WTF Happened? Recent events FAQ
Posted: Mon Oct 30, 2017 3:16 pm
So, what happened? Here's my hip and cool summary.
On October 28th, the forums/site MySQL database was hacked, either due to a WordPress or phpBB vulnerability. The attackers wiped the user and posts tables (but not before dumping the user table). Once we were made aware of the attack, we took the site down to evaluate the damage. Unfortunately, the prognosis was not good. SQL backups had a problem, and we would not be able to restore the forum to anywhere close to the present state. The oldest file backup was circa 2014 (since not much on the actual file side of the site had been changed except some images). This means that, unfortunately, the vast majority of content has been lost. In light of that, we decided to start a new forum from scratch. However, things are not as bleak as expected, and we'll address that further down in this post.
What, specifically, was compromised?
The front page and forums MySQL database. The filesystem was not accessed, as far as we can tell, and Bronibooru was not touched. The database was completely compromised; theoretically they could have accessed any table, but we do not have any evidence that they dumped the other tables. The users table is known to have been dumped; the other tables were cleared.
Were our passwords revealed?
The user table, which includes usernames, email addresses, and hashed passwords, was dumped and leaked. phpBB hashes passwords, so that means plaintext passwords were not revealed. However, given enough effort, those hashes could theoretically be cracked. I would recommend that if you shared your TRS password with other sites, you change those passwords ASAP. The user list has been uploaded to haveibeenpwned so you can tell if you have been compromised.
Do I need to re-register?
Yes. Register a new account and an admin will approve it. Based on some previous knowledge we can try to confirm specific users to make sure someone doesn't gank your username.
Was Bronibooru affected?
No. Bronibooru ran on a separate database and was not compromised. We will be moving it over to the new host, but not at the moment. Passwords will be force-reset on Bronibooru.
What's the state of the site's hosting and ownership?
The site is hosted in a new, different Linode instance which is paid for by me. All relevant items for the site (domains, AWS content for broni) will be transferred to me. Once the transition period has ended, Cosmo will be admin emeritus and will not be involved in running or financing the site. VoidChicken will be stepping in to be a new technical admin. Some new staff may be brought on for technical assistance in some areas, but that will be handled down the line.
What will happen to threads I care(d) about?
Due to a great effort by many mods and volunteers, several threads have been archived from archive.org or Google's web cache of the site. Unfortunately, anything that bots couldn't see (such as the meetup forum) is lost, except for 2014 and earlier. These archived threads will be made available in some form soon. We've been considering making the 2014-era forum available as an archive in some form, but that is a low priority at the moment.
When will the site be back up to full speed?
We don't know yet. The important thing is that, as far as posting function goes, the forum is basically ready to go but with some rough edges. Right now things like smileys are in an old state, and we're working to bring them all back.
Ranks are already back, but your rank will have to be reassigned. I may try to implement user-selected ranks as well.
User profile fields (pronoun, gender, custom titles) are still a work in progress.
Themes will return, eventually, but they will need to be refactored to the phpBB3 format.
What about the front page?
We have a front page?
But seriously, the live front page won't be coming back. Previous front page articles are currently accessible on archive.org. We may try to make a front page archive hosted here in the future, but that is low on priority. Not having WordPress on the site reduces our attack vectors considerably.
Is there any good news?
Yes, actually. The good news is that since we're fully on the latest phpBB, we can now use extensions and the default theme now has mobile support. We will try to adapt said mobile support to our normal themes. We're going to add some new plugins to give much-needed functionality, like tweet embedding and Tapatalk support. There's also the chance to clean out some cruft, like old smileys and such.
Also, because people have expressed interest, I'll be setting up a Patreon for the costs of running the site/forum. Between the AWS, Linode, and other costs, I estimate the site is about $50/month. I am not looking to take in any more money than that, and if we have a surplus it would be reinvested back in some other way (e.g. a prize for a contest). I am capable of handling the costs of the forum, so it is not a problem for me to pick up the tab for a while.
I know it sucks that this happened, but I believe we can look at it as an opportunity to start fresh and move the site onwards and upwards. It's not old posts that make a place, it's the people, and I'd be happy to have everyone back and start anew.
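A worked illustration of the "hashed, but crackable given enough effort" point in the password FAQ above. This is an added example, not code from the post or from phpBB; it reimplements the phpass "portable" hash that phpBB 3.0 stores with a `$H$` prefix (phpBB 3.1 and later default to bcrypt, `$2y$`), and the post does not say which version the old forum ran, so treating the leaked hashes as `$H$` is an assumption. The sample users table and wordlist are constructed here (hypothetical accounts, hand-picked salts, hashes generated by the same routine), and the one real vector, `$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0` for `test12345`, is the phpass project's own test vector.

```python
import hashlib
import hmac

# Alphabet shared by phpass ($P$) and phpBB 3.0's $H$ variant of the same scheme.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def classify_hash(stored: str) -> str:
    """Rough triage of one user_password value from a dumped phpBB users table."""
    if stored.startswith(("$P$", "$H$")):
        return "phpass-md5"   # phpBB 3.0 default: iterated MD5, cheap per guess
    if stored.startswith(("$2y$", "$2a$")):
        return "bcrypt"       # phpBB 3.1+ default: far more expensive per guess
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        return "plain-md5"    # unsalted legacy (phpBB 2) hash
    return "unknown"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64: 3-byte little-endian groups over ITOA64, no padding."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def md5_calls_per_guess(setting: str) -> int:
    """Work factor is char 4 of the hash: 2**count_log2 iterations plus the initial MD5."""
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("phpass rejects this iteration count")
    return (1 << count_log2) + 1


def phpass_crypt(password: bytes, setting: str) -> str:
    """Recompute a $P$/$H$ hash for `password` with the salt and cost taken from `setting`."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("truncated salt")
    h = hashlib.md5(salt + password).digest()
    for _ in range(md5_calls_per_guess(setting) - 1):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_check(password: bytes, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored phpass hash."""
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


def crack_dump(rows, wordlist):
    """Dictionary attack over (username, user_password) rows; returns {username: password}."""
    found = {}
    for username, stored in rows:
        if classify_hash(stored) != "phpass-md5":
            continue  # bcrypt rows would need a real cracker; skipped in this demo
        for candidate in wordlist:
            if phpass_check(candidate.encode(), stored):
                found[username] = candidate
                break
    return found


# Constructed sample of a leaked users table: hypothetical accounts, hand-picked salts,
# hashes generated with phpass_crypt above so the demo runs offline.
SAMPLE_DUMP = [
    ("alice", phpass_crypt(b"ponies123", "$H$9abcdefgh")),
    ("bob", phpass_crypt(b"Xq7!vLm#2pR9zT", "$H$9ijklmnop")),
    ("carol", "$2y$10$" + "x" * 53),  # bcrypt-shaped placeholder, not a real hash
]
SAMPLE_WORDLIST = ["password", "ponies123", "letmein", "trs2017"]

if __name__ == "__main__":
    for name, h in SAMPLE_DUMP:
        print(f"{name}: {classify_hash(h)}")
    print("MD5 calls per guess at $H$9:", md5_calls_per_guess("$H$9abcdefgh"))
    print("cracked:", crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST))
```

The point the numbers make: a `$H$9` hash costs 2049 MD5 calls per guess, which a GPU cracker gets through at millions of guesses per second, so a reused or dictionary password in that dump should be treated as already known to the attacker; the per-user salt only stops one table from being attacked with a single pass, it does not make individual hashes slow.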