We are writing to inform you about a data security incident that recently affected the AcornDomains.co.uk forum.
How We Discovered the Breach:
On July 6, 2024 (yesterday), we became aware of the data breach thanks to a private message received from a forum user. The message pointed out that the "Full Name" field in user profiles was publicly visible, potentially exposing user names to the public. We appreciate the user's time in bringing this matter to our attention in the most effective and helpful way (by also helping with potential next steps) - thank you!
What Happened:
An existing misconfiguration in the Xenforo forum software caused the "Full Name" field to be:
- Required during registration.
- Publicly visible on user profiles.
This meant that from an unknown date (likely around September 30, 2020), users' full names were potentially exposed to anyone visiting their forum profile or through search engine indexing.
Screenshot:
ref: https://web.archive.org/web/20200930164429/https://www.acorndomains.co.uk/members/admin.1/
Was the Breach Caused by a Cyber Security Attack?
No, this breach was not caused by a cyber security attack. It occurred due to an oversight in the "Full Name" field configuration. It was mistakenly set to be both required and publicly visible. This misconfiguration allowed user names to be displayed publicly, exposing them to the public.
Are We Able to Identify Staff Members Involved in This Breach?
The misconfiguration likely existed before AcornDomains.co.uk acquired the forum in April 2023. Due to this timeframe, identifying specific staff members involved in the original configuration is not possible. The earliest point of the breach we have been able to backtrack is September 30, 2020.
What Personal Data Is Involved in the Breach?
In this specific case, the data breach only affected one data type:
- Full Names: The misconfiguration exposed users' full names, potentially including first names, last names, or middle names entered during registration.
It's important to clarify that no other user data was exposed in this breach. This includes:
- Usernames: Usernames (login credentials) were not affected.
- Email Addresses: Email addresses were not exposed.
- Passwords: Passwords are stored securely using hashing and salting techniques, so they were not compromised.
- Private Messages: Private messages were not impacted.
- Financial Information: The forum does not collect or store any financial information from users.
How Many People Could Be Affected?
As of May 16, 2024, the forum had 15,758 registered users. This number represents the potential number of users whose full names might have been exposed.
How Many Personal Data Records Have Been Affected?
One record per user was potentially affected. This means the number of potentially affected data records is: 15,758.
What We Have Done:
We take data security seriously and immediately took steps to address this issue:
- Corrected the configuration: We fixed the issue that allowed full names to be publicly displayed.
- Deleted data: All data from the "Full Name" field has been permanently deleted from our forum database.
- User notification: all users will be notified via email with a link to this Announcement.
- Archive.org request: We contacted archive.org to request the removal of any archived snapshots that might have exposed user names.
- ICO notification: We submitted a report to the Information Commissioner's Office (ICO) despite their initial assessment that a formal report wasn't necessary.
What preventative measures did we have in place at the time of the breach?
AcornDomains.co.uk acquired the forum in April 2023. While we cannot definitively speak to all preventative measures in place before that date, at the time of the breach we had hired a third-party, UK-based Xenforo specialist for regular updates and consultations, maintained a regular update schedule for the Xenforo software, monitored user access controls, and had strong password security policies in place. Passwords were stored securely using hashing and salting techniques.
What You, an Acorn user, Can Do:
While the data exposed was limited to full names, we understand this incident may cause concern.
Here are some recommendations:
- Review your account information: We recommend logging in to your account and reviewing your profile information to ensure accuracy.
- Strong passwords: If you use the same password for other online accounts, consider changing them to unique and strong passwords.
We are committed to protecting your data and are taking steps to prevent similar incidents in the future. This includes ongoing security reviews, user security awareness training programs (to be implemented), and maintaining a strong security posture.
We apologize for any inconvenience or concern this incident may have caused.
Sincerely,
Helmuts
The AcornDomains.co.uk Team