InflateVids

We are (temporarily) offline

UPDATE 19/01/25: We're coming back online for patrons on February 19th at the latest! Read our new post for more details. The post below is for archival purposes.

Now that I have your attention, that isn't a lie. InflateVids is currently offline. It isn't how I imagined the 3rd anniversary of going live to go.

The website got hacked and defaced last night. The database has been exported and the user table published, which includes data like usernames and IP addresses (for most of you, your IP address will have changed by now), but most importantly emails and hashed passwords. Rest assured, ID verification wasn't taken: we delete requests (and corresponding images) after submission, and the hacker doesn't appear to have downloaded our files anyway.

What should you do?

For everyone, if you used your password on InflateVids for anything else, immediately change these passwords and please use a password manager to generate unique passwords for each site. Please stay vigilant for phishing attacks via email, like you always should.

For patrons, since the website is currently offline I have paused the billing cycle. Currently billing is paused until January 11th, which means you won't be billed for your patronage. Please consider staying as a patron so we can continue hosting when we go back online. Don't worry about the costs, they won't be high since bandwidth was the biggest cost and well... nobody will be watching video for some time.

What happened?

The truth is that we aren't sure yet. I have some educated guesses about where this might have happened, especially considering the website got defaced, but I haven't had the time to properly look yet.

There is no indication that the attacker got access to the server itself, instead just the instance of the website. Sadly that was enough to pull the database, get access to the storage access key, and delete all the files.

For anyone technical who is interested: the web server of InflateVids runs in a Docker container, which means it is separated from the actual server. The beta and the redirect from inflatevids.xyz ran in different Docker instances, just like the NGINX server routing traffic and handling SSL certificates. The conversion server is indeed a separate server, and also runs in a Docker container. SSH access to both servers is limited to myself through a firewall. At the moment, therefore, there is no indication the server itself got accessed. I still need to check the conversion server, but I suspect it is untouched.

The attacker is fairly well known for database breaches, and at the moment it seems like we had bad luck and randomly got selected as a target. There is currently no evidence to suggest this was requested or commissioned. Most likely it was just for "creds".

What's next?

Everything is currently locked down, I've made sure to wipe any existing (API) keys for services we used and changed my own account passwords just in case (there is no indication they got accessed, especially since they use 2FA).

Part of the attack was deleting all of our video and thumbnail files. I am in the process of getting those back, initially through a support ticket with the host requesting recovery, and if that fails, from a backup that might not include data from the past couple of weeks or some unlisted/private videos.

We'll also have to critically review every single part of the codebase. See where the attack could've come from, and patch any holes. Anyone that wants to help review PHP code, let me know.

For passwords, sadly the website still used an outdated hashing technique, SHA-1. We will patch this to use more modern hashing techniques and add a salt to comply with more modern and secure standards. When the site relaunches, everyone will have to reset their passwords for obvious reasons.
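As an added illustration of the hashing change described above (this is example code, not InflateVids' own code or the "off the shelf" software it ran): PHP's `password_hash()` generates a random per-password salt and embeds it in the stored string, so no separate salt column is needed, and `password_verify()` reads it back. Because the old unsalted SHA-1 hashes were published, the example treats any account still holding one as requiring a reset rather than silently upgrading it on login. The function names, the in-memory `$db` array and the sample credentials are all constructed for this demonstration.

```php
<?php
declare(strict_types=1);
// Added example, not InflateVids code: replacing unsalted SHA-1 password
// hashes with password_hash()/password_verify(). Function names and the
// storage callback are assumptions for illustration.

// An unsalted SHA-1 hex digest is exactly 40 hex characters; password_hash()
// output starts with "$" (e.g. "$2y$..."), so the two are easy to tell apart.
function isLegacySha1Hash(string $stored): bool
{
    return strlen($stored) === 40 && ctype_xdigit($stored);
}

// New hashes: PASSWORD_DEFAULT (bcrypt on current PHP) with a random salt
// generated by PHP and embedded in the returned string.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login check. Accounts still holding a leaked SHA-1 hash are not accepted;
// they must go through the reset flow (matching the relaunch plan above).
// Returns 'ok', 'bad' or 'reset'.
function checkLogin(string $password, string $stored, callable $saveNewHash): string
{
    if (isLegacySha1Hash($stored)) {
        return 'reset';
    }
    if (!password_verify($password, $stored)) {
        return 'bad';
    }
    // Transparently upgrade the hash when the default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $saveNewHash(hashPassword($password));
    }
    return 'ok';
}

// Reset flow: apply a minimal length policy, then store a fresh hash.
function resetPassword(string $newPassword, callable $saveNewHash): bool
{
    if (strlen($newPassword) < 12) {
        return false;
    }
    $saveNewHash(hashPassword($newPassword));
    return true;
}

// Walk-through with constructed values (not real user data).
$db = [
    'alice' => sha1('hunter22'),                     // legacy, unsalted SHA-1
    'bob'   => hashPassword('correct horse battery'), // already migrated
];
$save = function (string $user) use (&$db): callable {
    return function (string $hash) use (&$db, $user): void {
        $db[$user] = $hash;
    };
};

echo checkLogin('hunter22', $db['alice'], $save('alice')), "\n";
echo checkLogin('correct horse battery', $db['bob'], $save('bob')), "\n";
echo checkLogin('wrong', $db['bob'], $save('bob')), "\n";
resetPassword('a brand new passphrase', $save('alice'));
echo checkLogin('a brand new passphrase', $db['alice'], $save('alice')), "\n";
```

Running the walk-through shows alice being sent to the reset flow while she still has a SHA-1 hash, bob logging in normally against a bcrypt hash, a wrong password being rejected, and alice logging in once her new `password_hash()` value is stored. `password_needs_rehash()` is what lets the cost factor be raised later without another forced reset.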

When will InflateVids be back?

There is no ETA. This isn't something solvable in a couple days, hell maybe not a couple weeks or months. I want to take this seriously, and sadly that takes time. Time that is already fairly limited. Whenever we know more, we'll let you know. Until a next update, I'll try to make sure the Patreon billing cycle is paused, so you don't get charged for a website that is down.

Hopefully see you soon,
Rick

Comments

We are looking at trying to restore up to fairly recently, but it could take some time and we aren't sure what that would look like.

AnotherLooner

you stated that vids were deleted. Does that mean that the creators will have to reload their vids? Will there be any restoral of accounts and/or contributions?

Ralph Casillas

Username, email, IP address (on initial sign up), hashed password, registered date (month & year), last active date, amount of uploads, and any public profile info. Access and refresh tokens would've been pulled, but the Patreon integration has already been taken down. The client ID and secret weren't in the database. There is no action needed for anyone who connected accounts.

AnotherLooner

There really isn't. We ran off the shelf software that still used SHA-1 for hashing, and didn't check or change it (assuming auth was fine). Obviously that'll change.

AnotherLooner

Could you please share more details regarding the user related data from the DB that was stolen and published? I would like to know the amount of my leaked private data. What about the auth/link with patreon, do we have to take any action there?

Christian

why did you use SHA-1 to hash passwords in prod? there is no excuse for this, unless you ran the server off of windows 95

klint

SSH was with PKA, there was no password authentication (also the port for SSH is blocked by firewall)

AnotherLooner

Was SSH set up using Public Key Authentication or Password authentication? It's relatively common for people to just scan for any open SSH ports and brute-force them using a dictionary attack.

someone11
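For readers wondering what the "PKA, no password authentication" setup in the reply above looks like in practice, here is an added example sshd_config fragment. It is not the InflateVids server configuration, only a defender-side illustration of the same settings.

```text
# Added example, not the InflateVids configuration.
# Key-based logins only; password and keyboard-interactive prompts disabled.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
```

On OpenSSH releases older than 8.7 the third line is spelled `ChallengeResponseAuthentication no`. The effective values (after any `Match` blocks and included files) can be checked with `sshd -T`, for example `sshd -T | grep -Ei 'passwordauthentication|kbdinteractiveauthentication'`, which is the quick way to confirm a dictionary attack against the port has nothing to try; keeping the port behind a firewall, as described in the reply, removes the exposure altogether.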
