Orain Compromise Initial Statement

Hello from Orain Staff! We wish the situation were better, and we wish we had been able to bring you this statement sooner, but we hope this will begin to answer some of the questions you may have.

As you are almost certainly aware by now, Orain was compromised by (an) unknown individual(s) on 16 September 2015. We don’t know who it is, nor do we have any evidence or strong indications about whom it might have been, and this is not the place for such speculation. We will investigate as best we can, and we may request the help of the appropriate law enforcement authorities in the matter, but until then, the perpetrator is unknown – and, in the end, their identity really is irrelevant.

Orain is, at this time, completely inoperative. It seems that the attacker used a social engineering attack of some kind in combination with a malicious alteration to our DNS MX records (which tell email servers where to send emails) to gain access to our CloudFlare and DigitalOcean accounts, allowing them to gain full access to our domain zone and full root access to all our servers.

The unfortunate reality of this is that all data Orain had should be considered compromised. This includes users’ email addresses and hashed passwords, as well as IP addresses and User-Agent data. We thus advise anyone who used their Orain password on any other site to change their passwords immediately, even though it is unlikely that the attacker would be able to break the password hashes.

Further, one of our sysadmins, Addshore, was able to access a couple of our servers (though not all of them), and was able to confirm that, unfortunately, the database for All the Tropes Wiki, including all article data, has been deleted. Unfortunately, we can neither confirm nor deny the existence (or nonexistence) of any other Orain data, including the databases for all other wikis and file uploads for all wikis including All the Tropes. Dusti, one of Orain’s founders, is still working with DigitalOcean support to regain access to our old DigitalOcean account, and only if that happens will we be able to see the full scope of the damage.

Assuming the worst, though, we do have complete backups for all wikis that existed on 15 June 2015, and we will be happy to give those to people who request them. We are also examining the possibility of reviving Orain, though we will need more time to come up with a viable plan for this (or to decide against it). It is probably safe to say, though, that if Orain comes back, it will be a fresh start on a new host, with new infrastructure, and (of course) new security practices.

Speaking of security, among the lessons we’ve already learned is that using a self-hosted email server for critical parts of our infrastructure, like CloudFlare and DigitalOcean, is a terrible idea – we believe that the attacker was able to gain access to our DigitalOcean account because of this. Let this be a lesson that those who forget history will be doomed to repeat it.

In closing, we’d like to say that the decision to revive Orain will likely largely depend on the support of you, our users. We understand that this attack has been devastating to all of you; for what it’s worth, it has been very devastating to us as well. If you decide to leave Orain for other pastures, we will assist you in any way we can and we wish you well. But, if you decide to stay, your support will be greatly appreciated, and the more support we have, the easier it will be for us to pick up the pieces and start anew.

Thank you all for your patience and understanding. If you have any questions or comments, please feel free to leave them in the comments section below, and we will get back to you as soon as we can. Once again, we are all truly sorry that this happened. We will keep you informed with further posts to this blog as the situation changes or more information becomes available.

But until then, we wish all of you the best. Thank you for using Orain.

— Orain Staff

(This message was edited collaboratively by Orain Staff and other trusted users assisting in the cleanup/planning efforts, and was copied to this blog by staff member FastLizard4.)
