Whoever has a copy of the FA database put up a Tor hidden service at http://fapassap77jfeffk.onion. (If you're a non-freak, you can try it at https://fapassap77jfeffk.onion.to/)
This lets you look up which email address you registered for FA with, the last known email you used on FA, and whether your password is unique among the accounts in the dump. That last check implies one of two things: either the hashes were stored unsalted, so identical passwords produce identical hashes and reuse is visible without cracking anything, or the attacker has already cracked the hashes and compared the recovered plaintexts.
This tool also provides a fun way of auditing FA's internal security policies.
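As an added illustration (not code from the original post, and not whatever the hidden service actually runs), here is a Python sketch of how an "is your password unique?" answer can be produced from a breach dump. The accounts, passwords and wordlist are constructed for the example, and the two storage formats (bare MD5 versus salted SHA-256) are assumptions about how a site might store passwords, not a statement about what FA used. It shows both routes to the same answer: with unsalted hashes, reuse shows up by grouping identical digests with no cracking at all; with per-user salts, each hash has to be cracked first, and only the recovered plaintexts can be grouped.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts (hypothetical users and passwords, not leak data).
SAMPLE_ACCOUNTS = {
    "alice": "correct horse battery staple",
    "bob": "dragon",
    "carol": "dragon",
    "dave": "dragon",
    "erin": "hunter2",
}

# Small constructed wordlist for the offline-cracking half of the example.
WORDLIST = ["password", "dragon", "letmein", "hunter2"]


def unsalted_dump(accounts):
    """Simulated dump where each password is stored as bare MD5: user -> hex digest."""
    return {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in accounts.items()}


def salted_dump(accounts):
    """Simulated dump with a per-user random salt: user -> (salt_hex, sha256(salt || pw))."""
    dump = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        dump[user] = (salt.hex(), hashlib.sha256(salt + pw.encode()).hexdigest())
    return dump


def groups_by_value(mapping):
    """Group account names by identical value (a digest or a plaintext)."""
    groups = defaultdict(list)
    for user, value in mapping.items():
        groups[value].append(user)
    return {v: sorted(users) for v, users in groups.items()}


def reuse_from_unsalted(dump):
    """Unsalted case: equal digests mean equal passwords, so reuse is visible
    without cracking. Returns {user: number of accounts sharing that digest};
    a count of 1 is what the lookup tool would report as 'unique'."""
    groups = groups_by_value(dump)
    return {user: len(groups[digest]) for user, digest in dump.items()}


def crack_salted(dump, wordlist):
    """Salted case: identical passwords no longer give identical digests, so the
    only way to learn about reuse is to crack every hash individually against a
    wordlist. Returns {user: plaintext} for the hashes the wordlist recovers."""
    recovered = {}
    for user, (salt_hex, digest) in dump.items():
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            if hashlib.sha256(salt + candidate.encode()).hexdigest() == digest:
                recovered[user] = candidate
                break
    return recovered


def reuse_from_cracked(recovered):
    """After cracking, group accounts by recovered plaintext instead of digest."""
    groups = groups_by_value(recovered)
    return {user: len(groups[pw]) for user, pw in recovered.items()}


if __name__ == "__main__":
    unsalted = unsalted_dump(SAMPLE_ACCOUNTS)
    print("unsalted, no cracking needed:", reuse_from_unsalted(unsalted))

    salted = salted_dump(SAMPLE_ACCOUNTS)
    digests_only = {u: d for u, (_, d) in salted.items()}
    print("salted, grouping digests finds nothing:", reuse_from_unsalted(digests_only))
    cracked = crack_salted(salted, WORDLIST)
    print("salted, after cracking:", reuse_from_cracked(cracked))
```

Note the asymmetry in the salted case: alice's passphrase is not in the wordlist, so her account never appears in the reuse table at all, whereas the three "dragon" accounts are found and grouped. A lookup service built on cracked hashes can only say "shared" or "not shared" for the passwords it managed to recover, which is one reason the dump owner would need to have cracked a large fraction of the hashes before the "unique" answer means much.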
Some five years ago, FurAffinity suffered several high-profile account intrusions caused by password leaks from other sites. One of these was the takeover of then-admin Rhainor's account, pulled off by getting into Rhainor's Gmail account and then social-engineering another admin into resetting his FA password.
I seem to recall discussion after that event indicating that FA was developing some rudimentary security policies regarding email. Certainly, one policy that should have been considered in a situation like that is for staff not to be allowed to use their personal email accounts as their FA account's email address. Since FA operated its own mail server at the time, it should not have been difficult to implement such a policy, giving staff FA email accounts on a server where account passwords could not be reset automatically.
Fast forward to the present, and we now have a tool that not only shows what email addresses the administrator accounts were using, but also gives an indication of how secure their passwords were, namely whether anyone else in the dump shares them.
Let's start with the top brass. Dragoneer gets points for using his @furaffinity.net email address, but loses 10000 points for using the same password as the Fender account. Chase scores low even though the bar isn't set that high: not only is he using a password that 8 other accounts use (suggesting he has many alts/socks or an easy-to-crack password), he is also using his Gmail account. Tsk. Sciggles is just as bad as Chase: once again we have a personal Gmail account and several accounts sharing the password, though I have a hunch those are sockpuppet accounts, since that just seems like the kind of thing Sciggles would do. Her primary account actually performs better, with a unique password.
As for the administrators... AsiaNeko is using a Gmail account too... but at least has a unique password. QuotingMungo is just... a hot mess. LiveJournal? Really? FoxAmoore doesn't even have an email address on file, meaning it's possible his account's password could not be reset without the intervention of another admin. He's also using a unique password.
The technical team does about as well as you'd expect. Yak is using a personal email. Go figure. Net-cat has no email on file and a unique password. Pickra is the loser in the FA Account Security golf cart races: an AIM email address and a password that, judging by the number of people using it, may very well be the fabled popular "dragon" password.
Finally, we can take a look at those "anonymous" moderator accounts...
Oh cool, all the moderator accounts share the same Gmail account. And whoever Moderator-Gryphon is seems to have trouble coming up with a password that other people aren't using.
Now, put on those tinfoil hats, because it's conspiracy time!
Remember that time Dragoneer was caught sockpuppeting? Well, he may have been sockpuppeting as other accounts at the time.
Hm, interesting... "G**a", that couldn't be...
Oh, but it is. Somehow, an impostor account calling itself "Giza" (one of Sean's old-time rivals from the Olive Garden Incident and Anthrocon) has the same password as Firepyro, which was known to have been accessed by Dragoneer.
Make of that what you will.