What happened?
Our Discourse forum was breached on October 25, 2022. A group of attackers exploited a zero-day vulnerability in Discourse (our forum platform). This granted them elevated access, which they then used to export a portion of the user database. The stolen data includes emails, IP addresses, and other forum profile metadata, but did not include any passwords. You can read about Discourse's security here.
User accounts (including staff accounts) were impersonated, and the impersonated accounts were used to send threatening messages to the admins and staff.
Baseline information
Our policy regarding the forums:
- The forums are kept up to date on the latest public release of Discourse
- Admin accounts have always been required to have:
  - Strong passwords
  - MFA
- Limited and controlled access to Admin and Staff roles
- Login and action logs/audits forum-wide
None of the above caused or contributed to the breach.
Investigation and findings
@faultline began investigating suspicious activity in the logs and reviewing access across the entire SB Staff. Details of the exploit follow.
TL;DR: a zero-day exploit in the Patreon-Discourse connector, the component that provides Patreon SSO. The vulnerability was not disclosed until after we were breached.
How did we respond?
Out of an abundance of caution, we immediately set the forums to read-only and reset all passwords, sessions, and auth keys. We followed the best practices from the link below (the weak-admin-password item did not apply in our case).
Where are we now?
The vulnerability has been patched, and the forum is back to normal status. Because this was a zero-day exploit, we did not make it public until the vulnerability had been patched. We took immediate action to remove the possibility of further attacks rather than waiting for a patch to be published.
Recommendations
Since we randomized ALL passwords, your password will need to be reset the next time you access the forum.
We strongly recommend you turn on Multi-Factor Authentication (MFA) with your app of choice. Also, consider using a password manager with strong, unique passwords.
What happens next?
This is a reminder of how vulnerable internet services can be. We will continue to periodically review our infrastructure, access logs, and best practices.
We will continue to monitor for further activity from the attackers. We are reporting every posting of the stolen data to the authorities.
We apologize to all of our members for being dragged into this. You have our commitment that we will continue to make sure that any and all vulnerabilities are patched, best practices are followed, and breaches will be swiftly dealt with.
Some elements of this notice were adapted from the Joplin project disclosure:
Our Discourse forum database was breached - News - Joplin Forum
This forum thread is open for comment and questions. We will do our best to be as transparent as possible with this matter.