Forum Main>>Announcements>> Note: Update on Downtime, reset etc.
Davzz


Thread created on Sun Jun 02, 2013 13:49:28
Last replied to on Sun Jun 02, 2013 14:49:28
** TORN Downtime over the last few days **

EDIT - a note on Security
Good news:
* TORN does not, ever, store anything about your payment details. We use three providers (PayPal, Zong and Google Checkout) and they handle everything. All we store is the email provided by this service, the amount you donate, and the transaction ID. Even this information was not revealed, because it is stored on a physically isolated database server from the one that was compromised. We can say with concrete assurance that your credit card information, and similar, is totally safe - and would remain so regardless of what happened to TORN.
* Your password is protected properly (we salt and hash each password, with a per-user salt). Your password is safe. [It is still a good idea to use a different password for each web service, for the record]
* Your email, username and playername are potentially at risk because they are stored in the DB server that was injected. Logs however show that the goal of this attacker was not to reveal this data, and we do not believe that this data was extracted (we log to syslog each query executed, and these logs were certainly not compromised). Therefore, I can say with good confidence that even this data is safe.

The goal of this attacker was basically to cheat in the game, by being able to update random rows of data.

--

TORN has been very unreliable for the last few days for many users. We have now figured out why: attackers were exploiting a SQL injection in profiles.php (this is now fixed). We tried various other options but in the end we have decided to restore the site back to Wednesday morning TC time (0400), which is the last time before the first of these SQL injections came in. This is the most fair way to handle what has happened.

Some important notes: your passwords are safe (we salt and hash passwords) but these attackers did have a good look at approximately 20% of the overall data (about a third of the data that we store in MySQL). This includes email addresses, usernames, profile names and so on.

We will in the next few hours apply all donations, so you do not need to report missing donations.

Please report other bugs as usual.

Once again, apologies for the inconvenience. We will do everything we can to detect and prevent this sort of attack, but the nature of the TORN code base makes it impossible for me to guarantee that we are immune from these attacks.

Davz, and the other admins
(many of us have not slept much for the last 3 days!!)

Last Edited: Mon Jun 03, 2013 03:58:19
-Davz

This thread has been locked.