FFR Data Breach / Account Security Announcement
Hello everybody.
As some of you may have seen from the forums, there is reporting that there was a breach of FFR in July of 2019, resulting in the compromise of usernames, email addresses, dates of birth and IP information, as well as salted MD5 password hashes. We had a similar breach in 2016, and this latest breach appears to have compromised an additional ~85,000 accounts.
What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away.
What it means for FFR passwords is a little more complicated, so we are going to level with you.
Due to various issues (mostly the non-profit nature of the site and the absence of Synthlight), it is unlikely that we’ll ever be able to upgrade the security architecture in any especially meaningful way. Also, while salted MD5 hashes were fairly secure in 2008, they have become less so as time has passed. Our version of vBulletin is as up to date as we can make it, and our version of WordPress is one we’re stuck with, because neither can be changed without Synthlight’s involvement. So, in the near term and in today’s information security climate, we have to be frank that we lack any especially compelling way to secure your password.
Of the salted hashes compromised in the breach, nearly 150,000 remained uncracked. Those were likely users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked today, sufficiently strong passwords are at least some deterrent to these attacks. So for FFR, as for any other service you have with a password, your best bet is to use a password manager like KeePass or LastPass to generate very strong passwords unique to each site. If you don’t want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblance to any personally identifying words or phrases, and avoiding simple substitutions (3 for e, 1 for i, etc.).
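As an added illustration (not code from FFR or its team), the following Python script shows two things the paragraphs above rely on: how cheap a salted MD5 verification is compared with a deliberately slow key-derivation function such as PBKDF2, which is why the uncracked hashes were protected only by the strength of their passwords, and a small checker for the password advice given here (length, character classes, and no personally identifying words even after undoing simple substitutions like 3 for e). The md5(password + salt) layout, the PBKDF2 iteration count, the 12-character minimum, the extra substitution entries and the sample passwords and personal words are assumptions constructed for the example, not details of FFR’s systems.

```python
"""Added example, not FFR's code: cost of salted MD5 vs. a slow KDF, and a
checker for the password advice in the announcement.  All scheme details,
thresholds and sample data below are assumptions constructed for illustration."""
import hashlib
import hmac
import os
import time

# Assumed salted-MD5 layout: md5(password || salt).  The exact layout used by
# FFR's vBulletin/WordPress stack is not stated on the page.
def salted_md5(password: str, salt: bytes) -> str:
    return hashlib.md5(password.encode("utf-8") + salt).hexdigest()

# A deliberately slow KDF for comparison.  600,000 iterations is an assumed
# work factor chosen to be in line with current PBKDF2-HMAC-SHA256 guidance.
def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()

def verify(candidate: str, salt: bytes, stored: str, hasher) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    return hmac.compare_digest(hasher(candidate, salt), stored)

def seconds_per_hash(hasher, n: int) -> float:
    """Rough per-hash cost on this machine; only the ratio between hashers matters."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(n):
        hasher(f"probe{i}", salt)
    return (time.perf_counter() - start) / n

# Simple-substitution map.  "3 for e" and "1 for i" come from the announcement;
# the remaining entries are common ones added here as assumptions.
LEET = str.maketrans({"3": "e", "1": "i", "0": "o", "4": "a", "5": "s",
                      "@": "a", "$": "s", "7": "t"})
MIN_LENGTH = 12  # assumed threshold; the page only says "as long as possible"

def normalize(text: str) -> str:
    """Lowercase and undo simple substitutions so 'p4ssw0rd' reads 'password'."""
    return text.lower().translate(LEET)

def password_problems(password: str, personal_words) -> list:
    """Return a list of reasons the password falls short of the advice; empty is good."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("missing one of: lowercase, uppercase, digits, symbols")
    norm_pw = normalize(password)
    for word in personal_words:
        norm_word = normalize(word)
        # Both sides are normalized, so '1987' in a password still matches a
        # birth year of 1987 even though the digits get rewritten.
        if len(norm_word) >= 3 and norm_word in norm_pw:
            problems.append(f"contains personal word {word!r} (after undoing substitutions)")
    return problems

if __name__ == "__main__":
    salt = os.urandom(16)
    stored_md5 = salted_md5("Correct-Horse", salt)
    print("salted MD5 login check:", verify("Correct-Horse", salt, stored_md5, salted_md5))
    md5_cost = seconds_per_hash(salted_md5, 20_000)
    kdf_cost = seconds_per_hash(pbkdf2_hash, 3)
    print(f"salted MD5: {md5_cost * 1e6:.2f} us/hash, PBKDF2: {kdf_cost * 1e3:.1f} ms/hash, "
          f"ratio ~{kdf_cost / md5_cost:,.0f}x")
    # Constructed personal words: a username, a birth year, and a dictionary word.
    personal = ["Devonin", "1987", "password"]
    for pw in ["p4ssw0rd", "Dev0nin1987!", "xK7#mQ2!vL9@pW4z"]:
        print(f"{pw!r}: {password_problems(pw, personal) or 'no obvious problems'}")
```

The ratio printed by the timing section is the point of the first half: each guess against a salted MD5 hash costs microseconds, so only the size of the search space (password length and character mix) slows an attacker down, whereas a slow KDF makes every guess expensive regardless of the password. The second half turns the advice in the text into a check a user can run against a candidate password before using it; note that the personal-word test uses data of exactly the kind the breach exposed (usernames and dates of birth), which is why the advice to avoid such words matters.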
We are definitely sympathetic to anybody whose compromised passwords and information are also used in other places, especially newer users who joined the site after the last breach, when we also had to be frank about the reasons why we’re unable to properly secure user data. But as much as we would love to make the changes needed to secure FFR, our hands are, sadly, tied.
Devonin and the FFR Team
Update: It is believed that the particular vulnerability that led to this breach has been found and closed. It appears that whoever carried out the breach took advantage of a disabled WordPress plugin, which has since been deleted completely. Additionally, as a precaution, every such plugin has been removed. This seems the most likely source of the breach, as a number of other sites have also been breached in recent months via WordPress plugin issues. While this does appear to be a fix that will prevent further breaches exploiting this same vulnerability, the general weakness of site security remains, so all the precautions above regarding passwords and data management still apply. Thank you everybody for your patience, and for your willingness to hear our explanations of the difficulties we face in safeguarding your data.
11 Responses to “FFR Data Breach / Account Security Announcement”
Posted at 5:39pm on July 21st, 2019
thanks ffr team for putting up with the site to keep it alive for all of us for so long. <3
Posted at 5:51pm on July 21st, 2019
hang in there FFR
Posted at 8:32pm on July 21st, 2019
thanks ffr
Posted at 8:57pm on July 21st, 2019
Thanks for the post~
Posted at 9:35pm on July 21st, 2019
Good work! Very hasty too
Posted at 10:25pm on July 21st, 2019
It's a good thing I legit didn't change my password since the last breach lol
Posted at 8:02am on July 22nd, 2019
Can someone tell me a good password for my account?
Posted at 10:06am on July 22nd, 2019
I've never gotten an email or notification about a breach, does that mean it doesn't apply to me? lol
Posted at 11:24am on July 22nd, 2019
Shout out to the staff for getting on this in a timely fashion.
Posted at 12:11pm on July 22nd, 2019
oo00oo00oo00 buttermuffinsss n_n
Posted at 9:56am on July 23rd, 2019
OH TEH N0ES!!11!