• TimmyQuivy closed this thread because:
Last update has fulfilled purpose of the thread. See here for further rationale.
17:35, August 11, 2015

Hi everyone,

There was a security issue on a couple of wikias over the weekend. No long-term damage was done to any wikia, but a nasty troll caused some havoc for a while.

We know some accounts were compromised during this time. It's a small number, and only affected members of attacked wikias - those communities have been directly informed, but if you are at all concerned, you should change your password to be safe. You should also consider where else you use the same password and change it, just in case. (Note: We recommend never using the same password on different sites.)

We have taken immediate measures to ensure that the wikias, and your accounts, are safe, including turning off custom JS on all wikias. We’ll look today, and over the coming days, at longer-term changes to increase security.

One request: Central is full of incredibly intelligent folk, who will have various ideas about what happened and what should be done about it. For now, please hold off speculation and explanations, and let us work in the background on this over the next few days. We will talk more about this in the future, either with a blog or forum post, or similar communication.

Thanks everyone, we'll follow up on this as soon as possible.

Edit 1: I have tried to answer the first wave of questions here. Custom wikia CSS has also been turned back on.

Edit 3: The code changes have been completed and JavaScript & Verbatim have returned in read-only mode. Read more here.

Edit 4: We have re-enabled editing on some specific MediaWiki namespace pages: Common.css, Wikia.css, Monobook.css, Wiki-navigation, and Community-corner. We are continuing to work on expanding this list, along with other improvements.

Edit 5: An update on this topic focusing on the next steps has been posted in this thread.

• What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

• ugh

• The Mol Man wrote: What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

And you just hit the nail on the head :)

• Good to know security is tightened. Seeing the events unfold over the wiki worried me.

• The Mol Man wrote: What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

Also give two-factor authentication pls thx

• Not the solution I was hoping for.

You know, it'd be nice if Wikia could use authenticators or other means of double protection for people's accounts on Wikia.

• I think a nice double factor would be when you login from an IP that you haven't marked as okay, require an email and/or SMS verification to say hey can they come in.

My thoughts that one troll did this much damage? Also as per The Mol Man I am hoping some anti-javascript measures will be taking place for the login form (not surprised if this is already implemented). When will custom JS be re-activated?

• They don't have a date set, yet.

Joey (talk)

• I'm an admin on one of the wikis that was hit, the FNaF Wiki. I understand that the situation is being addressed, though I am wondering about the user rights that have been taken away from me, and the other admins. I am okay with waiting, though I do hope it'll be resolved soon.

• So, this was a sitebreaking change for a lot of the RuneScape Wiki, breaking calculators, price graphs, navboxes, sortable tables, the twitter feed, item comparison, and a bunch of custom content modules that we'd written in JavaScript...it would be great to get this working again at least on an individual basis as soon as possible, as it's really a devastating change for us that came with no warning whatsoever.

• Jillips Entertainment wrote: I'm an admin on one of the wikis that was hit, the FNaF Wiki. I understand that the situation is being addressed, though I am wondering about the user rights that have been taken away from me, and the other admins. I am okay with waiting, though I do hope it'll be resolved soon.

Please ask for your rights back at Special:Contact/general, have to make sure it is you, and not someone else.

• Thanks, I am changing my password right now.

• No javascript broke like.. A lot of useful things on the runescape wiki =/

• Now, when you try to edit MediaWiki:Common.js, you get greeted with a message saying "You can not perform this action right now. Please try again in a few minutes, or contact Wikia if you are having difficulties.", I believe when this gets sorted out, MediaWiki:Common.js will be editable by admins of all wikis again.

• Apart from having a login form on every damn page, which is a security issue, Wikia isn't using HTTPS. By using HTTPS, if the login form is hijacked to send credentials to an external website, the web browser would block the load of the target page, or at least present a warning to the user. This is something that should be improved too.

About the login form, note that the latest MediaWiki release for 1.19 (which is now obsolete), prevented scripts and CSS from being loaded in Special:Preferences and on the login page... That of course couldn't be applied in Wikia because that would mean the current situation: no scripts on any page.
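The trade-off described in the post above, as an added example that is not part of the original thread and is not MediaWiki or Wikia code: a resource policy that withholds community-editable JS and CSS from pages that handle credentials. The function names, the `embedsLoginForm` flag and the sample page lists are assumptions constructed for illustration.

```javascript
// Added illustration; not MediaWiki or Wikia source. All names are hypothetical.

// Special pages that handle credentials or account settings
// (the two named in the post: the login page and Special:Preferences).
const RESTRICTED_SPECIAL_PAGES = new Set(['userlogin', 'preferences']);

// Reduce a title such as "special:UserLogin/signup" to "userlogin".
// Returns null for titles outside the Special namespace.
function specialPageName(title) {
  const match = /^\s*special:([^/?#]+)/i.exec(String(title));
  return match ? match[1].trim().toLowerCase() : null;
}

// Decide which community-editable resources a page view may load.
// page = { title, embedsLoginForm }, where embedsLoginForm is true when the
// skin renders a credential form inside the page itself.
function resourcePolicy(page) {
  const name = specialPageName(page.title);
  const credentialPage = name !== null && RESTRICTED_SPECIAL_PAGES.has(name);
  // A login form rendered inside a page makes that page credential-handling
  // too, so it has to be treated exactly like the dedicated login page.
  const restricted = credentialPage || page.embedsLoginForm === true;
  return {
    restricted,
    siteJs: !restricted,
    userJs: !restricted,
    siteCss: !restricted,
    userCss: !restricted,
  };
}

// Titles of the pages that may still run site-wide custom JS.
function scriptablePages(pages) {
  return pages.filter((p) => resourcePolicy(p).siteJs).map((p) => p.title);
}

// Constructed sample data: the same four pages under two layouts.
const TITLES = [
  'Main Page',
  'Calculator:Prices',
  'Special:UserLogin',
  'Special:Preferences/skin',
];
const FORM_ON_EVERY_PAGE = TITLES.map((title) => ({ title, embedsLoginForm: true }));
const DEDICATED_LOGIN_PAGE = TITLES.map((title) => ({ title, embedsLoginForm: false }));

// With the form on every page, no page is left that may load custom JS.
console.log('login form on every page ->', scriptablePages(FORM_ON_EVERY_PAGE));
// With a dedicated login page, only the credential pages lose custom JS.
console.log('dedicated login page     ->', scriptablePages(DEDICATED_LOGIN_PAGE));
```
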

• CSS has now been shut off, too.

• DaNASCAT wrote: Hi everyone,

There was a security issue on a couple of wikias over the weekend. No long-term damage was done to any wikia, but a nasty troll caused some havoc for a while.

We know some accounts were compromised during this time. It's a small number, and only affected members of attacked wikias - those communities have been directly informed, but if you are at all concerned, you should change your password to be safe. You should also consider where else you use the same password and change it, just in case. (Note: We recommend never using the same password on different sites.)

We have taken immediate measures to ensure that the wikias, and your accounts, are safe, including turning off custom JS on all wikias. We’ll look today, and over the coming days, at longer-term changes to increase security.

One request: Central is full of incredibly intelligent folk, who will have various ideas about what happened and what should be done about it. For now, please hold off speculation and explanations, and let us work in the background on this over the next few days. We will talk more about this in the future, either with a blog or forum post, or similar communication.

Thanks everyone, we'll follow up on this as soon as possible.

Oh, well that's not bad (checks my wiki on Monobook) OMG WHAT DID THEY DO TO THE CSS AND I FORGOT TO CHANGE MY PASSWORD! (changes password) still not the same :(

• Ozuzanna wrote: You know, it'd be nice if Wikia could use authenticators or other means of double protection for people's accounts on Wikia.

Amen.

• Was the CSS also disabled? Because I'm not seeing it anywhere wikia-wide.

• WHOEVER IS THE TROLL, IM GONNA FRICKIN SMACK HIM OUT OF WIKIA

• And where do I look for the list of affected Wikias? :)

• That's sad.....Hopefully everyone will be safe! :)

• Template:InfoboxCharacter has changed on www.stormlightarchive.wikia.com. I did not make this change.

• Hurricane162 wrote:
That's sad.....Hopefully everyone will be safe! :)

U r right sir, lets recover wikia

• Ylimegirl wrote:
Was the CSS also disabled? Because I'm not seeing it anywhere wikia-wide.

I noticed the same thing. I'm not seeing the username colors on the wikis that have them.

• Ylimegirl wrote: Was the CSS also disabled? Because I'm not seeing it anywhere wikia-wide.

Me too. I'm guessing they did on purpose.

• ikr

• Does this include our own personal JS scripts, or is it just the JS used on a wikia specifically (MediaWiki:common.js) that has been disabled? If personal js is gone temporarily, that's not helpful.

• So, when will all of the CS and JS mediawiki effects be turned back on?

• personal JS still works, but you can't edit it.

• SuperSajuuk wrote: Does this include our own personal JS scripts, or is it just the JS used on a wikia specifically (MediaWiki:common.js) that has been disabled? If personal js is gone temporarily, that's not helpful.

Personal js is working for me

• and i wanna know who is the troll and who is destroying the wikis

• but its up to everyone else now ill be back later

• And now CSS is not working either? What the heck is going on? This is unacceptable.

If custom CSS and JS is not allowed, disable also all your ads, since they inject code and take over backgrounds.

• Everything is corrupted or what?

• I hope CSS will be turned back on soon. Some wikis I edit look like shit without it.

• It's not corrupted, they're probably trying to make sure everything is safe. So as long as it won't be long until everything comes back on I'm fine with it.

• Jr Mime wrote: personal JS still works, but you can't edit it.

Good to know that we can't edit our own personal js files. I think Wikia should consider a topbar notice that appears everywhere and can't be hidden so people are aware. The message in the bottom corner will be closed by people and ignored.

• TheAquuaHybrid removed this reply because:
always late
18:40, August 10, 2015

• So, how long until javascript and css is re-enabled? This is kind of annoying. Especially since I was kind of in the middle of porting some infoboxes to the new format... which is now IMPOSSIBLE without CUSTOM CSS, THANKS A LOT

• TheAquuaHybrid wrote:

I believe it's only wikia.css and common.js.

And the Common.css.

• Well, for a little bit yesterday, I saw some Japanese text above each page that led to an edit link for each article, EVEN THE FRONT PAGE.

• My main account was compromised and I've already contacted Staff about it, so I suppose it's just a matter of time, but I'm also quite on edge since whoever is currently controlling that account is going around posting explicit content.  That really isn't something I need, or anyone needs for that matter.

• The Mol Man wrote: What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

Took me like 20 seconds to figure out that it's "log-in" and not "a log". But I totally agree (not to mention that most of the times I get a stupid error or a timeout message which directs me to Special:UserLogin, which kinda makes the form useless)

• I can't wait for CSS to be turned back on, because without it my wiki looks like trash when viewed on Monobook.

• What wikis were attacked?

• A workaround in case you temporarily really need JavaScript: open up your console and insert the script there. Note - please only add scripts you're familiar with, so that you know they're safe. Cheers!

• Jr Mime wrote:

Jillips Entertainment wrote: I'm an admin on one of the wikis that was hit, the FNaF Wiki. I understand that the situation is being addressed, though I am wondering about the user rights that have been taken away from me, and the other admins. I am okay with waiting, though I do hope it'll be resolved soon.

Please ask for your rights back at Special:Contact/general, have to make sure it is you, and not someone else.

I'll do just that. Thank you.

• Which wikias were attacked?

• Is it still recommended I change my password? Or is it safe to keep it?

• No JavaScript, no CSS... What's next? remove all text and images from pages, and leave only ads, for safeness sake? That's ridiculous!

• Axle555 wrote:
Which wikias were attacked?

From what I know, the Five Nights at Freddy's wiki, and the SCP Wiki.

• Axle555 wrote:
Which wikias were attacked?

What the heck is that?

• RapunzafanMSP wrote: Is it still recommended I change my password? Or is it safe to keep it?

• Some others were hit, too - at least one other.

• ThePokémonGamer wrote:

RapunzafanMSP wrote: Is it still recommended I change my password? Or is it safe to keep it?

But double-check and make sure it's the same email first.  I made the mistake of finding out what was going on hours later and jumped to changing my password without realizing the person changed my email.

• CSS is back on to me. No JS though.

• Custom username colors are back on the wiki I contribute to.

• RainingPain17 wrote: CSS is back on to me. No JS though.

Same for me.

• Hiddenlich wrote:
Custom username colors are back on the wiki I contribute to.

Not on mine.

• @DaNASCAT

Has anything been done about the troll, or is said user unknown still?

• IceColdRapper (Miiverse) wrote:

Hiddenlich wrote:
Custom username colors are back on the wiki I contribute to.

Not on mine.

• Curiousgorge66 wrote:

RainingPain17 wrote: CSS is back on to me. No JS though.

Same for me.

And me!

• Penguin-Pal wrote:

The Mol Man wrote: What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

Took me like 20 seconds to figure out that it's "log-in" and not "a log". But I totally agree (not to mention that most of the times I get a stupid error or a timeout message which directs me to Special:UserLogin, which kinda makes the form useless)

hi pp

• Yes, good news, CSS seems to be re-established little by little.

• Ylimegirl wrote:

IceColdRapper (Miiverse) wrote:

Hiddenlich wrote:
Custom username colors are back on the wiki I contribute to.
Not on mine.

I'm not a mod there. P9, a mod on my Wiki, says that we won't have any colors until it gets cleared up.

• I think the username colors were shut off for a few minutes because of a troll

• That1Girl wrote:
I think the username colors were shut off for a few minutes because of a troll

They are.

• What day did this all begin? Note: On Saturday, 2 days ago, I was at Corn Sky Wiki for the wiki's 2nd anniversary.

• North Aurora wrote:
What day did this all begin? Note: On Saturday, 2 days ago, I was at Corn Sky Wiki for their 2nd anniversary.

Yesterday.

• Jesus, it's scary to know some wikis were hit this hard...

I mean, look at FNAF wiki! I don't know if it's the same problem, but some trolls got in and deleted almost everything there! They did manage to restore most of the stuff, but the whole wikia was on lockdown for a while! That's some scary shit!

• When will the effects be turned back on? And how will it affect us if they are on??

• Hello,

First and foremost, there are a lot of suggestions included on this thread about how to mitigate this particular exploit. They are very good solid ones. However, each one would require a good amount of engineering time and each have a fallback. For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in. We have been slowly rolling out parts of Helios after testing. Unfortunately, this vulnerability was exploited before we were able to provide a closure that would maintain similar functionality. That's truly regrettable, but only drives us more to improve this system as a whole.

Re: Affected wikias - at this time, I am not releasing a list of the communities that were compromised. First and foremost, we need to respect user privacy in general and so we don't want attention to fall upon them at a time when they need to feel they have control over their accounts. We have communicated directly with the affected communities and are reaching out to users directly we believe were likely affected. Secondly, it goes back to a core tenet of not feeding trolls - we're not here to celebrate or publicize their work. Rather we are going to revert it and deal with it as needed, without the deep emotional reaction trolls crave. I ask that no one else in this thread try to figure out which wikias were affected.

I can not provide a timetable to when we will turn off this emergency measure. Please know though that a team of engineers and your Community Support team are working tirelessly on this. As an avid wiki user and coder myself, I certainly understand and empathize with the frustration some of you are feeling right now. Doing something for the greater good does not necessarily mean that all consequences of an action are positive. And right now, JS disablement for the online security of our users' information is the greater good.

• That1Girl wrote: I think the username colors were shut off for a few minutes because of a troll

JS as a whole has been disabled.

Joey (talk)

• Llove Kuwait wrote:

Penguin-Pal wrote:

The Mol Man wrote: What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

Took me like 20 seconds to figure out that it's "log-in" and not "a log". But I totally agree (not to mention that most of the times I get a stupid error or a timeout message which directs me to Special:UserLogin, which kinda makes the form useless)

hi pp

luk a kek :]
hi llove

• TheFoxyRiolu wrote:
Jesus, it's scary to know some wikis were hit this hard...

I mean, look at FNAF wiki! I don't know if it's the same problem, but some trolls got in and deleted almost everything there! They did manage to restore most of the stuff, but the whole wikia was on lockdown for a while! That's some scary shit!

One of the admins on the Wiki also had their account compromised, and whoever had it went around blocking people and wreaking havoc as well.  Everyone got demoted, too.

• What is JS? I personally have never used it.

• ...wonderful...

• IAmAwesome2 wrote:
What is JS? I personally have never used it.
• So some hell humper is on the loose are they?

• OK, I have never used JavaScript.

• Who is this vandal? Or is it personal?

• IAmAwesome2 wrote:
Who is this vandal? Or is it personal?

Not sure, but my best guess: Nightscythe. He attacked a lot of the wikias I've been on.

• IAmAwesome2 wrote: What is JS? I personally have never used it.

A lot of scripts that individual wikis use are made with JS. So with it being disabled, almost all communities will be affected in one way or another.

Joey (talk)

• "For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)"

I'm sorry, but all I'm hearing is that it's better to have a small increase in the number of users joining than it is to keep everyone's accounts and information safe.  It really doesn't matter how many users you have if none of them are safe.

• Thankfully I wasn't in the affected wikia but I'll gladly go with the changes

• HTTPS would also help

• What are trolls?

Some kind of hacker?
• Thunderheart of Thunderclan wrote:
IAmAwesome2 wrote:
Who is this vandal? Or is it personal?
Not sure, but my best guess: Nightscythe. He attacked a lot of the wikias I've been on.

That's a good guess, but no one knows for sure. Seeing that he only attacks certain wikis (ones that have cats on to be particular), I doubt it's him, and I think it's someone much much worse.

• DaNASCAT wrote:
But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

I would rather sign up to a website that is secure and has more registration steps than a website that is insecure and has fewer registration steps.

If it's possible, I think Wikia needs to make this announcement appear in the global navigation notifications. I always look there to see the messages that pertain to me- the little bubble at the bottom blends in and usually doesn't say anything that I needed to know. If I hadn't visited Community Central, I wouldn't have even noticed that the bubble showed up.

• It is.

• DaNASCAT is requesting us not to try and figure out which wikis were affected by who.

• Blaster Niceshot wrote:
DaNASCAT wrote:
But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)
I would rather sign up to a website that is secure and has more registration steps than a website that is insecure and has fewer registration steps.

Seriously.  It doesn't matter if you have more users if none of them are safe.

• DaNASCAT wrote:

The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in. We have been slowly rolling out parts of Helios after testing. Unfortunately, this vulnerability was exploited before we were able to provide a closure that would maintain similar functionality. That's truly regrettable, but only drives us more to improve this system as a whole.

If Javascript will not return anytime in the immediate future (next few days), then can we see it return after Helios is implemented since logins should be more secure at that point?

• Flamestar22 wrote:
Thunderheart of Thunderclan wrote:
IAmAwesome2 wrote:
Who is this vandal? Or is it personal?
Not sure, but my best guess: Nightscythe. He attacked a lot of the wikias I've been on.
That's a good guess, but no one knows for sure. Seeing that he only attacks certain wikis (ones that have cats on to be particular), I doubt it's him, and I think it's someone much much worse.

Point there, ja. It could be anyone. I also agree that all wikias will be affected. This is gonna be a hard time for wikia. Darn hacker scum, need to go get a life.

I do agree that changing password is necessary. I might do it myself.

• Hey guys, Mike here, I believe this is not something to worry about

• DaNASCAT wrote:
Hi everyone,

There was a security issue on a couple of wikias over the weekend. No long-term damage was done to any wikia, but a nasty troll caused some havoc for a while.

No kidding...

• Thunderheart of Thunderclan wrote:
Flamestar22 wrote:
Thunderheart of Thunderclan wrote:
IAmAwesome2 wrote:
Who is this vandal? Or is it personal?
Not sure, but my best guess: Nightscythe. He attacked a lot of the wikias I've been on.
That's a good guess, but no one knows for sure. Seeing that he only attacks certain wikis (ones that have cats on to be particular), I doubt it's him, and I think it's someone much much worse.
Point there, ja. It could be anyone. I also agree that all wikias will be affected. This is gonna be a hard time for wikia. Darn hacker scum, need to go get a life.

I do agree that changing password is necessary. I might do it myself.

I've already changed my password for safety reasons, and it seems like a good idea for everyone to do.

• Blaster Niceshot wrote:

DaNASCAT wrote:
But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

I would rather sign up to a website that is secure and has more registration steps than a website that is insecure and has fewer registration steps.

If it's possible, I think Wikia needs to make this announcement appear in the global navigation notifications. I always look there to see the messages that pertain to me- the little bubble at the bottom blends in and usually doesn't say anything that I needed to know. If I hadn't visited Community Central, I wouldn't have even noticed that the bubble showed up.

They have.

• The whole "extra steps means less users" thing also backfires even more once you realize that there are people leaving Wikia right now because they feel they aren't safe.  I'm on one of the affected Wikis right now and all I see is blog post after blog post from different users who don't feel safe so they don't want to stick around.

• Zazme Yakuza wrote:
Hey guys, Mike here, I believe this is not something to worry about

• Flamestar22 wrote:
Thunderheart of Thunderclan wrote:
Flamestar22 wrote:
Thunderheart of Thunderclan wrote:
IAmAwesome2 wrote:
Who is this vandal? Or is it personal?
Not sure, but my best guess: Nightscythe. He attacked a lot of the wikias I've been on.
That's a good guess, but no one knows for sure. Seeing that he only attacks certain wikis (ones that have cats on to be particular), I doubt it's him, and I think it's someone much much worse.
Point there, ja. It could be anyone. I also agree that all wikias will be affected. This is gonna be a hard time for wikia. Darn hacker scum, need to go get a life.

I do agree that changing password is necessary. I might do it myself.

I've already changed my password for safety reasons, and it seems like a good idea for everyone to do.

I agree, but I'm hesitant, as I never remember passwords.

Imho, there should be, like, a way to get in if you do not remember your password (like your mom's middle name, idea came from Minecraft) Because some people don't really have a choice with the lack of remembrance.

• Thunderheart of Thunderclan wrote:

Zazme Yakuza wrote:
Hey guys, Mike here, I believe this is not something to worry about

It IS something to worry about. Hackers are a big deal, especially on a global site that could affect millions of people.

• I have dealt with these hackers even if they are smarter than you or them and me, you can't risk worrying about it, it is just plain dumb or some words which fit in the category.

• Didn't you get hacked as well, DaNASCAT?

• What's gonna happen!? How will you stop the troll and is there an estimate of days of when we could go to our normal lives on the webzz?

• DaNASCAT wrote:

For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

I wanted to make a reply on its own to point this out: this is disgusting and scary to read from official staff of such a massive website. So many services are using two-factor authentication now and they're far better off for it. 2FA would help massively on Wikia, and yet you guys think it would stop people from registration? Just don't make it mandatory. People would feel more secure knowing they can enable 2FA. I would highly suggest you guys reconsider your stance on adding security to your service, because the idea that you wouldn't add security that so many other websites have already added is really scary.

• ThePokémonGamer wrote:

Blaster Niceshot wrote:

DaNASCAT wrote:
...
...
They have.

Did they do that before I posted or after? If they did it before, my apologies, I must have forgotten that I clicked on it.

• And if this is actually hackers I believe they are in a group

• Flamestar22 wrote:

Thunderheart of Thunderclan wrote:

Zazme Yakuza wrote:
Hey guys, Mike here, I believe this is not something to worry about
It IS something to worry about. Hackers are a big deal, especially on a global site that could affect millions of people.

Amen

• SlyCooperFan1 wrote:

DaNASCAT wrote:

For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

I wanted to make a reply on its own to point this out: this is disgusting and scary to read from official staff of such a massive website. So many services are using two-factor authentication now and they're far better off for it. 2FA would help massively on Wikia, and yet you guys think it would stop people from registration? Just don't make it mandatory. People would feel more secure knowing they can enable 2FA. I would highly suggest you guys reconsider your stance on adding security to your service, because the idea that you wouldn't add security that so many other websites have already added is really scary.

I agree with this.

• Zazme Yakuza wrote:

And if this is actually hackers I believe they are in a group

You're not helping. Passwords were stolen from user accounts and both accounts and wikis were compromised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

• LLRweegee wrote:
What's gonna happen!? How will you stop the troll and is there an estimate of days of when we could go to our normal lives on the webzz?

You can go to normal wiki life, but just be on the lookout in case someone gets hacked c:

They'll stop the troll somehow, just let them do what they need to do ^.~

• Wikia needs to enable HTTPS!

• SlyCooperFan1 wrote:

Zazme Yakuza wrote:

And if this is actually hackers I believe they are in a group

You're not helping. Passwords were stolen from user accounts and both accounts and wikis were compromised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

Ja, and besides, I am beginning to have suspicions about you now. Normal people don't defend hackers.

• Superluigi6 wrote:

Wikia needs to enable HTTPS!

HTTPS does not solve all issues, and there have been many HTTPS security flaws over the years. Heartbleed was one of the more recent and high-profile ones. If Wikia enabled HTTPS on all pages, it would help some attacks, but others wouldn't be affected.

• This isn't the first time wikia has been a target of such an attack.

• Thunderheart of Thunderclan wrote:

Flamestar22 wrote:

Thunderheart of Thunderclan wrote:

Zazme Yakuza wrote:
Hey guys, Mike here, I believe this is not something to worry about
It IS something to worry about. Hackers are a big deal, especially on a global site that could affect millions of people.

Amen

Meh, big deal?? You are not kind of making sense

• Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

• okay, that's all I wanted to know!
• Maybe not it is but are??

• IAmAwesome2 wrote:

Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

Having your account blocked doesn't change how easy it can be to steal someone's login data, especially if you can just make another account.

• Grand Duchess Anastasia wrote: This isn't the first time wikia has been a target of such an attack.

As such a large site, it's amazing things like this don't happen more often

• Zazme Yakuza wrote:
Maybe not it is but are??

Say again?

• IAmAwesome2 wrote: Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

He is.

Joey (talk)

• Thunderheart of Thunderclan wrote:

Zazme Yakuza wrote:
Maybe not it is but are??

Say again?

• Was the Elder scrolls wiki or the Elder Scrolls sandbox wiki affected?

• Thunderheart of Thunderclan wrote:

Zazme Yakuza wrote:
Maybe not it is but are??

Say again?

Maybe they are a group of hackers, if they are above 100, well good luck

• Zazme Yakuza wrote:

Thunderheart of Thunderclan wrote:

Zazme Yakuza wrote:
Maybe not it is but are??

Say again?

Maybe they are a group of hackers, if they are above 100, well good luck

• SlyCooperFan1 wrote:

IAmAwesome2 wrote:

Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

Having your account blocked doesn't change how easy it can be to steal someone's login data, especially if you can just make another account.

Good point.

• Zazme Yakuza wrote:

Thunderheart of Thunderclan wrote:

Zazme Yakuza wrote:
Maybe not it is but are??
Say again?
Maybe they are a group of hackers, if they are above 100, well good luck

You are so not helping..

• Everyone kudos this comment because Zmario wrote it!

• k

• I don't see what's so important about registering? By default, even users who aren't signed in can contribute to wikias. Registration allows you to hide your IP from the masses, get proper credit for your contributions, possibly get promoted to do some deep-end stuff with the wikias, contribute to pages or wikias that are locked from the masses, post blogs, set up a profile, and have a message wall. That's it, isn't it? The core of wikias is that they can be edited by anyone by default, and the lack of a proper account does not hinder that, does it? Did I miss something o.o

Also I'm laughing my ass off at the dude that's basically like "don't bother trying to defend against the hackers 'cause of this and that and this and that" xD

• Keep this on topic please. It's impossible to keep track of as it is, you're just derailing it now.

• Shegorath's Servant04 likes cheez-its wrote: Was the Elder scrolls wiki or the Elder Scrolls sandbox wiki affected?

Its site JS was.

Joey (talk)

• Dragonfree97 wrote:

Grand Duchess Anastasia wrote: This isn't the first time, wikia has been a target of such an attack.

As such a large site, it's amazing things like this don't happen more often

Which is a good thing.

• Thunderheart of Thunderclan wrote:
Zazme Yakuza wrote:
Hey guys, Mike here, I believe this is not something to worry about

Agreed. While I haven't noticed anything being very broken so far or unusual, it's good to see that this has been noticed and is being addressed. And while it does suck that many wikis are seeing their custom JS content broken, what the heck did you think was going to happen with something as vulnerable as JavaScript?

At the same time, though, there aren't exactly many different ways to achieve the same things that one can with JavaScript through different ways, so I understand why it is widely used. Not the best of choices, though...

• SolarMist wrote: I don't see what's so important about registering? By default, even users who aren't signed in can contribute to wikias. Registration allows you to hide your IP from the masses, get proper credit for your contributions, possibly get promoted to do some deep-end stuff with the wikias, contribute to pages or wikias that are locked from the masses, post blogs, set up a profile, and have a message wall. That's it, isn't it? The core of wikias is that they can be edited by anyone by default, and the lack of a proper account does not hinder that, does it? Did I miss something o.o

Also I'm laughing my ass off at the dude that's basically like "don't bother trying to defend against the hackers 'cause of this and that and this and that" xD

Some wikis have disabled anon editing. I think there was a staff blog post about it a few weeks ago

• Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

• Fandyllic wrote: Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

I'm not even sure that's possible, but even if it was, there would be nothing stopping an attacker copying and pasting js onto a Wikia page somewhere and importing that

• Does disabling the java have an effect on the youtube player? On my wiki, and a fellow friend's wiki as well, it doesn't seem to function anymore.

• Disabling Javascript isn't the answer. The problem isn't enabling Javascript. The problem is that Wikia's security policies are horribly negligent. Wikia uses insecure transmission for a bunch of different things. Wikia's policy on the Dev wiki was to not protect most scripts, ignoring the security issues; when the policy should have always been to require the code-editor permission to edit any scripts. Logging in should be restricted to a single page. Scripts should be auto-audited before being put into effect.

The issue here is that Wikia was negligent about security, and now we're paying the price.

• Deadcoder wrote: Disabling Javascript isn't the answer. The problem isn't enabling Javascript. The problem is that Wikia's security policies are horribly negligent. Wikia uses insecure transmission for a bunch of different things. Wikia's policy on the Dev wiki was to not protect any scripts, ignoring the security issues; when the policy should have always been to require the code-editor permission to edit any scripts. Logging in should be restricted to a single page. Scripts should be auto-audited before being put into effect.

The issue here is that Wikia was negligent about security, and now we're paying the price.

Hopefully, only temporarily, and not for too long.

Disabling Javascript isn't the answer. The problem isn't enabling Javascript. The problem is that Wikia's security policies are horribly negligent. Wikia uses insecure transmission for a bunch of different things. Wikia's policy on the Dev wiki was to not protect any scripts, ignoring the security issues; when the policy should have always been to require the code-editor permission to edit any scripts. Logging in should be restricted to a single page. Scripts should be auto-audited before being put into effect.

The issue here is that Wikia was negligent about security, and now we're paying the price.

Given the fact that Wikia doesn't want to enable 2FA, we might be paying this price for a long time to come.

• Dragonfree97 wrote:

SolarMist wrote: I don't see what's so important about registering? By default, even users who aren't signed in can contribute to wikias. Registration allows you to hide your IP from the masses, get proper credit for your contributions, possibly get promoted to do some deep-end stuff with the wikias, contribute to pages or wikias that are locked from the masses, post blogs, set up a profile, and have a message wall. That's it, isn't it? The core of wikias is that they can be edited by anyone by default, and the lack of a proper account does not hinder that, does it? Did I miss something o.o

Also I'm laughing my ass off at the dude that's basically like "don't bother trying to defend against the hackers 'cause of this and that and this and that" xD

Some wikis have disabled anon editing. I think there was a staff blog post about it a few weeks ago

DaNASCAT wrote:

First and foremost, there are a lot of suggestions included on this thread about how to mitigate this particular exploit. They are very good solid ones. However, each one would require a good amount of engineering time and each have a fallback. For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

(emphasis not mine!)

• Fandyllic wrote:
Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

Some accounts were taken over, like mine, so I think they mean on an individual scale like that, not like the user database got ripped open or something.

• Fandyllic wrote: Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

User, pass and email, no database hack, and it was internal JS, not external.

• Fandyllic wrote: Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

My guess is that someone put JS to redirect the login form to an external website, so users that were using the login form on the affected wiki were sending their credentials to the attacker instead of logging into wikia.
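The failure mode guessed at in the post above can be checked for from the defender's side: list every form that carries a password field and confirm that its submit target stays on an expected host over HTTPS. This is an added example, not part of the original thread and not Wikia's code; the host names, form descriptors and function names are all constructed for illustration.

```javascript
// Added example: audit where credential forms on a page would submit to.
// Hosts, sample forms and function names are constructed, not taken from Wikia.

// Classify one raw action/formaction value relative to the page that holds it.
function classifyTarget(rawAction, pageUrl, allowedHosts) {
  let target;
  try {
    // A missing or empty action submits back to the page itself; relative and
    // protocol-relative ("//host/path") values resolve against the page URL.
    target = new URL(rawAction || '', pageUrl);
  } catch (err) {
    return { target: null, verdict: 'unparseable' };
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return { target: target.href, verdict: 'non-http-scheme' };
  }
  if (!allowedHosts.includes(target.host)) {
    return { target: target.href, verdict: 'foreign-host' };
  }
  if (target.protocol !== 'https:') {
    return { target: target.href, verdict: 'cleartext' };
  }
  return { target: target.href, verdict: 'ok' };
}

// Return one finding per suspicious submit target of a password-bearing form.
function auditForms(forms, pageUrl, allowedHosts) {
  const findings = [];
  for (const form of forms) {
    if (!form.hasPassword) continue; // only credential forms matter here
    // A submit button's formaction attribute overrides the form's own action,
    // so every override has to be checked as well.
    const candidates = [form.action, ...(form.formActions || [])];
    for (const raw of candidates) {
      const result = classifyTarget(raw, pageUrl, allowedHosts);
      if (result.verdict !== 'ok') {
        findings.push({ id: form.id, raw, ...result });
      }
    }
  }
  return findings;
}

// In a browser the descriptors come from the live DOM (not used by the sample run).
function describeForms(doc) {
  return Array.from(doc.forms, (f) => ({
    id: f.id || '(no id)',
    action: f.getAttribute('action'),
    formActions: Array.from(f.querySelectorAll('[formaction]'),
      (b) => b.getAttribute('formaction')),
    hasPassword: f.querySelector('input[type="password"]') !== null,
  }));
}

// Constructed sample input: a page URL, an allowlist and seven form descriptors.
const PAGE = 'https://wiki.example.org/wiki/Main_Page';
const ALLOWED = ['wiki.example.org', 'login.example.org'];
const SAMPLE_FORMS = [
  { id: 'search', action: '//other.example/q', hasPassword: false },
  { id: 'login-ok', action: '/wiki/Special:UserLogin', hasPassword: true },
  { id: 'login-empty', action: null, hasPassword: true },
  { id: 'login-foreign', action: '//other.example/collect', hasPassword: true },
  { id: 'login-http', action: 'http://login.example.org/auth', hasPassword: true },
  { id: 'login-button', action: '/wiki/Special:UserLogin',
    formActions: ['https://other.example/x'], hasPassword: true },
  { id: 'login-script', action: 'javascript:void(0)', hasPassword: true },
];

for (const finding of auditForms(SAMPLE_FORMS, PAGE, ALLOWED)) {
  console.log(`${finding.id}: ${finding.verdict} -> ${finding.target}`);
}
```

The audit is a snapshot: a script that can run on the page can still change a form's target after the check, which is why the thread's proposal of keeping the login form on a single page that site scripts cannot touch addresses the cause rather than the symptom.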

• How do I unsubscribe from this?

• Press the Unfollow button on top

• Thunderheart of Thunderclan wrote:
How do I unsubscribe from this?

Go to the OP and in the corner of the post there will be a button that will let you unfollow.

• There's a "Unfollow" button on the top of the thread.

• Thunderheart of Thunderclan wrote:

How do I unsubscribe from this?

At the very top in the first post, hover over the "Following" button. Click it to unsubscribe.

• SlyCooperFan1 wrote:

Thunderheart of Thunderclan wrote:

How do I unsubscribe from this?

At the very top in the first post, hover over the "Following" button. Click it to unsubscribe.

THANK YOU! It was spamming my inbox

• What caused this?

• By the way, thanks Wikia, I feel really safe, considering someone just posted what my old password was to a blog post on a very popular Wiki.  Within the last 30 minutes.  Thanks.

• DaNASCAT wrote: … 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in. We have been slowly rolling out parts of Helios after testing. Unfortunately, this vulnerability was exploited before we were able to provide a closure that would maintain similar functionality. That's truly regrettable, but only drives us more to improve this system as a whole.

First, thank you TimQ for telling us about this and for keeping us up to date. That is very much appreciated by us all, I am sure.

Lastly, I don’t understand the comment “allows us to avoid a lot of the traps MediaWiki architecture has put us in.” At Wikipedia, logoff is indeed on every page when logged in; similarly, login is on every page when logged out. However, clicking on login takes one to a separate https: page to perform the login and credential check. Once correctly completed, one is returned to the page one was on when login was selected. Most likely it’s all over my head, but it seems to contradict the quoted statement at the start of this paragraph.

Thanks again for keeping us in the loop!

• Was the MLP community affected (dumb question) because I got reported for abusing people for no apparent reason..

• Now I feel something is really happening. People are making blog posts from one of the hacked wikis with this:

"Unfortunately due to the recent hackings I am afraid that my account to will be caught by the hackers

Until Wikia is certain that the hackers have been dealt with, I will be taking a short leave of absence from this wiki for a little while."

People start making jokes of it. Some thought it was really a joke. I have no idea if it's really a joke or not.

• It's no joke. Someone seems to really dislike the FNAF wiki.

• Tupka217 wrote:
It's no joke. Someone seems to really dislike the FNAF wiki.

I see.

If they really hate the FNaF Wiki they could have just left and never come back.

• DaNASCAT wrote:
Hello,

First and foremost, there are a lot of suggestions included on this thread about how to mitigate this particular exploit. They are very good solid ones. However, each one would require a good amount of engineering time and each have a fallback. For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

...

Every major service that offers 2FA has it as a recommended option. For some examples, see Google, Facebook, Outlook.com, Dropbox, GitHub. You don't need to have it to register, but it should be available for those who want it, and visible (via usergroup or whatever) so communities can enforce it for their admins.

DaNASCAT wrote:
... The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in. We have been slowly rolling out parts of Helios after testing. Unfortunately, this vulnerability was exploited before we were able to provide a closure that would maintain similar functionality. That's truly regrettable, but only drives us more to improve this system as a whole.

In the meantime you can replace the form with a link to Special:UserLogin, so JS can be re-enabled.

• SlyCooperFan1 wrote:

Disabling Javascript isn't the answer. The problem isn't enabling Javascript. The problem is that Wikia's security policies are horribly negligent. Wikia uses insecure transmission for a bunch of different things. Wikia's policy on the Dev wiki was to not protect any scripts, ignoring the security issues; when the policy should have always been to require the code-editor permission to edit any scripts. Logging in should be restricted to a single page. Scripts should be auto-audited before being put into effect.

The issue here is that Wikia was negligent about security, and now we're paying the price.

Given the fact that Wikia doesn't want to enable 2FA, we might be paying this price for a long time to come.

Plus how DaNASCAT seems to think we're going to require everyone to have 2FA - I'm pretty sure at least half of us here understand that not everyone is even able to do 2FA. C'mon Staff, if you're going to deny something because "oh gawd we won't get advertising or more users" then I don't understand why you even bother listening to us in the first place. We're not complete idiots, and it shouldn't take us saying this to make you understand that.

• Springy Boy wrote:
Now I feel something is really happening. People are making blog posts from one of the hacked wikis with this:

"Unfortunately due to the recent hackings I am afraid that my account to will be caught by the hackers

Until Wikia is certain that the hackers have been dealt with, I will be taking a short leave of absence from this wiki for a little while."

People start making jokes of it. Some thought it was really a joke. I have no idea if it's really a joke or not.

It seems like at least some of them are legitimately a show of solidarity, as that has happened with the wiki in the past, but I got word from a friend that a Wiki she uses has something going on where accounts are posting blogs without the actual owner of said account knowing.  In other words, on that Wiki, someone is taking over accounts.  Maybe it's happening on the FNAF Wiki again.  It doesn't help that I'm seeing a lot of names pop up that I've never seen before that have no edits there that are making that post.

• Ciencia Al Poder wrote:

Fandyllic wrote: Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

My guess is that someone put JS to redirect the login form to an external website, so users that were using the login form on the affected wiki were sending their credentials to the attacker instead of logging into wikia.

That's pretty evil, but I could see that happening. I assume this evildoer would have to be an admin to do this for it to affect other users?

• Fandyllic wrote:

Ciencia Al Poder wrote:

Fandyllic wrote: Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

My guess is that someone put JS to redirect the login form to an external website, so users that were using the login form on the affected wiki were sending their credentials to the attacker instead of logging into wikia.

That's pretty evil, but I could see that happening. I assume this evildoer would have to be an admin to do this for it to affect other users?

I know that an admin account was taken over on the FNAF Wiki and used to wreak havoc so

• I'm stunned that something of this magnitude could happen. How did no one fail to see that this could be a problem? I'm not an admin or a site manager, but authentication on any sort of script editing seems standard. Anyway, I'm going to keep this short and not say what's already been said, but disabling JavaScript isn't the solution.

• DaNASCAT wrote:
...
The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in.
...

Special:UserLogin has none of the faults you attribute to it.

• WalkerTexasRanger wrote: I'm stunned that something of this magnitude could happen. How did no one fail to see that this could be a problem? I'm not an admin or a site manager, but authentication on any sort of script editing seems standard. Anyway, I'm going to keep this short and not say what's already been said, but disabling JavaScript isn't the solution.

I'm not surprised that the person who did this, did it during the weekend, when most of the staff wouldn't be readily available. Or notice something wrong with their account.

• Believe me, Staff worked ultra fast when they've seen it.

• Would it be possible to implement 2FA as an optional thing you turn on?

• Jr Mime wrote: Believe me, Staff worked ultra fast when they've seen it.

I don't believe you.

• Shining-Armor wrote:
Would it be possible to implement 2FA as an optional thing you turn on?

No, see this reply from DaNASCAT.

• Jr Mime wrote: Believe me, Staff worked ultra fast when they've seen it.

Yeah, I noticed it. Good job on that, all of you.

• MichiRecRoom wrote:
Shining-Armor wrote:
Would it be possible to implement 2FA as an optional thing you turn on?
No, see this reply from DaNASCAT.

That's not saying it's impossible, that's just saying they don't want to implement it because they think it will deter people from signing up.

It doesn't matter how many users you have if none of them are protected.

2FA should be an option.  It's an option on pretty much every major website used these days.

• I'm pretty sure the TTTE wiki had a security breach as well.

• MichiRecRoom wrote:

Shining-Armor wrote:
Would it be possible to implement 2FA as an optional thing you turn on?

No, see this reply from DaNASCAT.

That reply seems to be saying they won't make it mandatory.

I am asking if they can enable it so that you can go to your preferences and add it.

• Shining-Armor wrote:

MichiRecRoom wrote:

Shining-Armor wrote:
Would it be possible to implement 2FA as an optional thing you turn on?

No, see this reply from DaNASCAT.

That reply seems to be saying they won't make it mandatory.

I am asking if they can enable it so that you can go to your preferences and add it.

Is it possible? Yes. Will they do it? DaNASCAT said they probably wouldn't. We'll just have to wait and see.

• You've got to be joking. A lot of our wikis use and need JavaScript; disabling it is NOT the solution. Give us two-factor authentication, or switch to HTTPS like every other website. So many solutions have been posted here.

• On my gameknight999 wiki that explains why when I created a navbox it didn't work (I realized there is another Gameknight999 wiki,=|)

• I only know some very basic coding stuff from using Wikia for the past year but if switching from Javascript to something else will prevent this crap from happening again I'm sure everyone would be willing to make the change.

• Homura-chan's Backup Account wrote: I only know some very basic coding stuff from using Wikia for the past year but if switching from Javascript to something else will prevent this crap from happening again I'm sure everyone would be willing to make the change.

It's not that. They've shut it down temporarily to prevent the same thing (or comparable things) from happening again. It's not a long term thing. It's short term, very, very short term.

• Hello, thank you for explaining what happened, I had a message that was in Japanese I translated it and it said something about the community wants me to edit it or something, I have a picture, that I shall upload, but I can't remember exactly what it said.

Is this connected to the security issue?
• Punkdrummergirl wrote: Hello, thank you for explaining what happened, I had a message that was in Japanese I translated it and it said something about the community wants me to edit it or something, I have a picture, that I shall upload, but I can't remember exactly what it said.

Is this connected to the security issue?

No, that's an unrelated issue. It's been solved.

• Homura-chan's Backup Account wrote:
I only know some very basic coding stuff from using Wikia for the past year but if switching from Javascript to something else will prevent this crap from happening again I'm sure everyone would be willing to make the change.

I'm actually convinced of the contrary — it's Wikia's responsibility to make sure that such thing cannot happen without taking away this freedom from their users. But as probably said several times in this thread, Wikia are working on it and it's only a temporary solution.

• To be clear, I am certainly not saying that 2FA is not an option or shouldn't be considered. I was simply trying to choose one example that each security measure we implement does have a cost, both in terms of implementation and in terms of barrier of use, to each and every user. Adding it as an optional preference is a fine idea and one we have been and will be actively discussing.

• Yes, Wikia is working on fixing the security problems that plague the site, but the problem is that these issues were obvious and should have been fixed much earlier, before an attack happened. They are performing disaster cleanup, because they failed to use proper safety procedures in the first place. Sympathy is not justified here, nor is patience.

• Just use no script

• Which wikis did the attacks occur on?

• MichiRecRoom wrote:

Shining-Armor wrote:
Would it be possible to implement 2FA as an optional thing you turn on?

No, see this reply from DaNASCAT.

An even better reason is that if it's optional, it can be turned off. Unless turning it off is at least as hard as providing the 2nd factor, the 2nd factor is useless. You can apply the same logic to so-called account recovery hints (at any number of sites) to see that they weaken security, not enhance it. Unless the administration of a site is truly committed to 2-factor, it's not an improvement. This is not an indictment of 2-factor. It's an indictment of the administration of most sites.

• Tupka217 wrote:

Punkdrummergirl wrote: Hello, thank you for explaining what happened, I had a message that was in Japanese I translated it and it said something about the community wants me to edit it or something, I have a picture, that I shall upload, but I can't remember exactly what it said.

Is this connected to the security issue?

No, that's an unrelated issue. It's been solved.

Please could you tell me what issue it was caused by?

I would feel much happier knowing what caused it.

• Punkdrummergirl wrote:

Tupka217 wrote:

Punkdrummergirl wrote: Hello, thank you for explaining what happened, I had a message that was in Japanese I translated it and it said something about the community wants me to edit it or something, I have a picture, that I shall upload, but I can't remember exactly what it said.

Is this connected to the security issue?

No, that's an unrelated issue. It's been solved.

Please could you tell me what issue it was caused by?

I would feel much happier knowing what caused it.

I heard about it when user:Candy Randy, one of the 7D wiki admins mentioned it to me.

• Punkdrummergirl wrote:

Tupka217 wrote:

Punkdrummergirl wrote: Hello, thank you for explaining what happened, I had a message that was in Japanese I translated it and it said something about the community wants me to edit it or something, I have a picture, that I shall upload, but I can't remember exactly what it said.

Is this connected to the security issue?

No, that's an unrelated issue. It's been solved.

Please could you tell me what issue it was caused by?

I would feel much happier knowing what caused it.

That was a promo run by the Japanese cluster of Wikia, and got accidentally sent sitewide instead of just restricted to Japanese users.

• On the Just Dance Wiki, show/hide buttons are now missing from navboxes. Is this related to the CSS being… whatever it was, turned off or something (too lazy to scroll up)?

• CAMERAwMUSTACHE wrote: On the Just Dance Wiki, show/hide buttons are now missing from navboxes. Is this related to the CSS being… whatever it was, turned off or something (too lazy to scroll up)?

Show/hide is enabled by Javascript, which is currently turned off. This means that they are disabled for the time being.

• CAMERAwMUSTACHE wrote:
On the Just Dance Wiki, show/hide buttons are now missing from navboxes. Is this related to the CSS being… whatever it was, turned off or something (too lazy to scroll up)?

Show/Hide are functions of JavaScript. JavaScript has also been disabled.

• My widgets and my countdown are turned off

That countdown was important :/

• You can still edit JS pages in XML through Special:Export and Special:Import. Y'all always seem to miss these two pages when it comes to overriding Wikia features. So if I'm an admin on a given wiki, I can still update any javascript page and anyone's personal JS with Import.

Also, HTTPS is in use on at least https://one.wikia-inc.com/. Although that's not necessarily the main domain people would be using. Whenever Helios goes live, I hope it is a secure connection for at least the log-in.

21:25, August 10, 2015 (UTC)

• @Ryan PM: While we can still edit JS pages through Import/Export, the functionality of Javascript itself has been globally disabled by Wikia across all wikis. Being able to edit the scripts or not doesn't matter; they won't run regardless.

• Axle555 wrote:
What are trolls? Some kind of hacker?

They try and make people angry. Look it up.

• SlyCooperFan1 wrote: @Ryan PM: While we can still edit JS pages through Import/Export, the functionality of Javascript itself has been globally disabled by Wikia across all wikis. Being able to edit the scripts or not doesn't matter; they won't run regardless.

Personal JS still runs, so if I were to be malicious, I could change User:X's Special:MyPage/wikia.js on a wiki that I have sysop rights on with Special:Import. The only way to supersede that is to do another import over that one. It's a glaring issue that has existed long before this. In the past I've been able to overwrite MediaWiki messages that normally are not changeable on the local wiki (like the On the Wiki tab at launch).

21:37, August 10, 2015 (UTC)

• This also affects wikis using MathJax or LaTeX, which Googology Wiki relies on.

• DaNASCAT wrote: First and foremost, there are a lot of suggestions included on this thread about how to mitigate this particular exploit. They are very good solid ones. However, each one would require a good amount of engineering time and each have a fallback. For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

I don't ever recall a 2FA system that was mandatory at registration. In the scope of Wikia's interests, 2FA is useful, but only to a comparatively small handful of people (such as staff), who have extensive permissions across Wikia's network; it should be optional, but certainly not mandatory at registration.

• Shoot. My newly created Fairy Tail OC was hit with this. Eric Peterson.

• SlyCooperFan1 wrote: @Ryan PM: While we can still edit JS pages through Import/Export, the functionality of Javascript itself has been globally disabled by Wikia across all wikis. Being able to edit the scripts or not doesn't matter; they won't run regardless.

Tell that to my Batch Delete JS. It still works!

• n_n I wasn't affected, good 4 me n_n

• Tupka217 wrote:

Homura-chan's Backup Account wrote: I only know some very basic coding stuff from using Wikia for the past year but if switching from Javascript to something else will prevent this crap from happening again I'm sure everyone would be willing to make the change.

It's not that. They've shut it down temporarily to prevent the same thing (or comparable things) from happening again. It's not a long term thing. It's short term, very, very short term.

That wasn't so much about Wikia disabling JS as it was about someone mentioning switching from JS to something else.

Also, this is Homura again, it looks like my backup account may have been compromised as well, as I was logged out of my account after I refreshed a page and now my password doesn't appear to work, so I guess this is fun.  I really don't understand what's going on anymore.

• 65.28.172.134 wrote:
Tupka217 wrote:

Homura-chan's Backup Account wrote: I only know some very basic coding stuff from using Wikia for the past year but if switching from Javascript to something else will prevent this crap from happening again I'm sure everyone would be willing to make the change.

It's not that. They've shut it down temporarily to prevent the same thing (or comparable things) from happening again. It's not a long term thing. It's short term, very, very short term.
That wasn't so much about Wikia disabling JS as it was about someone mentioning switching from JS to something else.

Also, this is Homura again, it looks like my backup account may have been compromised as well, as I was logged out of my account after I refreshed a page and now my password doesn't appear to work, so I guess this is fun.  I really don't understand what's going on anymore.

Actually scratch that, apparently that account doesn't exist.

• Maybe your computer has a trojan.

• Even if 2FA isn't rolled out as an optional feature to all accounts, could it at least be made mandatory for staff (and VSTF, maybe?), so you guys' accounts can't be compromised like this again?

Personally, if 2FA was an option I would take it, as long as it was a free text-based service workable with any mobile phone, not some sort of app-based thing that caters only to those with smartphones.

• This has been the second security breach involving JavaScript in a short period of time.

• Hello,

Here is an important update. Later this evening, we will release a change that will mitigate the most pressing security concern while allowing JavaScript and Verbatim to run again.

That change will shut down editing on the MediaWiki namespace, putting it in read-only mode except for the basic CSS files (MediaWiki:Common.css, MediaWiki:Monobook.css & MediaWiki:Wikia.css) that will allow those specific pages to be edited as needed. JavaScript will thus function again but be in read-only mode.

This is not a permanent solution - Many people at Wikia have been discussing strategy today and ways we can grow and adapt from this incident that makes Wikia secure but also protects and maintains the customization that makes our communities thrive.

While a lot of great progress was made in making a roadmap from where to go, we will need more time to shore up a solid, concrete plan moving forward. I will be providing further updates and insight into this issue. I am however asking the community to give Wikia a few days to communicate what the long-term plans will be. I will update this thread later tonight both to confirm the change to re-enable JavaScript loading is live, and again later this week to share more about where we are going.

• Now I'm not sure I'll be safe.......

• ThePokémonGamer wrote:
Maybe your computer has a trojan.

I can absolutely assure you it is not my computer.  And only my Wikia stuff is being affected.  As you can see after some tinkering I'm back in this one, but I'm highly suspicious and I've changed my password yet again.

• This is very scary news. Especially as a founder of a Wiki, I don't want any of the hard work made by myself and my community down the drain. I do really appreciate this warning though, and I encourage all users to make the necessary changes to make us safe from these attacks.

• Good idea. I'll go change my password right now.

• Homura-chan's Backup Account wrote:

North Aurora wrote:
What day did this all begin? Note: On Saturday, 2 days ago, I was at Corn Sky Wiki for their 2nd anniversary.

Yesterday.

Ok.

• I hope the editors at the Dev Wiki have also begun locking down their code and migrating it to a special Code namespace where only experienced and trusted code developers can edit. Good luck with the work, DaNASCAT.

Speedit  23:07, August 10, 2015 (UTC)

• North Aurora wrote:

Homura-chan's Backup Account wrote:

North Aurora wrote:
What day did this all begin? Note: On Saturday, 2 days ago, I was at Corn Sky Wiki for their 2nd anniversary.

Yesterday.

Ok.

Good thing there weren't any issues while I was at Corn Sky Wiki for their 2nd anniversary day. The Corn Sky Wiki's anniversary day is on August 8th every year since August 8, 2013. The wiki is currently 2 years old now.

• They've already done that for a few weeks now.

• DaNASCAT wrote: Hello,

Here is an important update. Later this evening, we will release a change that will mitigate the most pressing security concern while allowing JavaScript and Verbatim to run again.

That change will shut down editing on the MediaWiki namespace, putting it in read-only mode except for the basic CSS files (MediaWiki:Common.css, MediaWiki:Monobook.css & MediaWiki:Wikia.css) that will allow those specific pages to be edited as needed. JavaScript will thus function again but be in read-only mode.

This is not a permanent solution - Many people at Wikia have been discussing strategy today and ways we can grow and adapt from this incident that makes Wikia secure but also protects and maintains the customization that makes our communities thrive.

While a lot of great progress was made in making a roadmap from where to go, we will need more time to shore up a solid, concrete plan moving forward. I will be providing further updates and insight into this issue. I am however asking the community to give Wikia a few days to communicate what the long-term plans will be. I will update this thread later tonight both to confirm the change to re-enable JavaScript loading is live, and again later this week to share more about where we are going.

So Javascript will work again, but the only MediaWiki namespaced pages we can edit are the core CSS files?

• Yeah, you have to be a codeeditor to edit existing scripts on Dev wikia. You can still make scripts, you just have to request they be protected.

DaNASCAT wrote: Hello,

Here is an important update. Later this evening, we will release a change that will mitigate the most pressing security concern while allowing JavaScript and Verbatim to run again.

That change will shut down editing on the MediaWiki namespace, putting it in read-only mode except for the basic CSS files (MediaWiki:Common.css, MediaWiki:Monobook.css & MediaWiki:Wikia.css) that will allow those specific pages to be edited as needed. JavaScript will thus function again but be in read-only mode.

This is not a permanent solution - Many people at Wikia have been discussing strategy today and ways we can grow and adapt from this incident that makes Wikia secure but also protects and maintains the customization that makes our communities thrive.

While a lot of great progress was made in making a roadmap from where to go, we will need more time to shore up a solid, concrete plan moving forward. I will be providing further updates and insight into this issue. I am however asking the community to give Wikia a few days to communicate what the long-term plans will be. I will update this thread later tonight both to confirm the change to re-enable JavaScript loading is live, and again later this week to share more about where we are going.

So Javascript will work again, but the only MediaWiki namespaced pages we can edit are the core CSS files?

And other ones like the block messages. Just not anything related to javascript.

• Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

• IAmAwesome2 wrote:
SlyCooperFan1 wrote:

IAmAwesome2 wrote:

Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

Having your account blocked doesn't change how easy it can be to steal someone's login data, especially if you can just make another account.
Good point.

A good idea for Wikia would be to block the computer of the hacker. But they might get another computer. Still, it's just an idea...

• Can't block computers on Wikia.

• Thunderheart of Thunderclan wrote:

SlyCooperFan1 wrote:

Zazme Yakuza wrote:

And if this is actually hackers I believe they are in a group

You're not helping. Passwords were stolen from user accounts and both accounts and wikis were compromised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

Ja, and besides, I am beginning to have suspicions about you now. Normal people don't defend hackers.

They defend hackers, not crackers.

• IAmAwesome2 wrote:

IAmAwesome2 wrote:
SlyCooperFan1 wrote:

IAmAwesome2 wrote:

Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

Having your account blocked doesn't change how easy it can be to steal someone's login data, especially if you can just make another account.
Good point.

A good idea for Wikia would be to block the computer of the hacker. But they might get another computer. Still, it's just an idea...

How would they do it, MAC address? Those can change and any sensible hacker would use Linux virtual machines anyway? IP address? Maybe, it's what we do now but it's not all that, this incident is proof. Perhaps the people who violate Wikia's Terms of Use should be physically blocked from accessing the domain altogether. Harsh but if someone's already blocked everywhere, it stops them from doing anon edits through CheckUser of the blocked user to block ALL their IPs.

I hate vandals more than I hate website blocks so this is a somewhat decent solution

Speedit  23:32, August 10, 2015 (UTC)

• Jr Mime wrote:
Can't block computers on Wikia.

I figured. That could happen in the future, though.

Just saying.

• Speedit wrote:

IAmAwesome2 wrote:

IAmAwesome2 wrote:
SlyCooperFan1 wrote:

IAmAwesome2 wrote:

Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

Having your account blocked doesn't change how easy it can be to steal someone's login data, especially if you can just make another account.
Good point.
A good idea for Wikia would be to block the computer of the hacker. But they might get another computer. Still, it's just an idea...

How would they do it, MAC address? Those can change and any sensible hacker would use Linux virtual machines anyway? IP address? Maybe, it's what we do now but it's not all that, this incident is proof. Perhaps the people who violate Wikia's Terms of Use should be physically blocked from accessing the domain altogether. Harsh but if someone's already blocked everywhere, it stops them from doing anon edits through CheckUser of the blocked user to block ALL their IPs.

I hate vandals more than I hate website blocks so this is a somewhat decent solution

Speedit  23:32, August 10, 2015 (UTC)

Thank you.

• Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

Speedit  23:35, August 10, 2015 (UTC)

• Well, I really would love to be secure, but, I am very forgetful and one password is all I can handle.

• Speedit wrote:

Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

Speedit  23:35, August 10, 2015 (UTC)

I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.

• Argali1 wrote: Well, I really would love to be secure, but, I am very forgetful and one password is all I can handle.

YEEEEES! ^THIS.

I mean, who would entrust all their passwords to a password manager or bother to remember all those passwords anyway?

Speedit  23:43, August 10, 2015 (UTC)

• Alysdexia wrote:

Thunderheart of Thunderclan wrote:

SlyCooperFan1 wrote:

Zazme Yakuza wrote:

And if this is actually hackers I believe they are in a group

You're not helping. Passwords were stolen from user accounts and both accounts and wikis were compromised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

Ja, and besides, I am beginning to have suspicions about you now. Normal people don't defend hackers.

They defend hackers, not crackers.

WTF, why do you even think I am defending them, I said maybe the hackers are in a freaking group ok?

• Speedit wrote:

Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

Speedit  23:35, August 10, 2015 (UTC)

Because they don't have disciplined and right staff that's why.

• Veran Onyx wrote:

Speedit wrote:

Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

Speedit  23:35, August 10, 2015 (UTC)

I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.

Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

• So many people would actually swear they'd hack us almost daily so like, honestly, I doubt anyone actually saw this coming, because I'm being honest when I say a lot of those users who say such things are legitimately 12 and under.

• Homura-chan's Backup Account wrote:

Veran Onyx wrote:

Speedit wrote:

Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

Speedit  23:35, August 10, 2015 (UTC)

I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.

Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

You could just ban them and move on, why do you even pay attention to those haters, they just don't have a life

• Me, too.

Well, I had this bully who insulted me. But she is blocked across Wikia.

• Speedit wrote:

Argali1 wrote: Well, I really would love to be secure, but, I am very forgetful and one password is all I can handle.

YEEEEES! ^THIS.

I mean, who would entrust all their passwords to a password manager or bother to remember all those passwords anyway?

Speedit  23:43, August 10, 2015 (UTC)

Pretty simple question make a note and stick it on a table or below your chair, I mean no one looks below the chair when they are busy on the computer right?!

• Zazme Yakuza wrote:

Homura-chan's Backup Account wrote:

Veran Onyx wrote:

Speedit wrote:

Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

Speedit  23:35, August 10, 2015 (UTC)

I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.
Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

You could just ban them and move on, why do you even pay attention to those haters, they just don't have a life

None of us said we paid attention to them.  Someone asked why the FNAF Wiki gets targeted and I gave a few examples to support vern's.  People on the FNAF Wiki take things too seriously and we get targeted all the time.

• Zazme Yakuza wrote:

Alysdexia wrote:

Thunderheart of Thunderclan wrote:

SlyCooperFan1 wrote:

Zazme Yakuza wrote:

And if this is actually hackers I believe they are in a group

You're not helping. Passwords were stolen from user accounts and both accounts and wikis were compromised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

Ja, and besides, I am beginning to have suspicions about you now. Normal people don't defend hackers.

They defend hackers, not crackers.

WTF, why do you even think I am defending them, I said maybe the hackers are in a freaking group ok?

Discussing the identity of the hackers is USELESS. The people who replied to your comment are also wasting their time. Please read DaNASCAT's thread opener again:

DaNASCAT wrote: For now, please hold off speculation and explanations, and let us work in the background on this over the next few days.

In any case, I want to know what the importance of a password change is right now. What's the actual risk that my password has been stolen IF my home wiki has no notice on the subject?

Speedit  23:51, August 10, 2015 (UTC)

• DaNASCAT wrote: Hello,

Here is an important update. Later this evening, we will release a change that will mitigate the most pressing security concern while allowing JavaScript and Verbatim to run again.

That change will shut down editing on the MediaWiki namespace, putting it in read-only mode except for the basic CSS files (MediaWiki:Common.css, MediaWiki:Monobook.css & MediaWiki:Wikia.css) that will allow those specific pages to be edited as needed. JavaScript will thus function again but be in read-only mode.

This is not a permanent solution - Many people at Wikia have been discussing strategy today and ways we can grow and adapt from this incident that makes Wikia secure but also protects and maintains the customization that makes our communities thrive.

While a lot of great progress was made in making a roadmap from where to go, we will need more time to shore up a solid, concrete plan moving forward. I will be providing further updates and insight into this issue. I am however asking the community to give Wikia a few days to communicate what the long-term plans will be. I will update this thread later tonight both to confirm the change to re-enable JavaScript loading is live, and again later this week to share more about where we are going.

Good move.

• Homura-chan's Backup Account wrote:

Zazme Yakuza wrote:

Homura-chan's Backup Account wrote:

Veran Onyx wrote:

Speedit wrote:

Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

Speedit  23:35, August 10, 2015 (UTC)

I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.
Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

You could just ban them and move on, why do you even pay attention to those haters, they just don't have a life

None of us said we paid attention to them.  Someone asked why the FNAF Wiki gets targeted and I gave a few examples to support vern's.  People on the FNAF Wiki take things too seriously and we get targeted all the time.

Well if they do, that is not great, and you guys get targeted every time?! Umm well I don't believe that unless there is someone targets the wiki every single day.

• Speedit wrote:

Zazme Yakuza wrote:

Alysdexia wrote:

Thunderheart of Thunderclan wrote:

SlyCooperFan1 wrote:

Zazme Yakuza wrote:

And if this is actually hackers I believe they are in a group

You're not helping. Passwords were stolen from user accounts and both accounts and wikis were compromised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

Ja, and besides, I am beginning to have suspicions about you now. Normal people don't defend hackers.

They defend hackers, not crackers.

WTF, why do you even think I am defending them, I said maybe the hackers are in a freaking group ok?

Discussing the identity of the hackers is USELESS. The people who replied to your comment are also wasting their time. Please read DaNASCAT's thread opener again:

DaNASCAT wrote: For now, please hold off speculation and explanations, and let us work in the background on this over the next few days.

In any case, I want to know what the importance of a password change is right now. What's the actual risk that my password has been stolen IF my home wiki has no notice on the subject?

Speedit  23:51, August 10, 2015 (UTC)

If you can't access your password just actually email a new one and change it, if they got your IP change it, it is not so much a big deal

• Homura-chan's Backup Account wrote: Yeah, some people just take the Wiki way too seriously. When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

I remember I banned someone from chat, and they went and vandalized the wiki, replacing the text on the pages "Cata must die" and other stuff.

• Speedit wrote:

Zazme Yakuza wrote:

Alysdexia wrote:

Thunderheart of Thunderclan wrote:

SlyCooperFan1 wrote:

Zazme Yakuza wrote:

And if this is actually hackers I believe they are in a group

You're not helping. Passwords were stolen from user accounts and both accounts and wikis were compromised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

Ja, and besides, I am beginning to have suspicions about you now. Normal people don't defend hackers.

They defend hackers, not crackers.

WTF, why do you even think I am defending them, I said maybe the hackers are in a freaking group ok?

Discussing the identity of the hackers is USELESS. The people who replied to your comment are also wasting their time. Please read DaNASCAT's thread opener again:

DaNASCAT wrote: For now, please hold off speculation and explanations, and let us work in the background on this over the next few days.

In any case, I want to know what the importance of a password change is right now. What's the actual risk that my password has been stolen IF my home wiki has no notice on the subject?

Speedit  23:51, August 10, 2015 (UTC)

Well, if you are making some speculations or some suspicions just like I did just now, you got to be logical and think throughout everything that happens and you need to analyze it

• And it looks like we are indeed having trouble on the FNAF Wiki.  There is a user who has not actually made certain posts, but someone else who has access to their account.  However, the rightful owner of the account still has access to their account and is using it - someone else is just using it at the same time.

This seems to be happening with at least two or three other users over there right now, as well as with multiple users on a somewhat related Wiki.

So I mean that's neat.

• TheCatastrophe wrote:
Homura-chan's Backup Account wrote: Yeah, some people just take the Wiki way too seriously. When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

I remember I banned someone from chat, and they went and vandalized the wiki, replacing the text on the pages "Cata must die" and other stuff.

Yep, people are after us all the time.

• Zazme Yakuza wrote:

Homura-chan's Backup Account wrote:

Zazme Yakuza wrote:

Homura-chan's Backup Account wrote:

Veran Onyx wrote:

Speedit wrote:

Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

Speedit  23:35, August 10, 2015 (UTC)

I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.
Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.
You could just ban them and move on, why do you even pay attention to those haters, they just don't have a life
None of us said we paid attention to them.  Someone asked why the FNAF Wiki gets targeted and I gave a few examples to support vern's.  People on the FNAF Wiki take things too seriously and we get targeted all the time.

Well if they do, that is not great, and you guys get targeted every time?! Umm well I don't believe that unless there is someone targets the wiki every single day.

I gave examples of this being true but if you don't want to believe me that's not my business.  The local staff there is screamed at for everything they do.

• Not so much if you know it, but basically you just need to change your password it is that easy. Or just like block yourself for a minute or so. Well I am very glad that people are actually taking these things seriously and their reaction is so direct to the topic, well if people without privileges actually wouldn't believe this kind of threat, and sometimes, you may just want to alarm that person and it actually they just go mayhem and close their accounts down

• Zazme Yakuza wrote:

Speedit wrote:

Argali1 wrote: Well, I really would love to be secure, but, I am very forgetful and one password is all I can handle.

YEEEEES! ^THIS.

I mean, who would entrust all their passwords to a password manager or bother to remember all those passwords anyway?

Speedit  23:43, August 10, 2015 (UTC)

Pretty simple question make a note and stick it on a table or below your chair, I mean no one looks below the chair when they are busy on the computer right?!

Problem: that would make my baby brother a master hacker because he'd probably start reading the Post-it notes (he likes colorful things =D).

Zazme Yakuza wrote:

Speedit wrote:

Zazme Yakuza wrote:

Alysdexia wrote:

Thunderheart of Thunderclan wrote:

SlyCooperFan1 wrote:

Zazme Yakuza wrote:

And if this is actually hackers I believe they are in a group

You're not helping. Passwords were stolen from user accounts and both accounts and wikis were compromised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

Ja, and besides, I am beginning to have suspicions about you now. Normal people don't defend hackers.

They defend hackers, not crackers.

WTF, why do you even think I am defending them, I said maybe the hackers are in a freaking group ok?

Discussing the identity of the hackers is USELESS. The people who replied to your comment are also wasting their time. Please read DaNASCAT's thread opener again:

DaNASCAT wrote: For now, please hold off speculation and explanations, and let us work in the background on this over the next few days.

In any case, I want to know what the importance of a password change is right now. What's the actual risk that my password has been stolen IF my home wiki has no notice on the subject?

Speedit  23:51, August 10, 2015 (UTC)

If you can't access your password just actually email a new one and change it, if they got your IP change it, it is not so much a big deal

So I should probably change it to my Windows password. That should cover me for a while. It's just that mebee I should wait until JS is on and then the transition phase is over when I can believe the staff have well and truly fixed the exploit and scared off the hacker.

• Zazme Yakuza wrote:
Not so much if you know it, but basically you just need to change your password it is that easy. Or just like block yourself for a minute or so. Well I am very glad that people are actually taking these things seriously and their reaction is so direct to the topic, well if people without privileges actually wouldn't believe this kind of threat, and sometimes, you may just want to alarm that person and it actually they just go mayhem and close their accounts down

People are most likely taking this seriously because they run the real risk of losing their accounts if they are not careful, if they haven't already lost their accounts, that is.

• Speedit wrote:

So I should probably change it to my Windows password. That should cover me for a while. It's just that maybe I should wait until JS is on and then the transition phase is over when I can believe the staff have well and truly fixed the exploit and scared off the hacker.

I'm not sure the hacker has been scared off, judging by the weird activity by some users in the FNAF wiki.

• This was a terrible and knee-jerk response to the problem. One of the biggest issues I notice with Wikia -- one that has been pointed out time and time again -- is that the login form is on every single page. It's not just on one page. It would be very simple and incredibly secure to make a login page that, after login, takes one directly to the page they came from (or the main page/RWA if they came directly to the login page), instead of a login form on every page.

Turning off custom JS is not, under any circumstances, a viable long-term solution.

• Well, at least it stalls the hackers.

• And it's not intended to be a long-term solution. Staff have been working on new solutions to this problem, they just didn't decide "let's perm remove JS, no more problems!".

• 2FA for Wikia staff.

Allow Wikia sites to require 2FA for admin roles. (Allow each site to select which roles require 2FA.)

Show admins which site users have 2FA.

(And allow a long warning period where 2FA is optional to ease the transition.)

• All I'm worried about is the date javascript will be enabled again. The only thing that keeps me sailing here is that it's only a short-term situation.

2FA for Wikia staff.

Allow Wikia sites to require 2FA for admin roles. (Allow each site to select which roles require 2FA.)

Show admins which site users have 2FA.

(And allow a long warning period where 2FA is optional to ease the transition.)

The question is, is 2FA available for all operating systems (Mac, PC, Linux)?

• Homura-chan's Backup Account wrote: So many people would actually swear they'd hack us almost daily so like, honestly, I doubt anyone actually saw this coming, because I'm being honest when I say a lot of those users who say such things are legitimately 12 and under.

I saw it coming.

• Hiddenlich wrote:
The question is, is 2FA available for all operating systems (Mac, PC, Linux)?

OS is irrelevant. The most that would matter is the browser. Depending on the form of 2-factor, maybe not even that.

• If anyone is wondering about the trolls who accomplished this (and yes, there were multiple persons):

Wikia got at least one of them, and serious things happened there.  And that's wonderful.  Screw those trolls.

As for two of the others, they ran into us.

And we f****d up their s**t.

You're welcome.

• Zazme Yakuza wrote:
Well, at least it stalls the hackers.

No, it doesn't.  Custom JS makes hacking a page easy, because that means there's a form that hits all pages everywhere at once on a particular wiki.

However, there are several other scripts that do the same thing: the background of the wiki, for instance.  Tagging a code to the end of that page will hit the whole wiki.

That being said, the fact that one script hits everything means that everything came from a single source, and the traffic is easy to backtrack.  Hence the speed with which the first three hackers were found.

• HTTPS is also quite important, it's a lot harder to crack a server with SSL/TLS encryption and JS in particular would benefit from this.

Speedit  00:41, August 11, 2015 (UTC)

• Hey you guys may want to get things under control because I've been logged out of my account 3 times today without actually doing it myself, so, like, that's not cool.

• Changed my password three days ago, still got banned during the worst of it though. :|

• I've had to change my pw like 4 times in one day.

• Also, just to add to the list of smol people who hate admins and ex-admins of the FNAF Wiki, someone in the Community Central chat just spent like 30 minutes trying to get me to kill myself because I banned them on the FNAF Wiki at some point, apparently.

I am telling you.

These are unsupervised children that will scream at us for anything we ever do.

• A quick note regarding being logged out: this is most likely related to some security tweaks we're making. If you're at all anxious about logging in again, http://www.wikia.com/Special:UserLogin is a safe place to do so.

• Why is the CSS editor now limited to VSTF and Staff Members?

• People on the FNAF Wiki are still getting hacked.  :/

• Kirkburn wrote: A quick note regarding being logged out: this is most likely related to some security tweaks we're making. If you're at all anxious about logging in again, http://www.wikia.com/Special:UserLogin is a safe place to do so.

• I don't mean logged out, I mean legitimate account takeovers. Someone who is not the rightful owner of said account is posting from those various accounts. It seems this is not all over yet.

• Hiddenlich wrote:
Why is the CSS editor now limited to VSTF and Staff Members?

There was an issue at the Wikia Developers wiki site. So they had to protect it thanks to some vandal who attacked the communities with unwanted coding. My friends and I in Riley's mind aren't really happy about it. Also, my other friend "Sadness" is crying over this incident and Joy doesn't feel happy about it.

• DaNASCAT wrote:
Hello,

Here is an important update. Later this evening, we will release a change that will mitigate the most pressing security concern while allowing JavaScript and Verbatim to run again.

That change will shut down editing on the MediaWiki namespace, putting it in read-only mode except for the basic CSS files (MediaWiki:Common.css, MediaWiki:Monobook.css & MediaWiki:Wikia.css) that will allow those specific pages to be edited as needed. JavaScript will thus function again but be in read-only mode.

This is not a permanent solution - Many people at Wikia have been discussing strategy today and ways we can grow and adapt from this incident that makes Wikia secure but also protects and maintains the customization that makes our communities thrive.

While a lot of great progress was made in making a roadmap from where to go, we will need more time to shore up a solid, concrete plan moving forward. I will be providing further updates and insight into this issue. I am however asking the community to give Wikia a few days to communicate what the long-term plans will be. I will update this thread later tonight both to confirm the change to re-enable JavaScript loading is live, and again later this week to share more about where we are going.

Hopefully, JavaScript will be back up soon. I really want to edit my own navigation.

• I'm having an issue, but it's only on FNAF wiki. I can't post comments or replies on user blogs, but I can still post on forum posts. Any ideas as to why that might be?

• Multiple users cannot post certain things or to certain places. A particular user's block has run out and now they're posting terrible things. Everything is in chaos on the FNAF Wiki, pretty much.

• OH GREAT THE UTTP IS HERE >:(

• Homura-chan's Backup Account wrote:
Multiple users cannot post certain things or to certain places. A particular user's block has run out and now they're posting terrible things. Everything is in chaos on the FNAF Wiki, pretty much.

I don't even like FNAF. But what he was doing is not okay!

• Anyway, I can post comments again! :)

• Like the FNAF Wiki seriously needs help, all the admins are still demoted from what happened yesterday, no one has their powers back yet so all anyone there can do is just sit there and be harassed by people like this.  This is a mess.

• Homura-chan's Backup Account wrote:
Like the FNAF Wiki seriously needs help, all the admins are still demoted from what happened yesterday, no one has their powers back yet so all anyone there can do is just sit there and be harassed by people like this.  This is a mess.

It sounds like a coup d'état occurred for the worst.