Hello everyone,
It's recently come to our admin teams attention that during a forum breach at the end of 2015 (You can view the announcement about it here), that username/email lists were leaked from the Admin Control Panel on the forums. We take our users privacy seriously, and would like to stress that these lists do NOT include user passwords, which are not available at all from the ACP or anywhere else on the front-facing side of the forums. We knew in 2015 that the breach did not reach the backend of the forums, where all passwords are protected and hashed correctly. This was not a database breach, only a breach of the front end of our forums control panel.
After the breach in 2015, we upgraded our forums to include 2 Factor Authentication to improve our security. We'd like to take this moment to recommend users to take advantage of this extra security, both on our forums - and any other website that offers the service (email, other forums, etc.) You can go here to add it to your account on our forums: https://escaperestart.com/forum/account/two-step
How was the list obtained? Within the ACP is a feature to send email blasts to users. This tool can also be used to generate a list of email addresses, in the same format as was found to be leaked. Because of how Xenforo saved admin logs in the version we were using during the breach, the email list access was not logged. As was noted in the thread at the time, investigations of backend access showed no malicious access of our webserver.
It looks like this on our Admin CP
All in all, there is nothing to worry about, but we decided to act upon it quickly to make sure users no rumours or the likes are spread - and make sure we notify users because they have the right to know when things like this happen. If you have any questions, feel free to leave them below.
Thank you for reading,
Your friendly neighbourhood CA's
It's recently come to our admin teams attention that during a forum breach at the end of 2015 (You can view the announcement about it here), that username/email lists were leaked from the Admin Control Panel on the forums. We take our users privacy seriously, and would like to stress that these lists do NOT include user passwords, which are not available at all from the ACP or anywhere else on the front-facing side of the forums. We knew in 2015 that the breach did not reach the backend of the forums, where all passwords are protected and hashed correctly. This was not a database breach, only a breach of the front end of our forums control panel.
After the breach in 2015, we upgraded our forums to include 2 Factor Authentication to improve our security. We'd like to take this moment to recommend users to take advantage of this extra security, both on our forums - and any other website that offers the service (email, other forums, etc.) You can go here to add it to your account on our forums: https://escaperestart.com/forum/account/two-step
How was the list obtained? Within the ACP is a feature to send email blasts to users. This tool can also be used to generate a list of email addresses, in the same format as was found to be leaked. Because of how Xenforo saved admin logs in the version we were using during the breach, the email list access was not logged. As was noted in the thread at the time, investigations of backend access showed no malicious access of our webserver.
It looks like this on our Admin CP
All in all, there is nothing to worry about, but we decided to act upon it quickly to make sure users no rumours or the likes are spread - and make sure we notify users because they have the right to know when things like this happen. If you have any questions, feel free to leave them below.
Thank you for reading,
Your friendly neighbourhood CA's
