for those of you using strongbox, please be aware that I have run into a small security issue that you should address immediately.

When Ray sets up strongbox, he adds an installer's account to your password file with the userid sbinstall. This account is also given the rights to login to your site's strongbox admin reports. Of course, this is required for him to set things up.

I have a client who discovered that hackers are using this userid to get into the reports area and download a list of valid userids for hacking purposes. I have spoken with Ray about this and his recommendation is to remove the sbinstall userid from your password files. This will disable the sblogin userid from being used to access both your website and the admin reports. This is easily done by logging into your admin reports and using the password file manager.

So far this has only affected one client running a straight teen website.

cheers,
Luke