2020-06-11 Security Disclosure

On June 10th, 2020, a user of the Miraheze project discovered a security issue affecting several Miraheze wikis. A user managed to access private information containing the IPs of users who triggered the AbuseFilter. We have rectified this by blacklisting the permission that allows access to the private information. We also immediately conducted an investigation to find out whether access had been gained to the IPs of any user.

In accordance with our Privacy Policy and the General Data Protection Regulation ("GDPR"), IPs are treated as private information.

We have conducted an internal investigation, which revealed that we didn't log who accessed the private information on the 105 wikis where it affects users. We cannot say for certain whether anyone accessed the users' private information. We countered this by logging when users access the private information and by requiring a reason for accessing it.

While IPs have potentially been exposed, we have no evidence that users actually used the permission to look at the private information.

If any user would like their personal information removed or to know what personal information we have stored, please visit Special:Preferences or send an email to privacy@miraheze.org referring to this incident. Any further questions that a user wishes to keep private can be sent to sre@miraheze.org and we will respond in due course.

--

paladox,

Miraheze Site Reliability Engineer