tue Jan 25, 2022 3:30 am

Fine you got hacked. Whatever.

Now I keep getting these emails 4 times a day:

"
Your account has been locked due to an excessive amount of unsuccessful sign in attempts.

Click the link below to unlock your account:

"

I've changed both my username and password on the new com website but there's no way to do that on the org website. I'm assuming someone is running a script trying to login to my account and your site is locking my account.

WTF am I supposed to do? I'm a VIP and am close to not renewing my support because of how annoying this whole thing is.

os_dev
Posts: 194
Joined: Wed Oct 17, 2018 3:42 pm

Re: We have been HACKED

Tue Jan 25, 2022 6:39 am

> Fine you got hacked. Whatever.
>
> Now I keep getting these emails 4 times a day:
>
> "
> Your account has been locked due to an excessive amount of unsuccessful sign in attempts.
>
> Click the link below to unlock your account:
>
> "
>
> I've changed both my username and password on the new com website but there's no way to do that on the org website. I'm assuming someone is running a script trying to login to my account and your site is locking my account.
>
> WTF am I supposed to do? I'm a VIP and am close to not renewing my support because of how annoying this whole thing is.

well, it's the first time I get this error reported, please at least give me a day to try and investigate it... we did change a lot of things to secure the site and some bugs may have been added.

so, first thing, what site is sending you the lock ? .com or .org ?

tribesman22
Posts: 3
Joined: Tue Jan 25, 2022 3:26 am

Re: We have been HACKED

Tue Jan 25, 2022 6:43 am

>> Fine you got hacked. Whatever.
>>
>> Now I keep getting these emails 4 times a day:
>>
>> "
>> Your account has been locked due to an excessive amount of unsuccessful sign in attempts.
>>
>> Click the link below to unlock your account:
>>
>> "
>>
>> I've changed both my username and password on the new com website but there's no way to do that on the org website. I'm assuming someone is running a script trying to login to my account and your site is locking my account.
>>
>> WTF am I supposed to do? I'm a VIP and am close to not renewing my support because of how annoying this whole thing is.
>
> well it's first time I get this error reported, please at least give me a day to try and investigate it... we did change a lot of things to secure the site and some bugs may have been added.
>
> so, first thing, what site is sending you the lock ? .com or .org ?

Email is coming from [email protected] but the link is for the .com site. I already sent an email using the .org site's contact form asking for my username to be changed (no response in 2 days) hoping maybe that'll help.

Thanks for looking into this.

os_dev
Posts: 194
Joined: Wed Oct 17, 2018 3:42 pm

Re: We have been HACKED

Tue Jan 25, 2022 8:00 am

> Email is coming from [email protected] but the link is for the .com site. I already sent an email using the .org site's contact form asking for my username to be changed (no response in 2 days) hoping maybe that'll help.
>
> Thanks for looking into this.

oh, so 1st bug found, the contact form was broken, sorry we didn't get the message. (to be sure, a message saying "Your message was successfully sent and we will try to answer ASAP" should be displayed after sending the form)

the email is signed from "[email protected]" as we use .org for our main domain for emails, but if the link goes to .com, it only affects .com, changing username on .org won't change.

I've just improved the security for the locking mechanism, now if there are multiple attempts with the same wrong login/password, it won't count them as failed attempts, so if there's a script somewhere trying to login with your credentials it won't lock your account.

if the problem persists, please send us a message with the contact form and I'll figure out something better
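
A lockout counter of the kind described in the post above, as an added example (not part of the original thread and not the site's code): repeated failures with the same wrong password count once, and only a keyed fingerprint of each wrong password is held, never the password itself. The class and function names, the threshold, the window and the demo key are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

MAX_DISTINCT_FAILURES = 5      # assumed threshold
WINDOW_SECONDS = 15 * 60       # assumed counting window


class LockoutTracker:
    """Counts distinct wrong passwords per account within a sliding window."""

    def __init__(self, key=None):
        # Server-side secret so stored fingerprints are useless if the table leaks.
        self._key = key or os.urandom(32)
        self._failures = {}  # username -> {fingerprint: last_seen_timestamp}

    def _fingerprint(self, username, password):
        msg = username.encode() + b"\x00" + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def record_failure(self, username, password, now=None):
        """Record a failed login; return True if the account should now be locked."""
        now = time.time() if now is None else now
        seen = self._failures.setdefault(username, {})
        # Drop fingerprints that fell out of the window.
        for fp in [f for f, ts in seen.items() if now - ts > WINDOW_SECONDS]:
            del seen[fp]
        # A repeat of an already-seen wrong password only refreshes its timestamp.
        seen[self._fingerprint(username, password)] = now
        return len(seen) >= MAX_DISTINCT_FAILURES

    def record_success(self, username):
        self._failures.pop(username, None)


def simulate(attempts):
    """Replay (username, password) failures one second apart; return final lock state."""
    tracker = LockoutTracker(key=b"constructed-demo-key")
    locked = False
    for i, (user, pw) in enumerate(attempts):
        locked = tracker.record_failure(user, pw, now=1000.0 + i)
    return locked
```

Deduplication stops a script replaying one stale credential from locking the owner out; a client cycling through different passwords still reaches the threshold, so per-source rate limiting remains a separate control.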

tribesman22
Posts: 3
Joined: Tue Jan 25, 2022 3:26 am

Re: We have been HACKED

Tue Jan 25, 2022 8:35 am

>> Email is coming from [email protected] but the link is for the .com site. I already sent an email using the .org site's contact form asking for my username to be changed (no response in 2 days) hoping maybe that'll help.
>>
>> Thanks for looking into this.
>
> oh, so 1st bug found, the contact form was broken, sorry we didn't get the message. (to be sure, a message saying "Your message was successfully sent and we will try to answer ASAP" should be displayed after sending the form)
>
> the email is signed from "[email protected]" as we use .org for our main domain for emails, but if the link goes to .com, it only affects .com, changing username on .org won't change.
>
> I've just improved the security for the locking mechanism, now if there's multiple attempt with the same wrong login/password, it won't count them as failed attempts, so if there's a script somewhere trying to login with your credential it won't lock your account.
>
> if the problem persists, please send us a message with the contact form and I'll figure out something better

Thank you. I still want to change my username on the old site. How do I do that? Contact form?

os_dev
Posts: 194
Joined: Wed Oct 17, 2018 3:42 pm

Re: We have been HACKED

Tue Jan 25, 2022 8:42 am



> Thank you. I still want to change my username on the old site. How do I do that? Contact form?

yes, just saw that you did, and updated your username as requested :)

oss
Site Admin
Posts: 5879
Joined: Sat Feb 25, 2006 11:26 pm

Re: We have been HACKED

Wed Jan 26, 2022 5:53 am

hi, yes contact form on opensubtitles.org was down, now it is back, so please contact us via that form, and we will reply :)

Safrina
Posts: 2
Joined: Thu Jan 27, 2022 3:02 am
Location: Northern Germany

Re: We have been HACKED

Thu Jan 27, 2022 3:27 am

Hello folks,

I registered here just today because I wasn't able to register to the main site.

I'm asked to create a password in the registration process and then to repeat the password.
Unfortunately it always states both "versions" don't match.
Which can't be true as I tried it several times with the "easiest" words...

What can I do? Am I being stupid anyhow? :( :oops: :wink:

os_dev
Posts: 194
Joined: Wed Oct 17, 2018 3:42 pm

Re: We have been HACKED

Thu Jan 27, 2022 10:59 am

> Hello folks,
>
> I registered here just today because I wasn't able to register to the main site.
>
> I'm asked to create a password in the registration process and then to repeat the password.
> Unfortunately it always states both "versions" don't match.
> Which can't be true as I tried it several times with the "easiest" words...
>
> What can I do? Am I being stupid anyhow? :( :oops: :wink:

hmm, do you get that after submitting the form, or does it come as a red message as you type, stopping you from submitting the form ?

at this point it's me who feels stupid, there's nowhere in the code where I mention something like "both versions" and the non matching password error message is normally only displayed on the right field, so I just don't understand how to reproduce the error to try and fix it....

could you send me a screenshot of the error you get maybe ? (if it's a problem here, you can write me to [email protected])
