Board Thread:General Discussion/@comment--20150810171627/@comment--20150810185948

Hello,

I just want to address some of the points already addressed in the replies to this thread.

First and foremost, there are a lot of suggestions included on this thread about how to mitigate this particular exploit. They are very good solid ones. However, each one would require a good amount of engineering time and each has a fallback. For instance, 2FA is totally something that would strengthen security. But it would also cause more login issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in. We have been slowly rolling out parts of Helios after testing. Unfortunately, this vulnerability was exploited before we were able to provide a closure that would maintain similar functionality. That's truly regrettable, but only drives us more to improve this system as a whole.

Re: Affected wikias - at this time, I am not releasing a list of the communities that were compromised. First and foremost, we need to respect user privacy in general and so we don't want attention to fall upon them at a time when they need to feel they have control over their accounts. We have communicated directly with the affected communities and are reaching out directly to users we believe were likely affected. Secondly, it goes back to a core tenet of not feeding trolls - we're not here to celebrate or publicize their work. Rather we are going to revert it and deal with it as needed, without the deep emotional reaction trolls crave. I ask that no one else in this thread try to figure out which wikias were affected.

I cannot provide a timetable for when we will turn off this emergency measure. Please know though that a team of engineers and your Community Support team are working tirelessly on this. As an avid wiki user and coder myself, I certainly understand and empathize with the frustration some of you are feeling right now. Doing something for the greater good does not necessarily mean that all consequences of an action are positive. And right now, JS disablement for the online security of our users' information is the greater good.