Hey, I’m Kev, the Lead Developer for SiegeGG. I want to address an incident that occurred yesterday (May 8th) at about 14:00 GMT.
TL;DR — We believe we experienced a breach of our website database, including hashed user passwords. We are taking steps to improve our security and will require all registered users to reset their password. For a detailed account, keep reading.
Around 14:00 GMT, the website went down and would only respond with 500 errors. We started investigating the issue at 14:11 GMT and found an empty database: somehow, the entire database had been wiped. Had this been caused by a bug in MySQL or in our code, we would simply have restored the data, since we take backups at 20-minute intervals. However, we suspect that an attacker may have gained access to our database. Through further investigation, we traced the likely vulnerability to an open MySQL port. The port had been opened only briefly to test a software integration, but was not closed afterwards because we were in the process of migrating to another database management system. We closed the open port at about 14:40 GMT (29 minutes after the first report).
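The exposure described above is a database server listening on a public interface. As an added example (not SiegeGG's code), the script below shows the two checks an operator would run to catch that: flag any listener on the MySQL port (3306) whose local address is a wildcard, and check whether `bind-address` in `my.cnf` restricts MySQL to loopback. The `ss`-style listener output and the two config fragments are constructed sample data so the script runs offline; on a real host you would pipe in `ss -Htln` and the actual `my.cnf`. Note that this checks network exposure only, not the strength of the database credentials.

```shell
#!/bin/sh
# Added example: detect a MySQL server exposed on all interfaces.

# Constructed sample resembling `ss -Htln` output on a host where MySQL is exposed.
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 151 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'

# Constructed my.cnf fragments: the exposed setting and the hardened one.
WEAK_CNF='[mysqld]
bind-address = 0.0.0.0
port = 3306'
SAFE_CNF='[mysqld]
bind-address = 127.0.0.1
port = 3306'

# exposed_db_listeners PORT  (reads ss -Htln output on stdin)
# Prints each listener on PORT whose local address is a wildcard
# (0.0.0.0, [::] or *), i.e. reachable from every interface.
exposed_db_listeners() {
    port="$1"
    awk -v port="$port" '
        {
            la = $4
            n = split(la, parts, ":")
            p = parts[n]                                   # port is after the last ":"
            addr = substr(la, 1, length(la) - length(p) - 1)  # everything before it
            if (p == port && (addr == "0.0.0.0" || addr == "[::]" || addr == "*"))
                print la
        }'
}

# mysql_bind_is_local  (reads my.cnf on stdin)
# Exit 0 only when bind-address is explicitly a loopback address. MySQL listens
# on all interfaces when the directive is absent, so "missing" counts as exposed.
mysql_bind_is_local() {
    addr=$(sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*//p' | tr -d '[:space:]')
    case "$addr" in
        127.0.0.1|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run against the constructed data.
echo "Wildcard listeners on 3306:"
printf '%s\n' "$SAMPLE_SS" | exposed_db_listeners 3306
if printf '%s\n' "$WEAK_CNF" | mysql_bind_is_local; then
    echo "weak config: bind-address is local"
else
    echo "weak config: bind-address is NOT local (exposed)"
fi
if printf '%s\n' "$SAFE_CNF" | mysql_bind_is_local; then
    echo "hardened config: bind-address is local"
fi
```

Binding to loopback is the first fix; a host firewall rule that drops inbound 3306 from anything but the application hosts is the second, so that a later config change cannot silently re-expose the port.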
Our next steps
We cannot exclude the possibility that all or part of our database was stolen by an attacker. Although all user passwords are hashed using the BCrypt algorithm, we will require every registered user to reset their password using the “Reset Password” function. If you signed up using your Discord account and never set a password, you can safely continue signing in with Discord.
We regret having to make this announcement at all, and are committing more development time to ensuring your data is secure. Starting with the publication of this article, we will be gradually releasing security-oriented features and deploying systems to protect our users’ data and privacy.