Data theft - password reuse

Saturday 30 May 2020

What happened?

By design, the Root-Me foundation has always trusted all of its members and, for that matter, the most active ones generally have administration privileges.
A platform administrator who, in his time, contributed a lot to the project and had since faded away to pursue his professional and family life fell victim to a password reuse attack: his email password appeared in a leak and, sadly, it was the same as his password on the Root-Me platform. The compromised account was used to gain unauthorized access to the backend from which all of Root-Me is administered.

When did it occur?

The intrusion started on May 23rd and went on until the following day, May 24th, 2020.

What is the impact?

Challenge solutions as well as email addresses have been stolen. Password hashes are not impacted. The other stolen data, like public GPG keys or usernames, is already public information displayed on profiles.

And now?

To protect our backend and therefore your data, we decided to set up GPG-based two-factor authentication for accounts with administration privileges.