Fur Affinity restoring from six-day-old backups after server compromised; site source code distributed at BLFC
I'm hoping @furaffinity's data is still safe. Just before it went down, every submission I tried to view said "submission not in database"
— Alioth Fox (@AliothFox) May 17, 2016
Update (21 May): FA returned for a day, but is now in read-only mode. Passwords were said to be hashed and salted, but if you've used the same one elsewhere, now is the time to change it to be unique per-site.
Update 2 (23 May): Fur Affinity has returned; however, all passwords have been reset, which is causing problems for those with an old/invalid email address.
FA users took to Twitter and the Fur Affinity Forums looking for answers – which appeared to have been preemptively provided by a post asking "What would you do if you found an exploit on FA?", posted last Sunday on the Phoenixed Forums. However, more recent posts by the original poster disclaim responsibility.
The majority [of the site's data is secure], yes. The backup we have is 6 days old. We're still going through and trying to determine the extent of the issue, and once we have more information, we'll post it publicly and give a full, transparent run down of what happened.
Staff have since "restored a majority of the content which was lost" and are continuing their security audit.
We had to pull Fur Affinity offline temporarily. We will provide more information on the downtime once we are able to do so.
— Fur Affinity (@furaffinity) May 17, 2016
@furaffinity yeah so the "User does not exist!" error was given to me on my own page, which does (did?) exist. Really wondering what's up.
— Ray Uildriks (@TuxedoDemon) May 17, 2016
Somebody got the source code through the ImageTragick exploit (which we patched on May 5th). We assume they put them on flash drives and distributed them out, or left them in public places hoping for them to be found. We don't really have any other information.
One of the BLFC security staffers found the drives and notified an FAU staffer who was at the con, and we were able to get a copy of the contents sent over via Skype to start analyzing.
Flash drive said by Dragoneer to contain Fur Affinity source code. Several were found at BLFC.