On the 17th of September 2017, an account with administrative privileges was compromised and abused to delete forum threads, email some users, copy a list of our emails and cause some damage in game. Our staff were quick to respond to the situation and we were able to prevent any further damage from happening and restored the game servers to their normal state.

The forums, on the other hand, were simply my fault. To restore a backed-up database you have to delete the existing database (in this case the griefed forums) and then replace it with the backup database. As I was unzipping our huge backup, I went ahead and deleted the existing forums database and, to my surprise, everything was backed up except the forums. We have multiple backups but they all skipped backing up the forums database for some reason. We then had no forums and have since been remaking them.

What was hacked?
- An account with FULL permission access to the website/server

What did the hackers do?
- Deleted forum threads and announcements
- Mass emailed some users advertising their website/service
- Copied a list of about 52,000 emails from our forums database

What does this mean and should you be worried?
As mentioned above, the hackers do not have any passwords, only a copy of the emails used to sign up to the forums. However, the problem is that since people use the same emails and passwords for other web services, if one web service has leaked account and password information, it becomes easier to hack into accounts from other web services. We encourage you to change passwords to websites that store sensitive data (like emails, Minecraft, Skype, Discord etc.). We also encourage looking into 2FA (a second step/layer of protection on top of your password, e.g. sending a text to your phone or a code to an app or a confirmation to your email). Our new forums will now support 2FA, which you can do here (once logged in). If you receive emails with suspicious links, don't click them.

What's next?
We've already begun taking extra precautions: all Admin/Developer accounts now have 2FA enforced, and we've updated our more than 2 year old infrastructure (which could have led to more security issues had this not been a wake-up call). Our forums are in the process of being remade, so please excuse any missing features or systems, since we are starting from scratch. The Admins will update some of the forum categories and support sections for the better. We will have a new register process to ensure all our forum accounts are Minecraft players from our server. The servers are unaffected and they should be running as normal. We'll get back to releasing updates as usual very soon.

New forum registration process
To register a forum account, simply log in to mineheroes.net and type: /register (email)
This will create a new forum account for you, using your Minecraft name/uuid, and generate a new and safe password for you. You will then receive a confirmation email from [email protected] with the subject MineHeroes - Minecraft Server Account Confirmation Required. (It could also appear in your junk mail.) Then click on the link in the email to confirm your account and log in to the forums with the password generated by the server.

If you want to change your password, visit this link: https://www.mineheroes.net/account/security or hover over your name in the user menu above and click on Password.

If you are banned from the server, you can log in to register.mineheroes.net and run the command /register (email)

Parents (or anyone that does not have a Minecraft account) can email our support team ([email protected]) and they will generate an account manually for you.
Lessons learned from this experience:
- Enable and enforce 2FA everywhere
- Use different passwords for different services
- Regularly ensure backups are working

Final comments
As one of the bigger servers in the Minecraft community, it's our responsibility to ensure things like this don't happen, especially after 5 years of being in this industry and knowing how common it is. This was a pretty big fail on my end personally and a letdown to other servers/communities in our space. We should be leading and innovating the game and not be dragged back by simple security flaws. This is a big wake-up call for the MineHeroes team and myself going forward.
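
The "Regularly ensure backups are working" lesson can be turned into a gate that runs before anything is deleted during a restore. The following is an added example, not code from MineHeroes; it assumes the backup is a zip holding one SQL dump per database, and the file names, size floor and function names are hypothetical.

```python
import io
import zipfile

# Assumed layout: one SQL dump per database inside the zip (hypothetical names).
REQUIRED_DUMPS = ["game.sql", "forums.sql"]
MIN_BYTES = 64  # assumed floor; a real dump is far larger


def verify_backup(archive, required=REQUIRED_DUMPS, min_bytes=MIN_BYTES):
    """Return a list of problems; an empty list means the restore may proceed."""
    problems = []
    try:
        zf = zipfile.ZipFile(archive)
    except zipfile.BadZipFile:
        return ["archive is not a readable zip file"]
    with zf:
        corrupt = zf.testzip()  # first member failing its CRC check, or None
        if corrupt is not None:
            problems.append(f"{corrupt}: CRC check failed")
        sizes = {info.filename: info.file_size for info in zf.infolist()}
        for name in required:
            if name not in sizes:
                problems.append(f"{name}: missing from backup")
            elif sizes[name] < min_bytes:
                problems.append(f"{name}: only {sizes[name]} bytes")
    return problems


def safe_to_drop(archive, database_dump):
    """Gate for the destructive step: drop a database only if its dump verified."""
    return not verify_backup(archive, required=[database_dump])


def build_sample(members):
    """Constructed sample archive held in memory (not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    dump = b"CREATE TABLE t (id INT);\n" * 10
    partial = build_sample({"game.sql": dump})  # forums dump silently skipped
    print(verify_backup(partial))
    print(safe_to_drop(partial, "forums.sql"))
```

Running the same check on a schedule against every stored backup, not only at restore time, is what catches a database that has been skipped for months.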