
SRB2MB Security Breach: What Happened, How We Fixed It, and How We’re Minimizing the Chance of It Ever Happening Again

SeventhSentinel - April 21, 2022

Hello everybody. Many of you have noticed that the Message Board and Master Server have not been available for the last few days. They’re back now. In the interest of transparency, I’m going to explain why they were down.

As Easter came to a close, we suffered a security breach. The password of one of our administrators was brute-forced, giving the attackers access to administrative permissions. These permissions included the ability to see email addresses of members, but not their passwords nor the hashes thereof. The attackers proceeded to spam the forums, edit posts with offensive text, and change emails and passwords of some other staff members.

We took down the forums briefly to assess damage and reset the password of the affected administrator. However, we did not notice the email on their account had been changed, so the attackers were able to break back into the account and continue using it. They set the forum software to begin deleting all user accounts. The Message Board was then taken back down. The Master Server partially relies on the Message Board in order to run, which is why it became unavailable.
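The two lessons in the account above are that a brute-forced login leaves a visible trail (a burst of failures followed by a success) and that resetting the password of a compromised account is not enough if the attacker also changed its contact email. The following is an added example, not code from the SRB2MB forum software: it runs over a constructed audit trail (the `Event` records, `admin1` user name and addresses are all made up) to locate the likely moment of compromise and list everything that must be reverted, including the email change that was missed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str      # login_failed | login_ok | email_changed | password_changed
    detail: str = ""   # for email_changed: the previous address

def first_bruteforced_login(events, user, threshold=20, window=timedelta(minutes=10)):
    """Timestamp of the first successful login preceded by >= threshold
    failures inside `window` (the likely moment of compromise), else None."""
    recent = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.user != user:
            continue
        recent = [t for t in recent if e.ts - t <= window]
        if e.kind == "login_failed":
            recent.append(e.ts)
        elif e.kind == "login_ok":
            if len(recent) >= threshold:
                return e.ts
            recent = []
    return None

def remediation_plan(events, user, compromised_at):
    """Every attribute changed since the compromise has to be reverted, not
    just the password; a swapped contact email is a standing way back in."""
    plan = {"reset_password", "revoke_all_sessions", "require_2fa"}
    for e in events:
        if e.user != user or e.ts < compromised_at:
            continue
        if e.kind == "email_changed":
            plan.add("revert_email_to:" + e.detail)
        elif e.kind == "password_changed":
            plan.add("attacker_set_password")  # reset must be forced, not optional
    return plan

# Constructed audit trail (hypothetical, not real forum data): a burst of
# failures, one success, then the attacker swaps the email and password.
T0 = datetime(2022, 1, 1, 22, 0)
AUDIT = [Event(T0 + timedelta(seconds=i), "admin1", "login_failed") for i in range(30)]
AUDIT += [
    Event(T0 + timedelta(seconds=31), "admin1", "login_ok"),
    Event(T0 + timedelta(minutes=2), "admin1", "email_changed", "old@example.invalid"),
    Event(T0 + timedelta(minutes=3), "admin1", "password_changed"),
]

if __name__ == "__main__":
    hit = first_bruteforced_login(AUDIT, "admin1")
    print("compromise at", hit)
    print(sorted(remediation_plan(AUDIT, "admin1", hit)))
```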

To fix this, the forum has been rolled back to the state it was in on April 14th, so expect some posts and addons to be missing. If your account was deleted in the attack, you can expect it to be back, complete with all of your posts and other data (as of the 14th). The staff member whose account was compromised has voluntarily stepped down and will no longer be an administrator. We rounded up the staff, including SRB2 & SRB2Kart developers, to assess their security, change their passwords, and enable 2-factor authentication. All staff members are now required to enable 2FA in order to use moderator/admin powers. Additionally, we’ve set stricter password requirements for all new accounts.

Although the Message Board was functional by the end of April 19th, we kept it closed to the public because not all staff were immediately available for the security check-up. Some staff have still not responded, so instead of keeping the place closed, we have temporarily disabled their accounts as a precautionary measure. Staff members whose accounts are disabled should contact an administrator at their earliest convenience.

We appreciate your patience and support during the recovery process. If you have any questions, comments, or concerns, please reach out to us via this forum on the SRB2MB, our Discord server, @SonicTeamJr on Twitter, or our Facebook page. Have a great rest of your week!
