Our Discourse forum database was breached

Unfortunately we have to announce that our Discourse forum was breached on 25/10/2022. A group of hackers exploited a zero-day vulnerability in Discourse and got elevated access, which they then used to steal the user database. The stolen data includes emails, IP addresses, and other forum metadata (post views, etc.) but did not include any passwords.

We have been working with the Discourse security team to investigate the issue, and they have successfully found it and fixed it. The forum is now working as usual and the vulnerability has been patched. Because it is a zero-day exploit we didn't make this public until we knew the vulnerability had been patched, but we took our own actions to remove the possibility of further attacks as soon as we knew about it.

We leave the responsibility of disclosing the vulnerability with Discourse.

We are deeply sorry for this trouble. We take the protection of your personal information very seriously, and as a measure of extra safety we have reset all the passwords and sessions, so you will need to login again the next time you access the forum.

To answer a few extra questions:

Does it affect the Joplin application?

No it does not. We have strong security measures in place to protect the code and services that are used to release new mobile or desktop versions. Specifically no GitHub or npmjs account was compromised. We will nevertheless review and, if necessary, update our processes to make this part of the project as secure as possible.

Does it affect Joplin Cloud?

No, it does not. Joplin Cloud security is handled separately and the service was not affected by the breach. Moreover we do not have access to financial information, such as debit card numbers, as this is entirely handled by Stripe.

What happens next?

This is a reminder of how vulnerable internet services can be, and as a result we will do a review of our infrastructure - that includes the open source applications and Joplin Cloud. We will verify who has access, and limit the rights to only those that are strictly required.

27 Likes

thanks for announcing the breach. And thanks for the info that the password reset was initiated for security reasons.

4 Likes

Does it affect the associated GitHub account?

But how do we know now this is the real @laurent ?
:grin::wink::sunglasses:

Thanks for your explanation and handling it this way. Must have been stressfull I can only imagine.

2 Likes

No, it's not related to GitHub.

Yes that wasn't the best way to start the day!

2 Likes

Thanks for all your hard work!

1 Like

For information, Discourse has now released the CSE:

3 Likes

Any information about the hackers or their purpose?

Nothing special - they were anonymous obviously and wanted money

Thanks for being open about the event, not everyone is.

Organisations get hacked all the time, it's how they respond that matters. Public admission, password reset and knowing what data was taken, it shows that you take your users seriously.

Zero-days are a nightmare - and potentially every discord service is now at risk.

1 Like