Fur Affinity attack results in privacy violations

Thu 23 Dec 2010 - 06:20
Fur Affinity users are demanding answers after intruders stole and posted private message histories of over 40 users, including site owner Dragoneer and several staff.

All regular administrative access has been removed, and Dragoneer says it will not be restored until all problems are found:

Until we're 100% sure that the entire admin backend is revised, checked, double-checked and triple-checked we're playing it safe

The leaked notes appear both authentic and comprehensive, dating back to 2005, and their contents are already the subject of widespread debate.

Many well-known members were marked as "deceased", had journals posted under their names, and had their galleries deleted during the attack. Screenshots from Fur Affinity's administrative forums, subsequently suspended, were also posted.

Initial comments suggested that a cross-site scripting vulnerability in the trouble ticket system was used to compromise an administrative account. However, it has also been suggested that passwords from last week's Gawker database leak may have been used to gain access.

Update (21 Dec): Dragoneer has posted more information, confirming the trouble ticket issue but denying Gawker's involvement.

Update 2 (23 Dec): Those directly impacted by the leaks have been offered a sponsor-level membership to FA: United 4.

Fur Affinity suffers from many long-running security issues. Just two months ago, a new feature was exploited to hide comments throughout the site.


First! Luckily I'm so boring I have nothing to hide.

Well obviously we have a hacker in Furaffinity, he's climbing in yo servers. He's snatching yo usernames up, trying to break 'em. So ya'll need to hide yo yiff, hide yo murr, hide yo scritches. Cause they hacking everybody up here.

At this point the Administrators have control, but unfortunately there is still information the hackers took which they're going to be leaking at a later period of time.

Wow you really missed the joke there buddy.

(Didn't mean to edit, meant to reply to my old reply)

EDIT: Yeah, I saw the Bed invader song like yesterday, I usually ignore the YouTube videos cause generally the masses love crap I don't want to watch. So the roo up there is an idiot.

Sounds like they're doing more than hacking everybody up here -- but I suspect with female victims, and how females are regarded in the fandom, no one will give a shit (and people are already doing the "its not rape rape" excuse, anyways). I suspect that story will just disappear. A male artist, a female victim? Guess who wins that fight in the furry fandom? We always lose. I'll never go to a con again. Neither will others, and all we've ever gotten was anger for it. No wonder there are so many zoophiles in the fandom -- dogs can't talk. "Bitches" can.

If you were a victim I would advise you come forth and try and press charges, and hope that it remains not posted on the internet for the whole world to bear witness to, unless that's what you really want.

I mean, I am fine this thing got out in the open, if the victim is fine with it, but sometimes the victim doesn't want that, and announcing it to the world as Lulz did is almost making them a victim again. Luckily the victim came forward and said she didn't know what to do and in hindsight it was a mistake to ask Dragoneer about this.

It was, but it wasn't her fault, it's really our society which doesn't teach even our young adults who are going into sexual maturity what to do if this awful event occurs. They don't tell you about rape kits, getting the police involved, how to best approach it so the bastard pays.

It's something that most definitely needs to change.

10 bucks says this is because of FA's recent ban fetish.

No. The userbase just really hates some people on FA.

I'd hate to say it but so long as Dragoneer is still a site owner is going to keep trying to ddos Fa.
He really really needs to think about what is best for Fa, either be owner of a site that at this rate won't last another month, or step down and keep the fandom together?

1) FurAffinity is not the furry fandom.
2) Reacting because of a DDoS attack sets a bad precedent, because the next time they want to violate Net Neutrality principles by trying to politically persuade by affecting speed of content, then they'll know it worked the last time.

FA is not the Furry Fandom? I'm sorry, it must be the Pokemon fandom or something, amirite?

Also this comment wins;

"By good job do you mean by him sticking his fingers in his ears and going "LAW LAWL LAWL" every time someone mentioned a serious security flaw?

It's a mess of their own fucking creation that many many many people warned against."

FA brought this on themselves. It's a good thing someone decided to give them a swift kick in their complacency.

I think it would have been a better thing if they didn't need it in the first place.

Well, it's certainly not the Sonic fandom anymore . . .

I think his point was that the fandom is more than FA, just as it is more than Anthrocon. While it can be nice to be all together, there are benefits to distribution, and one is that fans are not beholden to a single site's flaws.

"Well, it's certainly not the Sonic fandom anymore . . ."
And nothing of value was lost. ;3c

But I agree with greeny and Sonious (which fills me full of a great shame. J/k). Furaffinity, while better than the other furry art sites out there imho, is Not the furry fandom.
Don't get me wrong though, I think some serious changes need to happen around FA.

On a side note, Reaper, when are you going to open an art site. You can add it to your furry portfolio :p

Ummm... he's like one of the runners of Inkbunny :P

I did consider looking to take over an art site before I was invited to help moderate over at Inkbunny.

