Security Breach Oct-17-2020

  • Admin


    On Oct 17, 2020, around 07:00 GMT we became aware of a person that gained access to an admin account. We are not certain of how they gained access. With the hijacked account that person changed the frontpage of the forum.

    In response to this we restored the forum from a recent backup and changed the password of the compromised account. Several hours later the account was again compromised and this time the attacker began making malicious edits to category titles and malicious posts.

    We again restored the forum from backup and again changed the password of the admin account and removed admin privileges from that account.

    The admin account is a default account created with the 'nodebb' (that runs this forum) and we had left it enabled with a relatively secure password.


    While the attacker had access to the "admin" account they had access and could download the list of all usernames and emails.

    Passwords were not exposed and are stored encrypted.

    It's a guess that the main goal of this attack was largely site defacement. The attacker seems to have a collection of defaced sites and was running up their score.


    We were on version 13 of nodebb which had an open security advisory that could allow for account takeover. We do not know the exact method used for account takeover, exploiting that security advisory seems to have been the most likely attack vector used.

    Corrective Action

    • We have upgraded the forum software to 14.3 picking up a number of security patches, notably picking up a patch for the security advisory mentioned above.

    • We now require all admin accounts to use MFA (multi-factor-authentication). This new requirements means if a password is compromised, an attacker would still not be able to log in to that account without the MFA device.

    • We have increased password complexity requirements from 6 characters to 8 and now require passwords to not be "easily guessable".

    • We have deleted the unnecessary 'admin' account that had been compromised.

    Lessons Learned and Future Investments

    We will continue investing in the security of the forum to improve intrusion detection, security vulnerability notification, improve logging (so we can better investigate breaches), and facilitate deployments so that we can increase the deployment frequency and keep the forum software much closer to the latest version available.

Log in to reply