/ TruckersMP

About Security

So in February, TruckersMP was pwned, the first time a service I've been fully
or partially responsible for has been pwned. The pwn was attacking a bad
password usage practice used by one of the upper team members and affected the
forums (password re-use).

Late Sunday/early Monday morning, the list of affected users was added to
HIBP, submitted by us. Why, you may ask? We value the security of our users
above anything else, so we reached out to Troy Hunt, and became the
first self-submitted site, and the 100th breach to be added.

The response from the security community has been generally quite positive,
it's sad to have a breach, but it's nice to see recognition that we made the
right decision on making a list of users available so that they can be notified
as well as help them in the future to know what has leaked and when.

What did we learn from the breach and from submitting ourselves instead of
waiting for the perpetrator to float the DB?

  • Have a clear plan on how to handle a breach
  • Notify your users as quickly as possible, the faster the better
  • Don't give access to users who don't strictly need that access
  • If you don't see the DB around, do consider self-submitting to HIBP,
    that way there's more than 1 avenue for users to learn about the breach
    and change their passwords
  • Use 2FA where possible
  • Use different passwords everywhere, and require it within your organization
    especially for people with access to the user/customer data, even if your
    most sensitive piece of data is a password hash

Be open about it: skip the "We care about our users"-jargon and show that you
care by being transparent. Treat your users like they were a corporate
customer, even if it's embarrassing to be pwned. By having your users change
their passwords, you will also reduce the value of your database, because
it'll become dated much more quickly.

What we could have done better:
We could have been more transparent to our users about self-submission to HIBP.
We received some flak for not informing our users that we would be doing
that; both Kat_PW and I have taken this to heart, and should we ever have
to do it again, we will of course notify our users about this beforehand.

Finally we should have emailed our users, it wasn't done because we didn't have
the infrastructure, though it would have been costly to get that sorted, but
the value of doing that would have shown to our users a lot quicker that we
care.

If you have any questions or comments, you can reach me on Twitter or by
mail: tuxy [at] truckersmp.com