*Magnify*
SPONSORED LINKS
Printed from https://www.writing.com/main/forums/action/view/message_id/3282654
Printer Friendly Page Tell A Friend
(362)
Rated: 13+ · Message Forum · Writing.Com · #303715
Members help other members with technical questions and problems using Writing.Com!
<< Previous  •  Message List  •  Next >>
Jul 22, 2019 at 2:24pm
#3282654
Edited: May 12, 2021 at 1:23pm
Re: Update on May 2019 Security Breach
[[EDIT - This message has been linked to, so I'm updating it with further information about the breach and my response.]]

If you have NOT changed your password since June 2019, please DO SO NOW.
          My Account *Right* Change Password


Hello all,

By now everyone should have received a notification about the "data security incident". I wanted to share an update here and we'll get a centralized news announcement together soon.

While break-in attempts happen daily, one particular attempt was made on to break in Tuesday July 23rd 2019 to another site I created - a site that's hosted on the servers WDC uses. I was alerted to it by recently installed monitors; they were added after having fixed security related bugs. The new attack was stopped via the code updates I had made and the trigger was a notifier to that effect.

Following up on the alert, I tracked it down in logs. With the log of the attack, I was able to trace it back to confirm the breach that we believed happened before June.

The log confirms a breach occurred May 23rd through May 25th 2019 through the other site. Due to the nature of the bug that was exploited, both the commands into our database and the output from those commands were logged. With this, I was able to review what the attackers sent in and the actual data our service replied with.

The logs confirm the only data taken during the breach was "email / password" and "username / password" combinations for our user database. All members should consider themselves affected. While I'm disappointed to have had any data taken... I am a bit relieved to find the amount of data was limited in scope.

If you've changed your password since June and don't use the same password in multiple places, you should be OK.


Many things have changed since this occurred in May 2019...
(Much of this is technical, sorry...)

For starters, plaintext passwords are no longer stored here. Instead, WDC now uses industry standard one-way, uniquely salted hashed passwords. When you login, the one-way hashes are compared and your password is never stored or logged. While storing these has been a bad thing for "many years", when Writing.Com was created in
2000, these were not things most of us young developers were thinking about. As years went on and it did become an issue, life got in the way of making the major updates required. Always use a different password for every login you have.

Further...
I've rebuilt each of our web servers FROM SCRATCH. Everything put onto the new servers has been thoroughly vetted. I retired a lot of old code and made security updates as needed, making it all current and secure. I re-examined all database interactions. I added additional monitoring to help identify both attempts to break in and successful attacks to the other site, and updated and expanded those same systems that already existed for Writing.Com.

While recreating the systems, our backend server software was completely updated to the most current stable versions... including the underlying language and systems that run Writing.Com's web code. The entire server architecture was updated, with a focus on creating a more secure environment, isolating systems from one another and protecting the most sensitive data.

Overall database security has tightened dramatically. I went back to square one, removing the old accounts completely. The shared access account that allowed an attacker to access Writing.Com via another site was removed. Brand new database accounts were created and Writing.Com's is the only one that can access Writing.Com! The usage and access restrictions on that new account are also much tighter than on the past account. Updates for the better!

Many of these things in hindsight should have been done before now... but most of you know my story. I have no team to handle these things... I do it all. Meanwhile, multi-billion dollar firms with teams of security experts are broken into often.

I'm personally disappointed by this breach. I've always taken pride in running a tight ship, creating most all code from scratch so that other people couldn't inject their security bugs into our environment. All in all, my track record for 19 some years has been pretty good. I would love to tell you I'm now 100% certain no one will be able to get in "behind the scenes" again... but that's impossible. There's endless hackers trying to find holes and there's just 1 of me. But... I can tell you that I feel confident I've made changes that make things much better and I will continue to do my best to protect Writing.Com and it's community of members.


Again:
If you have NOT changed your password since June, please DO SO NOW.
          My Account *Right* Change Password

Thanks for your understanding and support,
~~SM
MESSAGE THREAD
Question about the breach · 07-22-19 2:14pm
by Amyaurora
*Star* Re: Update on May 2019 Security Breach · 07-22-19 2:24pm
by The StoryMaster
Re: Re: Question about the breach · 07-22-19 2:25pm
by Amyaurora
This thread is locked and new replies may not be submitted.
The following section applies to this forum item as a whole, not this individual post.
Any feedback sent through it will go to the forum's owner, Writing.Com Support.
Log in to Leave Feedback
Username:
Password: <Show>
Not a Member?
Signup right now, for free!
All accounts include:
*Bullet* FREE Email @Writing.Com!
*Bullet* FREE Portfolio Services!
Printed from https://www.writing.com/main/forums/action/view/message_id/3282654