
Security Incident and Site Rebuild (September 2019)

admin

Administrator
Staff member
On September 25th 2019, vBulletin (the forum software Zooville had previously been running) announced a critical security vulnerability in their forum software. Zooville staff had planned to install a security update shortly after learning about the issue; however, our site was attacked quickly and our database was compromised. It is known that the attacker made off with at least the users table, containing user email addresses, password hashes (NOT plain text passwords), and last logged-in IP addresses. While vBulletin uses a strong password hashing function which is considered rather secure, it is theoretically possible, given enough time and computing resources, to brute force these password hashes. Because of this we highly recommend you change your password immediately on any account that uses the same email and password combination!

After this incident, and after reviewing the security exploit itself, Zooville staff has lost confidence in vBulletin as a software package and has migrated to XenForo. We've made the decision to start from scratch: neither users nor posts will be migrated from the old forum, and you will need to sign up for a new account. Data from the old forum still exists, and we're currently investigating how to bring it back online as a read-only archive so users can still access their data and migrate it to the new forum. This will, however, take a back seat to getting the new forum up and running.

We'd like to take this opportunity to apologize to the community for this breach of both trust and security. Zooville staff takes security very seriously; unfortunately, it isn't always possible to protect against previously unknown security vulnerabilities like the ones we were attacked with.
 

dogluver101

Give a dog a bone
Staff member
We have put in some Frequently Asked Questions. For any other questions, please feel free to ask away in this thread.


Q: Can they use the breached database to access the old site or this new site?
A: No. We have made the old forum "read-only" and it is only up temporarily for users to gather content of theirs to transfer here, such as stories, educational posts, etc. We do recommend using a new password if you signed up on this site with the same password. We do recommend using a password manager to help with creating a strong password. This isn't required, but it is something useful to help with generating strong passwords.

Q: Has anyone been doxxed?
A: Not to our knowledge. As they are only known to have accessed the users table, anything regarding posts, messages, etc. was untouched. Anything after that we're not sure of. As stated, if you used the same email and password anywhere else, it is strongly recommended to get them changed.

Q: Was the Zooville Chat accessed?
A: No. Zooville's chat is on a separate server and runs completely different software. No information was breached. However, if you used a password on the site and the same on the chat, we STRONGLY recommend changing your password on both platforms. To change your password via the chat, if you're logged in via the web, click on your name in the top right corner and a drop-down box will appear. Click on "Settings" and you should see text boxes with "Current password" and "New password". Enter your current password and a new password you would like to use. REMEMBER: If you forget your password, it may not be possible to get a reset... Please contact dogluver101 if you forgot your password, and I can attempt a reset if possible.

Q: Why did it take so long to tell us?
A: We wanted to investigate and ensure whether anything was compromised after this attack before just doing an update and going on like nothing happened. When we first discovered this attack, we were quick to take down the site to prevent any further access to gain extra information. We didn't want to leave members out without answers by simply saying there has been an attack, but at least gather answers for our members and provide them all at once for everyone to go over.
 

ZTHorse

Administrator
Staff member
There are more details I would like to add to these previous posts.

1. The vBulletin bug was documented here, and affected over 30,000 vBulletin sites in the same zero-day attack. We were not the only site to be zero-day attacked by this bug.

Here is the news release about vBulletin's bug

2. Prior to this attack, when forming the forum originally, the team reviewed the history of vBulletin's ability to withstand bugs, and upon seeing other large corporations using the software, such as Valve's Steam, Sony Pictures, etc., we felt the security model would suffice. However, after seeing such a basic and easy attack vector, we could no longer continue to use vBulletin.

3. IP sweeps were done on a weekly basis on the old vBulletin; if you were not logged in within one week, you had no IP data to leak. In advancement of this security measure, we have lowered the IP sweep rate to 24 hours. If you haven't logged in within 1 day, your IP data is deleted and there is nothing to leak.

4. As a precaution, on the old site, we recommended users make their accounts with a ProtonMail email account. Anyone who used this service was provided MUCH more protection from any possible links to their IRL persona, as they could not connect them with the anonymous email provider.

As such, we are now making it a REQUIREMENT to use a ProtonMail account to sign up for Zooville. In case there is ever a data breach from a zero-day attack or bug in the software, the database will only consist of anonymous email addresses not tied to anything public. This way a data breach would have negligible impact on a person's persona IRL.
 

