Skeptical Science hacked, private user details publicly posted online

Posted on 25 March 2012 by John Cook

Sometime over the last few days, the Skeptical Science website has been hacked. The hacker has taken much or all of the Skeptical Science database, zipped various excerpts into a single file, uploaded the file onto a Russian website then linked to the zip file from various blogs. While we are still attempting to verify the authenticity of the file, initial scans seem to indicate the hacker has included the entire database of Skeptical Science users. Access to the full database (which includes private details) is restricted only to myself and I am the only one with access to all of the raw data - this fact alone indicates that this breach of privacy came in the form of an external hack rather than from within Skeptical Science itself.

Of great concern is the fact that the hacker has published personal details such as emails and IP addresses of each user. Many users for various reasons have posted under pseudonyms and the Skeptical Science Comments Policy forbids cyberstalking. Consequently, that the private details of every Skeptical Science user has been stolen and publicly posted is a deeply regretable and unfortunate occurence.

Although user passwords are encrypted in the database, it is unknown whether the hacker has been successful in decrypting passwords. As a safeguard, it is highly recommended that everyone update their user passwords. You can do this via the Update Profile form.

Rest assured, we are working hard to upgrade Skeptical Science's security in order to more robustly protect users' private details. We are also in the process of soliciting legal advice on these matters and contacting the appropriate authorities. We would like to thank those who have come to us with information about this hack and those who have decided against spreading the aforementioned files (e.g. Anthony Watts). We all believe that protecting the privacy of individuals is of the utmost importance and we would hope that all illegally obtained documents and files are removed from uploaded servers and disposed of.

UPDATE: Anthony Watts has since reneged on his pledge to not use illegally stolen private correspondance and has posted excerpts on his website.