It's probably for the best that I didn't. I have a limited amount of time and web development skill.

Seems like FA is really getting reamed recently, you have to wonder how much longer it takes before they just decide to take the whole site offline till further notice. Security holes, losing their AP account, hacking. I mean, I know that furry sites are targets but FA is getting it about 10x worse. Either that or they're just the biggest so it's reported more. :/

I read this piece of news and I have this imagination of Dragoneer and other admin's private message cables being posted up on Wikileaks.

Except the DDoS attacks were against Wikileaks, not the organization that was leaked.

Dragoneer just posted more information about the attack on the FA LJ.

Those directly impacted by the leaks have been offered a sponsor-level membership to FA: United 4.

From Dragoneer's Twitter:

"@almightytora I would love to offer Super Sponsor, but FAU is on a different budget from FA, and super isn't something we can do.
6:07 PM Dec 22nd via web in reply to almightytora"

That's super-sponsor, not sponsor. They're different things. You need to go to more conventions. :-)

The word 'more' implies that I currently had a number that could be added to. Replace the 'more' to 'a' and you'll be all set.

Zero is a number!

Probably time to close my FA account (but I can't.) I would only use it for communications. As others said I feel FA is part of the fandom but smut peddling embarrassment and I cannot come up with one reason why I should defend FA and as far as my opinions go I would not call FA part of the fandom. If it goes away no love lost.
One problem is they have no means to deactivate and lock accounts.

You could always do as anyone else and make your page say you aren't there anymore, why would you need to lock your account from yourself? Unless you mean the whole shouts and comments thing, which there should be a way to lock that anyway.

If you can upload Youtube videos and deactivate comments, why not uploaded art?

I did not care about hard core porn especially the child porn, oh excuse me, cub art of interaction by a minor and minor or minor and adult. I pulled all my art out. I not like certain crusades, I left and felt making a big stink about fur affinity would be futile at best.

The problem is abandoned accounts are a back door for hackers especially if the address info was never updated; there

Um, Furaffinity banned cub porn... like a month ago. As far as porn goes, if you disagree with it then why did you join FA in the first place, it was kind of there to begin with?

First, glad to see someone has a news site up. You guys should contact me through my Furtopia page and see if we can't find some people to get together and wrap this and other furry sites up into a one-stop resource site.


Furaffinity got attacked, right as they suspended my account. I posted a trouble ticket because someone created an account solely to post hate speech about furries. Pinkuh answered the trouble ticket, saying the page didn't violate the TOS. I had previously (like 3 months before) posted a trouble ticket on Smash/Infocides posting comments, and avoiding a ban (he has several names he uses now, Smash, Infocides, Shooshooangel, bpetersxx, and many, many more). At some point in this mess, I called Pinkuh ignorant for not shutting down Smash's hack accounts (he uses IP blocking software to avoid IP bans). He then responded to my trouble ticket about the fur-bashing FA account and said it didn't violate the TOS. I reiterated my assessment of his ignorance and posted a copy of the TOS which clearly stated hate speech was not permitted. He then proceeded to suspend my page for "harassing speech." Now, I'm sorry, but how can a PROFILE contain harassing speech? Unless you consider my opinions about Dragoneer and facts about Smash as harassing, my profile was not in violation of the TOS.

Dragoneer is a man who is so full of himself, it's not funny. He has a secret security clearance, yet commits fraud by seeking donations and claiming FA is non-profit (it is clearly not, as it is owned by Furrox LLC, a FOR PROFIT corporation.) What bothers me is that Dragoneer is obsessed with both cub art, and zoophilia. He will ban anyone from the site for even a hint of zoophilia, despite it not being illegal in most states in the US; yet cub porn, which is illegal in the United States under 18 USC 1466a, was only recently banned, and only because of financial reasons. Combined with his comments on Tora's page, leads me to believe some pretty disturbing things about him, which are very well backed up by his promotion of criminal activity on Furaffinity. I'm not saying he is this or that, all I AM saying is that for anyone who wishes to make that assumption, or leap, or conclusion, the evidence is all right there. He is popular solely because of Furaffinity, period. But he runs the site so badly, it's not funny. He makes himself quite the target.

I despise Furaffinity a great deal. I am not capable of launching any kind of hack against the site, nor would I because of my ethics. But dayamn; if I can hate on FA so much for all the right reasons; why wouldn't hackers, many of whom consider themselves to be revolutionaries, protecting us from bad people - or something like that.

FA deserved the attack. And FA users deserve everything they get from the site, its lack of security, its crappy admins, the constant harassment, libel, and more; and they deserve it because they tolerate it and promote it.

