Attention: All existing users will need to reset their password before being able to log in. Click here to reset. For more information on why, click here. (September 26)


Forum Announcement: The Great Outage Information Dump
TL;DR: You should change your password on any sites that shared a password with these forums.

Hello!

On Wednesday the 22nd of September, the server powering Goonstation was compromised by an attacker exploiting a vulnerability in the wiki, of all things. With this access, the attacker was able to modify multiple sites, use the Discord Spacebee bot to remove multiple Discord channels, leak the secret GitHub repository code, and leak various API keys and database passwords.

As a result, it's possible that the attackers were able to download data from various databases. People reading this should be most aware of the possibility that the forum database was leaked. This is due to the fact that the forum software stored passwords insecurely. To be safe, you should consider your forum passwords leaked. Additionally, emails, BYOND usernames, and IP addresses are associated and should also be considered leaked.

Following this attack, I chose to shut down all of the servers powering Goonstation until I could rebuild services from the ground up with a focus on security. While the attacker left enough fingerprints for me to be relatively confident of what they did and did not do, there's no way to be 100% certain there aren't remaining issues, so I felt it prudent to re-do things. This is the reason for the relatively slow recovery time for services, and for that I apologise.

In bringing this forum back online, I have reset every user password, and patched the insecure password storage mechanism, so your new passwords will all be nice and safe. Because of this, everyone will need to reset their password using the password recovery page.

As of writing, the game servers (and associated API services) will be back up tonight or tomorrow. Moving forward, various remaining services will boot back up over time, probably during this week. The wiki might take a bit longer.

Thank you everyone for your patience and please have a lovely day.


FAQ

Q: Are my email and passwords fine if I never made a Goonstation forum account?
A: Yes
Q: I used a unique password for my Goonstation forum account, are my other accounts fine?
A: Yes. Though if you used the same email address and don't want your Goonstation identity linked to those accounts, you should change your email address for those other accounts.
Q: Is my BYOND account compromised?
A: Not unless you used the same password for your Goonstation forum account and your BYOND account. In which case, change your BYOND account password.
Q: What passwords do I need to change?
A: You will need to reset your forum account password. You only need to change your password for other services (e.g. Twitter, BYOND account) if you used the same password as that of your forum account.
Q: Do you have recommendations for a password manager so I can have strong unique passwords for every account and service that I use?
A: Try KeePass (https://keepass.info/), KeePassXC (https://keepassxc.org/), or Bitwarden (https://bitwarden.com/)