Update on the Data Breach
This one is quite serious, so it is going to be a lot of words - I apologize in advance for the wall of text, but it’s important and well worth reading.
I have spent a fair amount of time over the past week or so going back and forth with our hosting provider, and as of right now we have no evidence to suggest that there was actually a security breach on Fortress of Lies. So, that may leave you wondering, why did we think there had been one?
Well, the long story short is, we now believe we got hit by a really unlikely (and quite funny) set of coincidences that appeared likely to be the result of a data breach on our site, but were actually the result of an entirely unrelated data breach.
Specifically, on the afternoon of the 26th, one of our users reported that they had been notified by their password manager that one of their passwords for the site had appeared in a data breach. Because this password was only ever used by them on this site, they made the very reasonable assumption that our site must have been hacked in order for this password to have been compromised. Shortly thereafter, another user checked their own password manager, and discovered that one of their passwords was also now showing a “compromised password” notification that had not previously been present. As soon as I was notified of this (within an hour of the initial post), I moved to contact our hosting provider and began digging through our logs to see if I could find any evidence of a breach. Although I could not find any at the time, I still elected to send out a notification on the website and a (rare) @everyone ping on the Discord, as the fact that not one but two users had suddenly been notified that their passwords were compromised, including at least one password that had only ever been used on this site, was concerning enough to warrant immediate action.
Over the coming days, I was able to re-affirm that nothing looked wrong that I could see, and our hosting provider confirmed that everything on their end also seemed perfectly fine, with no sign of any malicious data breach. Additionally, even if there had been some kind of data breach, Discourse uses one-way-encrypted passwords that are considered impossible to decrypt, meaning that it is quite unlikely that a breach would allow anybody to get hold of the passwords on this site. However, just to be safe, we waited a few days to be certain that no other users’ passwords suddenly started showing up as compromised.
Given this has not occurred, our best guess is that the first user with the unique password just so happened to have the exact same password as some other random user of some other random site somewhere out there on the internet, and a data breach password dump just so happened to hit that other random person’s coincidentally identical password while simultaneously just so happening to contain the password of our second user (this one they did admit to using on a large number of websites).
While this may sound wildly implausible, in following up with that first user I confirmed that the password is definitely such that it would not be impossible for somebody else to think of using the same password. Given that user’s passwords for their other accounts have not been showing as compromised, we must conclude that the most likely scenario is that this exact password was, entirely by coincidence, used by somebody else who was caught in some other random breach.
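As an added illustration (not part of the original post) of why such an alert says nothing about which site leaked: a compromised-password check of the kind password managers run compares only the password value against breach dumps, so a coincidental match in some other site's dump flags the forum entry. The breach dump, the site names and the passwords below are constructed, and the lookup is a local simulation of the k-anonymity prefix query used by Pwned Passwords (whether the users' managers used that service is an assumption).

```python
import hashlib

# Constructed sample: plaintexts recovered from some unrelated site's breach dump,
# stored (as the real service does) as upper-case SHA-1 hex digests.
OTHER_SITE_DUMP = {"correct horse battery staple", "Tr0ub4dor&3", "hunter2"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in OTHER_SITE_DUMP}


def range_lookup(prefix: str) -> list[str]:
    """Simulated range endpoint: every breached hash sharing this 5-hex-char prefix,
    returned as suffixes. The caller never reveals the full hash, only the prefix."""
    return [h[5:] for h in BREACHED_SHA1 if h[:5] == prefix]


def is_compromised(password: str) -> bool:
    """Client side of the check: hash locally, query by prefix, compare suffixes locally.
    Note that nothing about the site the password belongs to is involved."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def check_vault(vault: dict[str, str]) -> dict[str, bool]:
    """Run the check over every (site, password) pair in a password-manager vault."""
    return {site: is_compromised(pw) for site, pw in vault.items()}


if __name__ == "__main__":
    # Constructed vault: the forum password is unique to the forum, yet it is flagged
    # because an unrelated person used the same string on the breached site.
    vault = {
        "forum.example": "correct horse battery staple",
        "bank.example": "zq7!Lm2#vault-only",
    }
    for site, flagged in check_vault(vault).items():
        print(f"{site}: {'compromised' if flagged else 'ok'}")
```

The forum entry is reported as compromised even though no forum data was in the dump; the alert is evidence about the password value, not about the site.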
I am currently happy with how this incident was handled on our end - it is far better for us to announce a potential data breach and walk it back than to ignore a real data breach until actual harm has been done - but I do apologize for any confusion that has been caused by this incident. As always, practicing proper password protection protocol is vital in the modern era, and I hope that this can, if nothing else, serve as a good reminder that some random internet forum being compromised should never be allowed to compromise other important aspects of your life. Please do remember to use different passwords (best done with a proper and secure password manager) and enable two-factor authentication (2FA) on anything you wouldn’t be happy to lose.