Website Hijack Attempt

Thread Tags
Primary: [Support]
Secondary: [Support]

Last night, a number of our users received the following email:

You've requested a password retrieval for your account at otl.dkpsystem.com.

Your new account info for otl.dkpsystem.com is as follows


Login Name: [login name]
New Password: [password]

Be aware that this password is case sensitive!

If this request was not made by you, then someone is probably trying to hack your password. The IP Address used to request this password was [IP Address]. If this is not you, you'll want to report this to the admin of your site, or to DKPSystem.com staff, or if you are an admin of your site, you can ban the IP address by going to Admin > Security > Ban List.

Thank you,
DKPSystem.com


I am unclear on the process of password retrieval and wondering what (if anything) I need to do to ensure the security of our users. Our GM received 450 individual password retrieval messages.

I have banned the IP Address that was listed as responsible for the attack.

Is there a way to disable the password retrieval service for our site? I am happy to handle password resets on a case-by-case basis.

Thanks
I would look up the IP address being used and report it to the proper authorities.

Here's a link to the ARIN whois. You should find at least some relevant information about who to contact, even if it's just the name of the provider.


--
Ieyasu - Organizer, Ex Cineribus
I wouldn't sweat it. As long as the hijacker doesn't have access to your email address, it's thoroughly unlikely he'll simply guess the generated password. Doing like you did (banning the IP in question) would be more than satisfactory.

The password recovery process ultimately requires the user to receive the email with the password. Interestingly, it would actually be easier to brute-force a single password than to keep requesting new ones.

Now, if the GM's email address has been compromised, then it's time to change his email password immediately, or get a new email address, but if that's the case, I think his "guild website" would be the least of his worries (banking website passwords and other such vital things being of vastly more importance).

There is no way to disable the Password Recovery options.


--
It's all in the reflexes.
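An added example, not DKPSystem code and not anything the posters above wrote: the email quoted in the first post indicates that the retrieval request itself generates a new password and mails it, so every unauthenticated request changes the account even though only the mailbox owner can read the result. The flow below is the alternative a practitioner would want, a token-based reset in which nothing about the account changes until the emailed token is presented. The user record, the PBKDF2 password hashing, the mail outbox and every name here are constructed stand-ins with no relation to DKPSystem's real implementation.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


# Constructed stand-in for the site's user table (hypothetical, not DKPSystem's schema).
@dataclass
class User:
    login: str
    email: str
    password_hash: str  # "salt$hex" as produced by hash_password()


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is supplied."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 100_000)
    return f"{salt}${digest.hex()}"


def verify_password(user: User, password: str) -> bool:
    salt, _ = user.password_hash.split("$", 1)
    return hmac.compare_digest(user.password_hash, hash_password(password, salt))


class ResetService:
    """Token-based reset: a request only records a pending token, it never touches the password."""

    TOKEN_TTL = 3600  # seconds a reset token stays valid

    def __init__(self, users, clock=time.time):
        self.users = {u.login: u for u in users}
        self.pending = {}   # login -> (sha256(token), expiry); only the newest token is valid
        self.clock = clock  # injectable so expiry can be tested without waiting
        self.outbox = []    # constructed stand-in for the mail queue

    def request_reset(self, login: str, requester_ip: str) -> None:
        user = self.users.get(login)
        if user is None:
            return  # same outward behaviour for unknown logins, so the form cannot enumerate accounts
        token = secrets.token_urlsafe(32)
        expiry = self.clock() + self.TOKEN_TTL
        # Store only a hash of the token: a read of this table does not yield a usable link.
        self.pending[login] = (hashlib.sha256(token.encode()).hexdigest(), expiry)
        self.outbox.append({"to": user.email, "login": login, "token": token,
                            "requester_ip": requester_ip})

    def complete_reset(self, login: str, token: str, new_password: str) -> bool:
        record = self.pending.get(login)
        if record is None:
            return False
        token_hash, expiry = record
        if self.clock() > expiry:
            del self.pending[login]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            return False
        self.users[login].password_hash = hash_password(new_password)
        del self.pending[login]  # single use
        return True


def simulate_flood(requests: int = 450) -> dict:
    """Replay the thread's scenario: many reset requests from one address against one login."""
    now = [1_000_000.0]
    gm = User("gm", "gm@example.invalid", hash_password("correct horse"))
    svc = ResetService([gm], clock=lambda: now[0])
    for _ in range(requests):
        svc.request_reset("gm", "192.0.2.10")  # constructed attacker address
    results = {
        "mails_sent": len(svc.outbox),
        "old_password_still_works": verify_password(gm, "correct horse"),
        "guess_rejected": svc.complete_reset("gm", "not-the-token", "attacker"),
    }
    latest = svc.outbox[-1]["token"]  # what the legitimate mailbox owner would click
    results["real_token_accepted"] = svc.complete_reset("gm", latest, "new passphrase")
    results["new_password_works"] = verify_password(gm, "new passphrase")
    results["token_reuse_rejected"] = svc.complete_reset("gm", latest, "again")
    svc.request_reset("gm", "198.51.100.5")
    stale = svc.outbox[-1]["token"]
    now[0] += ResetService.TOKEN_TTL + 1
    results["expired_rejected"] = svc.complete_reset("gm", stale, "late")
    return results


if __name__ == "__main__":
    for key, value in simulate_flood().items():
        print(f"{key}: {value}")
```

With this design the 450 requests cost the site 450 emails and nothing else: the old password keeps working throughout, a guessed token fails in constant time, and a token is good once and only until it expires. Each new request supersedes the previous token, so a flood can still make the legitimate user's most recent link stale; throttling requests per address and per login is a separate control and is not part of this block.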
I need to know how to temporarily prevent visitors from posting new applications. I tried everything, but I could not stop these same idiots from using the application to flood our forums.

Please help
Quote by wxben
I need to know how to temporarily prevent visitors from posting new applications. I tried everything, but I could not stop these same idiots from using the application to flood our forums.

Please help


Have you tried simply disabling the Currently Recruiting menu?


--
Ieyasu - Organizer, Ex Cineribus
Quote by Nitesbane
Quote by wxben
I need to know how to temporarily prevent visitors from posting new applications. I tried everything, but I could not stop these same idiots from using the application to flood our forums.

Please help


Have you tried simply disabling the Currently Recruiting menu?

Yes, this was the first step I took, but the applications kept coming.

I also changed permissions to prevent anyone but members from accessing the recruiting and application menus as well as preventing the general public from posting in the Application forum. No luck.

It seems that the app.php website is wide open, and I don't see a way to prevent new apps.
/bump

Any further thoughts on this, Chops?
I'll have to add an option to disable the applications. I'll get that in for the update tomorrow.


--
It's all in the reflexes.
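An added example, not DKPSystem code, covering both floods in this thread: the 450 retrieval requests against one login earlier in the thread and the applications that kept arriving through app.php after the menu was hidden are, from the server's side, the same event, many POSTs from one address to one endpoint. The first function parses access-log lines and reports addresses whose burst exceeds a threshold, the raw material for the Admin > Security > Ban List the email mentions; the limiter class is what the endpoint itself would consult before accepting a submission. The log lines are constructed here, the combined log layout is assumed, /forgotpassword.php is an assumed name for the retrieval page, and the addresses come from the documentation ranges; /app.php is the path named in the thread.

```python
import re
import time
from collections import defaultdict, deque
from datetime import datetime

# Combined-format access log line (format assumed; not DKPSystem's own logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def make_sample_log() -> list:
    """Constructed sample: one address bursts reset requests, later bursts applications."""
    fmt = '{ip} - - [12/Mar/2009:{hms} +0000] "{method} {path} HTTP/1.1" 200 512'
    lines = []
    for s in range(12):  # twelve reset requests in twelve seconds
        lines.append(fmt.format(ip="192.0.2.10", hms=f"02:14:{s:02d}", method="POST",
                                path="/forgotpassword.php"))
    for s in range(8):   # six minutes later, eight application submissions from the same address
        lines.append(fmt.format(ip="192.0.2.10", hms=f"02:20:{s:02d}", method="POST", path="/app.php"))
    lines.append(fmt.format(ip="198.51.100.5", hms="02:15:30", method="POST", path="/forgotpassword.php"))
    lines.append(fmt.format(ip="198.51.100.5", hms="02:16:02", method="GET", path="/app.php"))
    lines.append("garbage line that the parser must skip")
    return lines


def parse_line(line: str):
    """Return (ip, method, path-without-query, unix time) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], m["method"], m["path"].split("?", 1)[0], ts


def flood_sources(lines, watched_paths, threshold: int, window: float) -> dict:
    """Map each address whose POSTs to a watched path exceed `threshold` within any
    `window` seconds to its peak count. Candidates for the ban list, not an automatic ban."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, ts = parsed
        if method == "POST" and path in watched_paths:
            events[ip].append(ts)
    offenders = {}
    for ip, times in events.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while recent[0] < t - window:  # drop events that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            offenders[ip] = peak
    return offenders


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key in any `window` seconds; consult before handling a POST."""

    def __init__(self, limit: int, window: float, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def limiter_demo() -> list:
    """Three submissions per ten minutes from one address; the fourth is refused until time passes."""
    now = [0.0]
    limiter = SlidingWindowLimiter(limit=3, window=600, clock=lambda: now[0])
    results = [limiter.allow("192.0.2.10") for _ in range(4)]
    now[0] += 601
    results.append(limiter.allow("192.0.2.10"))
    results.append(limiter.allow("198.51.100.5"))  # an unrelated address is not affected
    return results


if __name__ == "__main__":
    print(flood_sources(make_sample_log(), {"/forgotpassword.php", "/app.php"}, threshold=5, window=60))
    print(limiter_demo())
```

The detector keys on the address rather than on the login or the form, so it catches the same source across both endpoints; the limiter keys on whatever the caller passes, and keying on the login as well as the address is what stops a flood that rotates through addresses. Neither replaces the application-disable option promised above; they limit the damage until it ships.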