Good day, Terrarians,
Some of you have become aware of a recent incident involving CloudFlare, the content delivery network that we use for security and reliability of our site.
** We have no indication at this time that any TCF personal information was exposed by this incident **
To put the extent of this incident in proper perspective:
The incident report also states that the leak was identified and plugged, and is no longer considered a threat. This affected all sites protected by CloudFlare - Reddit has been identified as one of those. (Sorry, I have no idea how to identify other sites affected, other than if they communicate publicly about it.) The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).
Purely as a precaution, a general TCF forum logout was forced, and the forum staff has been requested to change their passwords. We firmly believe we are safe, but we remain vigilant.
We are not requiring the regular membership to change their passwords at this time. That said, it is generally a good idea to change passwords regularly, and not use the same passwords for multiple sites (especially sites that contain sensitive/financial information).
[I'm going to post this now to allay immediate concerns, but I will be adding some thoughts on recent Yahoo! breaches as well.]
Update - more general information about the incident:
Issue report from the Google Project Zero folks who discovered the incident
A work-in-progress list of sites that may have been affected by this incident
Again - we feel that the chances that this affected any individual TCF user - here or elsewhere - are exceedingly small, but not zero.
=============================
We do suggest that you consider changing your password for TCF, and for any other site you use that may be affected. Some of the sites that may be of primary interest to our community are:
- Discordapp.com
- Reddit.com
- Patreon.com
- Uber.com
- crunchyroll.com
- puu.sh
- 4chan.org (lol)
- authy.com (worrisome because this might make even some accounts protected by 2-factor authentication vulnerable)
A good password manager can help tackle those inconveniences. Here are some suggestions. An incident like this is the perfect wake-up call to step up your personal privacy game. I'm a long-time user of KeePass myself - it's open-source, self-contained, and immune to incidents like this.