CetaceanLover23

Citizen of Zooville
I’m okay with starting from scratch. But I do have to thank the administrators and moderators for fixing the problem. I personally feel indebted to you. Thank you.
 

bobdobbs

Tourist
Any idea where the attack came from? I am curious how targeted it was, I know there are people out there that really want to harm us :(
Thank you for getting back up and running on a whole new platform so quickly!
 

thebestguy

Citizen of Zooville
Not going to lie... This fucking sucks... Hope you guys are able to get the old forums up and running again even if only in read only. Would hate to have to repost everything from scratch...
 

zaxaca

Tourist
It was kind of expected, some people just love targeting minority communities for fun. They probably know it's hard to live when you can't talk with people who think alike, so it's probably their way of "killing people they don't like".

Ok, while I think it's essential that people don't use the same Google account that tracks all their life to register here (Google knows anyway since you have this mandatory captcha service installed), it's much more important with relation to the other accounts linked to that email, since it can be public information for anyone to see. And I don't think ProtonMail can be any better for anything; I mean, we already had the Lavabit case before, and it can even be hacked like any other (well, it's probably harder to hack Google).

Well, anyway, I just wanted to tell you, I appreciate your hard work. Keep it up.
 

cheval

Moderator
Staff member
Any idea where the attack came from? I am curious how targeted it was, I know there are people out there that really want to harm us :(
I don't think that ZooVille was a specific target.
When the exploit was released, "hackers" searched for random targets through Google.
They just have to search for "Powered by vBulletin".
 

redxiii

Lurker
@admins:
I can imagine this whole incident ruined your weekend.
So let me just thank you and let you know that I appreciate what you're doing to keep this place running.
Is there a way to donate yet? Yeah, I'm a lurker but at least I can buy you a beer ;)
 

Tofudebeast

Tourist
I don't think that ZooVille was a specific target.
When the exploit was released, "hackers" searched for random targets through Google.
They just have to search for "Powered by vBulletin".
Agreed, quite possibly the hackers may not have even spoken English and been completely unaware of the topic of the board.

Not ruling out a personally targeted attack (and/or subsequent usage of the stolen data), just pointing out that it's relatively unlikely.
 

Tofudebeast

Tourist
Also it would be very wise for members to enable two-factor authentication (2FA) in both this new board software and in ProtonMail. Preferably getting codes via an authenticator app (e.g. Authy/Google/Microsoft) instead of via e-mail.
 

zaxaca

Tourist
Agreed, quite possibly the hackers may not have even spoken English and been completely unaware of the topic of the board.

Not ruling out a personally targeted attack (and/or subsequent usage of the stolen data), just pointing out that it's relatively unlikely.
Have you heard about kiwi farms?
Also it would be very wise for members to enable two-factor authentication (2FA) in both this new board software and in ProtonMail. Preferably getting codes via an authenticator app (e.g. Authy/Google/Microsoft) instead of via e-mail.
Very unwise, really. Imo, ofc.
 

zaxaca

Tourist
Yes, but that kind of targeted attack surely stands out as the exception rather than the rule?



How come?
This place was the first thing I thought of when I heard about that vulnerability. And I'm not really active or anything, I don't come here too often. Guess I was right.

Two-factor authentication helps to reliably tie your every trace to your online profile (and your online profile to your physical location and all your possessions); who knows when this shit is going to become illegal or leak to the public. This is off-topic, sorry OP.
 

vic96

Citizen of Zooville
wow!! sorry you guys had to deal with all of that and thanks for all your hard work! I'm glad you're back 💕
 

zaxaca

Tourist
What about members reputations etc it wouldn’t even let me in and I had to reregister 🤬🤬
Calm your tits, dear friend, I feel where you come from. It was a separate database and got compromised. While it should be possible to transfer everything to the new one, I guess you can't do it that easily since it's very complex software. And if it utilizes a different method to store your credentials, you wouldn't get your old account anyway.

Also, karma whoring is a sin.
 

bobdobbs

Tourist
Two-factor authentication can be completely anonymous and offline; most authenticators just use a rolling code based on a pre-shared key and an internal clock, but it's not needed for something like a web forum IMO.

The best advice is to use a unique, long random password and a unique username with a random email. I'm glad we require a protonmail for the forum now, don't reuse it for anything else.

If someone is cracking all the encrypted passwords and you have reused your username and password elsewhere on the internet, you can bet they'll google your username and try to access your other accounts to see if they find anything interesting. It's incredible how much effort some people will spend connecting the dots and following the path back to a real identity, either to extort, shame or scam you.
 

umafera

Zooville Settler
As mentioned above, there are many 2FA methods which are completely anonymous and independent of an internet connection, like time-based rolling codes. Only 2FA based off stuff like phone numbers is trackable.

There is NO reason to avoid 2FA.
 