At approximately 9:38 pm EST on December 14, the forum suffered a minor data breach. While making several modifications to the forum software, I accidentally introduced a bug which allowed any member (including guest users) to log into the account of any other user. The bug is now fixed.
I have checked the server logs in detail, and can confirm that this bug was used by a single person, the same person who reported it to the staff. This person used the bug to log into the account of a moderator, but did not access any areas of the forum specific to moderators. Specifically, they visited the main page, viewed the "Today's Posts" search results, and viewed the Member List. They did not view any thread or use any mod abilities. The person then logged into their own account twice using the bug.
As soon as I was alerted to the bug, I reverted the modifications and forcibly logged out all members. At the time, it was not immediately clear if any other accounts had been breached, and forcibly logging everyone out was the best solution. We apologize for the inconvenience this may have caused.
To make things absolutely clear:
1. The bug was only exploited by one person.
2. This person managed to access a moderator account, but did not perform any moderator actions. They also did not access any areas of the forum which may have revealed sensitive information.
3. The Admin area of the site was not breached, nor was it ever affected by the bug. It uses a totally separate login system.
4. No passwords were disclosed, or could be disclosed, via this bug.
We once again apologize for the inconvenience this may have caused, and I apologize for introducing the bug in the first place. I will try and answer any questions you might have regarding this incident.
- Tiberius