User blog:DaNASCAT/Technical Update: October 7, 2015

Traditionally, each Tuesday and Thursday, we release system updates to add new features and fix bugs on Wikia. This week, we have cancelled both our releases and I would like to spend some time explaining why.

On Sunday, an attacker appears to have gained access to a staff account that we used for QA (Quality Assurance) testing and used its staff privileges to close and redirect some of our most popular wikias. Our weekend staff and VSTF caught this issue quickly and we were able to undo most of the damage within two hours.

However, the attacker was able to use a different strategy Monday to regain access to a number of staff accounts. At that time, we elected to throw our network into read-only mode (preventing the attacker from making any changes to our platform) while locking down our staff accounts and login system.

As of early Tuesday morning, the site has been up and running as expected. Because of this attack, our engineers have decided to spend the rest of the week focusing on protecting important internal data and making changes where needed to increase our security, and have elected to cancel this week’s scheduled product release. I would like to reassure the community that very few accounts or communities were impacted, and owners of the affected accounts have already been contacted.

These recent incidents have certainly escalated the urgency of certain changes we plan to make. Some of these changes will happen quietly in the backend, and we cannot share them for business or security reasons. However, we will try to be as transparent as possible about changes that our users will see as part of their daily time at Wikia. Right now, our primary user-facing security focus revolves around deploying the JavaScript review process and an improved, more secure login system called Helios (which we had already built and intended to discuss more in depth later this year).

We would certainly like to thank our community for your patience as we continue to improve Wikia’s security. While no online company enjoys or wants an attack like this to happen, we are going to turn this into a positive opportunity to make Wikia stronger today and in the years to come.