SRB2MB Security Breach: What Happened, How We Fixed It, and How We’re Minimizing the Chance of It Ever Happening Again

LoganA

Administrator
Sonic Team Junior
Posted by SeventhSentinel.

Hello everybody. Many of you have noticed that the Message Board and Master Server have not been available for the last few days. They’re back now. In the interest of transparency, I’m going to explain why they were down.

As Easter came to a close, we suffered a security breach. The password of one of our administrators was brute-forced, giving the attackers access to administrative permissions. These permissions included the ability to see email addresses of members, but not their passwords nor the hashes thereof. The attackers proceeded to spam the forums, edit posts with offensive text, and change emails and passwords of some other staff members.

We took down the forums briefly to assess damage and reset the password of the affected administrator. However, we did not notice the email on their account had been changed, so the attackers were able to break back into the account and continue using it. They set the forum software to begin deleting all user accounts. The Message Board was then taken back down. The Master Server partially relies on the Message Board in order to run, which is why it became unavailable.

To fix this, the forum has been rolled back to the state it was in on April 14th, so expect some posts and addons to be missing. If your account was deleted in the attack, you can expect it to be back, complete with all of your posts and other data (as of the 14th). The staff member whose account was compromised has voluntarily stepped down and will no longer be an administrator. We rounded up the staff, including SRB2 & SRB2Kart developers, to assess their security, change their passwords, and enable 2-factor authentication. All staff members are now required to enable 2FA in order to use moderator/admin powers. Additionally, we’ve set stricter password requirements for all new accounts.

Although the Message Board was functional by the end of April 19th, we kept it closed to the public because not all staff were immediately available for the security check-up. Some staff have still not responded, so instead of keeping the place closed, we have temporarily disabled their accounts as a precautionary measure. Staff members whose accounts are disabled should contact an administrator at their earliest convenience.

We appreciate your patience and support during the recovery process. If you have any questions, comments, or concerns, please reach out to us via this forum on the SRB2MB, our Discord server, @SonicTeamJr on Twitter, or our Facebook page. Have a great rest of your week!
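
The re-entry described in the announcement happened because the password was reset while the attacker-set email stayed in place. As an added example (not SRB2MB's or its forum software's code), this sketch walks a constructed audit trail, finds the brute-forced login, and lists every account whose email or password the compromised account changed afterwards, so containment covers more than one password reset. The event format, account names, addresses and failure threshold are all assumptions.

```python
from datetime import datetime

FAIL_THRESHOLD = 5  # assumed: failures before a success counts as brute-forced

# Constructed audit trail, oldest first: (timestamp, actor, action, target, detail)
EVENTS = [
    *[(f"2000-01-01T00:00:{s:02d}", "?", "login_failed", "admin_a", "")
      for s in range(6)],
    ("2000-01-01T00:01:00", "admin_a", "login_ok", "admin_a", ""),
    ("2000-01-01T00:05:00", "admin_a", "email_changed", "admin_a", "x@example.net"),
    ("2000-01-01T00:06:00", "admin_a", "email_changed", "mod_b", "y@example.net"),
    ("2000-01-01T00:07:00", "admin_a", "password_changed", "mod_b", ""),
    ("2000-01-01T01:00:00", "staff", "password_reset", "admin_a", ""),
]

def compromise_start(events, account, threshold=FAIL_THRESHOLD):
    """Time of the first successful login that follows at least
    `threshold` consecutive failed logins on `account`, else None."""
    fails = 0
    for ts, _actor, action, target, _detail in events:
        if target != account:
            continue
        if action == "login_failed":
            fails += 1
        elif action == "login_ok":
            if fails >= threshold:
                return datetime.fromisoformat(ts)
            fails = 0
    return None

def containment_gaps(events, account, threshold=FAIL_THRESHOLD):
    """Map each account to the credential changes `account` made to it
    after the compromise began. Every entry needs its email verified
    and restored as well as its password reset."""
    start = compromise_start(events, account, threshold)
    if start is None:
        return {}
    gaps = {}
    for ts, actor, action, target, _detail in events:
        changed = action in ("email_changed", "password_changed")
        if actor == account and changed and datetime.fromisoformat(ts) >= start:
            gaps.setdefault(target, []).append(action)
    return gaps

if __name__ == "__main__":
    for target, actions in containment_gaps(EVENTS, "admin_a").items():
        print(f"{target}: review {', '.join(actions)}")
```

On the constructed trail, the staff password reset at 01:00 leaves the changed email on `admin_a` untouched, which is the gap this check surfaces.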

 
This was quite a ride and will definitely be a talking point for years to come. Kudos to the Staff for keeping a cool head and handling the situation in a professional manner!
 
Well, that was something. At least the MB is safe once again. Thank you for your time and effort for trying to keep this community as safe as possible.
 
If the Message Board was reverted to a backup from a week ago, what happened to accounts created between April 15 - April 20?
 
Holy shit hearing SRB2's mb getting hacked is something I would not think I'd hear, dayumnn
 
Why would anyone do this? Is it because they thought it was funny?.. No one smiled or laughed! Do they get entertainment by watching people be annoyed at the -basically core- of srb2 being dropkicked??? :dramahog:
 
 
Glad everything went fine, even if there were 3 days' worth of posts that disappeared. Though I'm sad I had to reupload my PFP and Banner that I didn't have anymore, so I had to refind the PFP and I just decided to change my banner to a screenshot of a map I'm working on instead.
 
It was fortunate the backup was recent, not too much was lost that way.

It does suck, but it is actually quite common for popular community sites to eventually fall prey to a hacking attempt. This is why you see so much investment in making the internet more secure and less breakable. Sonic Team Jr. did a pretty good job of getting on top of the situation quickly, so I believe this forum is in safe hands from an IT standpoint.
 
Glad the forums and master server got fixed! Thank you for making it much safer! Hope I can regain access in the game.
 
If the Message Board was reverted to a backup from a week ago, what happened to accounts created between April 15 - April 20?
Gone. Would need to be remade.
I'm sad I had to reupload my PFP and Banner that I didn't have anymore
Sorry about that. Rolling the forum back didn't roll back the image database iirc.
 
