Select rating Poor Okay Good Great Awesome Your rating: None Average: 3.7 ( 21 votes)

I'm hoping @furaffinity's data is still safe. Just before it went down, every submission I tried to view said "submission not in database" — Alioth Fox (@AliothFox) May 17, 2016

Fur Affinity has been "pulled offline temporarily" after users' accounts and submissions went missing.

Update (21 May): FA returned for a day, but is now in read-only mode. Passwords were said to be hashed and salted, but if you've used the same one elsewhere, now is the time to change it to be unique per-site.

Update 2 (23 May): Fur Affinity has returned; however, all passwords have been reset, which is causing problems for those with an old/invalid email address.

It has been confirmed that an exploit was used to copy Fur Affinity's source code, later distributed at Biggest Little Fur Con. A subsequent attack deleted user profiles, submissions, and watches.

FA users took to Twitter and the Fur Affinity Forums looking for answers – which appeared to have been preemptively provided by a post asking "What would you do if you found an exploit on FA?", posted last Sunday on the Phoenixed Forums. However, more recent posts by the original poster disclaim responsibility.

The recent "ImageTragick" vulnerability in widely-used processing library ImageMagick was soon turned into an exploit and has been identified by FA as the original attack vector.

Fur Affinity community manager Dragoneer reports that backups exist, but are six days old:

The majority [of the site's data is secure], yes. The backup we have is 6 days old. We're still going through and trying to determine the extent of the issue, and once we have more information, we'll post it publicly and give a full, transparent run down of what happened.

Staff have since "restored a majority of the content which was lost" and are continuing their security audit.

Traffic on Inkbunny and Weasyl spiked 40% on the news, while Furry Network removed its invite requirement for registration earlier today.

We had to pull Fur Affinity offline temporarily. We will provide more information on the downtime once we are able to do so. — Fur Affinity (@furaffinity) May 17, 2016

@furaffinity yeah so the "User does not exist!" error was given to me on my own page, which does (did?) exist. Really wondering what's up. — Ray Uildriks (@TuxedoDemon) May 17, 2016

@durangodingo @furaffinity I didn't do anything. I refreshed the page and then it said "Fatal System Error" on my own page. — Birthday Hybrid (@RedMercury7192) May 17, 2016

@Sixelsixel @furaffinity it logged me out, said my username didn't exist, and suddenly it was down. Oh FA. So reliable :'D — Nathaniel Manns (@NateAnimate) May 17, 2016

Somebody got the source code through the ImageTragick exploit (which we patched on May 5th). We assume they put them on flash drives and distributed them out, or left them in public places hoping for them to be found. We don't really have any other information. On of the BLFC security staffers found the drives and notified and FAU staffer who was at the con, and we were able to get a copy of the contents sent over via Skype to start analyzing.

Flash drive said by Dragoneer to contain Fur Affinity source code. Several were found at BLFC.