On December 16, we were made aware that someone had recently gained unauthorized access to a database from forum.ethereum.org. We immediately launched a thorough investigation to determine the origin, nature, and scope of this incident. Here is what we know:
- The information that was recently accessed is a database backup from April 2016 and contained information about 16.5k forum users.
- The leaked information includes:
  - Messages, both public and private
  - IP addresses
  - Usernames and email addresses
  - Profile information
  - Hashed passwords:
    - ~13k bcrypt hashes (salted)
    - ~1.5k WordPress hashes (salted)
    - ~2k accounts without passwords (used federated login)
- The attacker self-disclosed that they are the same person/persons who recently hacked Bo Shen.
- The attacker used social engineering to gain access to a mobile phone number, which allowed them to gain access to other accounts, one of which had access to an old database backup from the forum.
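The breakdown above (bcrypt, WordPress/phpass, and password-less federated accounts) is the kind of triage a responder does over a leaked user table before deciding who to reset and notify. The following is an added example, not code from the Ethereum Foundation or the forum software; it classifies stored password verifiers by their on-disk format and assumes a constructed, entirely fictional user list. The format checks rely only on the public prefix conventions of bcrypt (`$2a$`/`$2b$`/`$2y$` plus a two-digit cost) and phpass (`$P$`/`$H$`), which is what WordPress uses.

```python
import re

# Constructed sample rows (NOT from any leaked data): (username, stored verifier or None).
# None / "" model accounts that only ever used federated login and have no local password.
SAMPLE_USERS = [
    ("alice", "$2y$10$" + "a" * 53),               # bcrypt, cost 10
    ("bob",   "$2a$12$" + "b" * 53),               # bcrypt, cost 12
    ("carol", "$P$B" + "c" * 30),                  # phpass (WordPress)
    ("dave",  "$H$9" + "d" * 30),                  # phpass, older "$H$" prefix
    ("erin",  None),                               # federated login only
    ("frank", ""),                                 # federated login only
    ("grace", "5f4dcc3b5aa765d61d8327deb882cf99"), # unrecognised legacy format
]

# bcrypt: $2<variant>$<cost>$ followed by 22 salt + 31 hash chars (53 total).
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# phpass: $P$ or $H$, one iteration-count char, 8 salt chars, 22 hash chars.
PHPASS_RE = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")


def classify_hash(stored):
    """Return 'bcrypt', 'phpass', 'no-password' or 'unknown' for one stored verifier."""
    if not stored:
        return "no-password"
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if PHPASS_RE.match(stored):
        return "phpass"
    return "unknown"


def bcrypt_cost(stored):
    """Work factor of a bcrypt string, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(stored or "")
    return int(m.group(1)) if m else None


def triage(users):
    """Count accounts per verifier format and list those whose password must be reset.

    Every verifier present in a leaked backup is treated as compromised regardless of
    strength: bcrypt buys time, phpass (MD5-based) much less, and an unknown format
    should be assumed weak. Federated-only accounts have nothing to reset but are
    still notified, so they are counted separately rather than dropped.
    """
    counts = {"bcrypt": 0, "phpass": 0, "no-password": 0, "unknown": 0}
    needs_reset = []
    for name, stored in users:
        kind = classify_hash(stored)
        counts[kind] += 1
        if kind != "no-password":
            needs_reset.append(name)
    return counts, needs_reset


if __name__ == "__main__":
    counts, to_reset = triage(SAMPLE_USERS)
    print("verifier formats:", counts)
    print("accounts needing a forced reset:", to_reset)
```

Running the block over the constructed list reports two bcrypt, two phpass, two password-less and one unrecognised verifier, and flags every account except the federated-only ones for a forced reset. In a real response the same pass would also feed the notification list, which, as the post says, includes the federated accounts too because their messages and profile data were exposed even though no password was.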
We are taking the following steps:
- Forum users whose information may have been compromised by the leak will receive an email with more information.
- We have closed the unauthorized access points involved in the leak.
- We are implementing stricter security guidelines internally, such as removing recovery phone numbers from accounts and using encryption for sensitive information.
- We are providing the email addresses that we believe were leaked to https://haveibeenpwned.com, a service that helps communicate with affected users.
- We are resetting all forum passwords, effective immediately.
If you were affected by the attack, we recommend that you do the following:
- Make sure that your passwords are not reused between services. If you have reused your forum.ethereum.org password elsewhere, change it in those places.
Additionally, we recommend this excellent blog post by Kraken that provides useful information about how to protect against these kinds of attacks.
We deeply regret that this incident occurred and are working diligently internally, as well as with external partners, to address the incident.
Questions can be directed to security@ethereum.org.