
Curse.com fails to notify Bukkit.org users of data breach - Sleaker
http://maxkorlaar.com/post/31
======
lol768
It's actually worse than the online post here indicates. There was another
<script> tag at the bottom of the page that had remained there, seemingly
missed after the password theft script had been removed.

Ultimately I think the site's been serving foreign (potentially malicious) JS
for about two months with Curse having been aware for probably a month without
users being informed. The password theft script was definitely there for at
least a month before it was removed. It's great to hear Curse are working on a
bug bounty programme, but as I mentioned in IRC it's disappointing to see such a
big company respond like this.

There's some more information available from the channel IRC logs:
[https://korobi.io/network/esper/channel/bukkit/logs/2015/12/...](https://korobi.io/network/esper/channel/bukkit/logs/2015/12/07/#L268)

------
gabizou
It gets worse that they're "still writing an announcement" to this day.

[http://bukkit.org/threads/let-users-know-their-password-was-...](http://bukkit.org/threads/let-users-know-their-password-was-stolen.396783/)

~~~
lol768
It's unfortunate the thread was locked, I feel like it's an important topic to
discuss. I only hope the official announcement thread stays open for
discussion.