I myself am trying desperately to create a site to replace FA and other art hosting sites. I believe users should have full control over content on their own pages, and not have to take extra steps to prevent harassing comments, etc. I also despise how poorly run FA is and have an idea for better infrastructure. But I don't want credit for this, I just have an idea of how to give furries something better, and how to keep the furry fandom from degrading even further than it has.

Bleah. This shouldn't be so stupidly dramatic.

For the record, I will not be monitoring this post or site, so don't expect me to converse or otherwise further participate.

I was going to reply to Sonious above, but the site's code is FUBAR. Here is my reply...however...

I beg to dispute your assertion here. Furaffinity disallowed cub porn at first. All who came to Furaffinity at the time knew it was banned, and by signing up, agreed to "censor" it from the site. Then members started complaining, later, that it was unfair that cub porn was banned, calling it censorship. Well, it was censorship that, by signing up for the site, they agreed to.

FA was already growing so fast that it had become a mainstay of the furry fandom. In legal terms, it was no longer a choice. The momentum of the fandom flocking to Furaffinity meant they could make whatever rules they wanted, and no one could do a thing about it. This is only partially the fault of the ignorant masses. Furaffinity capitalized on it at the worst, and at the very least, did nothing to stop it. And even with cub porn allowed, people, myself included, could not refrain from using Furaffinity if we wanted market exposure for our financial needs of furry resources (I make fursuits.)

Now, FA has reversed, and for the most pathetic reasons: financial. This may actually be my doing - an effort I DID undertake. I contacted Disney when I noticed a great deal of Disney-based cub porn being displayed on FA. I contacted Disney, advised them of 18 USC 1466a, and suggested that legal means could be used to prevent FA account holders from posting parody of their work through pressure on FA's holdings via the child pornography law. Mind you, I disagree both with Disney's persecution of parody that is perfectly legal, and I believe that 18 USC 1466a is both wrong, and unconstitutional. But I find it well within my ethics to utilize this practice by Disney, and this law, as a means by which to affect change: to get Furaffinity shut down, or to otherwise wake people up to how Furaffinity contributes to the degradation of the furry fandom through promotion of trolling, harassment, libel, and most importantly, the culture of "ooh, nice artwork" commentary in place of true criticism; which leads to the factual degradation of the quality of artwork (and never mind that all the other stuff drives good artists away, a fact I have witnessed personally on numerous occasions.)

In many ways, Furaffinity IS the furry fandom. And that is wrong. Yes, there can be one site that provides a single portal into the fandom, or a single set of resources; but that site should NOT be run by a self-centered egomaniac (I would much prefer an altruistic megalomaniac, thank you). It should be run BY the fandom and FOR the fandom, and I think furries should play a role in running it.

So please Sonious, don't be so quick to judge people for joining FA even when it allowed cub art. If you want something that isn't available anywhere else, what choice do you really have? One person's choice not to join FA does not make for a good protest.

...I noticed that the site is run by GreenReaper. Forget what I said about working together. GreenReaper has proven himself to be no better than Dragoneer. He runs WikiFur for his own benefit, and makes up the rules as he goes. He promotes harassment and libel. He is just as much a criminal as Dragoneer.

I wonder when this site will be hacked.

No offense, but if you ever had a site I probably wouldn't visit it, and if I did I probably be on it for long. It seems to me your idea of "harassment" and "libel" are so paper thin you'd probably only end up having a website of yes-men eventually. You seem to have an all or nothing idealist mentality, that if there is a little sin in the group then everyone deserves what they get. By that logic why stop at FurAffinity? Why stop at furry? Why not go for all of humanity?

Because someone in this world is a brutal dictator, all human beings deserve to fall on their knees to them, to be slayed because they are all equivalent to the dictator for sharing a planet with them? Because someone is using a service means they agree with everything the people running that service have to say? Because I'm a resident of the US means I agree with everything politicians do with my name?


The answer to those questions is no. I wouldn't have frowned upon this action as much if it only affected Dragoneer and those making the decisions that led to this outcome, but others, who also don't get along with Dragoneer that well were affected.

To me I've seen the use of libel and harassment has been used so much, it's almost become an act of terrorism used to try and frighten people from speaking their mind. Used to slander others whose only crime is speaking their mind, even if their opinions are sometimes factually askew.

In fact, you stated "What bothers me is that Dragoneer is obsessed with both cub art, and zoophilia."

Since Dragoneer has not been shown to have gotten off to animals, or had sex with them, nor has he been charged with related crimes, I think it kind of makes you hypocritical to your own set of ideals. If you don't want to see people make baseless accusation, maybe you shouldn't either.

I'm guessing this is about FurFest Northwest? My only edit to that article was add the guests of honour.

You came in, didn't like what you saw, made a legal threat on the talk page. Funny how history repeats itself.

A wiki is far more than its founder, just as a convention is far more than its chair.

An expert "Slander lawyer" accusing everyone of slander slanderously?

Isn't that ironic...

