UKC

UKC/UKH Spam Attack

© UKC News

In the early morning of 17 November, UKC suffered a sustained Spam attack through our User-to-User messaging system. We have outlined below the details of this attack, our actions to address this and recommendations for our users. We are very sorry about this and for any inconvenience caused.


Here are the important points:

  • We learned about the exploit following user reports early in the morning on 17 November.
  • We quickly blocked the User-to-User messaging and New User registration systems.
  • The Spammers DO NOT have any email addresses; they were just submitting the messages via the website.
  • DO NOT reply to any of the emails, since replying is the only way they will get your email address.
  • No personal data has been leaked.
  • We are internally reviewing the security of our systems to prevent future similar attacks.

What happened

Spammers used our User-to-User email system, which lets registered users send emails to each other. Each user can send up to 5 messages per day through this system before alarm bells are triggered. In this case, the Spammers got around this limit by registering multiple user accounts. Over 20,000 new accounts were created, all from different IP addresses. All these accounts were banned as soon as we became aware, and we have temporarily disabled the User-to-User messaging service while we properly investigate. Any unsent email on the server has been purged. There's no way for them to send out any more SPAM.
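The gap described above is that a per-account limit alone does not see a campaign spread across thousands of accounts and IP addresses. The following is an added illustration, not UKC's code: it keeps the 5 messages/day limit from this post and adds two site-wide checks that do not depend on account or IP. All names and the other thresholds are assumptions chosen for the example.

```python
import hashlib
import re
from collections import defaultdict, deque

PER_ACCOUNT_DAILY = 5        # the limit stated in the post
NEW_ACCOUNT_AGE = 24 * 3600  # assumption: accounts under a day old are "new"
NEW_ACCOUNT_BURST = 50       # assumption: site-wide sends/hour from new accounts
DUP_SENDERS = 10             # assumption: distinct senders of one message body
HOUR, DAY = 3600, 86400

def fingerprint(body):
    """Hash of the body with case, digits, URLs and spacing normalised away."""
    text = re.sub(r"https?://\S+", "URL", body.lower())
    text = re.sub(r"\d+", "N", text)
    return hashlib.sha256(" ".join(text.split()).encode()).hexdigest()

class MessageGate:
    def __init__(self):
        self.by_sender = defaultdict(deque)   # sender -> send timestamps
        self.new_sends = deque()              # timestamps of sends by new accounts
        self.by_body = defaultdict(dict)      # fingerprint -> {sender: last seen}

    def check(self, sender, created_at, body, now):
        """Return 'allow' or the name of the control that stopped the message."""
        sent = self.by_sender[sender]
        while sent and now - sent[0] >= DAY:
            sent.popleft()
        if len(sent) >= PER_ACCOUNT_DAILY:
            return "per_account_limit"
        sent.append(now)

        # Aggregate signal 1: same text arriving from many different accounts.
        seen = self.by_body[fingerprint(body)]
        for s in [s for s, t in seen.items() if now - t >= DAY]:
            del seen[s]
        seen[sender] = now
        if len(seen) > DUP_SENDERS:
            return "hold_duplicate_content"

        # Aggregate signal 2: site-wide volume from recently registered accounts.
        if now - created_at < NEW_ACCOUNT_AGE:
            while self.new_sends and now - self.new_sends[0] >= HOUR:
                self.new_sends.popleft()
            self.new_sends.append(now)
            if len(self.new_sends) > NEW_ACCOUNT_BURST:
                return "hold_new_account_burst"
        return "allow"
```

Held messages would go to a moderation queue rather than being dropped, so a false positive delays a genuine message instead of losing it.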

What it means for our users

You may well have received a small number of Spam emails this morning describing a cryptocurrency scheme. Please delete these emails - DO NOT REPLY TO THEM.

What was not affected

None of your personal data was accessed and no spammer has your email address. No passwords were leaked.
NOTE - When using a web form to send an email, the sender never sees the email address. The website holds the email address and sends the email for the sender. Only if you reply to such an email will the sender see your email address.

What are we going to do now

Initial actions we have taken:

  • We have suspended the User-to-User messaging system.
  • There are just 3 valid user accounts created on 17 November so far. The rest have been removed.
  • Unsent emails have been purged.

Preventative actions we will implement:

  • We will review our User-to-User messaging system to prevent this happening again.
  • We will review our User Registration system to prevent this happening again.

Our investigation is ongoing. If more information comes to light, we will make another announcement.

If you have any questions or concerns, please don't hesitate to contact us.

We are very sorry that this happened. We will keep working towards a better and more secure platform for all our users.

It would help us out a lot if you just delete these emails and do not click the SPAM button in your email client. We will be blacklisted by email servers if too many SPAM buttons are clicked. The reason this worked so well is that ukclimbing.com was a trusted domain in your inboxes, and we would like to keep it that way.




17 Nov, 2021

Once again, clear and prompt comms following an issue. Thanks for this.

17 Nov, 2021

Thanks for the clear and effective response Paul.

17 Nov, 2021

I had 2, from different users, plugging Bitcoin investing.

17 Nov, 2021

That is just greedy, I didn't get any.

17 Nov, 2021

Thanks, Paul. I got one of these, which was obviously not kosher, so I immediately came here and was pleased to see your post. Thanks for the quick notification and for action to stop it.

Cheers, Andy
