It has come to light that in late July of this year, UKH was hacked. We have outlined below the details of this attack, our actions to address this and recommendations for our users. We are very sorry about this and for any inconvenience caused.
Here are the important points:
- We learned about the breach on 15 October 2020.
- We recommend changing your UKH password.
- We recommend changing the password on all sites that share the same password as your UKH one. [1]
- The passwords in our database were stored in a secure format - salted and hashed in accordance with industry standards. [2]
- We are internally reviewing the security of our systems, the personal data we hold, and whether we need to hold it.
Based on the security we have been using, the risk to passwords is very low, and we are exercising an abundance of caution in our actions and recommendations.
What information does UKH hold?
In specific relation to user data, we hold:
- Password hash
- In certain cases, addresses [3]
After our server changeover earlier this week, the enhanced security flagged a suspicious file in the codebase on our advertising site. An investigation revealed it was malicious code (a backdoor) that enabled the attacker to access the UKH codebase and database.
We cannot be certain what the hackers did to the server (or, specifically, what data they took). The most likely targets were usernames, emails, and password hash data.
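The suspicious file was caught by comparing the deployed code against what should be there. The following is an added illustration of that kind of check, written for this page and not UKH's own tooling: it takes a hash manifest of a code tree, diffs it against a later snapshot, and flags any added or modified script file that sits inside a directory the web application is allowed to write to (the assumed "uploads" directory and extension list are constructed for the example; the sample tree is built in a temporary directory).

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes a typical web server would execute if such a file appeared in a
# writable directory. Constructed for the example; tune to the real handler map.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar", ".cgi", ".pl", ".py", ".sh"}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify files as added, removed or modified since the baseline."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def suspicious_additions(diff: dict, writable_dirs: tuple) -> list:
    """Added or modified files that are executable scripts inside a directory
    the application writes to. A script appearing there is the classic sign
    of an uploaded backdoor and deserves an immediate look."""
    flagged = []
    for rel in diff["added"] + diff["modified"]:
        in_writable = any(rel == d or rel.startswith(d + "/") for d in writable_dirs)
        if in_writable and Path(rel).suffix.lower() in EXECUTABLE_SUFFIXES:
            flagged.append(rel)
    return flagged


def demo() -> list:
    """Constructed scenario: baseline, then a legitimate edit and a dropped script."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'site'; ?>")
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg")
        baseline = build_manifest(root)

        # Legitimate change: a developer edits index.php outside the upload dir.
        (root / "index.php").write_text("<?php echo 'site v2'; ?>")
        # Unexpected change: a script file appears in the writable upload directory.
        (root / "uploads" / "cache.php").write_text("<?php /* placeholder */ ?>")

        diff = diff_manifests(baseline, build_manifest(root))
        return suspicious_additions(diff, writable_dirs=("uploads",))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest should be produced from the deployment artefact, not from the live server, so that a file planted before the first snapshot is not silently blessed; the edit to `index.php` shows that ordinary changes outside writable directories are reported in the diff but not flagged.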
What it means for our users
For our users, this means that they should take the precautionary steps of changing their password on UKH and all other sites that use the same password.
What was not affected
We don't hold any payment data; if you are a UKH Supporter, or you have a Rockfax Digital subscription, rest assured that your payment information is still secure. We use Stripe to manage our payments, and your card details are never stored in our database.
How it happened
There was a vulnerability in an upload plugin on the server that allowed malicious code to be uploaded and executed. Once this file was uploaded, the attackers could execute it by requesting it through the browser, giving them the ability to view the server and run commands on it.
Being aware of, and keeping up to date with, all third-party libraries we use is important; in this instance, this library had slipped through because of the non-standard way it was being used.
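The root cause described above is an upload handler that accepted a file the web server would then execute. As an added example, not UKH's plugin or a fix to it, the validator below shows the controls that close that gap: a size limit, an extension allowlist, a magic-byte check so that the content must match the claimed type, and a server-chosen random filename written into a directory that is assumed to sit outside the web root and never be executed. The accepted types and size limit are assumptions for the example.

```python
import os
import secrets
from pathlib import Path

# Upload policy (assumed for the example): only image types are accepted, and
# the file's leading bytes must agree with the extension it claims.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails policy; the caller returns an error to the user."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return the canonical extension if the upload is acceptable, else raise.

    The original filename is used only to read the claimed type; it is never
    reused for storage, so path traversal and double-extension tricks in the
    client-supplied name have nothing to act on.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    suffix = Path(filename).suffix.lower()
    if suffix not in ALLOWED:
        raise UploadRejected(f"extension {suffix!r} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED[suffix]):
        raise UploadRejected("content does not match extension")
    return ".jpg" if suffix == ".jpeg" else suffix


def store_upload(filename: str, data: bytes, storage_root: Path) -> Path:
    """Validate and write the file under a random, server-chosen name.

    storage_root is assumed to be outside the web root and served only through
    an application handler that sets a safe Content-Type; the web server must
    have no script handler mapped onto it.
    """
    suffix = validate_upload(filename, data)
    dest = storage_root / f"{secrets.token_hex(16)}{suffix}"
    # O_EXCL: fail rather than overwrite if the random name somehow exists.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def check_cases() -> dict:
    """Constructed inputs exercising each decision the validator makes."""
    results = {}
    for name, fname, payload in [
        ("real_jpeg", "holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("script_ext", "page.php", b"<?php"),
        ("script_as_image", "page.jpg", b"<?php"),
        ("double_ext", "page.php.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ]:
        try:
            results[name] = validate_upload(fname, payload)
        except UploadRejected as exc:
            results[name] = f"rejected: {exc}"
    return results
```

The `double_ext` case is accepted by the validator because its content really is a PNG and its last suffix is on the allowlist; what makes that safe is `store_upload`, which discards the client's name entirely, so the stored file has exactly one suffix and a server-chosen stem.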
What are we going to do now?
Initial actions we have taken:
- This specific vulnerability has been removed.
- We have taken steps to ensure similar vulnerabilities do not exist on the server.
- We have reported this as a data breach to the ICO.
Preventative actions we will implement:
- A review of our entire codebase is underway. Update: this has been completed, and the only affected files were on our Advertising site where the breach happened. No files on UKC or UKH were affected.
- We recommend that all users change their UKH password as a precaution.
- We will change the hashing algorithm we use to hash passwords to an even more secure one.
- Similarly, we recommend changing the password on any sites for which you have also used your old password. See the advice of Troy Hunt on password reuse.
- We will delete all addresses stored from competitions, and review how this system works.
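The page states that passwords were stored as salted SHA-2 hashes and that a stronger algorithm is being adopted, without naming it. The following is an added example, not UKH's code, of how such a migration is usually done without forcing a reset: the stored value carries a scheme tag, verification dispatches on that tag, and a successful login against a legacy hash transparently re-hashes the password under the new scheme. PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumption chosen for illustration; the storage format is constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Stored format (constructed): "<scheme>$<params>$<salt hex>$<digest hex>"
LEGACY_SCHEME = "sha256"          # salted single-round SHA-256, as the page describes
CURRENT_SCHEME = "pbkdf2-sha256"  # assumed replacement for the example
PBKDF2_ITERATIONS = 600_000


def hash_legacy(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt prepended to the password, one SHA-256 round."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{LEGACY_SCHEME}$1${salt.hex()}${digest}"


def hash_current(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Deliberately slow hash: the iteration count is recorded so it can be raised later."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return f"{CURRENT_SCHEME}${iterations}${salt.hex()}${digest}"


def verify(password: str, stored: str) -> bool:
    """Recompute under whichever scheme the stored value names and compare in constant time."""
    try:
        scheme, params, salt_hex, _digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme == LEGACY_SCHEME:
        candidate = hash_legacy(password, salt)
    elif scheme == CURRENT_SCHEME:
        candidate = hash_current(password, salt, int(params))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password and return (ok, value to write back to the database).

    On a successful login against a legacy hash, the plaintext is available for
    a moment, so it is re-hashed under the current scheme and the new value is
    returned for storage; failed logins leave the record untouched.
    """
    if not verify(password, stored):
        return False, stored
    if stored.startswith(LEGACY_SCHEME + "$"):
        return True, hash_current(password)
    return True, stored
```

Accounts that never log in again keep their legacy hash, which is why the page's advice to change the password still matters even after the algorithm switch: the upgrade only happens when the password is next presented.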
There may be an increase of phishing emails asking you to interact with your account. We will not be sending any emails about this. Please be extra vigilant and, if you are at all unsure, please contact us by using the contact us link at the bottom of every page. Learn more about phishing attacks.
If you have used your UKH password on other sites, we strongly recommend you change these. We would also suggest using a password manager to ensure you use a unique password for every site.
Our investigation is ongoing. If more information comes to light, we will make another announcement.
If you have any questions or concerns, please don't hesitate to contact us.
We are very sorry that this happened. We will keep working towards a better and more secure platform for all our users.
[1] Change it to a unique one if this is the case.
[2] Industry standards - This means that your password was not stored in plain text. We use the SHA-2 hashing algorithm, along with a long unique salt for each password. For more information see The Guardian's explainer.
[3] To make the process of entering competitions smoother for the user, we stored the user's address for the next time. We will delete all addresses stored from competitions, and review how this system works.