TL;DR: RoosterTeeth community accounts, passwords, and email addresses were NOT leaked.
So last week we announced we had a bit of a security event.
When we made that post, we had already wiped passwords for accounts, but we were still combing through logs. At that point we only knew that someone who shouldn't have had access had gained access to our database, and we wanted to take immediate precautionary action.
I wanted to take a moment before Thanksgiving gets all started, and talk about the aftermath; what was found, what is being done to prevent things like this in the future, and exactly what the situation is. I'm not going to go into the full nitty gritty, but I want to discuss and answer a few really common concerns floating around the community before stuffing my face with turkey.
The security flaw that was exploited had to do with a legacy system still running on our old code infrastructure. Once the attack vector was discovered, I made the decision to kill off our legacy servers and code. It's old, insecure (reversible encryption of passwords instead of hashes, etc.), and not up to modern code standards. This does mean that some things like the AH Uploader (AHUploads.com) are offline until we can write proper, modern software to replace them. Our web team is getting those things ironed out ASAP.
After a few days of research and verifying system, traffic, and query logs, we were able to confirm that the RoosterTeeth community accounts, passwords, and email addresses were NOT leaked. The data that was viewed consisted exclusively of RT Staff accounts. Still not great, but the community accounts are safe.
To speak to account security in general, because there were a lot of assumptions thrown around in the last week, some of which were wrong, and many of which deserve a direct answer:
First: We are using HTTPS for authentication. All login routes are required to go over SSL, and we expanded it this morning to make sure the entire login page (not just the form) goes over SSL as well.
Second: No passwords have ever been plain-text in our database. The old code used encryption, and the new site uses hashing with a per-user-unique salt. Now that the old code is deprecated, we exclusively use a per-user salt with a modern hashing mechanism for our passwords.
Third: Payment information is not stored on Rooster Teeth servers. Things like credit cards, addresses, etc., are all stored on PCI compliant third-party partner servers. We recognize that this is highly sensitive information and want to keep it secure in the best way possible.
And lastly: This is more of a general rule, not one related to RT technology, but a general recommendation. Please use unique passwords for every site you visit. This isn't an excuse for us to be insecure, but in the current age, unfortunately, these kinds of events happen. Databases get compromised, from the small guy to the huge multi-billion dollar company. If you can't remember a unique password for every site you frequent (like me), use a password vault like 1Password, LastPass, KeePass, or Dashlane. Most of them are free, allow mobile access, and make password security online so, SO much better. This is also relevant.
Love and Kisses;
P.S. I'm going to bourbon smoke a turkey in a few hours and I'm really damn excited about it.