As some of you have heard, there was a data breach on the tremulous.net forums. Now that we have all of the details, we would like to share what happened with the members of the forum. If you don't want to read everything, then just go change your password and call it a day :>
Some time ago - when tremulous.net was hosted with Sourceforge - someone got a copy of the database through a vulnerability in their servers. This included information from phpbb2, such as the table of private messages and, most importantly, the user list, including all of the hashed passwords. Since many of the passwords were fairly weak, consisting of dictionary words with or without some minor obfuscation, it would not have taken long for many accounts to be compromised, and in fact the number is just under 1400.
Archangel/Solar/Inaki was in possession of this database dump and the cracked passwords on Saturday evening, when he used it to log in as Khalsa, remove his own ban information, and promote himself to having an avatar before logging out and back in as himself. He then posted a new thread proclaiming how he was unfairly banned.
We quickly realized that something was amiss when none of the moderators or developers who were online knew anything about Archangel being unbanned. I surmised that perhaps an admin's account was used in the break-in, and Khalsa quickly confirmed it was his own. While in the process of cleaning things up, it became apparent that at least one other user's account was being used without their permission, and it was decided to lock down the forums until we could gather more details and come up with a plan for bringing everything back safely.
During the course of Sunday, the events of the previous day became known to us and the extent of the breach was revealed. Unfortunately SMF has no way for us to force password changes on every user, but we did what could be done - let all users know that their password could be compromised, and they should change it. This is always sound advice after a break-in of any kind, even though there are certain circumstances under which you would be perfectly safe from this breach. But rather than cloud the good advice with dates and statistics, it's easier to say "change your password - and if you used that password elsewhere, go there and change it too, preferably not to what you just set here."
What has happened now? Archangel has been banned again, and has agreed that he'll not be coming back - in part of his own free will this time. Everyone with administrative access (and many without) has already changed their passwords, and we all highly recommend that you do too - if we could force that to happen, we would. If you have questions about the breach, we'll try to answer them as best we can. Do note that regardless of your feelings about the original ban of Archangel, the fact remains that what he did since then is over and above what would be considered a bannable offense, so ideas entertaining the notion of reversing his ban will likely just be deleted.
EDIT: Forgot to link to the passwords topic I wrote yesterday, which could be of general interest to people wondering about how passwords and hashes and whatnot work and how they can be compromised.