Hey everyone... here is a re-post of an update from Ythan at the Shroomery & Growery.
If you have any accounts at either of those two places, you should change your passwords ASAP and change the password of any account that shared that same password.
The Shroomery/Growery database was hacked and information was sent about users' logins, passwords, PM's, personal email addresses and more...
www.shroomery.org
Important Security Notice - Website Announcements and Feature Feedback - Shroomery Message Board
Hello members of the Shroomery and Growery! Please read this important security announcement.
Recently, someone named 0xidium approached me, and reported that it was possible to retrieve a copy of our database. Although our site itself is believed to be secure, I have an account on a different site which is vulnerable. This allowed people to retrieve the list of users and passwords in plaintext. To my embarrassment, I disregarded basic security practices, and re-used my password on certain sensitive parts of the Shroomery and Growery. This problem has existed at least since August, and possibly much longer.
We are extremely lucky to have been alerted to this problem when we were. Unfortunately, due to our limited retention of log files for privacy purposes, there is no way to determine who might have discovered and exploited this issue in the past. It is with great contrition and embarrassment that we wish to inform you the following information could possibly have been leaked to untrusted third parties:
E-mail addresses associated with your account
Unencrypted private messages
Posts in restricted or private forums and journals
IP addresses associated with your posts
Image uploads, including those which were not made public
The SHA-256 hash of your password
The last item is especially important. Although an SHA-256 hash is believed to be one-way (meaning you cannot deduce the actual password from the hash), this is not always the case in practice. If someone has a large dictionary and a fast computer, they can try millions of passwords every second, and eventually find a hash that matches. If your password is a common word, or combination of words and numbers, or a geometric pattern on the keyboard, or leetspeak, it can potentially be retrieved with a dictionary-based attack by someone who has our database. If you use the same password on other sites, especially e-mail, banking, or social networking, please make sure to change it on those sites immediately!
We wish to be clear that, except for the individual who alerted us to this problem, there is no indication anyone has actually made use of this exploit. We are simply offering full disclosure and recommending an abundance of caution.
Going forward, we are implementing new security policies to prevent the re-use of passwords, and require multiple types of authentication for sensitive admin scripts. We have switched to bcrypt hashing with per-user salts for passwords, which will help prevent dictionary-based attacks in the future. The site is more secure now than it ever has been, and we will continue to work to protect our members to the best of our ability. We hope you will forgive us for this recent failure.
For security purposes, you were required to change your password. You cannot re-use the same password you had before. I know that's annoying, but it's important. If you really really want, you can change it back again later, but I don't recommend it. Please make up something new, and only use it for this site. If you have any questions, please post in this thread.
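The announcement above makes two technical claims: that an unsalted SHA-256 password hash can be recovered by a dictionary attack, and that bcrypt with per-user salts blunts that attack. The following is an added example, not code from the Shroomery or from Ythan's post, that shows both on a constructed dataset. The user names, the five-word wordlist and the "leaked" hashes are all made up here. Because bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) stands in for it; the property being demonstrated, a random per-user salt plus a deliberately slow hash, is the same one the post attributes to bcrypt.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the "large dictionary" the post mentions.
WORDLIST = ["password", "letmein", "qwerty", "shroomery", "dragon"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, the scheme the post says the old database used."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample of a leaked unsalted table: two users, one weak password.
LEAKED_SHA256 = {
    "alice": sha256_hex("letmein"),
    "bob": sha256_hex("Tr0ub4dor&3-unique-passphrase-9f1"),  # not in the wordlist
}


def dictionary_attack(leaked: dict, wordlist) -> dict:
    """Audit an unsalted hash table against a wordlist.

    Each candidate word is hashed exactly once and looked up for every
    user, because without salts identical passwords produce identical
    hashes. Cost is len(wordlist) hashes no matter how many users leaked.
    """
    table = {sha256_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


# Salted, slow hashing: PBKDF2-HMAC-SHA256 as a stand-in for bcrypt.
# The iteration count is what makes each guess expensive.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest). A fresh random salt is drawn per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the slow hash with the stored salt; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salted_attack(leaked_salted: dict, wordlist):
    """Audit a salted table against the same wordlist.

    No shared lookup table is possible: every guess has to be rehashed
    per user with that user's salt, at ITERATIONS cost each. Returns the
    recovered passwords and the number of slow hashes it took.
    """
    found = {}
    work = 0
    for user, (salt, digest) in leaked_salted.items():
        for word in wordlist:
            work += 1
            if verify_password(word, salt, digest):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    print("unsalted SHA-256:", dictionary_attack(LEAKED_SHA256, WORDLIST))
    salted = {
        "alice": hash_password("letmein"),
        "bob": hash_password("Tr0ub4dor&3-unique-passphrase-9f1"),
    }
    print("salted + slow:", salted_attack(salted, WORDLIST))
```

Run as a script, the unsalted audit recovers alice's password after five cheap hashes in total, while the salted audit still recovers it (a weak password stays weak, which is why the post asks for a new, unique one) but only after seven slow hashes, one per guess per user, and bob's strong passphrase is never found. Two users who pick the same password also get different stored digests, so one cracked hash no longer exposes everyone who reused that password.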