Changing your display name ONLY works if you haven't been attacked yet. I will be sending out another PM to the people we've caught login attempts on so we can discuss changing your username as well. Changing usernames is a function only admins can do.
Ah god damn, I gotta change my password, eh?
Also, I'm getting a lot of 403, aka "Forbidden" errors. Would that be part of this attack or no?
No, that's just forum load issues. Try clearing your cache and stuff.
Thank you very much for the professional, reasonably detailed report as to what was happening, and what the fixing measures are.
I would like to suggest, next time you're working on the SMF files, that somehow, a notification that your login and visible names should be different should be provided at registration. Forgetting how the registration works on SMF, I'm betting that there's a line for visible name during registration - simply adding a boldfaced "For security reasons, do not make this the same as your login name" should be a reasonable warning.
It won't stop idiots, but this might be a case where, if we can get a majority of accounts to avoid this, then this hack becomes ill-worthwhile - the machine effort put in becoming more useful to put to attack other forums. Essentially, the same principle as herd immunity in disease-research fields.
(I also changed my secret question and answer to "WHY ARE YOU ASKING THIS WHEN YOU HAVE YOUR PASSWORD STORAGE PROGRAM?!", and then made sure the secret answer would be ridiculously hard to get by any means ever.)
We're looking into alternate login methods, probably something involving email address. Username is exposed in user profiles as people tend to change their display name a lot (oftentimes to things that aren't readily recognizable) and it's a nice tool to figure out who's who since they're normally unchangeable. Email addresses, on the other hand, do not need to be exposed directly ever as the forum can email on the behalf of other users, and thus can remain totally hidden and unique per user.
But until that is in place, profile viewing has been blocked from people with less than 10 posts. This makes the task of farming usernames much much much more difficult, far beyond any automated tool.
oh man, my glorious username ;-; tarnished by the seeking of security.
(I know admins have the ability to send an announcement to everyone on the forum via e-mail - maybe this is the kind of thing that warrants such an alert?)
Already sent it :V
I have no idea what this TOR thing is, and I've yet to experience random logouts. I'm changing my password anyway to be safe.
The Onion Router, an anonymizing proxy that works by scattering your connection across thousands of "exit nodes" so no one can reasonably track your original IP.