FurBuy down for 'months' after spat with security researcher
Furry auction site FurBuy remains offline, a month after it was abruptly taken down, leading to severe corruption of the 19-year-old site's database.
Site owners say May 23's emergency shutdown was intended to recover from a freeze triggered by a self-styled security researcher's access, and announced a months-long renovation.
The researcher revealed their involvement, claiming to have been blocked by FurBuy after contacting them on Twitter. They said they did not access the database, but that someone using the vulnerability they found would be able to do so - which is disputed by the site owners.
Modern database systems and server hardware are meant to cope with unanticipated downtime by writing to disk in such a way that the data can always be recovered to a consistent state; however, this requires appropriate configuration, and tends to decrease overall performance. It is also possible for hardware to fail under stress.
The last successful backup of the site was made in October 2017, but the lapse in backups went unnoticed after the death of long-time system administrator Mordrul last August, from thyroid cancer.
[The] attack locked up our database server while we were in the middle of performing an emergency database backup, and we required our on-site host to perform a hard reboot of the server. The combination of an old server, a very strong attack, and having to hard power-off the server during a backup caused the disk volume (hard drive) to become corrupted. We repaired the disk to the best of our ability, but the database was damaged irrevocably and all of our attempts to restore the database have failed. We were able to repair a few tables completely, most partially, and several others were completely lost.
[...] For now, we are retiring the old (very old) software we wrote (mostly in 1999) which means there will be no FurBuy for the time being. It's honestly amazing that the site was able to run for as long as it has on as old a system as it's on. The same physical hardware has been running the site since 2007 when we upgraded it from the original hardware it was built on. The database server was on its last leg.
Also, if it ain't broken, why fix it? That server ran the system for 12 years without issue. It was working fine until it was attacked. That's our fault?
— FurBuy (@furbuy) May 30, 2019
FurBuy claim users' own "personal data, emails, passwords" were not accessed, other than any personal data within images uploaded (not emailed) to the site.
While FurBuy did not dispute that source code containing credentials was accessed, they say that those credentials could not be used to reach the 3.5 GB site database without being in a certain location with VPN access. Regardless, passwords were stored using a possibly unsalted SHA-2 hashing function, which is not recommended for this role: a single fast hash with no per-user salt lets anyone holding the table test guesses at hardware speed and spot users who share a password.
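To make the hashing point concrete, here is an added example (not code from FurBuy or from this article) contrasting an unsalted SHA-256 store with a salted, iterated one. It uses only the Python standard library; the iteration count, the record format and the sample user table are assumptions chosen for illustration, not anything the site used.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed parameters for the salted scheme (constructed for this example;
# tune the iteration count to your own hardware budget).
ITERATIONS = 600_000
SALT_BYTES = 16


def sha256_unsalted(password: str) -> str:
    """The weak scheme: one fast hash, no salt.

    Identical passwords always map to identical digests, so a leaked table
    exposes shared passwords and can be cracked with precomputed tables at
    hardware speed.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_unsalted_table(table: Dict[str, str]) -> List[List[str]]:
    """Defender-side check on a leaked or legacy unsalted table: group users
    whose stored digests are identical, which means they share a password."""
    by_digest: Dict[str, List[str]] = {}
    for user, digest in table.items():
        by_digest.setdefault(digest, []).append(user)
    return [users for users in by_digest.values() if len(users) > 1]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from the
    standard library). Record format (assumed here):
    'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the check leaks nothing through timing."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample table: two of three users chose the same password.
    legacy = {
        "alice": sha256_unsalted("correct horse"),
        "bob": sha256_unsalted("correct horse"),
        "carol": sha256_unsalted("battery staple"),
    }
    print("shared-password groups in unsalted table:", audit_unsalted_table(legacy))

    # With per-user salts the same password yields unrelated records.
    a = hash_password("correct horse")
    b = hash_password("correct horse")
    print("salted records differ:", a != b)
    print("verify ok:", verify_password("correct horse", a),
          "wrong pw:", verify_password("battery staple", a))
```

The audit function is the useful takeaway for anyone inheriting an old store like this: if identical digests appear for different users, the table is unsalted, and the right response is to rehash every password on next login with a salted, iterated scheme (PBKDF2 here; bcrypt, scrypt or Argon2 are the usual alternatives) and force a reset for accounts that never return.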
FurBuy is not offering refunds of past subscriptions; rather, they are offering new subscriptions to the replacement site they promise to create, for which they are soliciting testers and say they have purchased 10U of hardware. Those wishing to obtain a refund regardless will have to consult PayPal's own terms for their jurisdiction to see whether they are entitled to one.
For now, it seems erstwhile competitor The Dealers Den and non-fan auction and social media sites are receiving the lion's share of FurBuy's traffic.