Discussion - Data Breach Notification for TF Dev Server

Please Note: The TotalFreedom Forum has now been put into a read-only mode. Total Freedom has now closed down and will not be returning in any way, shape or form. It has been a pleasure to lead this community and I wish you all the best for your futures.
  • @wild1145#17456 Not my point. If you're gonna say I don't know anything about cyber security and then you hire a bunch of devs who have access to a near-identical clone of the main server, then clearly the credentials you said you had aren't really justifying anything lol

  • @Telesphoreo#17457 I would encourage you to show the full context of the quote then. My point was that you were clearly not knowledgeable in the area you claimed to be in, and based on your argument here that hasn't changed. Your argument was a panel was more secure, it wouldn't have made any difference at all in this context.

    An investigation is still under way, and when I have more info and we know what actually happened then feel free to judge, but right now I don't believe you or anyone else has enough data to make an informed statement, much less what your claims are.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

  • @Luke#17494 Wouldn't make a difference if an ssh account is compromised, which we believe so far is what happened here, and server file access was needed so the devs could do testing.

    Linux also logs all logins and durations anyway so I have all that info.

    A panel if anything, as I say, may have caused more issues if the individual whose ssh creds may have been used were then the same as a panel, at which point they could in theory have done damage to live services as well. That's sorta the point.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

  • I'm with Ivan here, and I raised an issue with this when I was an exec: you were accepting people based on their coding ability and not their trustworthiness. I mean come on, that akhi guy registered for the forum 30 minutes before applying for developer and then he got accepted lol

  • @wild1145#17489 You're again missing the point. The quote came from the panel thread and anyone can find it. My point is that if you're going to claim to be more knowledgeable than me and then let people who you don't know well at all be dev, then what's the point in claiming you're more knowledgeable than me. That's literally like me giving people access to my server on the basis they know how to ssh in, not if they're a trustworthy person who can keep themselves and the data on the server safe

  • To me, how they managed to get in doesn't matter as much as the data they managed to access right now. While I cannot provide much information publicly at this moment in time, I will say that people should be informed about what exactly was accessed.

    The faster people know about it, the less time someone with ill intentions will have to actually abuse the data they have before it becomes worthless. It is paramount that users are able to protect themselves from and prepare for the fallout of this breach while they still can.


  • @fionn#17498 Ultimately that's what we are interested in. If someone really wanted to do damage social engineering is a common approach and would give the perception of trust...

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

  • @Telesphoreo#17505 the issue is you missed the point I've made here and on the original panel thread where that quote was taken from out of context...

    This (as with all breaches) was a matter of when, not if. Every company / system will at some point be compromised, the difference is that I've been transparent in that, despite having no legal or regulatory requirements to do so, because I'd rather be transparent with data security with the community and while that will make me personally look bad because it happened on my watch, and may even lose us players I believe I'd want to know if a leak happened that contains my data, even if there is not a legal requirement for someone to tell me.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

  • These are my seven cents:

    1. Ryan, if you hadn't disclosed this breach it would've been a lot worse for you, so stop making it seem like you're being nice to us.
    2. None of this would've been an issue if the dev server didn't have live data. I completely understand the importance of a good dev server, but real player IPs do not belong there.
    3. There is way too much general misinformation going around on this thread, and on the discord, so here is my attempt to try to clear things up:
      a. Access tokens will not be leaked if you click on a link, due to cookies being restricted per domain.
      b. Your IP cannot be leaked if you clicked on the .onion link, because if by some miracle it opened in a tor browser, and loaded, your IP will be still masked by the tor network.
      c. The newest player data in the leak was from 03/25/2021, but it looks like almost all player data was added on 02/13/2021. In total, almost 8k player profiles were in the leak.
      d. For most players, their IP very likely already changed due to ISPs mainly using dynamic IPs.
      e. The leak also contained ban data.
      f. Yes there were Votifier keys, but I hope that those were changed since then.

         Quote

         @redeastwood#17552 I changed these almost immediately.

      g. A panel wouldn't really make a difference.
    4. Ryan, please stop saying things along the lines of "people are stupid." It doesn't inspire professionalism, and a better solution for you would be to try to clear up some misinformation.
    5. There has hardly been any transparency before this, and you should have the systems in place to detect somebody using a dev's credentials to download 1.1GB of data off a dev server.
    6. Also, isn't posting banned players' IPs in public chat breaching PPI? I don't think I can find any TOS, T&Cs, etc on your website or forum, and no cookie notice. All of which are a breach of GDPR.
    7. Please acknowledge you and your team's mistakes.
  • Quote

    @k3das#17546 Ryan, if you hadn't disclosed this breach it would've been a lot worse for you, so stop making it seem like you're being nice to us.

    It really wouldn't. It wouldn't have been hard to have denied any breach at all. UK law (which we are primarily governed by) has no requirement for disclosure in these circumstances. That's what the majority of companies do.

    Quote

    @k3das#17546 None of this would've been an issue if the dev server didn't have live data. I completely understand the importance of a good dev server, but real player IPs do not belong there.

    The dev server will always have "live" data as players are regularly invited to join the server for testing. While lessons have been learnt and when more information is known and confirmed, we will publish more information and cover off those lessons and the changes to be made going forward.

    Quote

    @k3das#17546 There is way too much general misinformation going around on this thread, and on the discord, so here is my attempt to try to clear things up:

    The original announcement has all of the information known to date. Any information stated otherwise should be assumed to be false.

    Quote

    @k3das#17546 The newest player data in the leak was from 03/25/2021, but it looks like almost all player data was added on 02/13/2021. In total, almost 8k

    At this time there is no evidence to confirm this. We are still investigating the exact content of the breach and other content which may have been impacted. Right now you are simply adding to the misinformation...

    Quote

    @k3das#17546 The leak also contained ban data.
    f. Yes there were Votifier keys, but I hope that those were changed since then.

    Please again see my previous point. You are currently doing nothing more than spreading misinformation.

    Quote

    @k3das#17546 For most players, their IP very likely already changed due to ISPs mainly using dynamic IPs

    This isn't entirely true, and should not be assumed to be true.

    Quote

    @k3das#17546 Ryan, please stop saying things along the lines of "people are stupid." It doesn't inspire professionalism, and a better solution for you would be to try to clear up some misinformation

    I haven't claimed anyone to be stupid. I've highlighted where misinformation is being spread or where statements are blatantly false.

    Quote

    @k3das#17546 There has hardly been any transparency before this,

    Pretty much everything we do is in the public domain. I don't really see how there is much we could have done to be more transparent. In this case we will only publish information when we've been able to confirm it. Else we're just speculating.

    Quote

    @k3das#17546 and you should have the systems in place to detect somebody using a dev's credentials to download 1.1GB of data off a dev server.

    Why? It is entirely reasonable to expect the developers to need to upload / download large files from the Dev server for troubleshooting and debugging... That wouldn't have done anything meaningful beyond plenty of false positives from what I can see.

    Quote

    @k3das#17546 Also, isn't posting banned player's IPs in public chat breaching PPI? I don't think I can find any TOS, T&Cs, etc on your website or forum, and no cookie notice. All of which are a breach of GDPR.

    At the current time we have consulted with the Information Commissioner's Office and they have confirmed, based off the data we have confirmed to be leaked, there is no requirement for disclosure to end users or to them. We've disclosed to end users because I personally believe that to be the right thing to do.

    Quote

    @k3das#17546 Please acknowledge you and your team's mistakes.

    I have and continue to do so... Otherwise I wouldn't have confirmed there was a data leak in the first place.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK
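    The exchange above (k3das: "you should have the systems in place to detect somebody ... download 1.1GB of data off a dev server"; Wild1145: that would only produce false positives because devs legitimately move large files) is the classic anomaly-detection trade-off, and the usual answer is a per-user baseline rather than a fixed threshold. The script below is an added example, not TotalFreedom's tooling and not something posted in this thread. It reads sshd "Accepted ..." lines and sftp-server "close ... bytes read N" lines, attributes transfers to the user whose session they belong to, and flags (a) a day whose download volume is far above that user's own median and (b) a login from an address that user has never used before. The log lines are constructed after the general shape of OpenSSH syslog output; the pid-to-user mapping, the 10x factor and the 100 MB floor are assumptions.

```python
"""Baseline-and-flag detection for SSH/SFTP activity on a dev server.

Added example, not TotalFreedom's own tooling. Log lines are constructed after
the general shape of OpenSSH syslog output. ASSUMPTIONS: an sftp-server line is
attributed to the user whose "Accepted" line carries the same pid; the factor
and floor in flag_anomalies() are illustrative, not tuned values.
"""
import re
from collections import defaultdict
from statistics import median

SESSION_RE = re.compile(
    r"^(?P<date>\w{3} +\d+) [\d:]+ \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
CLOSE_RE = re.compile(
    r'^(?P<date>\w{3} +\d+) [\d:]+ \S+ sftp-server\[(?P<pid>\d+)\]: '
    r'close "[^"]+" bytes read (?P<read>\d+) written (?P<written>\d+)')

MB = 1024 * 1024


def build_sample_log():
    """Constructed log: seven quiet days, then dev1's key used from an
    unfamiliar address to pull ~1.1 GB in one session."""
    lines, pid = [], 4000
    for day in range(1, 8):
        for user, ip, mb in (("dev1", "203.0.113.5", 30), ("dev2", "198.51.100.7", 80)):
            pid += 1
            lines.append(f"Mar {day:2d} 09:15:01 devbox sshd[{pid}]: Accepted publickey "
                         f"for {user} from {ip} port 51234 ssh2")
            lines.append(f'Mar {day:2d} 09:16:42 devbox sftp-server[{pid}]: close '
                         f'"/srv/dev/plugins/Essentials/config.yml" bytes read {mb * MB} written 0')
    pid += 1
    lines.append(f"Mar  8 02:03:11 devbox sshd[{pid}]: Accepted publickey "
                 f"for dev1 from 192.0.2.44 port 40022 ssh2")
    lines.append(f'Mar  8 02:41:09 devbox sftp-server[{pid}]: close '
                 f'"/srv/dev/plugins/Essentials/userdata.tar" bytes read 1100000000 written 0')
    return lines


def parse(lines):
    """Return bytes read per (user, date) and the ordered (date, ip) logins per user."""
    sessions = {}                 # pid -> (user, ip, date)   [assumed mapping]
    read_by = defaultdict(int)    # (user, date) -> bytes the client fetched
    logins = defaultdict(list)    # user -> [(date, ip), ...] in log order
    for line in lines:
        m = SESSION_RE.match(line)
        if m:
            sessions[m["pid"]] = (m["user"], m["ip"], m["date"])
            logins[m["user"]].append((m["date"], m["ip"]))
            continue
        m = CLOSE_RE.match(line)
        if m and m["pid"] in sessions:
            user, _ip, date = sessions[m["pid"]]
            # "bytes read" is data served to the client, i.e. a download
            read_by[(user, date)] += int(m["read"])
    return read_by, logins


def flag_anomalies(lines, factor=10, floor=100 * MB):
    """Flag a day whose volume exceeds max(floor, factor * that user's median
    over their other days), and a login from an address new to that user.
    The per-user baseline is what keeps dev2's routine 80 MB/day quiet."""
    read_by, logins = parse(lines)
    findings = []
    by_user = defaultdict(dict)
    for (user, date), n in read_by.items():
        by_user[user][date] = n
    for user, days in by_user.items():
        for date, n in days.items():
            others = [v for d, v in days.items() if d != date]
            baseline = median(others) if others else 0
            if n > max(floor, factor * baseline):
                findings.append(("volume", user, date, n))
    for user, events in logins.items():
        seen = set()
        for date, ip in events:
            if ip not in seen:
                seen.add(ip)
                if len(seen) > 1:   # the user's first address is taken as known
                    findings.append(("new_source", user, date, ip))
    return findings


if __name__ == "__main__":
    for kind, user, date, detail in flag_anomalies(build_sample_log()):
        print(f"{kind:<10} {user:<6} {date}  {detail}")
```

    On the constructed log this reports one volume finding and one new-source finding, both for dev1 on the last day, and nothing for dev2 whose daily 80 MB is normal for dev2. The same two signals together (unusual volume plus unfamiliar origin) are what make a compromised developer credential stand out from a developer doing their job.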

  • Quote

    @wild1145#17548 It really wouldn't. It wouldn't have been hard to have denied any breach at all. UK law (which we are primarily governed by) has no requirement for disclosure in these circumstances. That's what the majority of companies do.

    The issue would've been that there would be even less confirmed information going around. For a lot of companies they're pressured to include responsible disclosure in their breach mitigation plan, because otherwise people hear "there was a breach," and don't understand what really happened.

    Quote

    @wild1145#17548 The dev server will always have "live" data as players are regularly invited to join the server for testing. While lessons have been learnt and when more information is known and confirmed, we will publish more information and cover off those lessons and the changes to be made going forward.

    Then you have a different explanation to why 7,932 player profiles have appeared in /plugins/Essentials/userdata at exactly 19:50:12 EST on 02/13/2021. All of THIS data shouldn't have been copied, but it was. Yes, there are 12 new profiles that were likely caused by the dev team. About votifier keys, this shouldn't be a problem because they were thankfully changed:

    Quote

    @redeastwood#17552 I changed these almost immediately.

    @wild1145#17548 The original announcement has all of the information known to date. Any information stated otherwise should be assumed to be false.

    Yet people don't assume things to be false, it should be partially your responsibility to spread real information so people don't need to guess. You did this well with the original announcement, I'm not really blaming you for this part.

    Quote

    @wild1145#17548 At this time there is no evidence to confirm this. We are still investigating the exact content of the breach and other content which may have been impacted. Right now you are simply adding to the misinformation...

    I guess a screenshot won't be enough to convince you that there are people who collect data breaches for their own OSINT:
    Screenshot

    Quote

    @wild1145#17548 At the current time we have consulted with the Information Commissioner's Office and they have confirmed, based off the data we have confirmed to be leaked, there is no requirement for disclosure to end users or to them. We've disclosed to end users because I personally believe that to be the right thing to do.

    I'm not well-versed in GDPR, but to my understanding, you'd need T&Cs regarding what data you collect on the forum, and who you share it with, although I might be wrong.

    Quote

    @wild1145#17548 I have and continue to do so...

    Well I guess so, it was my poor judgement in the middle of the night.

  • Quote

    @k3das#17553 I guess a screenshot won't be enough to convince you that there are people who collect data breaches for their own OSINT:

    Forgive me for asking, but I have no clue what you mean by "OSINT"

    assrix, assryx, asterisk, *

    awesomeist tf blokey

  • Quote

    @k3das#17553 Then you have a different explanation to why 7,932 player profiles have appeared in /plugins/Essentials/userdata at exactly 19:50:12 EST on 02/13/2021

    Would like to clarify that the last modified date isn't entirely accurate as I believe all of those files were modified after I used a /wildcard mail sendall command to send a fuckton of messages to every profile on the development server at that date and around the same time. Here's a screenshot from the exact moment I did it (date is in MST):
    https://videogamesm12.me/Dw2TrG4dzu1f.png

    This would also explain why some files in that folder still retain their original last modified date.

    Quote

    @k3das#17553 All of THIS data shouldn't have been copied, but it was.

    If it couldn't not be copied for whatever reason, the data should have been sanitized at the very least. Alas, we can't do anything about that now. I do agree that this situation could have been easily prevented.

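    The two posts above disagree about what the 19:50:12 EST timestamp on 7,932 files in /plugins/Essentials/userdata means: a bulk copy, or a plugin rewriting every profile during a mass mail. A quick check a practitioner would run is to cluster the directory's timestamps: a burst of files sharing one mtime points at a single bulk write, while the files outside that burst kept their original history. The inode change time (ctime) is a second clock worth reading alongside it: a plugin edit sets mtime and ctime together, but a timestamp-preserving copy (cp -p, rsync -a) leaves old mtimes and a ctime equal to the time the files landed on the box. The script below is an added example, not the forum's or TotalFreedom's code. Its sample entries are constructed: the mass-mail time is the one stated in the thread, the copy time and the file names are invented for illustration, and the 60-second window and 10-file minimum are assumptions.

```python
"""Cluster a directory's mtime and ctime values to separate one bulk write
from files that kept their own history.

Added example, not TotalFreedom's tooling. The sample below is CONSTRUCTED:
MAIL_TS is the time quoted in the thread, COPY_TS and the file names are
invented, and the window / min_count parameters are assumptions.
"""
import os
import sys
from datetime import datetime, timedelta, timezone

EST = timezone(timedelta(hours=-5))
MAIL_TS = datetime(2021, 2, 13, 19, 50, 12, tzinfo=EST).timestamp()   # from the thread
COPY_TS = datetime(2021, 2, 10, 12, 0, 0, tzinfo=timezone.utc).timestamp()  # constructed
ORIGIN = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()             # constructed


def scan_dir(path):
    """Return (name, mtime, ctime) for every regular file in `path`."""
    out = []
    with os.scandir(path) as it:
        for e in it:
            if e.is_file(follow_symlinks=False):
                st = e.stat(follow_symlinks=False)
                out.append((e.name, st.st_mtime, st.st_ctime))
    return out


def build_sample():
    """200 profile files copied in with preserved mtimes at COPY_TS; a mass
    mail then rewrites 188 of them at MAIL_TS (mtime and ctime both move),
    and 12 keep their original mtime with ctime still at the copy time."""
    entries = []
    for i in range(200):
        name = f"{i:08x}-0000-4000-8000-000000000000.yml"   # constructed UUID-style name
        if i % 17 == 0:
            entries.append((name, ORIGIN + i * 86400, COPY_TS))
        else:
            entries.append((name, MAIL_TS, MAIL_TS))
    return entries


def cluster(entries, key, window=60.0):
    """Group entries whose timestamp (chosen by `key`) is within `window`
    seconds of the previous one; returns [(first_ts, last_ts, [names])]."""
    groups = []
    for e in sorted(entries, key=key):
        ts = key(e)
        if groups and ts - groups[-1][1] <= window:
            groups[-1][1] = ts
            groups[-1][2].append(e[0])
        else:
            groups.append([ts, ts, [e[0]]])
    return [(a, b, names) for a, b, names in groups]


def bulk_events(entries, window=60.0, min_count=10):
    """For mtime and ctime separately: bursts of at least `min_count` files,
    and the names that fall outside any burst."""
    report = {}
    for label, idx in (("mtime", 1), ("ctime", 2)):
        groups = cluster(entries, key=lambda e, i=idx: e[i], window=window)
        bulk = [(g[0], len(g[2])) for g in groups if len(g[2]) >= min_count]
        outside = [n for g in groups if len(g[2]) < min_count for n in g[2]]
        report[label] = {"bulk": bulk, "outside": outside}
    return report


if __name__ == "__main__":
    # Pass a directory to inspect real files; otherwise use the constructed sample.
    entries = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else build_sample()
    for label, r in bulk_events(entries).items():
        for ts, count in r["bulk"]:
            when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
            print(f"{label}: {count} files in one burst at {when}")
        print(f"{label}: {len(r['outside'])} files outside any burst")
```

    On the constructed sample the mtime view shows one burst of 188 files at the mass-mail time with 12 files outside it, which is the pattern videogamesm12 describes, while the ctime view shows two bursts: the same 188, plus the 12 untouched files clustered at the (constructed) copy time. Run against a real directory, that second cluster is what tells you when the data arrived, independently of what any plugin did to mtime afterwards.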

  • Quote

    @k3das#17553 The issue would've been that there would be even less confirmed information going around. For a lot of companies they're pressured to include responsible disclosure in their breach mitigation plan, because otherwise people hear "there was a breach," and don't understand what really happened.

    I don't disagree, my point however does stand, I've disclosed the current information we have and that our investigation has been able to confirm. The investigation is ongoing, and rather than prevent conversation about it or flat out deny it happened (As has previously happened when most of this data was published under previous owners) I wanted to be transparent.

    Again I'll remind folks that nearly all of this information was already made public in a leak of server backup files, which was what allowed us to stand up TF when Seth deleted the files... I'm quite sure there wasn't the same level of due diligence performed then.

    Quote

    @k3das#17553 Then you have a different explanation to why 7,932 player profiles have appeared in /plugins/Essentials/userdata at exactly 19:50:12 EST on 02/13/2021. All of THIS data shouldn't have been copied, but it was. Yes, there are 12 new profiles that were likely caused by the dev team. About votifier keys, this shouldn't be a problem because they were thankfully changed:

    As I said, there is no current confirmed evidence that it is the case, I'm still working with my team to confirm what is accurate and what is not, and to establish what we know was taken, and to establish what could have been.

    Quote

    @k3das#17553 About votifier keys, this shouldn't be a problem because they were thankfully changed:

    A number of credentials that were originally overlooked or intentionally shared have been changed, I've been waiting for confirmation of this, the comment by RedEastWood should not have been posted as there was yet to be confirmation of them actually being changed. I hope to update people on the steps taken to date later today.

    Quote

    @k3das#17553 Yet people don't assume things to be false, it should be partially your responsibility to spread real information so people don't need to guess. You did this well with the original announcement, I'm not really blaming you for this part.

    I know, which again is why we've been mindful to publish what we know and can confirm when we've been able to do so. It's important we get this right and make sure we're complying with the relevant authorities as our investigation progresses. To date we've done that, and I expect the investigation will take some time yet to fully conclude. We have a number of lessons learnt we need to put into place before publishing any details on them, again to help make sure we're learning from this mistake.

    Quote

    @k3das#17553 I guess a screenshot won't be enough to convince you that there are people who collect data breaches for their own OSINT:

    As I say, it's not something we've been able to confirm and until I am able to confirm this as stated above, it should be assumed that speculation around data that might have been published is unconfirmed and potentially false.

    Quote

    @k3das#17553 I'm not well-versed in GDPR, but to my understanding, you'd need T&Cs regarding what data you collect on the forum, and who you share it with, although I might be wrong.

    The forums (Fortunately?) pre-date my ownership of the server, we've put steps in place where we can to make sure we're legally compliant, but ultimately it's another driver of moving off Flarum, because we just don't have a lot of info around what Flarum collects / needs to collect. If people have concerns over the data collected on the forums then they can reach out to informationsecurity@atlas-media.co.uk which is the current process for data protection queries around the forums while we work on putting a more formal and robust process in place, again part of moving to the new forums. We've got processes in place to comply with right to be forgotten requests, and subject access requests.

    Quote

    @k3das#17553 Well I guess so, it was my poor judgement in the middle of the night.

    It's fine, I appreciate this is a hot topic, and I appreciate there aren't a lot of answers right now, I want to give more answers, but I want to make sure I'm not going to be sat here retracting those statements because I didn't do the level of checking I should have.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK