security

FA user suspended over alleged 'password harvesting'

Fur Affinity user Xaevo was suspended from the main site and banned from #furaffinity after being accused of password harvesting and insulting Summercat, a support administrator.

Xaevo posted a link in the chatroom to a site that he claimed would allow people to see their FA stats regardless of who they were logged in as. Summercat criticised the site for asking for users' FA passwords and requested that the site be taken down as it was phishing.

[14:18:14] <Summercat> Xaevo, please take it down.
[14:18:23] <Xaevo> no, i see no reason to take it down

Xaevo continued to protest the accusations of phishing, saying that phishing only applied when you were masquerading as a trustworthy entity. He maintained that his source code was public and did not save any passwords. When Summercat called it password harvesting, Xaevo called him a 'noob', and was banned from the chat room and suspended from the main site.

Update: 45 minutes later, Xaevo's suspension was lifted.

Rogue coder's attack takes F-List down

Furry roleplaying description site F-List is down after an attack from a disgruntled developer.

While the developer's SSH access had been removed, he regained access through a backdoor. The coder gave all users administrative rights, including access to email addresses and IP logs.

In a maintenance notice, F-List founder Hexxy urged calm:

F-List will be fine. The only interest we have is in bringing the site back up, and ensuring everything is secure. A former coder uses his access to F-List's servers to mess things up. No permanent damage has been done, but things are a little emotional right now. Don't do anything stupid, that doesn't help anyone, it just creates more damage.

Repairs to the site are expected to take at least two days, but a temporary copy is available.

Third-party tracking cookie removed from Flayrah

AddToAny – the blue + on Flayrah that allows you to share articles – adds an undocumented third-party tracking cookie (map.media6degrees.com) to aid behavioural advertising.

I have disabled the cookie and filed a feature request to disclose this option in documentation. Users concerned with privacy may consider opting out of behavioural tracking.

FurBuy back up after 'massive DDoS attack'

Furry auction site FurBuy has resumed service after going offline for the best part of a day.

FurBuy went down around 9PM EST Wednesday, due to what site owner Jurann called a "massive DDoS attack that exploited a vulnerability in the DNS hosting".

Fur Affinity comment hiding feature introduced, exploited

Security flaws in a feature introduced to Fur Affinity this week have led to the indiscriminate hiding of comments throughout the site, after an attacker exploited flaws in the comment system.

The attacker said their intention was to raise awareness of the issues, after being initially rebuffed by site coders. However, their actions hurt innocent users, including artists who found their commission references hidden.

Fur Affinity adds secure login; breaks SFW login

Furry art community Fur Affinity has implemented a secure login server. This should prevent computers on the same network (such as those on a hotel wireless system) from intercepting credentials, and deter some man-in-the-middle attacks.

The change comes shortly before FA: United – perhaps in the hope of avoiding a repeat of 2007's breach. Several other security issues remain.

The new login path does not work for the recently-added 'safe-for-work' subdomain. Users can manually load https://sfw.furaffinity.net/login and accept a certificate exception to log in; they must subsequently reload http://sfw.furaffinity.net/

Update: 'Safe-for-work' logins should be fixed in the next update.

Fur Affinity helps users fav, watch, delete each other's work

Online furry art community Fur Affinity took a step forward today, announcing a new way to fav posts, watch users and delete works.

Regular users welcomed the feature, which has been in testing for over a year:

Once, I actually had to get my friends to view my work. Now I just make a LiveJournal post, and *poof* – it's fav'd!

Those seeking friends may gain watchers in a similar way; those who feel a piece requires more work can just email its author to remove it.

SoFurry hacked; users advised to change passwords

Users of SoFurry and its predecessor Yiffstar are being told to change their passwords, as the site's MD5 hashes have been compromised. [gsw/furryne.ws]

Toumal admitted the site had been vulnerable for the past eighteen months, but said the "security hole" had been fixed. New passwords will be salted to reduce the damage of any future breach. He also cautioned against using the same password on different sites.

Furcadia suffers security breach

Furcadia players logged in early this morning were surprised to find a list of usernames, emails and passwords arriving through the online news channel.[1]

The person behind the attack - who identified himself as "Uildiar"[2] - claimed to have root access to the server on which Furcadia runs, and access to the game source code, though a subsequent post by Felorin suggested otherwise.[3] He also claimed to be behind past attacks on Fur Affinity.

The attacker's statements indicate that passwords were stored as the output of a SHA hash function with no salt. While this format does not grant immediate access, it is vulnerable to a precomputation attack. Reportedly many accounts using short or dictionary words as passwords - including some forum moderator and Dragon's Eye Productions staff accounts - were compromised, although some had already been changed.[4]

Furtopia hacked

Free furry web-hosting group Furtopia has been hacked and "destroyed" according to the website's administration. The website purportedly fell into the hands of splinter group LOLfurries, whose website was later suspended and then reinstated by its host a few days later. The forums were the only area of the website affected; the hosting remained unharmed.

FA, fchan and e621 attacked

Furry art communities Fur Affinity, fchan and E621 all went offline just prior to Christmas following an early morning distributed denial of service attack (commonly called a DDoS) against the three websites. Fur Affinity was back online by the evening of the same day, fchan was running with degraded functionality for roughly 24 hours and E621 was back online a few days later. The source of the attacks remains unknown.

Furtopia forums down after hack

The forums of online furry community Furtopia are down, and will not be restored in their current form, says site administrator WhiteShepherd.[1]

The site suffered several attacks believed to be rooted in vulnerabilities in the forum software, Ikonboard. A hacker reportedly vandalized the forums, defaced the websites of hosted furry artists, and ultimately erased the hard drive on which the site was stored. Just hours after a three-day rebuild following the attack, the site was "destroyed" again.

In his announcement, WhiteShepherd blames splinter forum LOLfurries for the attack, saying that "passwords and private messages" were stolen, and "re-posted on their forums in the interest of providing [them] amusement."

However, regulars of LOLfurries disclaim responsibility for the hacker's actions.[2]

DDoS attack on FA, Fchan, E621

A distributed denial of service attack struck furry art archive Fur Affinity and image boards E621 and Fchan on Sunday, lasting for several days. Fchan suffered from degraded functionality until early Monday morning,[1][2] while Fur Affinity's main site was mostly unusable until the evening of the same day.[3] E621 had returned by the middle of the week.[4]

The initial burst of traffic was via UDP, a protocol not typically used by web servers, but blocking such traffic only worked for a short time.[5] During the downtime, Fur Affinity popped up sporadically, with users reporting abnormalities such as getting logged in under other users' accounts.[6]

Flayrah.com Hacked

At some point last night, we were hacked. The hackers appear to have done little other than deface the index file. We're up and running again. Sorry for the downtime.

FurBid hit by worm again

Got this in my email around 1pm 5/21:

Hello,

This is an administrative message from FurBid:

We had a bit of unexpected down-time yesterday afternoon.
Somehow, the name server on Transform got re-enabled, allowing us to get hit by
the l10n worm again. We had to re-load from Saturday night back-ups, so
unfortunately, any bids placed between 8am and 4:30pm may have been lost.
Please, check any auctions that you have bid on between 5-19-2001 and
5-20-2001.

My sysadmin swears to me that yes, this time he has removed the vulnerable
server, and it will not be going back on. However, I have started an hourly
back-up of FurBid's data files, independent of his bi-daily backup. This should
never happen again.

Anyfur that was affected by this, please e-mail me at aatheus@transfur.com.
Please include your username, the auction # and category that was/were
affected, plus any other info that would help us re-construct your bid(s).
On behalf of FurBid, I apologize for the frustration this may have caused you
all. -Aatheus

Thank you and please tell a friend about us!

Sincerely,

FurBid