Mibbit reveals blog & test servers compromised
Yesterday, the Mibbit blog posted:
- The personal information of 9 Mibbit operators including their names, accounts and e-mail addresses
- A backup of nickserv data from April 2011 with up to 10,000 user nicknames and their credentials
- Two sets of backup data for one operator user account PMs and Channel logs, used for testing
Read more on Mibbit.
Today, they posted an update:
…. *After investigations, which have taken place in parallel with work to restore services, we now confirm that the actual date of the backup nickserv data accessed was earlier at January 2010. This backup contained approximately 6000 actual registered nicknames and credentials. The PM and Channel history information was a single limited set of that stored by one Mibbit operator for test purposes.
Mibbit has been asked whether it stores all Channel logs – it does not. Questions have also been asked whether logs of all PMs are made – no such thing is true. Mibbit does not store data without users permission and requires the active setting of a user on their account to opt-in to log PMs and other items. Beyond this one Operators logs no other channel history data was accessed maliciously.
Read more on Mibbit.
…. NickServ passwords in clear text were released later the same day by the HTP, as well as personal information regarding several staff members. Both their IRC O-line passwords as well as their NickServ passwords, home addresses and phone numbers were published to the public via a range of file hosting services, and Pastebin.
Something perhaps even more concerning is that the group has revealed not only channel logs, but logs of private messages. It appears like Mibbit has been logging what people have said in PM to each other over their network. According to official statements, this was only a test. While this is fully legal, the level of ethicality has been questioned.[…]
All NickServ passwords were stored in plain text, and that raised a concern for those who are interested and engaged in enforcing security. According to staff member pottsi password hashing was not done because that would “means sendpass and getpass would not work”. Another staff member, Joshua, claimed that password hashing was not done because it was too much work to convert all passwords. This has however proven to be incorrect, at least if they used a plain copy of Anope. In Anope’s module database, there is a module called enc_switchover. It’s fairly easy to migrate from one encryption method, or none, to another, using that module. In addition to that, the Anope module ns_resetpass will allow users to reset their passwords despite encryption taking place.