General fluff => Announcements => Topic started by: Josh @ Dreamland on April 19, 2021, 10:01:59 PM

Title: Recent website attack
Post by: Josh @ Dreamland on April 19, 2021, 10:01:59 PM
Hi folks,

We have some bad news today. Due to a problem in the default configuration of this website's database engine, remote attackers were able to communicate directly with the databases backing this website, and eventually breached it. This means that malicious actors had access to the forums' SQL tables, including user data (private messages, email addresses, and password hashes). We have every reason to believe that these attackers have made their own copy of the data and will use it for further malicious purposes. Please help us ensure that the damage caused by this attack is low. It is unfortunate when these things happen, but it's a natural part of life in this day and age.

If you have an account on the forums, please make sure that you are not using your forum password for other services. There is no need to change your password on the forum right now: we are about to migrate to a new server as an extra precaution, and will blow away any changes made to this instance in the meantime.

We apologize for the inconvenience, but let us remind you that you should ABSOLUTELY NOT be reusing passwords anywhere. Please use a single master password along with a password manager with at least two-factor authentication enabled, or end-to-end encryption enabled.

Ideally, your forum password should look like this: 9V0zWMIt+Uc7uDS+rBMYYA
And NOT like this: secretpassword123 dragonmonkey2 username11 tr0mb0n3

Your master password should look like this: WabysANbrpomt1s
Which you should remember like this:

You may also get creative and replace NOT with !, or "and" with &. We recommend you do not use the above sentence and password directly.

We apologize again for the incident and thank you for helping us limit its damage.


Title: Re: Recent website attack
Post by: Josh @ Dreamland on April 19, 2021, 10:26:30 PM
For what it's worth, we're going to be looking into replacing our auth table with OpenID entirely, so that any future data breach is a complete joke.

(But then, I'm not expecting someone to threaten to distribute people's private messages.)