#1 Posted on: 2012/3/23 15:07 Username & Password HACK
I have been using xoops for several years on hobby sites, last year I started using xoops as a backend for my business website www.eurodirectrentals.com, as a security thing I added a little code to a page so when my clients edit their details I get an automated email, today I got several in a short space of time which is unusual...
On checking the details I noticed that the clients original emails had been replaced with a 'free' gmx.com email address....
The clients original password has not changed (I have a backup of passwords for reference).

As yet I am stumped as to how this has happened, any light would be good as I have had to close the backend until I get to the bottom of this issue.
Currently using 2.4.4

Thanks in advance

mutley8
Just popping in
Joined: 2012/3/23 14:41
From UK
Group: Registered Users
Posts: 9
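The pattern reported in post #1 (several accounts moved to the same free-mail domain within a short time, passwords left untouched) can be detected automatically rather than by reading alert e-mails. This is an added example, not part of the original thread; the event fields, the `freemail.example` domain and the sample rows are constructed assumptions, not the XOOPS schema:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of profile-change events:
# (time, uname, old e-mail, new e-mail, password hash changed?)
EVENTS = [
    ("2012-03-23 13:02", "client_a", "a@example.co.uk", "a1@freemail.example", False),
    ("2012-03-23 13:05", "client_b", "b@example.com", "b7@freemail.example", False),
    ("2012-03-23 13:09", "client_c", "c@example.org", "c3@freemail.example", False),
    ("2012-03-23 16:40", "client_d", "d@example.com", "d@example.net", True),
    ("2012-03-24 09:15", "client_e", "e@example.com", "e.new@example.com", False),
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def suspicious_bursts(events, window=timedelta(hours=1), threshold=3):
    """Return {new_domain: [unames]} where at least `threshold` distinct accounts
    moved their e-mail to the same new domain within `window` while the
    password stayed the same (login with valid credentials, then a swap of
    the recovery address)."""
    by_domain = defaultdict(list)
    for ts, uname, old, new, pw_changed in events:
        if domain(old) != domain(new) and not pw_changed:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
            by_domain[domain(new)].append((when, uname))
    flagged = {}
    for dom, hits in by_domain.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= threshold:
                flagged.setdefault(dom, set()).update(users)
    return {d: sorted(u) for d, u in flagged.items()}

if __name__ == "__main__":
    for dom, unames in suspicious_bursts(EVENTS).items():
        print(f"review and lock: {', '.join(unames)} (new domain {dom})")
```

Accounts flagged this way are the ones to lock and restore to their original e-mail address before any password reset mail is sent.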


#2 Posted on: 2012/3/23 21:13 Re: Username & Password HACK
Have you contacted any of those customers and asked if they have had anything strange happen?

What modules do you have installed?

It is possible you have an insecure module on your system that somehow allowed a hacker access to your database. This is not necessarily a xoops issue but we can start there.

And what have you modified in your system?

You may want to upgrade to 2.4.5 and make sure you have the protector module installed if you don't already.



Attending College working towards Bachelors in Software Engineering and Network Security.
redheadedrod
Home away from home
Joined: 2008/2/26 10:05
From Grand Rapids, MI
Group: Registered Users
Posts: 1067


#3 Posted on: 2012/3/24 4:38 Re: Username & Password HACK
Hi redheadedrod, thx for the quick reply, firstly I don't think it is a xoops issue, I have several hobby sites for flight sim enthusiasts & other sites constructed for friends all of which use xoops as the core, none of these have ever been 'attacked'.

I have checked some of the passwords used by my clients in an md5 hack tool which unfortunately reveals their passwords correctly, that said the 'attacker' must also have the clients username to be able to log in, this is where I am stumped.

There are several code snippets that use the core data, I am currently working through these to see if there are any information 'leaks'.

Modules used...
System 2
User Profile 1.57
Smart FAQ 1.08
News 1.64
XForum 5.46
Protector 3.4

Today I will upgrade to the latest version of xoops.

UPDATE:
Installed up to 2.5.4, unfortunately got a white screen after updating everything, reverting back to 2.4.4 and updating to 2.4.5

Thanks for your interest.

mutley8
Just popping in
Joined: 2012/3/23 14:41
From UK
Group: Registered Users
Posts: 9


#4 Posted on: 2012/3/24 8:28 Re: Username & Password HACK
A hack could be the case but don't rule out social engineering. Are you sure webmaster logins and passwords are still private? Same question for the provider admin panel...

The Dutch speaking XOOPS community has moved!
For Dutch support now go to www.nlxoops.nl
flipse
Moderator
Joined: 2005/9/15 4:11
From The Netherlands
Group: Registered Users, Community Coordinator (temporary)
Posts: 699


#5 Posted on: 2012/3/24 9:25 Re: Username & Password HACK
UPDATE 2:
2.4.5 now installed and working, Protector 3.51 on. Since installing there have been 2 attempts to get into the site: (a) me testing that Protector is working, and (b) not me but someone trying to log in as a user.

a. ISOCOM
b. BRUTE FORCE

It looks like Protector has done the job of stopping the entry.

I will take into consideration the possibility of social engineering, but after the Protector report I am convinced there has been a hacker of some sort at work.
As for if the Usernames & passwords are in fact private.. how would I know if they were not?
Admins count for 3 of the members, myself included, the other two are family so I doubt they would be involved.

mutley8
Just popping in
Joined: 2012/3/23 14:41
From UK
Group: Registered Users
Posts: 9


#6 Posted on: 2012/3/24 11:10 Re: Username & Password HACK
It would be a good idea for anyone having admin access to change their passwords as well as the user accounts that were affected.

Another thing to look into is xortify which is supposed to block such hackers altogether.

But you are moving in the right direction at a minimum.

In one of my security classes they mentioned that a very large percent of break ins can be due to social engineering where they guess a password...



redheadedrod
Home away from home
Joined: 2008/2/26 10:05
From Grand Rapids, MI
Group: Registered Users
Posts: 1067


#7 Posted on: 2012/3/24 12:32 Re: Username & Password HACK
After all this I have just had 2 members' details changed, nothing in Protector so I have to assume the database has in fact been breached....



mutley8
Just popping in
Joined: 2012/3/23 14:41
From UK
Group: Registered Users
Posts: 9


#8 Posted on: 2012/3/25 6:31 Re: Username & Password HACK
UPDATE 3:
After checking the 'hacked' accounts I think redheadedrod & flipse are probably right, possibly a social engineering problem, on the client accounts that have been affected I ran their passwords through an md5 decoder which revealed their actual password. I have to say that most of the passwords were very 'un-original' and in most cases were simply a name....

There has been no breach of the database, so the only way in is to have username and password.

So the question is now do I change all my clients passwords?

Is there a xoops module that can do this and email the clients the new password?

So far only 5 accounts have been affected, with 600+ clients this is looking like a huge task !!

mutley8
Just popping in
Joined: 2012/3/23 14:41
From UK
Group: Registered Users
Posts: 9


#9 Posted on: 2012/3/25 7:41 Re: Username & Password HACK
Changing all passwords seems a bit drastic, I would only do this for the 5 affected accounts.

You could send all your clients a warning and ask them to change their passwords in case they are easy to guess. That way you make them responsible themselves; it's in their own interest that private data stays safe.

flipse
Moderator
Joined: 2005/9/15 4:11
From The Netherlands
Group: Registered Users, Community Coordinator (temporary)
Posts: 699


#10 Posted on: 2012/3/25 7:48 Re: Username & Password HACK
Drastic yes !!

I just want to be sure that this never happens again, I am currently going through all passwords and checking them in the hash tool to see if they are in fact secure.
In reality we only store names, phone numbers and addresses... nothing else so there is no benefit to anyone seeing these accounts.

Thank you for your help, it is very much appreciated.

mutley8
Just popping in
Joined: 2012/3/23 14:41
From UK
Group: Registered Users
Posts: 9
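The question raised in posts #8 and #10 (which of 600+ accounts actually need a reset) can be answered on the server itself, without pasting hashes into a third-party tool. This is an added example, not part of the original thread: it assumes the stored value is an unsalted MD5 hex digest, as the "md5 decoder" results in the thread imply, and the rows, field order and word list are constructed. It reports only usernames to reset, never the matching password:

```python
import hashlib

def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

# Constructed rows standing in for (uname, real name, stored hash);
# hashes are computed here so the sample needs no real data.
USERS = [
    ("jsmith", "John Smith", md5_hex("john")),
    ("mary77", "Mary Jones", md5_hex("Mary77")),
    ("rentals_uk", "P. Owner", md5_hex("t7#Lq9!vZp2$wK")),
]
COMMON = ["password", "123456", "letmein"]  # tiny constructed list

def candidates(uname, name):
    """Guessable values for one account: its own username, the parts of the
    account holder's name, and a short common-password list, in a few
    capitalisations."""
    words = {uname, *name.replace(".", " ").split(), *COMMON}
    out = set()
    for w in words:
        out.update({w, w.lower(), w.capitalize()})
    return out

def accounts_needing_reset(users):
    """Return usernames whose stored hash equals the MD5 of a guessable value."""
    flagged = []
    for uname, name, stored in users:
        if any(md5_hex(c) == stored.lower() for c in candidates(uname, name)):
            flagged.append(uname)
    return flagged

if __name__ == "__main__":
    print("force reset for:", ", ".join(accounts_needing_reset(USERS)))
```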



