Hey everyone,
We’re still working on tracking down the details, but just so everybody knows we have had a data breach. We aren’t sure of the full extent yet, and will keep people up to date as we discover more, but assume that your passwords have all been compromised.
We currently have no reason to believe that this was targeted directly at our site, as it seems far more likely that it was a general attack targeting Discourse-based websites at random to fish for password/e-mail/username combinations in order to try them on other sites. As such, although you may change your password here if you wish, we do not know enough yet to promise that this new password would not also be compromised. Given the risk of your FoL account being hacked is quite low, I actually might suggest holding off on doing that until we’ve worked with our hosting provider to discover the source and ensure any new passwords won’t be immediately snatched.
As for what you should do:
- Always use different passwords for different websites. With modern password managers, there is no good excuse not to be doing this. If you haven’t started yet, make this incident your reason to start now.
- Turn on 2-Factor Authentication everywhere you can. Fortress of Lies offers this service, and it is required for all Moderator and Admin accounts. If you have 2FA enabled, even knowing your username and password will not be enough to directly allow a malicious actor access to your account.
If anybody has any questions, please reach out to me with them. Thanks.