In response: security and logs

Mibbit takes the security of its users’ data and connections to IRC networks extremely seriously.  That’s why the main Mibbit services were protected much more heavily than its blog and tools server and were not compromised.

The data that was accessed was on a server used for testing and, in hindsight, however old or small a “test” set it was, it shouldn’t have been there.  This was a personal PM log belonging to one operator account.  Its use for testing was an agreed deviation from recognised procedure; this will be reviewed and appropriate action will be taken to remedy the risk involved.

It’s been a long night and we’re sorry for the disruption and concern this hack has caused our users and the IRC networks they connect to.  We’re working hard to ensure no similar data breach occurs and to restore services and also the confidence people have placed in our IRC network and our Ajax client.

In response to many valid questions which have been asked:

1. Have live PM and Channel logs been compromised?

No.  Any logs our users have chosen to store in their Mibbit account are secured correctly.

2. What was the compromised PM log?

This was the private PM log of one Mibbit operator’s conversations with other users.  This log should not have been on a test server or used for testing.

3.  Does Mibbit log what everyone says to each other over Mibbit or on PM?

No.  Mibbit allows users to opt in to store their own channel and PM logs if they wish; only when the user has opted in does Mibbit allow them to store logs.  These are never shared or accessed inappropriately.

4.  Has the Mibbit Ajax client been hacked?

The Mibbit Ajax client has not been hacked or compromised.

Anope IRC nickserv and chanserv services have been compromised due to the hack and this is why they are currently offline.

In further clarification:

We do not keep logs of server connections, or channels joined.  Temporary lists of failed connection attempts are held for a short time anonymously in order to resolve compatibility issues.

In the main client (http://chat.mibbit.com/) registered users can opt in to keep personal logs of the PMs and channels they personally access.  Sharing PM or channel logs is not permitted or available.  Users can delete any PM or channel logs at any time.

When entering a channel, users may receive ‘recent chat’. This feature has to be enabled by channel operators (opt in) before it will work, and nothing is stored permanently.

We hope to restore services quickly and will be open and honest about this exploitation and what we’re doing to prevent similar occurrences which place at risk the trust which has been placed in the services.  We’re grateful for people’s patience at this time and would ask users, networks and IRC admins, if they have any questions which are not answered here, to get in touch via help@mibbit.com or our #help channel, where we will respond as quickly as possible.
