Some notes on today's security issues.

#1  Edited By rorie

Hey all,

Today we experienced a bit of a security breach on the site. You may have noticed that there were a number of banned users during today’s livestream. (These bans are not forum bans, and you should be able to access future chats without any problems.) After we cut off the chat to figure out what was going on (apologies about that - that was a fun video, and BioForge is a great game), the esteemed gentleman moved on to our forums. Some wikis may have been deleted, wiki points may have been reset, and I learned some startling new facts about the length of my penis. We’re looking into reverting any damage, but the damage to my ego may be, alas, irreversible.

One point to make clear: we have no reason to believe that user passwords, personal information, or any billing information was accessed. All of that stuff is stored in separate data stores, not accessible from our website itself. At the moment, we believe that this intruder only had access to the ability of staff members to manipulate the wiki and forums. Yes, that is bad, but hopefully you’ll agree that it could be worse. We’re going to be auditing all of this stuff, of course, and will let you know if we discover anything more serious.

These kinds of events are part and parcel of doing business on the internet. Obviously we wish it wouldn’t happen, but when it does, we at the very least learn new things about securing our site so that things like this don’t happen again. I’m not going to guarantee that it won’t, as our Moriarty seems to be both talented and dedicated, but at least we know more about how to protect our site than we did this morning.

Again, apologies if any of this caused a disruption in your normal methods of accessing the site. If you have any continued problems that you think might be related to this, please email support@giantbomb.com. If you have any personal concerns that you don't wish to air on the site, please email me at matthew.rorie@cbsinteractive.com. And if you were responsible for these events, we'd definitely love to talk to you. I'm sure you can figure out how to get in touch with us as you like.

musubi

Awesome, good to know that (at least for now) the top men have sealed the proverbial leaks. I've still got Faith of the heart in Giantbomb.

noby_guy

Thanks for the update Rorie. Glad you guys are on top of things.

#4  Edited By TruthTellah

Thanks for the update, Rorie. It stinks that they focused on you a bit, but I'm sure your genitalia is reasonable and dignified.

So, is there reason to believe that this is currently under control? And are there signs that this has a connection to the attacks last week? Will we find out in the next few days about any new efforts to secure Giant Bomb from more attacks like this in the future?

ReyGitano

Wow, I was busy today and missed the live show, but that sounds like insanity. Hope everything ends up fine.

mikecardii

I had no idea about the breach because it happened while I was at work, but thanks for the update. Love the persistent transparency of Giant Bomb.

#7  Edited By Daveyo520

We just need to digitize you into the computer world to battle him head on @rorie.

AleeN634

Thanks for the update Rorie.

ilikepopcans

I liked the part where the guy made a poll asking if 50 should be banned... and the winning answer was yes.

#10  Edited By kkotd

Was looking at the threads just a second ago and then this popped up on Twitter. Looks like you guys had a hell of a day. Glad that things are being fixed though and that there's communication about this towards us. That's one thing that's always seemed lacking when the site went haywire in the past. Thanks Rorie, keep up the good work.

Draxyle

Those are some petty, sad, bored people to hack their way into a videogame website just to cause a disturbance.

Glad to hear about what was going on, I had thought a mod was trying to be funny until you all had to drop the chat entirely. Really a shame they chose such a fantastic stream to muck up.

#12  Edited By rorie

@truthtellah: The person did indeed identify himself as the same person who was around last week, and we have no reason to disbelieve him. As far as the events go, we haven't noticed anything untoward in the last hour or two.

As far as the security issues go, I'm not sure how explicit we want to get with that - anything that we make note of will likely be used against us in future attacks. I'll discuss it with the engineers, though. Might be an interesting blog in it somewhere.

wefwefasdf

Thanks for the update, Rorie. You're doing an awesome job--it's great to have you around!

#14  Edited By musubi

@rorie said:

@truthtellah: The person did indeed identify himself as the same person who was around last week, and we have no reason to disbelieve him.

As far as the security issues go, I'm not sure how explicit we want to get with that - anything that we make note of will likely be used against us in future attacks. I'll discuss it with the engineers, though. Might be an interesting blog in it somewhere.

I dunno, I'm thinking you still might be hacked. I see a severe lack of puppies in this post.

TyCobb

Parameterize your queries!

#16  Edited By MistaSparkle

Good job everyone! GB is clean again...or at least, as clean as we left it which is...ugh...

Still good to be back to normal!

#17  Edited By rorie

@rorie said:

@truthtellah: The person did indeed identify himself as the same person who was around last week, and we have no reason to disbelieve him.

As far as the security issues go, I'm not sure how explicit we want to get with that - anything that we make note of will likely be used against us in future attacks. I'll discuss it with the engineers, though. Might be an interesting blog in it somewhere.

I dunno, I'm thinking you still might be hacked. I see a severe lack of puppies in this post.

#18  Edited By sammo21

This is why we can't have nice things.

#19  Edited By TruthTellah

@rorie: As long as there is some kind of confirmation that new steps have been taken, I'd say that might be enough for reassuring people. As you said, specifically laying out new measures may actually be used against Giant Bomb; so, I think people would understand not being explicit about it. Members just want to feel reasonably safe around here.

#20 Ben_H

@tycobb said:

Parameterize your queries!

I just covered that in a book I am reading so I find that immensely humorous.

It is good to hear things are under control. It was getting pretty goofy for a bit there.

Silver-Streak

@rorie Don't let the lies posted by the intruder get you down. I'm sure your genitalia is like this (poor) dog

[embedded video]

Far too large for what is considered normal, and yet somehow still adorable.

Wait...what?

#22  Edited By TyCobb

@ben_h said:

@tycobb said:

Parameterize your queries!

I just covered that in a book I am reading so I find that immensely humorous.

It is good to hear things are under control. It was getting pretty goofy for a bit there.

Nice. It truly is amazing how many applications exposed to the public just run ad hoc queries with little or no validation while using values given right from the user.
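As an added illustration of the point TyCobb makes above (example code written for this thread, not anything from Giant Bomb's codebase): the same lookup written the ad hoc way, with the user's value spliced into the SQL text, next to the parameterized version, both run against a constructed in-memory SQLite table. The function names and sample rows are my own.

```python
import sqlite3

# Constructed sample data standing in for a site's users table.
# Nothing here comes from any real system.
SAMPLE_USERS = [
    ("rorie", "staff"),
    ("tycobb", "member"),
    ("villainy", "member"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The anti-pattern: the user-supplied value becomes part of the SQL text,
    so the database parses whatever the user typed as query syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the SQL text is fixed and the value is bound separately,
    so the user's input is only ever compared as a literal string."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both versions on the same input and return what each one matched."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, name),
        "parameterized": lookup_parameterized(conn, name),
    }


if __name__ == "__main__":
    # A well-formed name behaves the same in both versions.
    print(compare("tycobb"))
    # A value containing a quote character rewrites the concatenated query
    # (it now matches every row) but is just an unmatched string when bound.
    print(compare("x' OR '1'='1"))
```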

zero_

I'm absolutely appalled at what little attention is being brought to the severe issue of Rorie's penis. As a paying member of this website, I feel we are entitled to know what exactly was said.

musubi

@eujin: Awww that video is depressing. Poor pup.

JJOR64

Crazy. Just read this post.

#26  Edited By villainy

@truthtellah: I've been popping "GmZ was here" into good old Google occasionally to see what comes up. This one from last week doesn't show up in my search results anymore but is still cached. The same tag spent some time on @gamer_152's post here (since deleted).

I want to trust that our login information is kept fully separate from the site content itself but the fact that www.giantbomb.com and auth.giantbomb.com point to the same Amazon ELB IP addresses is a little disconcerting. I'll admit that while I understand various load balancing techniques I don't have much experience with ELB specifically so maybe those two hostnames are actually going to separate EC2 instances. There's nothing I'd like more than for the engineering team to shut down my paranoia with some knowledge bombs (once they've cleaned up here and had some sleep of course).

Superficial website attacks growing into privilege escalation exploits and full on server rooting are pretty rare but I have had to help deal with the aftermath and it sucks. Hard. I have no reason to believe this was anything but a trolling run but like I said before, just my paranoia is all.

#27  Edited By cooljammer00

Pfft, I know the truth. @rorie got the illest dick.

villainy

@tycobb said:

@ben_h said:

@tycobb said:

Parameterize your queries!

I just covered that in a book I am reading so I find that immensely humorous.

It is good to hear things are under control. It was getting pretty goofy for a bit there.

Nice. It truly is amazing how many applications exposed to the public just run ad hoc queries with little or no validation while using values given right from the user.

Never ever look at the results of an automated (customer approved) injection scan through a medium-large shared hosting environment. The horror...

#30  Edited By StarFoxA

This is yet another opportunity to stress the importance of using a password manager, especially considering how many web accounts the average Internet user maintains, and the frequency of security breaches nowadays. Even if there wasn't a password breach, having that kind of security is well worth it.

I personally recommend KeePass.

#31  Edited By ltsquigs

For the record we do clean all our queries and any input coming in :)

confusedowl

Considering the amount of time I browse these forums I always seem to miss all the drama. Glad to see everything is doing alright now.

Monkeyman04

@rorie I'm glad that you have updated us on the situation and I hope it gets dealt with in a timely manner. Also here is a gif of a puppy enjoying a vacuum.

#34  Edited By TruthTellah

The oddest thing to me is that the person behind this is clearly a current or former Giant Bomb user. Probably a former Premium Member, as well. And one that has some sense of humor. A pretty iterative sense of humor, but a very Giant Bomb style of humor nonetheless. There's a real personal vendetta here. But then, it isn't purely destructive. It's just wanting to mess around and get attention.

Seems like they're from North America or Europe; my guess would be the United States by their style of English. And they were at least around for the last site redesign. They're fully aware of who Rorie is, and I get the distinct impression they are familiar with the former user Hizang. But that may just be a coincidence. Their speech was very male, as well, with a sort of puerile homophobia. I'm guessing they used to do a decent bit of wiki editing, as well. It seems like their joy in this was feeling like their grievances over what they regard as past "censorship" of their unpopular opinions were finally being seen by the staff.

I think it's also worth noting that there didn't really seem to be a great deal of vulgarity. The focus was more on being childish and disruptive than vulgar or destructive. That suggests to me someone who has enjoyed Giant Bomb in the past but feels that they have been wronged in some way deserving of harassment. It's more of a needy cry for attention from a site they care about, as they quite clearly could have done more damage and made a bigger mess than they did.

#35  Edited By mrpibb

@villainy: The auth address is purely for https purposes (which is why the two addresses go to the same ELB). The web servers go to different backends to do their jobs (data for giantbomb, password/login auth for auth). Much like rorie said, we keep the passwords, billing, and other personal information on different data stores. We'll probably do a post-mortem blog sometime down the line once we're sure we've closed the security holes both to drive discussion and provide visibility.

Duffyside

Rorie, I'm so sorry about your penis. :(

mikecardii

[embedded video]

daedaluss

I bet it was Dave!

McGhee

It would be funnier to think that a mod just went crazy and started banning people and making jokes about Rorie's penis.

gaminghooligan

#41  Edited By TruthTellah

@mcghee said:

It would be funnier to think that a mod just went crazy and started banning people and making jokes about Rorie's penis.

That's what some people thought at first, but then it became clear that something else was happening. Plenty of people thought ZombiePie had finally lost it, but he had nothing to do with it.

That would certainly make a more entertaining story though.

villainy

@mrpibb: Thanks very much. I try to assume you guys are smart enough to do stuff like this right but I've seen too many horrendous data security situations is all. Sometimes I need some reassurance. I truly appreciate the follow up and I would love a post-mortem. This crap is both frightening and fascinating.

@ltsquigs: You'd better or little Bobby tables is gonna have your ass!

I for one think the mod team and staff have done a great job keeping the conversations for this on track while still letting the GB forums be the forums. Great job and many thanks to everyone who has surely had a hell of a night.

#43  Edited By BisonHero

@truthtellah: While I agree with your general assessment of "childish and disruptive" (and I would also append "sad and petty"), I think it's rather premature to read such a specific intent to this individual's action. Maybe he's perfectly happy with Giant Bomb, but is the kind of 15-year-old dick raised by 4chan who causes trouble when he notices a security loophole, instead of quietly sending a PM to someone on the Giant Bomb staff. We just don't know.

Also, could everyone please not discuss this to death? The party responsible for the attack is probably going to keep an eye on the forums to soak up all the attention in the aftermath of the attack, so denying him that attention seems like the appropriate move.

#44  Edited By chikin_n_rofls

Whoa, crazy. I had no idea this was going on. When the chat poll asked to ban people I answered "yes." IT'S ALL MY FAULT.

#45  Edited By TruthTellah

@bisonhero: I think discussion around it is still rather minimal, and as long as it is within the context of demeaning an el1te haxxor kiddie, I don't see the harm in it. We just shouldn't go spreading his name or giving direct attention like that.

As for why I hypothesized his specific intent, it's because I'm going off direct comments from him to me and others throughout the day. They gave every indication that it's someone who was formerly a member of the site and holds a childish grudge. They didn't make any demands, but they absolutely presented that this is about some kind of disruptive vengeance. And it wasn't about ruining Giant Bomb. It was just about making sure Giant Bomb knew that they are displeased and don't know a constructive way to express that displeasure.

#47  Edited By TruthTellah

Whoa, crazy. I had no idea this was going on. When the chat poll asked to ban people I answered "yes." IT'S ALL MY FAULT.

You monster!

Take him away, boys.

http://farm8.static.flickr.com/7164/6812082757_f1d34ba9f9.jpg

#48  Edited By rorie

In terms of the individual behind all this, it seems relatively clear that he or she has visited Giant Bomb in the past. I didn't see too much in the way of clear reasoning behind the events, but I'd love to hear more. Feel free to reach out to me via PM or the contact addresses above if you're reading this.

Dizzyhippos

Only this site would turn a post about security issues into a puppy topic, I love this site so much lol