[Important] Our forum database was breached - what you need to know

What happened?

Our Discourse forum was breached on October 25, 2022. A group of attackers exploited a zero-day vulnerability in Discourse (our forum platform). This granted them elevated access, which they then used to export a portion of the user database. The stolen data includes emails, IP addresses, and other forum profile metadata - but did not include any passwords. You can read about Discourse’s security here.

User accounts (including staff) were impersonated, and these were in turn used to send threatening messages to the admins and staff.

Baseline information

Our policy regarding the forums:

  • The forums are kept up to date on the latest public release of Discourse
  • Admin accounts have always been required to have:
    • Strong passwords
    • MFA
  • Limited and controlled access to Admin and Staff roles
  • Login and action logs/audits forum-wide

None of the above caused or contributed to the breach.

Investigation and findings

@faultline started to investigate for suspicious activity within the logs and access reviews across the entire SB Staff. Below are details for the exploit.

TLDR: Zero-day exploit in the Patreon-Discourse connector, which allows for Patreon SSO. The vulnerability was not disclosed until after we were breached.

How did we respond?

Out of an abundance of caution, we immediately set the forums to read-only and reset all passwords, sessions, and auth keys. Best practices were followed from the link below. (Weak admin passwords did not apply in our case.)

Where are we now?

The vulnerability has been patched, and the forum is back to normal status. Because this was a zero-day exploit, we didn’t make this public until the vulnerability had been patched. We took actions to remove the possibility of further attacks immediately, instead of waiting for a patch to be published.

Recommendations

Since we randomized ALL passwords, your password will need to be reset the next time you access the forum.

We strongly recommend you turn on Multi-Factor Authentication (MFA) with your app of choice. Also, consider using a password manager with strong, unique passwords.

What happens next?

This is a reminder of how vulnerable internet services can be. We will continue to periodically review our infrastructure, access logs, and best practices.

We will continue to monitor for further activity from the attackers. We are reporting all postings of this data breach to the authorities.

We apologize to all of our members for being dragged into this. You have our commitment that we will continue to make sure that any and all vulnerabilities are patched, best practices are followed, and breaches will be swiftly dealt with.

Some elements of this notice were adapted from the Joplin project disclosure:
Our Discourse forum database was breached - News - Joplin Forum

This forum thread is open for comment and questions. We will do our best to be as transparent as possible with this matter.

9 Likes

Thanks for the quick notification.

On top of MFA, folks: use a password manager and use unique passwords everywhere!

5 Likes

Thanks for covering this again :slightly_smiling_face:

3 Likes

Seriously, probably the quickest response notification I’ve ever gotten for a breach. Impressive. Large million-dollar companies take months or years to notify, if at all. Great job everyone! :raised_hands:t3:

I checked the Discourse Patreon link and it’s not mentioned there, but do/should I change my Patreon password?

Also, when I went to Patreon to sign into the forums it says “discourse v2” instead of serverbuilds. Is that a new thing?

I’d change it just to be safe, but from what I can tell there’s no indication that Patreon has been compromised.

Thanks for the fast and thorough answer. Question: what about the e-mail addresses? Knee-jerk is to change that password, but is there anything else I should consider?

Well… Patreon did just fire their entire security team. Are we surprised this happened? Patreon Lays Off Its Entire Security Team | PCMag

I hope / am glad no real damage was done. Also a good lesson to use something like LastPass, or better, a self-hosted option, AND unique passwords for everything. I have been using LastPass for years, but for the first time, LastPass went offline for like 6 hours about 6 months ago. I had no passwords. It was truly a moment of: damn, I really need to switch to self-hosted instead of LastPass.

Just some lessons!

But haha at the security team! Not at them losing their jobs, that’s bad, but at Patreon firing them, and then less than 2 months later, this happens.

Do we think Patreon was the weak link, or was it truly due to weak passwords? Seems suspect that it was ‘weak passwords’.

Neither. It was a zero-day exploit in the code.