Hello everybody, welcome back to the Shroomery! We're so sorry for the delay!



Q: Why was the site down?



A: We got hacked. An attacker stole a copy of our e-mail server's database.



Q: How did it happen?



A: The Shroomery uses a separate server for hosting uploaded files, like images and attachments. An attacker discovered a vulnerability on that server. It allowed them to upload a specially crafted file which appears to be a valid image, but also contains executable code which could be run remotely. They were able to install a web-based file manager and retrieve an unencrypted backup of our mail server database which was stored on that machine. Once they had access to the e-mail credentials, they were able to request a password reset on the forums and vandalize the site using my own account. Pretty embarrassing, but it also got our immediate attention and limited the scope of the attack.
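The first weak link above (a file that passes as an image but carries server-side code) is the kind of thing an upload endpoint can screen for. This is an added example, not Shroomery code: it identifies the type from the file's own bytes, requires the extension to agree, scans for script openers, and for PNG walks the chunk list so that bad CRCs or bytes appended after IEND are rejected. The sample files are constructed inline; the marker regex and reason strings are assumptions of this example.

```python
import re
import zlib
# Leading bytes ("magic") each accepted image type must start with.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
# Server-side script openers have no legitimate place inside an image upload.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script", re.IGNORECASE)

def sniff_type(data):
    """Identify the image type from the bytes themselves, never from the filename."""
    return next((k for k, m in MAGIC.items() if data.startswith(m)), None)

def png_is_well_formed(data):
    """Walk the PNG chunk list: every CRC must verify and nothing may follow IEND."""
    pos = 8  # skip the 8-byte signature
    while pos + 12 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4 or zlib.crc32(ctype + body) != int.from_bytes(crc, "big"):
            return False  # truncated or corrupted chunk
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)  # bytes appended after IEND are a polyglot tell
    return False  # IEND never seen

def check_upload(filename, data):
    """Decide whether an upload may be stored; returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    kind = sniff_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if kind != ext:
        return False, f"extension .{ext} does not match content ({kind})"
    if SCRIPT_MARKERS.search(data):
        return False, "script marker embedded in image data"
    if kind == "png" and not png_is_well_formed(data):
        return False, "corrupt PNG structure or trailing data"
    return True, "ok"

def png_chunk(ctype, body):
    """Assemble one PNG chunk; used only to construct the sample files below."""
    return len(body).to_bytes(4, "big") + ctype + body + zlib.crc32(ctype + body).to_bytes(4, "big")

# Constructed samples: IHDR + IEND only (enough for the structural check), the same file with a
# script opener smuggled into a tEXt chunk, and the same file with bytes appended after IEND.
IHDR = (1).to_bytes(4, "big") * 2 + b"\x08\x02\x00\x00\x00"
CLEAN_PNG = MAGIC["png"] + png_chunk(b"IHDR", IHDR) + png_chunk(b"IEND", b"")
MARKER_PNG = MAGIC["png"] + png_chunk(b"IHDR", IHDR) + png_chunk(b"tEXt", b"Comment\x00<?php") + png_chunk(b"IEND", b"")
TRAILING_PNG = CLEAN_PNG + b"\x00" * 16
```

MARKER_PNG has valid CRCs and a proper IEND, so the structural walk alone accepts it; that is why the marker scan is a separate step. Screening does not help if the web server will execute files in the upload directory, so the stronger setup is to re-encode every image with an image library and serve uploads from a host that runs no scripts.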



Q: Why did this happen?



A: It appears we were not a primary target. Our attacker originally set out to hack spore vendors, blackmail them, and exploit any opportunity to steal their website traffic, business records, and cryptocurrency. When one of our sponsors refused to give in to extortion, the attacker wanted to damage their business. One way of doing this was to gain access to the Shroomery and change all the sponsor's links to point to a sketchy competitor. Once the attacker found an exploit on our site, they tried to blackmail us too, but I don't think this was their original goal.



Q: Are Shroomery members at risk in any way?



A: If you ever had an e-mail account hosted by us @shroomery.org or @growery.org and you re-used your e-mail password for other websites or services, you should immediately change this password anywhere else it was used. Even if your e-mail account is no longer active, a file may now be floating around which contains your old Shroomery e-mail address and the most recent password you used for that account. We sincerely regret this lapse in security and we have completely transitioned our e-mail services to a specialized professional third party to prevent anything like this from happening again.



Other than that, the risk should be minimal. Forum accounts were not affected, unless you happen to have the same password as your e-mail account. Our old mail server is no longer accessible from the internet and the only e-mail account the attacker actually logged in to was my own. All sensitive information and destructive admin functionality is locked behind additional layers of security, so even using my account, they couldn't read sensitive posts in the admin forum or access any powerful administrative tools.



Now that we're back online I expect our attacker will be closely scrutinizing our infrastructure and looking for new exploits. That's not unusual - we're constantly getting poked and prodded by people trying to find vulnerabilities - but now it may be more of an enticing challenge. We've locked things down as best we can and we'll be keeping a close eye on the situation.



Q: So if it wasn't the hack of the century, why did it take so long to bring the site back online?



A: Well, we didn't want to half-ass it. For the server that got hacked, we opted to replace it entirely which was a bit of an ordeal. We also had to carefully audit the rest of our infrastructure and make sure it wasn't vulnerable to the same class of exploit. And we had to investigate some claims made by the attacker about different vulnerabilities they'd discovered. And migrate e-mail to a separate platform. And update our scripts to work with the new setup. And address some other outdated and lapsed security practices. There were a million small but time-consuming details before we felt comfortable bringing the site back online.



Also, we just weren't really anticipating this. With planned maintenance, we always try to perform it seamlessly behind the scenes. But in an emergency, we have to bring the site offline immediately, and keep it down while we take care of all the required work and testing.



At the end of the day this is a niche site with limited revenue potential. We can't afford professional full-time administrators. None of the admins are employed by the Shroomery as their main job. We're all approaching middle age and have our own real-life obligations. Once the immediate threat was contained, we stopped working so frantically and just did the best we could in the free time we had available. We regret if this impacted anyone who was relying on the Shroomery for time-sensitive information.



Q: Why didn't you post more updates? People were getting worried!



A: Yeah, we didn't do a great job with communication this time around. We got some information out on Twitter and Facebook, but it wasn't a very high priority, and when we had time we were mostly focused on getting things fixed. Frequently we just didn't have anything to report except "still working on it, ETA undetermined". But I recognize that's still better than nothing. Next time we're facing prolonged downtime, we'll provide more frequent updates directly on the site's front page.



Q: When I click on an image or try to download an attachment, it doesn't work?



A: We're still transferring data to the new file server. Rather than wait any longer, we decided to bring the site back online with some uploads missing. No data was lost. The files will finish transferring over the coming week. Newly uploaded files should appear immediately.



Q: I just bought a supporter account from the new Shopify store. Did I lose all the time the site was down?



A: No, all supporter accounts have been credited for the downtime.



Q: I can't access my Shroomery e-mail account anymore?



A: For now, the Shroomery is no longer providing hosted e-mail as an extra feature for supporters. We may re-visit this in the future but we don't want to offer functionality if we can't keep it properly maintained and secured. Because the store has been offline for so long, most supporter accounts are technically expired and were on borrowed time anyway. If you are one of the few people who purchased a supporter account from our new Shopify store during the brief period it was online, you may open a support ticket and request a refund if you feel your supporter account no longer provides a good value. If you had important e-mail stored on our server, please open a support ticket and we can send you an archive of your old messages.



Q: So everything's fixed now?



A: Fuck, I sure hope so. We made some substantial changes and it's possible there are some bugs, but hopefully nothing major. If you notice a problem, please give it a minute or two and see if it's in the process of being fixed, otherwise please report it and we'll give it our immediate attention!



Q: How can I help support the site in the wake of this attack?



A: I love our community, and the fact that I anticipated this as a frequently asked question. You already gave us your patience, and that's really all we needed. Please just stick around, remain active on the site, and help us get things back to normal!


