7. Discord compromise fix
Hey Guppy Gang,
I wanted to personally shed some light on the situation that has unfolded over the last 48 hours. To those of you who don’t know, members of staff had their discord accounts compromised through fake captcha methods that allowed for their discord tokens to be exposed which can bypass their passwords and 2FA.
The attackers used the access to our staff members accounts to set up webhooks, bots and integrations. These allowed the attackers to quickly message fake links to a scam website they had set up imitating ours and ban most of our admin team.
Luckily, due to our amazing community and staff members being active on their weekends and off-hours, we were able to quickly act as the attack unfolded on the Guppy Gang discord server. From here, we were able to identify how they were controlling the server and we removed their access, and the compromised accounts access while we were assessing the situation.
Less than 24 hours later after we believed we had recovered from the initial attack a second staff member’s account allowed the attackers entrance to control our server once more. Again, within a short time we regained control and removed the attacker’s access.
Shortly after the second attack we retraced both of our staff members’ steps and identified where the token was stolen and have now taken measures to ensure that no other staff members are vulnerable or exposed.
We are pleased that there was minimal damage and that our studio has completely covered the assets compromised and has fully rectified the situation.
We have taken initial steps and will continue over the next week(s) to further tighten our digital security to keep Guppy Gang holders and our communities safe. Additionally, we are reducing the number of staff members and moderators that have elevated access to reduce the risk of a compromised account having as much access as they did during this attack.
It has been a long and stressful 48 hours for the staff as we love this community and the project. We deeply apologize for what has happened and thank you for being so supportive and understanding during this unfortunate event, and thankful to the community and the members ensuring the damage was to a minimum.
The leadership team is meeting tomorrow to discuss a community reward to raise morale and turn this into a learning and improvement opportunity and an overall win for the community and project moving forward.
Again, many thanks, Josh & all the team
Note: Currently scripts can be attached to website links, captcha bots and bookmarks which gain access to your discord account token which allows an attacker full access to your discord account via the API without a password or 2FA. Please do not click on links or follow any captcha bots that require you to add a website bookmark. Our staff members will not message you first or send links, ensure that if you want to speak to a staff member you open a ticket on one of our discord servers. Be safe out there!
