Weekly Monday Discussion #8 - Data Breach & April Fools

Welcome to the Weekly* Monday** Discussion!
* Not actually weekly.
** We intentionally waited until it wasn’t Monday in the admins’ timezone to post this.

Update on the Data Breach

This one is quite serious, so it is going to be a lot of words - I apologize in advance for the wall of text, but it’s important and well worth reading.

I have spent a fair amount of time over the past week or so going back and forth with our hosting provider, and as of right now we have no evidence to suggest that there was actually a security breach on Fortress of Lies. So, that may leave you wondering, why did we think there had been one?

Well, the long story short is, we now believe we got hit by a really unlikely (and quite funny) set of coincidences that appeared likely to be the result of a data breach on our site, but were actually the result of an entirely unrelated data breach.

Specifically, on the afternoon of the 26th, one of our users reported that they had been notified by their password manager that one of their passwords for the site had appeared in a data breach. Because this password was only ever used by them on this site, they made the very reasonable assumption that our site must have been hacked in order for this password to have been compromised. Shortly thereafter, another user checked their own password manager, and discovered that one of their passwords was also now showing a “compromised password” notification that had not previously been present. As soon as I was notified of this (within an hour of the initial post), I moved to contact our hosting provider and began digging through our logs to see if I could find any evidence of a breach. Although I could not find any at the time, I still elected to send out a notification on the website and a (rare) @everyone ping on the Discord, as the fact that not one but two users had suddenly been notified that their passwords were compromised, including at least one password that had only ever been used on this site, was concerning enough to warrant immediate action.

Over the coming days, I was able to re-affirm that nothing looked wrong that I could see, and our hosting provider confirmed that everything on their end also seemed perfectly fine, with no sign of any malicious data breach. Additionally, even if there had been some kind of data breach, Discourse uses one-way-encrypted passwords that are considered impossible to decrypt, meaning that it is quite unlikely that a breach would allow anybody to get ahold of the passwords on this site. However, just to be safe, we waited a few days to be certain that no other users’ passwords suddenly started showing up as compromised.

Given this has not occurred, our best guess is that the first user with the unique password just so happened to have the exact same password as some other random user of some other random site somewhere out there on the internet, and a data breach password dump just so happened to hit that other random person’s coincidentally identical password while simultaneously just so happening to contain the password of our second user (this one they did admit to using on a large number of websites).

While this may sound wildly implausible, in following up with that first user I confirmed that the password is definitely such that it would not be impossible for somebody else to think of using the same password. Given that user’s passwords for their other accounts have not been showing as compromised, we must conclude that the most likely scenario is that this exact password was, entirely by coincidence, used by somebody else who was caught in some other random breach.

I am currently happy with how this incident was handled on our end - it is far better for us to announce a potential data breach and walk it back than to ignore a real data breach until actual harm has been done - but I do apologize for any confusion that has been caused by this incident. As per always, practicing proper password protection protocol is vital in the modern era, and I hope that this can, if nothing else, serve as a good reminder that some random internet forum being compromised should never be allowed to compromise other important aspects of your life. Please do remember to use different passwords (best done with a proper and secure password manager) and enable 2-factor authentication (2FA) on anything you wouldn’t be happy to lose.


Everything below this point is an April Fools’ joke.


Other Legal Concerns

This entire incident really got me thinking about a lot of legal aspects of this website that I honestly haven’t really had to personally consider before now, given Chloe has been the owner and is technically on the hook for anything going wrong. If somebody had been seriously hurt by this data breach, what would the legal fallout look like? Is the site even in compliance with modern laws and regulations? These are all questions I had previously been trusting to Chloe.

But like, honestly, when was the last time she even did anything? Just earlier today people were making fun of her for failing to deliver the addition of pronoun display, a feature I’ve been against and am unwilling to support, in like, six entire months. Sure, she has like kinda been running our MU Champs nomination process, but like I’ve done Champs way more than her anyways so I could do that just fine. Hell, just look at the fact that our Discourse instance is on version 2.8.14 - the current stable version is 3.4.2. We are nearly a half decade out of date and with Chloe in charge I just can’t do anything about it.

Well, that changes today! I’ll be making some changes to the site, in accordance with recent legal guidelines in the United States, given that is where this site is based. These changes are aimed at improving our adherence to modern rules and regulations, and should provide a much better user experience going forward.


I. Updating Site Branding

Going forward, Fortress of Lies shall henceforth be known as Fortress of Truth, as we seek to distance ourselves from the policies of the extreme Chloe administration. Our site branding and theming has also been updated to be more patriotic, with the default theme changed to “True Patriot” and our site address changed to www.fortressoftruth.net. Legacy themes have been retired, but against my better judgment I have decided to continue to support a dark mode for the time being. Pulling from my personal hero Elon Musk, it shall be entitled “Dark Gothic” - let me know if you want anything changed, I much prefer to stick with the proper white theme myself rather than get into any theme mixing, so I’m not sure if everything will be as good as it can be first go.


II. Restoring Merit-Based Moderation

In accordance with Executive Order 14151 and Executive Order 14173, all administrators and moderators who were hired under the Chloe administration’s DEI policies have been removed from their positions, effective immediately. I would like to take a moment to thank @Chloe, @Arete, @Geyde, @May, and @Magnus for their contributions to the site in the past, and to wish them the best in their future endeavors. There’s also Wind but I honestly don’t know if she’s really done anything so I’m not going to thank her.

Additionally, the entire review team except for Zone have all also been fired. Get Zone to review your games going forward. If any other non-DEI users wish to be part of the review team, please DM me, as applications are now open (and no, Ash, you’re brown, you don’t count).


III. Aligning With Modern Science

So, this one is a bit tricky. See, Executive Order 14168 is really great, but, technically it defines everyone as female, and I know I’m better than that, so I’m not really wanting to stick to the letter of the law on this one. Instead, to comply with what I believe to be the spirit of this executive order, Fortress of Truth will only recognize one gender going forward - male. This is both because “male” is the easiest gender to manage, requiring less maintenance, fewer emotional responses, and no complicated “nuance”; and also because no true female would ever use the internet.

All users’ pronoun display has been disabled in accordance with this ruling.


IIII. Doing Our Part to End Radical Indoctrination

In accordance with Executive Order 14190, all future forum games hosted on this site will be required to be dayless. They may only have night phases, as this is the only way I can think of to ensure that no player in any game hosted on this site will ever be “woke.” Currently running games have been grandfathered in and will not be affected, but anything in queue is going to need to be changed and re-reviewed.

If anybody has any other ideas about what “woke” means and how to get rid of it, I’m all ears.


It is my firm belief that, with these changes, FoL will be in a much better spot legally, ethically, and morally, making it a better site for all of the users we care about.


Please keep replies constructive and on topic.

15 Likes
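An added example, not part of the original post or of any password manager's code, illustrating the coincidence described under "Update on the Data Breach": a compromised-password alert is keyed on the password, not on the site it was saved for. It assumes the password manager checks saved passwords against a corpus of breached-password hashes through a hash-prefix lookup; all site names and passwords are constructed.

```python
import hashlib

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_corpus(dumps):
    """Merge breach dumps into {sha1: times_seen}. The site names are dropped,
    so the corpus cannot say where a password was leaked from."""
    corpus = {}
    for passwords in dumps.values():
        for pw in passwords:
            digest = sha1_hex(pw)
            corpus[digest] = corpus.get(digest, 0) + 1
    return corpus

def range_query(corpus, prefix):
    """Service side: every known hash suffix sharing the 5-character prefix."""
    return {h[5:]: n for h, n in corpus.items() if h.startswith(prefix)}

def is_flagged(corpus, password):
    """Client side: send only the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(corpus, digest[:5])

def check_vault(corpus, vault):
    """Return {site: flagged?} for every saved login in a password vault."""
    return {site: is_flagged(corpus, pw) for site, pw in vault.items()}

# Constructed sample data. The forum itself appears in no dump.
DUMPS = {"unrelated-shop.example": ["amber-fortress-77", "Summer2019!"]}
# User one: a password used only on the forum, but a stranger chose the same one.
USER_ONE = {"forum.example": "amber-fortress-77", "mail.example": "q7#Lw9!vRz2p"}
# User two: one password reused across many sites.
USER_TWO = {"forum.example": "Summer2019!", "games.example": "Summer2019!"}

if __name__ == "__main__":
    corpus = build_corpus(DUMPS)
    print(check_vault(corpus, USER_ONE))
    print(check_vault(corpus, USER_TWO))
```

Both forum logins are flagged although the forum is absent from the dump, which is why the alert alone could not distinguish a breach of this site from a breach elsewhere.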

where the fuck is my vaporwave theme

4 Likes

Can we ban women from signing up for games too? I feel like Mafia requires a really high level of intelligence that we can’t even hope to match.

11 Likes

that would be silly

there are already no females on the site so what would banning them accomplish

duh

11 Likes

MAKE AMERICA GREAT FOREVER
DRAIN THE SWAMP
LETS GO BRANDON
GOBBLESS

9 Likes

you fucking locked me out of my account you assholes

4 Likes

oh sorry

3 Likes

you fucking locked me out of my account you assholes

8 Likes

NGL, I didn’t even notice that until you pointed that out. All I noticed was that I got logged out of my account, and that the theme changed.

Then I remembered what date today is.

To be honest, I appreciate the unchange on my part.

Hm. I wonder how the heck this works realistically.

Considering the current digestion rate of the setups, I’d wager that we can afford inactivity for about half a month. Although moving the setups from “ready to be reviewed” to “the actual queues” would be nice, they’d still need at least a month or two to get to “starting/ongoing”, so like: If the review process takes long, then you can start now, but we consider ourselves to be able to finish most setups within a couple of days, so I prefer taking things leisurely.

I know currently running games are unaffected, but I find it funny how Flipless Purgatory still adheres to this change, considering it has Hell and Heaven Phase (and “Rest Phase”, I suppose) instead of Day and Night Phase.

4 Likes

Truly

An update of all time

4 Likes

RIP grey amber

5 Likes

Also these FUCKING HATS

6 Likes

Agreed. Whatever women do you mean? No women here.

Idea on how to truly make this site great again. Ban humans from this site. This shall be a Leafeon only site from now on. Congratulations everyone. You’re all now Leafeons.

6 Likes

help

13 Likes

I was wondering why I wasn’t able to open the site

5 Likes

:hmmyes:

1 Like

whaoh that’s scary

1 Like

can i still do a kickflip is that ok

2 Likes

yeah go for it

rahhhh I love america!! I could be part of the review team I’m not DEI I promise.

I think we could make games less woke by specifying that all mafia teams are specifically the italian mafia (in a racist way we’re bringing back racism against italians), while town should be renamed to like… american patriots.

10 Likes