Full disclosure: Probable security breach on makehumancommunity.org

This is an announcement to let you know that there has been a security incident related to the services hosted under http://www.makehumancommunity.org

What has happened?

Looking through my spam inbox (which I do infrequently) I found a pretty standard spam email threatening to out me for doing bad stuff unless I paid a sum in bitcoin. Nothing strange about this, but the scary part was that the password I use on the mh community site was included in the subject. As I don't use this password elsewhere, it thus looks as if the mh community password database has leaked somehow.

When did this happen?

The spam email I got was already more than a week old when I saw it. There is no knowing when the actual breach happened, although it is unlikely it was at the same time as the email was sent. It is more likely that the breach happened a while back, and that it then took some time to brute force the passwords, produce threatening emails etc. Whether this was two weeks, a month or half a year ago is impossible to say. But if I ventured a guess, I'd say that the chain of events includes a general scraping of passwords on the net rather than a targeted attack on mh community, and that the password(s) from mh community have ended up in a general "here's a lot of email and password combinations we've found" heap before being processed by spammers. So I'd lean towards guessing that the breach was longer ago than a few weeks.

Do you know that a breach has actually happened?

No, we don't. At this point it is just very likely. It is theoretically possible the password got leaked through some other means, for example by being hijacked by some form of cross-site scripting, or through picking it up while I've been using my phone on a public wifi. However, at this point we must assume that the site has been compromised.

What happens now?

The virtual machine that hosts the site cannot be trusted, nor can any software installed on it or any database hosted by it. We see no alternative to starting over with a fresh install and then somehow porting textual and graphical data to the new site. We currently have no finished pipeline for doing this; it will have to be constructed. Needless to say, this will take a while, especially since it has to be done alongside a full-time employment elsewhere. For now, we will keep services up as before, as we don't have any alternative solution in place.

What has NOT been affected?

All this is related to the website hosting the forum (phpBB), the wiki (MediaWiki) and the asset repo (Drupal). The following are specifically not affected:

  • The source code. It is hosted on GitHub, and there's no connection between the site and the GitHub account.
  • The download binaries (i.e. MakeHuman). The downloadables are hosted on TuxFamily, and there's no connection between the site and TuxFamily.

Outside of the password, the only information that should have been available to an intruder is what you've written/uploaded on the site, which normally was public to start with.

What should I as a user do now?

The first thing you should do is change your password on the forums. You do this by going to "user control panel" -> "profile" -> "edit account settings". The second thing you should do is think very long and hard about whether you've used the previous password anywhere else. You should assume that the combination of email address, user name and password is now known. If you used the password elsewhere, you should immediately change it there too.

Finally

Although we don't have all the answers yet, we felt that it was important to inform everyone of what has happened. We will write updates once we have them.