Data Breach Notification - TotalFreedom Developer Server

Please Note: The TotalFreedom Forum has now been put into a read-only mode. Total Freedom has now closed down and will not be returning in any way, shape or form. It has been a pleasure to lead this community and I wish you all the best for your futures.
  • I wanted to let folks know that we are currently investigating a data breach on the Dev-Freedom-01 Server. We have been made aware of a leak that has been published.

    We are still performing a full investigation into the data which has been leaked, but current indications would suggest that it was isolated to the developer server, and was accessed using one of our dev team's credentials.

    From the initial review of the data, we've been able to narrow the breach down to being not before March 31st 2021 at 22:19 UTC, and not after April 3rd 2021 at 01:02 UTC.

    We are currently investigating if any PII data has been included in this leak, and where appropriate will be working with the Information Commissioner's Office when we have confirmed whether a GDPR breach has occurred.

    For clarification, we are notifying everyone about this potential breach as a copy of Freedom-01 was cloned to the dev server some time previously in order to give the dev team a realistic non-prod environment to test against. It is also important to note that the vast majority of this information has previously been made public through historic archiving / publication of the server files.

    I will keep people informed via this thread as we establish further information.

    There will be a separate thread open for discussion, but I will say that until further information is established the dev team and others involved in the investigation have been asked not to disclose any further information for the time being, especially as this will potentially require some coordination with external organisations if it does prove to contain any personal information.

    We have suspended access to the dev server through a network and service suspension to prevent access. This server will remain suspended pending the outcome of the investigation, and once concluded the server will be fully destroyed.

    I thank you all for your understanding, and would like to stress that this appears to be isolated to the dev server. We have no reason to believe that any other servers have been compromised, and the account which we believe to have been compromised on the dev server was not a valid account on any non-dev servers.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

  • Added clarification as follows

    Quote

    For clarification, we are notifying everyone about this potential breach as a copy of Freedom-01 was cloned to the dev server some time previously in order to give the dev team a realistic non-prod environment to test against. It is also important to note that the vast majority of this information has previously been made public through historic archiving / publication of the server files.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

  • I hope to be able to provide a further update tonight / tomorrow. I appreciate folks' patience and want to confirm that so far none of the data we have been able to confirm was accessed or published is believed to be significant enough to normally justify notifying the ICO here in the UK. And again, a lot of this data was included in previous leaks of the server (mainly the one where Seth accidentally uploaded the full server backup to his web server, which was then downloaded and archived).

    I appreciate all of your understanding while we make sure we get this right.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

  • I wanted to give everyone a bit of an update. While we are still progressing through the investigation and there is a lot of information still to be confirmed or unknown, I wanted to give some information based on what we have found so far.

    The dev server was at some point previously (I believe around Feb 2021) cloned fully from the Freedom-01 server at the time, as Freedom-02 has been as well. The reasoning behind this was to allow us to create an accurate non-production environment that the development team could test and experiment in without risking any impact on players on the live servers.

    Due to failings on my part, some steps that should have been taken to roll various credentials and sanitise / destroy some data were neglected, and that is ultimately why we are here today. We are working to put steps into place to ensure that this doesn't happen again, and in the interests of clarity, access to the production servers is significantly more tightly controlled, with access to Freedom-01 and Freedom-02 currently only being granted to Steven, Fleek and myself, as we are the three who actively require such access.

    We know that the attackers gained unauthorised and illegal access to our infrastructure, which, from all indications and investigations so far, appears to have been limited to just our development environment. The credentials which were breached were only valid on the development server, and we have seen no current indications of any of our other infrastructure being in any way accessed or compromised.

    From what we have seen, the attackers took a full dump of the entire file system which they had access to with those privileges, which included the "tfserver" Linux user that runs the server; therefore all plugin data, world data and config files, for example, were retrieved and for a short time published through sites only accessible via Tor.

    We are still working through all of the data and working with individuals who took copies of this data for archiving / their own OSINT purposes to evaluate the full data that was included. At the current time the development server has been suspended and disconnected from the network to prevent any potential future access.

    Based on the data we have been able to confirm, we believe it is limited to data such as users' Mojang UUIDs and the IPs they have previously connected to us from, as stored in Essentials and, for admins, also within TotalFreedomMod's database.

    It is important to stress that this information alone does not pose any direct threat to our end-users; however, as with any data like this being made more easily available than before, we would suggest folks use their judgement and are extra vigilant. Where possible it is also recommended to have your IP address changed; for most ISPs this can be handled through a reset of the router (power it off, wait 10 minutes, power it back on). Where this is not possible, contacting your ISP and notifying them that your home IP address was included in a breach will often enable the ISP to change it for you.

    Based on our analysis to date, we identified several shortfalls in our process, many of which resulted in some credentials being accidentally shared between servers (Telnet, for example); these were changed as soon as we identified that the credentials had been left identical. Likewise, the Votifier keys were inadvertently left the same, and were promptly changed.

    We have also been able to identify that the attackers, while on the server, could (though we've not been able to confirm this) also have had access to the dev server's CoreProtect database, the live NetworkManager database, and the live Player Plan database. Access to these would only have been possible from the server itself, and from the data which was published there is no indication to suggest access was even attempted; the CoreProtect and Plan databases that we have seen in the data published so far appear to be legacy local SQLite instances, which were replaced by our central MySQL server at a later date.

    We are still working through the data and will be working through various remediation steps to better secure the infrastructure that remains, along with making sure our processes for building servers going forward are more secure and that we learn from the mistakes on this occasion.

    I also wish to stress that access to sensitive information such as the forums was not possible from the dev server, nor was access to any other databases that weren't directly related to the dev server. We have engaged with the UK's Information Commissioner's Office, and at the current time there is legally no requirement for disclosure given the nature of the information published, though as I've said on other threads I believe it's only right to be transparent with the information we know and can share.

    I will post an update here in due course when we’ve worked through the remainder of the data, and when we’ve finished remediation action, but wanted to update you with what we know to date.

    Thank you again for your understanding.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK