What happened?
On June 12, 2023, we were notified that a database hosted by one of our 3rd party vendors, which contained Usernames, User IDs, and hashed (encrypted) passwords of RiffTrax users, was publicly accessible over the Internet, and that its presence had been indexed by a search engine belonging to an industry provider. To access the contents of this database, knowledge of the command-line terminal and of the server's location was required.
What caused it?
The server hosting the database had been left on the normal defaults for its version of the database software. With that default configuration, anyone who could reach the server was able to connect to the database without supplying credentials.
What was exposed?
User names, IDs, password "hashes", and session / token values for our Sync App users. The session / token values could theoretically be used to impersonate a user and retrieve their list of Library items. The password hashes themselves were encrypted, but a malicious actor with a lot of time and sophisticated resources could use the exposed values to recover common passwords, and then try those passwords against the same person's accounts elsewhere, wherever the same email address is in use.
Note that the only purpose of this database server is to facilitate synchronizing users' purchase histories between the Sync App and the RiffTrax.com servers. The information that was disclosed could not be used to make purchases using your stored payment information, but if the same password is used elsewhere on the Internet, we highly recommend changing your password in those places as well. Even though the passwords themselves were encrypted in the database, a malicious actor could use this information to perform a "dictionary attack" and gain access to other vulnerable accounts if they share the same password.
Was my credit card compromised?
No. All payment methods are stored securely either on the device itself or in our payment processor, Stripe. The two systems are separate.
What was done to correct this?
We worked with our 3rd party provider and responded immediately to this incident, correctly configuring the database and stopping the leak within a few hours. The server has also been configured to block further anonymous access, and we are requiring admin access for any Sync App operations. We are also changing the app functionality to no longer transmit or store these data points. Finally, we forced a reset of all affected users' passwords, and logged them out of their active RiffTrax.com sessions out of an abundance of caution.
What do I need to do?
Nothing at this time. We have already identified all the impacted users and are currently in the process of logging them out of all active sessions, resetting their passwords, and requiring them to set new passwords. If you are affected, you will receive an email with further instructions. If you were a user of the Sync App for iOS or Android, we recommend changing your password anywhere else it is used, and using a service like Bitwarden or 1Password to generate strong, unique passwords.
I still have questions not answered here.
Please open a Help ticket at rifftrax.com/help and we can answer them directly.