We’ve recently had two reports of Discourse sites that were compromised, likely due to weak admin account passwords. So we’d like to document:

- what to do when compromise happens
- what we can do to better prevent this in the future
In case of compromise, you should always assume that a rogue admin account has downloaded a full copy of the site database / backup.
Thus, you should IMMEDIATELY reset all account passwords using the following command:
./launcher enter app rails r 'User.update_all(password_hash: SecureRandom.hex * 2, auth_token: nil)'
Account Passwords in the Database
Per our security doc, Discourse uses very strong, slow to attack hashes on passwords stored in the database:
Discourse uses the PBKDF2 algorithm to encrypt salted passwords. This algorithm is blessed by NIST. Security experts on the web tend to agree that PBKDF2 is a secure choice.
And the minimum default password length is 10 for users and 15 for staff (as of April 2016), so this makes it difficult to brute force the password hashes to recover the original passwords. But that doesn’t prevent users from setting a password of monkey1 or something else that is trivial to guess, even with a strong hash.
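As an added illustration (not Discourse's own code) of the two points above, the emergency reset command and why a strong hash alone does not help against a password like monkey1, here is a minimal PBKDF2 hashing, password-policy and credential-invalidation routine in Ruby. The minimum lengths (10 for users, 15 for staff) come from this post; the iteration count, salt size, digest, deny-list and the in-memory user records are assumptions for the example.

```ruby
require 'openssl'
require 'securerandom'

# Assumed hashing parameters for this example; not Discourse's settings.
PBKDF2_ITERATIONS = 64_000
PBKDF2_KEY_BYTES = 32

# Constructed, deliberately short deny-list of trivially guessable passwords.
COMMON_PASSWORDS = %w[password password1 monkey1 123456 qwerty letmein].freeze

# Returns nil when a password is acceptable, otherwise the reason it is not.
# Minimum lengths follow the post: 10 for users, 15 for staff.
def password_policy_error(password, staff: false)
  min = staff ? 15 : 10
  return "too short (min #{min})" if password.length < min
  return "too common" if COMMON_PASSWORDS.include?(password.downcase)
  return "too few distinct characters" if password.chars.uniq.length < 5
  nil
end

# PBKDF2-HMAC-SHA256 with a per-user random salt; returns [hex_hash, salt].
def hash_password(password, salt = SecureRandom.hex(16))
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS,
                                   PBKDF2_KEY_BYTES, OpenSSL::Digest.new('SHA256'))
  [key.unpack1('H*'), salt]
end

# Constant-time comparison so verification does not leak by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, stored_hash, salt)
  candidate, _salt = hash_password(password, salt)
  secure_equal?(candidate, stored_hash)
end

# What the emergency command in the post does, applied to in-memory records:
# every stored hash becomes a random value no password maps to, and every
# session token is dropped, so a leaked database copy yields no logins.
def invalidate_all_credentials!(users)
  users.each_value do |u|
    u[:password_hash] = SecureRandom.hex(32) # not derived from any password
    u[:auth_token] = nil
  end
  users
end
```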
Emails in the Database
The attacker can see all email addresses for all users on your site. This is normally privileged info that even moderators have to click a button to reveal.
Message Content in the Database
Since the attacker has a copy of the database, they can see all information stored in all posts.
If you have external passwords or account info relayed in your replies, private or public, you should change those passwords immediately.
If you have sensitive information in your replies, private or public, be aware that the attacker can see that information.
I’ll continue to update this topic as we think about this more, and @sam will reply with recommended steps to take if this happens to you (putting up a site banner, logging out all users, forcing password reset for all users, etc.).