When we converted our Apache configuration to NGINX, we used an automated tool, and it did not convert the "no PHP execution access" rule on our avatar and cover uploads. This allowed a 3rd party to upload and execute a PHP shell, with which they could possibly have downloaded a copy of the accounts database. A user testing the site recently reported this vulnerability to us. From what we can tell from logs, he was the only one, but that information is unconfirmed and the user is a 3rd-party individual we have not verified.
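For administrators doing a similar migration, the following is an added illustration of this class of misconfiguration and its correction; it is not our actual configuration. The `/uploads/` path, document root, host names and PHP-FPM socket are assumptions. NGINX does not read per-directory `.htaccess` files, so a restriction like this has to exist as an explicit `location` block.

```nginx
# Constructed example; paths, host names and socket are assumptions.

# Weak: the catch-all PHP handler also matches files under the upload
# directories, so an uploaded /uploads/avatars/x.php is executed.
server {
    listen 80;
    server_name weak.example.test;
    root /var/www/site/public;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# Corrected: uploads are served as static files only.
server {
    listen 80;
    server_name fixed.example.test;
    root /var/www/site/public;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # "^~" makes this prefix win before any server-level regex location
    # is tried, so the PHP handler below is never consulted for /uploads/.
    location ^~ /uploads/ {
        # Refuse script extensions outright instead of serving their source.
        location ~* \.(?:php\d*|phtml|phar)$ {
            return 403;
        }
        add_header X-Content-Type-Options nosniff;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After a change like this, `nginx -t` validates the syntax, and requesting a harmless test `.php` file placed in the upload directory should return 403 rather than executing.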
What Information Was Involved?
We believe the entire database was downloaded. Basically it's just user emails, names, and passwords (which are salted and hashed, but given enough time can be decrypted).
What We Are Doing
We took the old, potentially still compromised, box offline. We built a new one with a fresh install of everything, copied over files, and audited uncommitted changes. We revoked all secrets, tokens and passphrases that our systems use internally. We also cleared out everyone's password and updated our authentication system to be smarter in how it handles this type of case, prompting the user to reset their password.
What You Can Do
We highly recommend you reset your password ANYWHERE you used it. The passwords may have been encrypted, but given time, they could be decrypted. This is a standard recommendation for any situation like this. We also recommend you use a password manager (Bitwarden, LastPass, 1Password, Dashlane, etc.) so you can generate secure and unique passwords for each site you use.
Other Important Information
We found out by reviewing our log file. The vulnerability was actually discovered by a user called "Creatable", and we put a fix in on Thursday. However, on Sunday morning it was discovered that there was something he didn't tell us: it is likely he has a copy of the data. We are still in contact with him, he has disclosed several more issues he has discovered, and we continue to patch these as they're reported.
It's possible there is no cause for alarm here; he may not wish any users harm. However, he is currently an untrusted 3rd party and we can't be sure of his motives. UPDATE: Confirmed that he admitted to having a copy.