In the very early morning of 8th November 2019 we noticed suspicious activity by a potentially malicious third party actor against our services. Our logs confirm that, using an exploit in our legacy codebase, they accessed a small number of user records from the old user service.
Even though we were able to secure the endpoint as soon as we discovered the exploit, we are informing all of you as a precaution, because we cannot rule out that further access to other user data, including email addresses, password hashes and password salts, has taken place.
We immediately worked to rectify the situation and, as part of the process, brought forward the release of our long-planned new user service to ensure that no other potential exploits in the old user service could be used to obtain user data. This step ensures not only that new passwords are better protected, but also that any password hashes which may have been obtained from the old user service are already out of date.
Further, and as is required by law, we have informed the ICO about this incident and we are in the process of fulfilling our obligations related to the matter.
What does this mean for you?
While we noticed the suspicious activity on 8th November 2019 and have no evidence of earlier activity in our logs, we cannot say for certain whether the exploit had been used before, and thus cannot ascertain how many email addresses, password hashes and salts were accessed, if any.
Recognising our obligation to all of you, we strongly urge you to be vigilant against potential phishing and credential stuffing attacks.
- If you haven't already, please log out and back in, in order to update your account and password and migrate to the new user service. If you've already used the new user service, there is no need to change your password again.
- If you were using the same password from our old user service on other sites, please change your password on those sites as soon as possible.
- We strongly recommend using a password manager and not reusing passwords across sites.
- Always use unique and strong passwords of at least 12 characters for each service you use.
- Consider using two-factor authentication, especially if you are a mod author.
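The migration described above (logging in once moves an account to the new user service and makes any legacy hash obsolete) is commonly implemented as "rehash on login". The following is an added illustration, not code from the service itself: the legacy scheme (salted SHA-256), the scrypt parameters and the in-memory stores are all assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data. The legacy scheme is ASSUMED to be salt || password
# hashed with SHA-256; the notice only says "password hashes and password salts".
LEGACY_USERS = {
    "alice": {
        "salt": b"legacy-salt-0001",
        "hash": hashlib.sha256(b"legacy-salt-0001" + b"correct horse").hexdigest(),
    }
}
NEW_USERS = {}  # username -> {"salt": bytes, "hash": bytes} under the new scheme

def legacy_verify(username, password):
    rec = LEGACY_USERS.get(username)
    if rec is None:
        return False
    candidate = hashlib.sha256(rec["salt"] + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time compare

def new_hash(password, salt):
    # Memory-hard KDF from the stdlib; parameters are example values, not the site's.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def new_verify(username, password):
    rec = NEW_USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(new_hash(password, rec["salt"]), rec["hash"])

def login(username, password):
    """Authenticate and, on the first successful login after cut-over, migrate the
    account to the new scheme and delete the legacy record, so a leaked legacy
    hash no longer matches anything live. Returns (ok, migrated)."""
    if new_verify(username, password):
        return True, False
    if username in NEW_USERS:
        return False, False  # already migrated: never fall back to the legacy hash
    if not legacy_verify(username, password):
        return False, False
    salt = os.urandom(16)  # fresh per-user salt for the new scheme
    NEW_USERS[username] = {"salt": salt, "hash": new_hash(password, salt)}
    del LEGACY_USERS[username]
    return True, True
```

Accounts that never log in again keep only a legacy record, which is why the notice asks everyone to log out and back in rather than waiting for the migration to happen by itself.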