Kiwis being picked

Kiwi Farms breached, user data potentially exposed

The operators of a site known to most observers for being in a recent state of flux have announced a forum breach. Kiwi Farms, which gained a reputation for sophisticated trolling and doxxing, was recently dropped by Cloudflare after a sustained campaign to have the DDoS mitigation and cloud hosting service abandon the forum.

The site has since returned, but with a major problem: a breach which potentially reveals a large amount of user data.

The breach revealed

The site creator had the following to say in relation to the compromise:

The forum was hacked. You should assume the following.

Assume your password for the Kiwi Farms has been stolen.

Assume your email has been leaked.

Assume any IP you’ve used on your Kiwi Farms account in the last month has been leaked.

The attack made use of the synergy between the main forum site and a second site, XenForo. The latter is a commercial internet forum software package written in PHP. Attackers created a webpage disguised as an audio file to XenForo, loading this page elsewhere in a manner which caused user authentication cookies to be sent off-site. The main admin account for the forum was apparently hijacked in this same fashion.

The fallout from a forum compromise

We often warn about using forums without implementing the proper failsafes and protection, and a breach such as this hammers home the point. A lot of users on the site may now have a lot of information exposed that they’d really rather not. Similarly, curious observers or even unwary researchers or law enforcement may have registered and not considered the possibility of a data leak.

This data could end up anywhere, and there’s no surefire way to know what’s been taken. It could end up on other forums, data dumps, or in the hands of law enforcement agencies. No matter what site you’re registered on, you should consider:

  • Use different passwords for all sites. Once those data dumps go public, cybercriminals will try logging in to other accounts using the same email and username combinations.

  • Consider using a VPN, TOR, or some other method to obscure your IP address. Some forums insist on people using their real IP address when registering and posting to a forum, and may even ban or block VPNS, proxies, and other services.

  • Be careful what you reveal to other site users via direct messages. People tend to not delete these messages, and sites don’t always auto-prune older messages. It’s also possible sites may store data sent and received, and not even tell you.

It remains to be seen what happens to Kiwi Farms, and the site owner is looking to migrate away from aspects of the site which led to this compromise. For now, it’s a timely reminder to keep on top of potential system vulnerabilities and also consider what data you may be leaving on a site for others to collect at the worst possible moment.