As many of you have seen, OD has been down for most of the last 24 hours due to a security problem caused by illegal accesses to our system.
I intend to write a longer entry later with more detail (for those who are inclined to know), but I want to get this out there with some important information for people as they log back onto the site.
The attack on the site was performed by a person who found a way to embed a hidden piece of script in notes; that script ran in the browser of anybody who viewed an entry carrying the note. Without the viewer knowing anything had happened, the hidden script loaded a second script from an overseas server, which used the viewer's logged-in OD session to change that user's email address in OD to an email address owned by the perpetrator. The script then triggered a password retrieval through OD, so that OD mailed the password to the perpetrator. After that, it attempted to change the user's email address back to the original (that part failed in most cases). It was an ingenious and evil piece of script - I have shown it to several programmers over the past day, and most of them admitted that it was doing things across servers that they did not think was possible.
In any case, more on that later. The important news is that the opening in the system which allowed this to happen has been closed, and we have spent most of the day testing to ensure that this problem cannot happen again. We have already added several new layers of security, to prevent this sort of activity at many levels. More on that later, as well.
What is important and unfortunate is that the person responsible was able to illegally obtain over 2,000 usernames and passwords from OD's system. We were lucky that the Support Staff realized that there was a problem, and we were able to shut down the site last night before the situation became worse.
Let me make this clear: there was no damage to any diary data, and nothing was lost from any of our accounts. If anything had been deleted from any diaries it would have been caught and retained by our security and backup software - however, that does not seem to have been the criminal's intent.
For those users whose diary security was compromised, we have changed the password in the system to ensure that nobody else can access your diary. This password has been emailed to you at the email address that you had on file with OD before the problem. Every user should check to see if they have received one of these emails - it will have a subject of "IMPORTANT message from Open Diary about online security".
If you have received one of these emails, the only change on OD is that you need to use the password in the email to log back into your diary. After that, you can change the password to another one, if you would like. However, this is important: if you received one of these emails and you used the same username and password on other sites as on OD, you should change the passwords on those sites immediately, because the perpetrator now has that combination. It is never a good idea to reuse the same username and password across multiple sites.
Another thing that is important is that one of the new layers of security that we have added will be validating login attempts in your diary. You have probably seen this sort of system on other sites - if you try to log into your account from a computer you don't normally use, you will see a message saying that you need to validate this computer. This is designed so that somebody using a computer other than yours cannot log into your account, even if they have obtained your password.
I have added a system like this to OD, but it should be invisible to you as long as you are logging in from a computer that you have previously used for OD. If you try to log in with a computer that has not previously been used for OD, you will see a message asking you to contact the Support Staff to validate the computer. In the near future, we will be adding a facility for secret questions and answers, so that you can validate new computers and IP addresses automatically.
That's all for right now. I apologize for the inconvenience caused by this situation, and we have done everything we can in a very short time period to bring the site back online. I owe a HUGE debt of gratitude to our Support Staff: X, EWS, and Gail, who stayed up all night with me to work through this problem and come up with a solution. We truly would not be where we are today without their invaluable assistance.
Finally, if you did not receive one of the emails from us, there should be nothing to worry about - your diary was not affected by this intrusion. Also, please be aware that no other information was compromised - we do not store credit card numbers, PayPal information, or personal information that could have been exposed by this attack.
I will post more later, but in the meantime if you have any trouble logging into OD, please use the "Help" link in the menu to contact our staff.