UKC/UKH/Rockfax Server Attack - Information for Users

© UKC News

It has come to light that in late July of this year, UKH was hacked. We have outlined below the details of this attack, our actions to address this and recommendations for our users. We are very sorry about this and for any inconvenience caused.


Here are the important points:

  • We learned about the breach on 15 October 2020.
  • We recommend changing your UKH password.
  • We recommend changing the password on all sites that share the same password as your UKH one [1].
  • The passwords in our database were stored in a secure format - salted and hashed in accordance with industry standards [2].
  • We are internally reviewing the security of our systems, the personal data we hold, and whether we need to hold it.

Based on the hashing scheme we have been using, the risk to passwords is low, and we are exercising an abundance of caution in our actions and recommendations. The exception is weak or commonly used passwords, which can still be guessed offline from a salted hash, so please do change yours.

What information does UKH hold

In specific relation to user data, we hold:

  • Username
  • Email
  • Password hash
  • In certain cases, addresses [3]

What happened

After our server changeover earlier this week, the enhanced security checks flagged a suspicious file in the codebase on our advertising site. An investigation revealed it was malicious code (a backdoor of the kind commonly called a web shell) that gave the attacker access to the UKH codebase and database.

We cannot be certain what the attackers did on the server or, specifically, what data they took. The most likely targets were usernames, emails and password hashes [2].
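The "suspicious file" detection described above is typically a file integrity check: hash every file in the deployed codebase, keep the list as a baseline, and flag anything added or modified since. The following is an added example (not UKC's own tooling) that builds such a baseline and additionally runs a few constructed web-shell heuristics over the new or changed files; the directory layout, file contents and patterns are all made up for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed heuristics for common PHP web-shell idioms. A real deployment would
# pair a baseline diff with a maintained signature set; these are illustrative only.
SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST)"),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(old, new):
    """Files that appeared, disappeared or changed between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def looks_like_web_shell(data):
    return any(p.search(data) for p in SHELL_PATTERNS)


def scan(root, baseline):
    """Diff the live tree against the baseline, then run the shell heuristics
    only over files that are new or changed (the ones an integrity check cares about)."""
    delta = diff_baseline(baseline, build_baseline(root))
    suspicious = [p for p in delta["added"] + delta["modified"]
                  if looks_like_web_shell(Path(root, p).read_bytes())]
    return delta, suspicious


def demo():
    """Constructed scenario: baseline a tiny site, then simulate an attacker dropping a
    shell into the upload directory and backdooring an existing page."""
    with tempfile.TemporaryDirectory() as root:
        root_p = Path(root)
        (root_p / "index.php").write_text("<?php echo 'hello'; ?>")
        os.makedirs(root_p / "uploads")
        (root_p / "uploads" / "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
        baseline = build_baseline(root)

        (root_p / "uploads" / "banner2.php").write_text("<?php eval(base64_decode($_POST['c'])); ?>")
        (root_p / "index.php").write_text("<?php echo 'hello'; system($_GET['cmd']); ?>")
        return scan(root, baseline)


if __name__ == "__main__":
    delta, suspicious = demo()
    print("changed:", delta)
    print("suspicious:", suspicious)
```

The baseline must be generated from a trusted copy (the release artefact or the deploy pipeline), not from the live server after the fact, and it should be stored somewhere the web server's account cannot write to; otherwise an attacker who already has a shell can simply update it.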

What it means for our users

For our users, this means that they should take the precautionary steps of changing their password on UKH and all other sites that use the same password.

What was not affected

We don't hold any payment data; if you are a UKH Supporter, or you have a Rockfax Digital subscription, rest assured that your payment information is still secure. We use Stripe to manage our payments, and your card details are never stored in our database.

How it happened

There was a vulnerability in an upload plugin on the server that allowed malicious code to be uploaded and executed. Once the file was uploaded, the attackers could request it through the browser, and the web server ran it as a script, giving them the ability to browse the server's filesystem and run commands with the web server's privileges.

Being aware of, and keeping up to date with, all third-party libraries we use is important; in this instance, this library had slipped through our update process because of the non-standard way it was being used.
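The flaw described above is the classic unrestricted file upload: the plugin checks something the client controls (the declared content type, or an extension that merely appears somewhere in the name) and saves the file where the web server will execute it. The following is an added example, not the plugin's code or UKC's fix, showing that weak check beside a hardened validator; the allowlist, the `/var/uploads` directory (assumed to sit outside the document root) and the sample files are assumptions for the demonstration.

```python
import os
import secrets
from pathlib import PurePosixPath

# Allowed extensions and the file signature (magic bytes) each must start with.
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
# Extensions a typical web server hands to a script interpreter. Never accept these
# anywhere in the name: "shell.php.png" runs as PHP on some Apache configurations.
SCRIPT_EXTS = {".php", ".php3", ".php5", ".phtml", ".phar", ".asp", ".aspx",
               ".jsp", ".cgi", ".pl", ".py", ".sh"}


def weak_accept(filename, client_content_type):
    """The kind of check that gets bypassed: trusts the Content-Type header the
    client sent and looks for an image extension anywhere in the filename."""
    name = filename.lower()
    return client_content_type.startswith("image/") or any(ext in name for ext in ALLOWED)


def validate_upload(filename, data, upload_dir="/var/uploads"):
    """Return (True, storage_path) for an acceptable upload, else (False, reason).
    Decisions use the file contents and a fixed allowlist, never client-supplied metadata."""
    # Keep only the final path component so "../../x.png" cannot escape upload_dir.
    base = PurePosixPath(filename.replace("\\", "/")).name
    suffixes = [s.lower() for s in PurePosixPath(base).suffixes]
    if not suffixes:
        return False, "no extension"
    ext = suffixes[-1]
    if ext not in ALLOWED:
        return False, f"extension {ext} not allowed"
    if any(s in SCRIPT_EXTS for s in suffixes):
        return False, "script extension in filename"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    # Polyglot check: a valid GIF header followed by PHP is still a script to the
    # interpreter. Re-encoding the image with an image library is the robust fix.
    if b"<?php" in data:
        return False, "PHP tag inside file"
    # Discard the user's filename entirely; store under a random name outside the webroot.
    safe_name = secrets.token_hex(16) + ext
    return True, os.path.join(upload_dir, safe_name)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 8
    php = b"<?php system($_GET['cmd']); ?>"
    print("weak check accepts shell.php:", weak_accept("shell.php", "image/png"))
    print("hardened:", validate_upload("shell.php", php))
    print("hardened:", validate_upload("logo.png", png))
```

Two further controls belong around this validator: serve stored uploads through a handler that sets `Content-Disposition: attachment` and a fixed `Content-Type`, and configure the upload directory with script execution disabled, so that even a file the validator got wrong is never executed.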

What are we going to do now

Initial actions we have taken:

  • This specific vulnerability has been removed.
  • We have taken steps to ensure similar vulnerabilities do not exist on the server.
  • We have reported this as a data breach to the ICO.

Preventative actions we will implement:

  • A review of our entire codebase has been completed: the only affected files were on our Advertising site, where the breach happened. No files on UKC or UKH were affected.
  • We are recommending that all users change their UKH password as a precaution.
  • We will change the hashing algorithm we use to store passwords to a stronger one designed specifically for password storage.
  • Similarly, we recommend changing the password on any sites for which you have also used your old password. See the advice of Troy Hunt on password reuse.
  • We will delete all addresses stored from competitions, and review how this system works [3].
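The algorithm change above, and the salted SHA-2 scheme described in footnote [2], differ in one property: how much work each guess costs an attacker holding the leaked hashes. The following added example (not UKC's code) implements both, a constant-time verifier, the upgrade-on-next-login path a migration needs, and the offline guessing an attacker performs against a leaked record. scrypt from the standard library stands in for the unnamed replacement algorithm, and the wordlist, passwords and cost parameters are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import time

# scrypt cost parameters (assumed for this example). Tune so one hash takes tens of
# milliseconds on the login server; this setting uses 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_salted_sha256(password, salt):
    """The scheme the announcement describes: per-user random salt + SHA-256.
    Fast by design, so an attacker can test millions of guesses per second."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_scrypt(password, salt):
    """A memory-hard password hash: every guess costs the attacker the same
    time and memory it costs the login server."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32).hex()


HASHERS = {"hash_salted_sha256": hash_salted_sha256, "hash_scrypt": hash_scrypt}


def make_record(password, hashfn):
    """Store the algorithm tag alongside salt and digest so records can be migrated."""
    salt = os.urandom(16)
    return {"alg": hashfn.__name__, "salt": salt, "digest": hashfn(password, salt)}


def verify(password, record):
    digest = HASHERS[record["alg"]](password, record["salt"])
    return hmac.compare_digest(digest, record["digest"])  # constant-time comparison


def upgrade_on_login(password, record):
    """Rehash with scrypt at the next successful login: the plaintext is only
    available then, so existing SHA-256 records cannot be converted offline."""
    if not verify(password, record):
        return None
    if record["alg"] == "hash_scrypt":
        return record
    return make_record(password, hash_scrypt)


def offline_guess(record, wordlist):
    """What an attacker does with a leaked record: one hash computation per candidate."""
    for candidate in wordlist:
        if verify(candidate, record):
            return candidate
    return None


def cost_ratio(trials=5):
    """Seconds per scrypt hash divided by seconds per salted-SHA-256 hash on this machine."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(trials):
        hash_salted_sha256("correct horse battery staple", salt)
    sha_time = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    for _ in range(trials):
        hash_scrypt("correct horse battery staple", salt)
    scrypt_time = (time.perf_counter() - t0) / trials
    return scrypt_time / sha_time


if __name__ == "__main__":
    # Constructed wordlist standing in for the large leaked-password lists attackers use.
    wordlist = ["password", "letmein", "climbing123", "rockfax"]
    record = make_record("climbing123", hash_salted_sha256)
    print("recovered from SHA-256 record:", offline_guess(record, wordlist))
    print("scrypt is slower per guess by a factor of roughly", int(cost_ratio()))
```

The salt prevents precomputed tables and forces each user's hash to be attacked separately, but it does nothing to slow an individual guess; that is why the recommendation to change a weak or reused password stands even though the hashes were salted, and why the migration is worth doing.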

Going forward

There may be an increase in phishing emails asking you to interact with your account. We will not be sending any emails about this. Please be extra vigilant and, if you are at all unsure, contact us using the contact us link at the bottom of every page. Learn more about phishing attacks.

If you have used your UKH password on other sites, we strongly recommend you change these. We would also suggest using a password manager to ensure you use a unique password for every site.

Our investigation is ongoing. If more information comes to light, we will make another announcement.

If you have any questions or concerns, please don't hesitate to contact us.

We are very sorry that this happened. We will keep working towards a better and more secure platform for all our users.


[1] Change it to a unique one if this is the case.

[2] Industry Standards - This means that your password was not stored in plain text. We use the SHA-2 hashing algorithm, along with a long unique salt for each password. The salt defeats precomputed lookup tables and forces each hash to be attacked on its own, but SHA-2 is a fast general-purpose hash, so a weak or common password can still be guessed offline; slow, purpose-built password hashes (bcrypt, scrypt, Argon2) are now recommended, which is why we are changing algorithm. For more information see The Guardian's explainer.

[3] To make the process of entering competitions smoother for the user, we stored the user's address for the next time. We will delete all addresses stored from competitions, and review how this system works.




16 Oct, 2020

Rockfax hacked? Did they try to change the grade on Three Pebble Slab?

16 Oct, 2020

Those are good comms. We know: what happened, when it happened, why it happened, what you are doing about it, what users should do about it, that card data is safe and the Information Commissioner has been informed.

Some companies, with huge PR teams, could learn from that.

16 Oct, 2020

Thanks for the heads up. Not an ideal situation, but these things happen and the damage seems limited and your communication about the issue is refreshingly good.

16 Oct, 2020

Thanks for being so open about it.

16 Oct, 2020

Does this explain the Great Barrington chatbot scandal?
