We’ve completed sending out notifications to all affected users of Friday’s exploit. Email notifications started going out at 19:31 on the 25th of January at a rate of 1 per second and finished at 18:32 on the 26th of January.
There were 81,205 email addresses included in the exploited data – of those, 598 were exact duplicates. We therefore tried sending to 79,809 different addresses (we didn’t filter the list any further at this point as we just wanted people to be notified as quickly as possible).
After the emails were sent, we did analyse the data and found:
* 12 email addresses did not actually have a valid domain name structure
* 2,906 email addresses were sent to domains which cannot receive email (such as no longer being registered)
* 14,427 email addresses were actually duplicates (such as gmail.com and googlemail.com, email@example.com and firstname.lastname@example.org and email@example.com and firstname.lastname@example.org)
* 31,582 email addresses were on “common domains” (defined as gmail.com, aol.com, aol.co.uk, hotmail.com, hotmail.co.uk, yahoo.com, yahoo.co.uk, outlook.com, aol.co.uk, btinternet.com, fastmail.fm, wanadoo.fr, bbc.co.uk, mac.com, ntlworld.com, tiscali.co.ul, mailinator.com and msn.com)
* 19,467 email addresses were classed as “likely spammers” (the domain was listed on http://www.stopforumspam.com/spamdomainsandips but wasn’t in the list of “common domains”)
* 5,029 “other” email addresses looked valid, had good DNS entries and were not listed on the common domains and “likely spammers” list
* 12 of those email accounts accounts were over quota and have not yet received the notification.
We are therefore counting the number of exposed “data users” as “common domains”+”others”:-“over quota”: 35,599.
We are saddened to announce that on the 24th of January 2013 between 04:02 and 04:56 GMT, that the main PublicWhip site was exploited. We became aware of this around 07:30 GMT on the 25th.
Impact to you
Anybody that has signed up to the PublicWhip website (forum or membership) will have had their plain text email address exposed, their PublicWhip username and an md5 hash of their PublicWhip password exposed. Whilst the passwords were “hashed”, they were not salted (due to interaction with other code) and hence should be declared as “in the wild”.
You are advised to change any passwords which are the same as the PublicWhip one.
You will no longer be able to log in to PublicWhip as the accounts have been wiped from the server.
No financial information was exposed.
We are sorry for this inconvenience and any problems caused.
This exploit took advantage of an SQL hole in the code (basically, the inherited PublicWhip code did not properly “escape” data sent from the user: we’ve now been through and changed the vast majority of these to “PHP PDO parametrised queries” – we’re still trying to catch any remaining queries). This allowed the third party access to the MySQL database.
Impact to PublicWhip
What we’ve done:
- We’ve amended quite a lot of the core code of PublicWhip to prevent this from happening in the future and have setup a number of alerts to try and catch code that we’ve missed.
- We’re going to be checking for the next two weeks or so to ensure we’ve caught all changes before making the new codebase available
- Disabled the “account section” of the site as there are a number of exploitable holes that we have not currently fixed
- Changed all the passwords stored on the live database to a random 32 character string
- Changed all the email addresses stored on the live database to a random 32 character string
- Changed all the user names stored on the live database to a random 32 character string
What we are going to do:
- Over the course of the next few days, we will be emailing all 79,810 email addresses held on the PublicWhip database with details of blog post and asking them to review their passwords
- Report this loss of data to the Information Commissioner’s office (it is unclear whether we need to do this, but we’re going to be doing it anyway)
Recently, we’ve made the following changes to PublicWhip:
* Removed logging of inbound requests
Previously all page requests were logged locally – however, we were alerted to a problem when people had search for names containing apostrophes in names (such as Baroness O’Cathain). This has been fixed (and the appropriate page displays) instead of people receiving a “Something’s gone wrong” message (thanks R.Vanderbeck for alerting us to this issue)
* Powered by CloudFlare
We’ve started using CloudFlare as a CDN front-end solution for the main PublicWhip site: this should lead to faster page loads for everybody, along with reducing the load on our server (CloudFlare has saved 4Gb of bandwidth in the last 7 days: from a total of 20.6Gb). It also includes some anti-hacker/anti-web spammer technologies which should stop some issues: however, it may also flag up some “false positives” – please let us know if you encounter any issues.
* Rebuild started
We are in the “ground breaking” stages of PublicWhip v2 – where we are rebuilding the codebase from scratch and making it entirely self supportive (instead of having to rely on Hansard being parsed by third parties). There’s not much code yet, but we’re piecing things together. Looking at our “paid workload” (i.e. the stuff that pays our rent/wages), we’re going to be a bit busy next month (February), but should be able to continue development in March.
* Switch back to Google Adsense
PublicWhip is now back using Google Adsense to try and raise funding to pay for development. To give you an idea of the revenue, in the last 30 days, Adsense has earnt enough money to pay for one fifth of it’s monthly hosting bill. So it’s definitely not making money for us: but at least it’s not quite so much of a drain on our limited resources.