
UKC/UKH/Rockfax Server Attack - Information for Users

It has come to light that in late July of this year, UKH was hacked. We have outlined below the details of this attack, our actions to address this and recommendations for our users. We are very sorry about this and for any inconvenience caused.

Here are the important points:

  • We learned about the breach on 15 October 2020.
  • We recommend changing your UKH password.
  • We recommend changing the password on all sites that share the same password as your UKH one [1].
  • The passwords in our database were stored in a secure format - salted and hashed in accordance with industry standards [2].
  • We are internally reviewing the security of our systems, the personal data we hold, and whether we need to hold it.

Based on the security we have been using, the risk to passwords is very low and we are exercising an abundance of caution in our actions and recommendations.

What information does UKH hold

In specific relation to user data, we hold:

  • Username
  • Email
  • Password hash
  • In certain cases, addresses [3]

What happened

After our server changeover earlier this week, the enhanced security flagged a suspicious file in the codebase on our advertising site. An investigation revealed it was malicious code (a backdoor) that enabled the attacker to access the UKH codebase and database.

We cannot be certain what the hackers did on the server (or, specifically, what data they took). The most likely targets were usernames, emails, and password hash data [2].

What it means for our users

For our users, this means that they should take the precautionary steps of changing their password on UKH and all other sites that use the same password.

What was not affected

We don't hold any payment data; if you are a UKH Supporter, or you have a Rockfax Digital subscription, rest assured that your payment information is still secure. We use Stripe to manage our payments, and your card details are never stored in our database.

How it happened

There was a vulnerability in an upload plugin on the server that allowed malicious code to be uploaded and executed. Once this file was uploaded, the attackers could run this file through the browser, giving them the ability to view the server and run commands on it.

Being aware of, and keeping up to date with, all third-party libraries we use is important; in this instance, this library had slipped through because of the non-standard way it was being used.
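To illustrate the class of weakness described above, here is an added example (not the site's upload plugin or any UKH/Rockfax code) of the checks an upload handler should make before accepting a file: an extension allowlist, rejection of double extensions, a magic-byte check against the declared type, a size limit, a scan for server-side code markers, and a server-chosen random filename. The accepted types, the size limit and the assumption of a PHP host are all my own choices; the post names none of them.

```python
import os
import secrets
from pathlib import Path

# Assumed policy (not from the post): accepted image extensions and their leading bytes.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024
# Byte sequences that have no business inside an image (assumes a PHP host).
SERVER_SIDE_MARKERS = (b"<?php", b"<script")

def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Rejects anything the server could later be
    asked to execute; the client-supplied name is inspected, never reused."""
    name = os.path.basename(filename)               # drop any path the client sent
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return False, "no extension"
    if len(suffixes) > 1:                           # e.g. shell.php.jpg
        return False, "multiple extensions"
    ext = suffixes[0]
    if ext not in ALLOWED:
        return False, f"extension {ext} not allowed"
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not data.startswith(ALLOWED[ext]):           # declared type must match content
        return False, "content does not match extension"
    if any(marker in data.lower() for marker in SERVER_SIDE_MARKERS):
        return False, "embedded server-side code marker"
    return True, "ok"

def stored_name(ext: str) -> str:
    """Server-chosen random name. Write it to a directory outside the web root
    (or one with script execution disabled) and serve it through a handler."""
    return secrets.token_hex(16) + ext

if __name__ == "__main__":
    samples = {                                      # constructed sample uploads
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "notes.php": b"<?php echo 'hello'; ?>",
        "shell.php.jpg": b"\xff\xd8\xff\xe0",
        "pic.png": b"\x89PNG\r\n\x1a\n" + b"<?PHP echo 1;",
    }
    for fname, content in samples.items():
        print(fname, validate_upload(fname, content))
```

The last two rejections are the ones that matter most here: a file whose content does not match its extension, and a valid image header with script text appended, are both exactly the shapes an upload filter that only looks at the filename would let through.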

What are we going to do now

Initial actions we have taken:

  • This specific vulnerability has been removed.
  • We have taken steps to ensure similar vulnerabilities do not exist on the server.
  • We have reported this as a data breach to the ICO.

Preventative actions we will implement:

  • A review of our entire codebase was carried out. This has been completed and the only affected files were on our Advertising site where the breach happened. No files on UKC or UKH were affected.
  • We recommend that all users change their UKH password as a precaution.
  • We will change the hashing algorithm we use to protect stored passwords to an even more secure one.
  • Similarly, we recommend changing the password on any sites for which you have also used your old password. See the advice of Troy Hunt on password reuse.
  • We will delete all addresses stored from competitions, and review how this system works [3].

Going forward

There may be an increase of phishing emails asking you to interact with your account. We will not be sending any emails about this. Please be extra vigilant and, if you are at all unsure, please contact us by using the contact us link at the bottom of every page. Learn more about phishing attacks.

If you have used your UKH password on other sites, we strongly recommend you change these. We would also suggest using a password manager to ensure you use a unique password for every site.

Our investigation is ongoing. If more information comes to light, we will make another announcement.

If you have any questions or concerns, please don't hesitate to contact us.

We are very sorry that this happened. We will keep working towards a better and more secure platform for all our users.

[1] Change it to a unique one if this is the case.

[2] Industry Standards - This means that your password was not stored in plain text. We use the SHA-2 hashing algorithm, along with a long unique salt for each password. For more information see The Guardian's explainer.
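Footnote [2] describes the old storage (SHA-2 over a long, unique salt per password) and the action list above promises a move to a stronger algorithm. The example below is added here and is not UKH's code: it shows both record layouts, constant-time verification against whichever one a user still has, an opportunistic upgrade of a SHA-2 record at the next successful login, and a timing helper that makes the per-guess cost difference visible. The record layout, the salt||password ordering, the choice of PBKDF2-HMAC-SHA256 and its iteration count are all assumptions; the post names neither the new algorithm nor its parameters.

```python
import hashlib
import hmac
import secrets
import time

# Old layout as footnote [2] describes it: SHA-2 over a long random salt plus the
# password. The 32-byte salt and salt||password ordering are assumptions.
def sha2_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

def make_sha2_record(password: str) -> dict:
    salt = secrets.token_bytes(32)
    return {"scheme": "sha256", "salt": salt, "digest": sha2_hash(password, salt)}

# New layout: a deliberately slow, iterated KDF. PBKDF2-HMAC-SHA256 is used here
# because it ships with the standard library; the post does not name its choice.
PBKDF2_ITERATIONS = 600_000

def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_pbkdf2_record(password: str) -> dict:
    salt = secrets.token_bytes(32)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": PBKDF2_ITERATIONS,
            "digest": pbkdf2(password, salt, PBKDF2_ITERATIONS)}

def verify(password: str, rec: dict) -> bool:
    """Check a password against whichever scheme the stored record uses."""
    if rec["scheme"] == "sha256":
        candidate = sha2_hash(password, rec["salt"])
    else:
        candidate = pbkdf2(password, rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["digest"])  # constant-time compare

def login_and_migrate(password: str, rec: dict) -> tuple:
    """Verify, and on success re-hash a legacy SHA-2 record under PBKDF2 while the
    plaintext is briefly in hand. Returns (accepted, record_to_store)."""
    if not verify(password, rec):
        return False, rec
    if rec["scheme"] == "sha256":
        rec = make_pbkdf2_record(password)
    return True, rec

def cost_per_guess(rec: dict, samples: int = 3) -> float:
    """Seconds per verification: the per-guess cost an offline attacker faces."""
    start = time.perf_counter()
    for _ in range(samples):
        verify("not-the-password", rec)
    return (time.perf_counter() - start) / samples
```

Running `cost_per_guess` on a record of each kind shows why a stolen table of salted SHA-2 hashes is "low risk" rather than "no risk", and why the planned change is worth making: the salt stops precomputed tables, but only the iterated KDF makes each individual guess expensive.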

[3] To make the process of entering competitions smoother for the user, we stored the user's address for the next time. We will delete all addresses stored from competitions, and review how this system works.

16 Oct

Rockfax hacked? Did they try to change the grade on Three Pebble Slab?

16 Oct

Those are good comms. We know: what happened, when it happened, why it happened, what you are doing about it, what users should do about it, that card data is safe and that the Information Commissioner has been informed.

Some companies, with huge PR teams, could learn from that.

16 Oct

Thanks for the heads up. Not an ideal situation, but these things happen and the damage seems limited and your communication about the issue is refreshingly good.

16 Oct

Thanks for being so open about it.

16 Oct

Does this explain the Great Barrington chatbot scandal?
