The founder of Nigeria’s most popular website, Seun Osewa has finally broken silence on the incident that led to the closure of the website for over a week and caused significant loss of data to Nairaland users.
In a statement posted as a topic on the popular Forum, Mr. Osewa explained how hackers accessed the data on the site, the security breaches that occured and what Forum members could do to protect themselves and retrieve any lost data.
He also said Nairaland management would beef up security going forward in order to protect one of Nigeria’s most important data repositories.
The statement below:
Fellow Nairalanders,
On Sunday, the 22nd of June, at exactly 1:00PM, we lost access to Nairaland’s server. I immediately asked our web host to fix the problem. They refused to discuss the situation with me until very early on Monday morning, when they told me that someone hacked their server management system and used it to gain access to our server. The hacker deleted everything on our server, including our backups which we kept in a separate disk on the same server.
At that point, I knew that we had failed you in two ways: by relying on a web host which didn’t follow security best practices, which led to their systems being hacked, and by storing our backups in a location where anyone who hacked our primary server would be able to access them and delete them. “Luckily”, we recovered 8 years and 10 months of data out of the 9 years and 3 months of data that was lost, from a remote backup made in January.
All topics and posts created in the last 5 months are gone. All users who registered within the last 5 months will have to register again. It’s awful.
The attackers probably downloaded our entire database including your usernames, email addresses, and password hashes. As a result of our use of hashing, salting, and key stretching, it won’t be so easy for the attackers to steal your passwords if they are strong. However, we advice every Nairalander to please change his/her Nairaland password immediately. Please logout and then visit http://www.nairaland.com/login to use the password reset form.
You can recover your most important data using the technique below (we could not apply it automatically due to data consistency issues)
1) Search Google for the title of your thread, e.g. (title of thread site:nairaland.com)
2) Copy the URL of the page on Nairaland where the information used to reside from the search results, e.g. www.nairaland.com/123456/title-of-thread
3) Search Google’s cache for that URL, e.g. enter this into google: (cache:www.nairaland.com/123456/title-of-thread)
Here’s how we plan to secure your data in the future:
1) We’ve moved away from the host that lost our data to a very reputable host which is less likely to get hacked.
2) We’ve started storing our backups in remote location(s) that are completely independent of our primary server.
3) We’re doing a full review of all our operations in order to greatly improve security in every way that we can.
4) We’re trying to set up comprehensive disaster recovery plans so that Nairaland will survive no matter what happens.
Nairaland is no longer just Seun Osewa’s lucrative hobby. It is a vital resource that Nigerians and corporate bodies rely on. It must be protected and kept alive at all costs. It deserves to be managed, not by one feeble individual, but by a robust enterprise staffed by professionals who are the best at what they do. A robust enterprise that can defend Nairaland against all threats. I will devote the rest of my year to building such an enterprise.
If you had some advertising credit in your account before the attack, please send an email to the usual address so we can sort things out.
Sincerely,
Seun Osewa.