27-08-23 breach
What happened
On the afternoon of the 27th of August, our database was ransomwared.
We have a backup process in place, so no data was actually lost. When we discovered the attack this morning (28/08), we ensured the attacker had no more entry vectors before removing the ransomware message and restoring our data.
Result
All our user data is in hostile hands. The attacker has access to:
- Username
- Password hash (this is a one-way, non-reversible hashed version of your password, not your actual password)
- Permissions integer
- Finds & first finds
- Email verification UUIDs
- Password reset UUIDs
The attacker also had access to all the duck information and find information, but that's not as sensitive. If someone shoots to the top of the leaderboard, we'll know. If you see an uptick in spam email to your associated email, sorry about that.
You may wish to review CERT's list of common scams and frauds to better protect yourself.
This is exactly why you should use different passwords for everything, or better yet, use a password manager!! (guidelines for which are available here)
This attack was due to a tiny error, and we don't expect it to happen again. If you have any concerns or want to know more, please contact us at [email protected] or the Privacy Commissioner's office.