So in February, TruckersMP was pwned, the first time a service I've been fully or partially responsible for has been pwned. The pwn exploited a bad password practice (password re-use) by one of the upper team members and affected the forums.
Late Sunday/early Monday morning, the list of affected users was added to HIBP, submitted by us. Why, you may ask? We value the security of our users above anything else, so we reached out to Troy Hunt and became the first self-submitted site, and the 100th breach to be added.
The response from the security community has been generally quite positive. It's sad to have a breach, but it's nice to see recognition that we made the right decision in making the list of users available, so that they can be notified and can find out in the future what has leaked and when.
What did we learn from the breach and from submitting ourselves instead of waiting for the perpetrator to float the DB?
- Have a clear plan on how to handle a breach
- Notify your users as quickly as possible, the faster the better
- Don't give access to people who don't strictly need it (least privilege)
- If you don't see the DB circulating, do consider self-submitting to HIBP; that way there is more than one avenue for users to learn about the breach and change their passwords
- Use 2FA where possible
- Use different passwords everywhere, and require it within your organization, especially for people with access to user/customer data, even if your most sensitive piece of data is a password hash
Be open about it. Skip the "We care about our users" jargon and show that you care by being transparent; treat your users as you would a corporate customer, even if it's embarrassing to be pwned. By having your users change their passwords you also devalue your database, because it becomes dated much more quickly.
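One practical way to enforce the "no reused or leaked passwords" lesson above, as an added example that is not part of the original post or TruckersMP's own code: check each candidate password against the HIBP Pwned Passwords corpus through its k-anonymity range API, which only ever sees the first five hex characters of the password's SHA-1. The range endpoint URL and its `SUFFIX:COUNT` response format are the real HIBP interface; the sample response body, its counts and the `fetch_range` stub are constructed so the code runs offline, and `password_policy_violation` is a hypothetical policy hook for a registration or password-change handler.

```python
"""Reject passwords known to appear in breaches using the HIBP Pwned Passwords
k-anonymity range API. Only the 5-character SHA-1 prefix leaves the machine;
the full hash and the password itself never do."""
import hashlib
import urllib.request

# Real HIBP endpoint: GET https://api.pwnedpasswords.com/range/<5 hex chars>
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Network fetch of one range; offline runs pass a stub instead."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """How many times the password appears in the corpus (0 if never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_policy_violation(password: str, fetch_range=fetch_range_live,
                              min_length: int = 12):
    """Hypothetical policy hook: return a rejection reason, or None if OK."""
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    seen = breach_count(password, fetch_range)
    if seen:
        return f"appears {seen} times in known breaches"
    return None


# Constructed sample body for the 5BAA6 range (NOT real API output): the two
# leading suffixes and all counts are made up; the last suffix is the real
# remainder of SHA-1("password") so the lookup path is exercised end to end.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
"""


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_live: only the 5BAA6 range has data,
    every other prefix is treated as having no matches (constructed)."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase here"):
        reason = password_policy_violation(candidate, sample_fetch, min_length=8)
        print(f"{candidate!r}: {reason or 'accepted'}")
```

In a real deployment swap `sample_fetch` for `fetch_range_live` (or an equivalent that caches ranges), and treat a network failure as "unknown" rather than "safe" so an outage cannot silently disable the check.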
What we could have done better:
We could have been more transparent with our users about self-submission to HIBP. We received some flak for not informing our users that we would be doing that; both Kat_PW and I have taken this to heart, and should we ever have to do it again, we will of course notify our users beforehand.
Finally, we should have emailed our users. It wasn't done because we didn't have the infrastructure, and it would have been costly to get that sorted, but doing so would have shown our users a lot quicker that we care.
If you have any questions or comments, you can reach me on twitter or by mail: tuxy [at] truckersmp.com