The hacking on September 17

Last night, we were hacked. We managed to identify and fix the vulnerability and get PS back up and running in a matter of hours, but the attacker did make off with a database dump.

Our passwords are stored in a hashed format and are relatively difficult to brute-force (technical details: we were using bcrypt), but you should change yours anyway. That includes on PS, and everywhere else you were using the same password (you should not be using the same password everywhere else). Other than that, there's no need to panic: bcrypt slows the attacker down enough that you have plenty of time to change your password before it becomes a problem.

Password security

Some people believe bcrypt hashing is enough to keep a password secure even if the hashed password is stolen. This is... complicated. If you're not a high-value target and your password is strong enough, you should be mostly safe. For an average password, though, bcrypt can only buy you time (weeks? let's say weeks). And your password is probably weaker than you think it is. Either way, you should change your passwords just to be safe.

As a note, we don't enforce any minimum password requirements for regular users because there's nothing particularly valuable in a PS account. You don't need to train Pokémon on your account to battle or anything. It's up to you how valuable you consider your account.

The hack

At approximately 8pm Pacific Time, a hacker replaced the main page with a message bragging about hacking the site. Around an hour later, I shut the site down. I could have brought PS back up immediately, but I wanted to assess the damage, figure out how it happened, and make sure it couldn't happen again.

Another hour later, I identified and patched the vulnerability and brought the site back up. Total downtime was a bit over two hours, as far as I can tell.

To be clear, the privilege escalation vulnerability required an admin account to pull off, so the main issue is still how the hacker obtained an admin's password. My best guess is phishing or social engineering.

What we're doing

The privilege escalation has been patched, and the main issue now is how the admin account got stolen. We're going to investigate 2-factor authentication (most likely through Google login or something) as a way to secure that.

What to do

Once again, change your password in PS and everywhere else you use the same password. bcrypt can probably buy you weeks, so you don't need to worry.

If you run a server, make sure you are on the latest public key.

Zarel on Sep 18, 2016