Security Updates Important Announcement: Data Security Incident - User Full Names

[Helmuts]

We are writing to inform you about a data security incident that recently affected the AcornDomains.co.uk forum.

How We Discovered the Breach:

On July 6, 2024 (yesterday), we became aware of the data breach thanks to a private message received from a forum user. The message pointed out that the "Full Name" field in user profiles was publicly visible, potentially exposing user names to the public. We appreciate the user's time in bringing this matter to our attention in the most effective and helpful way (by also helping with potential next steps) - thank you!

What Happened:

An existing misconfiguration in the Xenforo forum software caused the "Full Name" field to be:

• Required during registration.
• Publicly visible on user profiles.

This meant that from an unknown date (likely around September 30, 2020), users' full names were potentially exposed to anyone visiting their forum profile or through search engine indexing.

Screenshot:

ref: https://web.archive.org/web/20200930164429/https://www.acorndomains.co.uk/members/admin.1/

Was the Breach Caused by a Cyber Security Attack?

No, this breach was not caused by a cyber security attack. It occurred due to an oversight in the "Full Name" field configuration. It was mistakenly set to be both required and publicly visible. This misconfiguration allowed user names to be displayed publicly, exposing them to public.

Are We Able to Identify Staff Members Involved in This Breach?

The misconfiguration likely existed before AcornDomains.co.uk acquired the forum in April 2023. Due to this timeframe, identifying specific staff members involved in the original configuration is not possible. The earliest point of the breach we have been able to backtrack is September 30, 2020.

What Personal Data Is Involved in the Breach?

In this specific case, the data breach only affected one data type:

• Full Names: The misconfiguration exposed users' full names, potentially including first names, last names, or middle names entered during registration.

It's important to clarify that no other user data was exposed in this breach. This includes:

• Usernames: Usernames (login credentials) were not affected.
• Email Addresses: Email addresses were not exposed.
• Passwords: Passwords are stored securely using hashing and salting techniques, so they were not compromised.
• Private Messages: Private messages were not impacted.
• Financial Information: The forum does not collect or store any financial information from users.

How Many People Could Be Affected?

As of May 16, 2024, the forum had 15,758 registered users. This number represents the potential number of users whose full names might have been exposed.

How Many Personal Data Records Have Been Affected?

One record per user was potentially affected. This means the number of potentially affected data records is: 15,758.

What We Have Done:

We take data security seriously and immediately took steps to address this issue:

• Corrected the configuration: We fixed the issue that allowed full names to be publicly displayed.
• Deleted data: All data from the "Full Name" field has been permanently deleted from our forum database.
• User notification: all users will be noticed via email with a link to this Announcement.
• Archive.org request: We contacted archive.org to request the removal of any archived snapshots that might have exposed user names.
• ICO notification: We submitted a report to the Information Commissioner's Office (ICO) despite their initial assessment that a formal report wasn't necessary.

What preventative measures did we have in place at the time of the breach?
AcornDomains.co.uk acquired the forum in April 2023. While we cannot definitively speak to all preventative measures in place before that date, at the time of the breach, we have hired a 3rd party UK based Xenforo specialist for regular updates and consultations, maintained a regular update schedule for the Xenforo software, monitored user access controls, and had strong password security policies in place. Passwords were stored securely using hashing and salting techniques.

What You, an Acorn user, Can Do:

While the data exposed was limited to full names, we understand this incident may cause concern.

Here are some recommendations:

• Review your account information: We recommend logging in to your account and reviewing your profile information to ensure accuracy.
• Strong passwords: If you use the same password for other online accounts, consider changing them to unique and strong passwords.

We are committed to protecting your data and are taking steps to prevent similar incidents in the future. This includes ongoing security reviews, user security awareness training programs (to be implemented), and maintaining a strong security posture.

We apologize for any inconvenience or concern this incident may have caused.

Sincerely,
Helmuts
The AcornDomains.co.uk Team

 

[Adam H]

Pretty sure it was originally put in place to improve trust and visibility in an active sales community, and one that was discussed in the community prior to it being done.

It's not a breach, and not an ICO related incident.

Rather overly dramatic stance on something that has been clear as day for 4 years or more and you have to consent to it prior to signing up.

 

[Helmuts]

It's not a breach, and not an ICO related incident.

Thank you, Adam. ICO did say that we don't need to submit the report, and can keep an internal record of the breach. Even then, I made a desiccion to report this as a personal data breach using the online form of the ICO.

And users had to be informed, as well.

Have a great day! Helmuts

 

[Azam.net]

Thank you for the update on this Helmuts. You have handled this very professionally indeed.

As our Acorn Domain username and account details makes it clear who we are, we have nothing to worry about in terms of the name behind our account being revealed. But I do appreciate that, should anybody have need to be anonymous, this could be a concern for them.

Appreciate you keeping us updated, and can't wait for London Domain Summit next month - only 46 days to go says your countdown!

 

[Helmuts]

Thank you for the update on this Helmuts. You have handled this very professionally indeed.

As our Acorn Domain username and account details makes it clear who we are, we have nothing to worry about in terms of the name behind our account being revealed. But I do appreciate that, should anybody have need to be anonymous, this could be a concern for them.

Appreciate you keeping us updated, and can't wait for London Domain Summit next month - only 46 days to go says your countdown!

Thank you my friend See you soon in person Best wishes! Helmuts

 

[JimDavies]

Sensible response Helmuts. In my case, my username is a bit of a clue to my identity!

 

[Helmuts]

Sensible response Helmuts. In my case, my username is a bit of a clue to my identity!

Thank you Jim. Yes, you username definitely is

 

[DesD]

Impressive response. Well done.

 

[Helmuts]

Impressive response. Well done.

Thank you.

 

[Helmuts]

Good morning all,

We have received a reply from the Wayback machine:

The following has been submitted for exclusion from the Wayback Machine at web.archive.org:

acorndomains.co.uk/members/*

Please allow up to a day for the automated portions of the process to run their course and for the changes to take effect.

You can check the previously mentioned link (it seems to be removed):

Code:
ref: https://web.archive.org/web/20200930164429/https://www.acorndomains.co.uk/members/admin.1/

Have a great weekend, Helmuts

 

[Adam H]

At some point the field being a required field or not definitely changed, as the field value being displayed publicly was inconsistent across member accounts.

Yeah I think you are right, as that wasnt how it was setup originally. But saying that im not sure whom worked on the site in the past 4 years after the initial migration so who knows what was changed .