I got hacked

So I got this text file in my Home Assistant root this morning.

Your system is very insecure.
Your shares are available from web.
Delete your samba shares from web!
I can edit and delete all your HA files without password.

If you don't know how to do, have a look at here: https://community.home-assistant.io/

Proof:

New Password: HaCKeD!

4 Likes

You should never expose Home Assistant to the internet without a password!

2 Likes

Pretty sure I had turned off Samba guest share… but logging in this morning it seems the hassio Samba thing had reset itself with no password, no user name and guest access enabled!!!

I had passwords, SSL, DuckDNS, Let's Encrypt. I thought I had everything done right.

1 Like

Every port that is forwarded from the router should have a password.

If only one service is without a password, it's enough for someone to get in, so probably you locked HA but missed Samba.

Do you think hass.io opened up your shares overnight?

1 Like

Yeah, agreed.

I smiled when I read this as I thought you were being sarcastic. But I checked mine anyway, you know, just in case.

Guess what? My Samba settings were all back to their default so yes I am wondering if hassio did open up my shares overnight.

1 Like

In another topic I saw that hassio did recreate the AppDaemon configuration file and did reset the password.

So it is very well possible that hassio has a major security problem.

1 Like

Yep. I've unplugged mine for now.

If that’s the case, let’s make sure to CC @Pascal.

You didn’t get hacked. This sounds like the equivalent of leaving the front door open and unlocked and saying someone picked the lock and broke in.

I have been thinking of making a thread on how to do some general pen testing to check the security of one's instance. After a few recent threads and the completely unsecured instances on shodan* I think people really don't get that they need to "lock the doors" or they don't realize what they have exposed.

*One person has the map with their location exposed, sensors showing their location and controls for their locks all exposed to anyone. Crazy.

6 Likes

Please don’t cause any panic.
This is actually correct (the replacement/reset). Since the add-on uses an internal token as a password in order to avoid / remove the need for an actual password. The issue being complained about has to do with being able to still use a secrets file to protect the tokens. This feature is now being added to the add-on.

So this specific fake news thingy is now out of the way.

Nevertheless, I’m truly interested in the case of the OP.

1 Like

@frenck you rock by the way :wink:

To be honest, @silvrr is probably right. I might have just missed the Samba thing and left a door open. But being hacked sounds cooler, doesn't it?

1 Like

I didn't want to cause any panic, but I combined the 2 things.

  1. AD's config was rewritten in the other topic
  2. @klogg's Samba settings were back to default (which seems the same thing to me, rewriting settings)

So I thought that could happen in more places, and then it's a risk.
Automatically recreating config settings is risky in general in my eyes, and has to be observed very carefully.

You are comparing 2 totally different things as the same things.
The AppDaemon config you are talking about is a file of AppDaemon, not Hass.io.
The Samba case is the Hass.io add-on configuration that lives in Hass.io itself.

Those are 2 totally different locations and aspects.

I do take security very seriously, hence the AD add-on helps users with that (maybe not always wished for, but well… that's another issue). I have my fair share of security experience… let me quote Breaking Bad for you in this case: "I'm the one who knocks".

@Dominic I truly hope you’ll find out the root cause.

Simple check: anyone else running the Samba share had a reset? If not, then I stuffed up and forgot to check.

I'm not arguing that you don't take it seriously, but in my eyes it's very risky to automatically manipulate settings that a user has set himself.
I guess you are trying to protect people from themselves, and that's the biggest risk of all.

I didn't know that there was a difference between add-ons :wink:
I saw the Samba add-on the same as the AD add-on.
I guess that's a lack of knowledge on my part.

I just suspected that the Samba add-on also had a configuration part that is automatically created by hassio.
Like I suspect that every add-on that is installed automatically gets configured.

But I hope that there are no problems, and that the mentioned cases were just user error :wink:

I don’t have a username/password on Samba and I am exposed to the internet. But I only have 3 specific HA ports open so I’m not sure what the risk is??? 80, 8123, 3218 and 7681 (80 for LetsEncrypt, 8123 Hassio, 3218 Configurator and 7681 Terminal - all have a password and lockout features.) 80 is only active if LetsEncrypt connects outbound…
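The advice earlier in the thread (every forwarded port needs a password, one unauthenticated service is enough) and the port list in the post just above lend themselves to a small audit: for each port forwarded at the router, which service answers and does it require a login? The script below is an added example, not code from this thread or from Home Assistant. The forwarded-port table and the Samba options are constructed to mirror the set-up described in the posts (80, 8123, 3218, 7681 forwarded, Samba back at guest access with no credentials), and the option keys `guest`, `username` and `password` are an assumption about the Samba add-on's config format.

```python
"""Audit router port forwards against the authentication of the service behind each.

Added example, not code from the thread or from Home Assistant. The
forwarded-port table and the Samba options are constructed to mirror the
set-up described in the posts; the option keys "guest", "username" and
"password" are an assumption about the Samba add-on's config format.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    auth: str              # "password", "token" or "none"
    lockout: bool = False  # does the service throttle/lock after failed logins?


SAMBA_PORTS = (139, 445)  # NetBIOS session and direct SMB


def samba_services(options: Dict[str, object]) -> List[Service]:
    """Translate Samba add-on options into one Service per SMB port.

    Guest access, or an empty username or password, means anyone who can
    reach the port can read and write the shares, so auth is "none".
    """
    unauthenticated = (
        bool(options.get("guest", False))
        or not options.get("username")
        or not options.get("password")
    )
    auth = "none" if unauthenticated else "password"
    return [Service("samba", port, auth) for port in SAMBA_PORTS]


def audit(forwarded_ports: Set[int], services: List[Service]) -> List[str]:
    """Return one finding per forwarded port that is a problem.

    A forwarded port with no known service behind it is reported as well,
    because a forward nobody remembers is exactly how a share ends up on
    the internet.
    """
    by_port = {svc.port: svc for svc in services}
    findings: List[str] = []
    for port in sorted(forwarded_ports):
        svc = by_port.get(port)
        if svc is None:
            findings.append(f"port {port}: forwarded but no known service behind it; close it")
        elif svc.auth == "none":
            findings.append(f"port {port} ({svc.name}): reachable from the internet without a password")
        elif not svc.lockout:
            findings.append(f"port {port} ({svc.name}): password-protected but no lockout against guessing")
    return findings


# Constructed to mirror the posts: HA, configurator and terminal with
# password + lockout, port 80 for the Let's Encrypt challenge, and a
# Samba add-on whose settings are back to guest access with no password.
FORWARDED = {80, 8123, 3218, 7681, 445}
KNOWN_SERVICES = [
    Service("letsencrypt-challenge", 80, "none"),
    Service("home-assistant", 8123, "password", lockout=True),
    Service("configurator", 3218, "password", lockout=True),
    Service("terminal", 7681, "password", lockout=True),
]
SAMBA_OPTIONS_RESET = {"guest": True, "username": "", "password": ""}


def run_example() -> List[str]:
    """Audit the constructed set-up; returns the list of findings."""
    return audit(FORWARDED, KNOWN_SERVICES + samba_services(SAMBA_OPTIONS_RESET))


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Running it on the constructed data reports two findings: port 445 (Samba with guest access) and port 80. The port 80 entry is deliberately pessimistic, since the script cannot know that the listener only exists during certificate renewal; the point is that every forward gets a line in the audit and the operator decides which ones are acceptable, rather than a forgotten forward deciding for them.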

I find using a VPN to be much easier than to be sure that all of my port forwards are secure. It’s only a few more seconds to get on when I’m not on wifi.

2 Likes