2019-01-25 Security Disclosure
On January 24th, 2019 a trusted volunteer of the Miraheze project discovered a security issue that affected several wikis hosted by Miraheze. By accessing a certain page on a wiki with the 'SocialProfile' extension enabled, an administrator could retrieve the email address of any user who a) was registered on that wiki and b) had an email address tied to their user account. Also, an administrator could potentially change the email address of other user accounts to gain access to their accounts. As a countermeasure we have immediately fixed the privacy leak and conducted an investigation to find out if access had been gained to the personal information of any user.
We have conducted an internal investigation to find out if someone has exploited this security issue to gain access and/or change the personal information of any user on the project. There is absolutely no evidence that suggests this issue was exploited to change others' email addresses and we have no evidence either that suggests someone would have exploited this issue en masse.
While there is no need to change your password, as a result of this incident, it is strongly recommended all users use a strong and secure password and that they regularly change it. Miraheze also provides a second-factor authentication (2FA/Multi-Auth) implementation that users can set up by going to this page.
If any user would like their personal information removed or to know what personal information we have stored, please visit Special:Preferences or send an email to privacymiraheze.org referring to this incident. Any further questions that a user wishes to keep private can be sent to staffmiraheze.org and we will respond in due course.