We’re working hard to restore services and protect our user data more effectively. We’ve determined those nickserv nicks ‘at-risk’ from the backup exploit and have begun e-mailing people with the following information. We appreciate your patience and apologise for the disruption, inconvenience and concern this hack has caused.
For clarification of what was accessed maliciously and what was *not* compromised please see earlier posts. Also for information about how we protect users personal logs where they choose to use them please see our response to questions at http://mibbitblog.blogspot.com/2011/08/in-response-security-and-logs.html
=-= e-mail sent to nicknames at risk from exploited backup -=-=-=-=-=-=-=-=-==-=-=-=-=
Important security alert regarding Nickserv credentials on Mibbit.com – please read.
Late yesterday (Aug 13) two Mibbit servers were hacked; our blog and a test/admin server. a set of nickserv credentials, from a January 2010 backup on the test machine, were accessed maliciously. Information was posted online, we acted quickly to bring the affected servers down and to remove the posted information, however, credentials used to register your nickname may have been accessed and shared including the email address, nickname and in many instances the nickserv password. We would urge you to review your password usage, especially on the e-mail account and any related systems making appropriate changes if necessary, particularly if your passwords have remained the same since Jan 2010 when the exploited backup was made.
Live systems and the Mibbit client were not compromised, nor was the main Mibbit account database, logon system or any user chat histories. These have remained secure and available.
Two of our servers were compromised and a backup of nickserv credential information removed.
What does this mean?
Your Mibbit IRC nickname and password are likely to be amongst those at risk. If you use these same credentials in multiple systems you should check and change them.
Nickserv does not provide access to your Mibbit account, prefs, logs or profile. These remain protected and available under your Mibbit account only.
What should I do?
If you think your e-mail or other accounts are at risk we strongly advise you to check those systems and take appropriate action.
Are any other Mibbit credentials or information at risk?
No. The main Ajax client, widget and main database are unaffected, any personal channel and PM logs stored by users remain secure and unshared.
Why were the credentials and passwords clearly accessible?
The credentials for nickserv have historically been stored on our IRC network services using the default configuration available at the time the service was started, this was a choice to allow the flexibility of having sendpass and auto-identify but putting in place controls to manage the risk against other compromises and exploits which have been seen. By putting an old nickserv backup on the less-secure machine (tools.mibbit) we failed to manage that risk, we are making many changes now to remove the possibility that this can happen in a similar way again.
What has Mibbit done to prevent my information being accessed like this?
The affected machines were taken down immediately, the links to data in information posted by hackers have been removed from the host sites and are no longer available. The security of our main systems has been checked and strengthened.
Our nickserv and chanserv services have also been rebuilt, recompiled and encrypted using a cryptographic hash function for passwords, services will be available shortly.
Where are further updates and help available?
Further updates are available on our blog at http://blog.mibbit.com and in our #help channel.
Will I be able to get my nick and channels back?
Yes, we will publish ‘how-to’ information as soon as the new encrypted services become available.
Please accept our apologies for placing credentials at risk in this way. However small the subset of data was we should not have placed it on a less secure test server. We will be instigating a full review of this incident, the mistakes which led to it and how the test server was compromised. This review will encompass not only our technology and security choices but our practices and procedures in defence of hacking groups.