Data Incident Questions

...and their answers

If you cannot find the answer to your questions in this page please contact Jono [email protected].

Answers...

What’s the very short version?
Some of our member’s passwords may have been compromised. If you used the same password on CFS and on any other account, you should update those passwords immediately.
What is this page?
CFS was unfortunately caught up in a large-scale data breach of a third party which has exposed a limited amount of our users data on the internet. The purpose of this page is to be transparent with our users about what happened and to inform them of the risks posed by the breach, and what they can do to ensure they are protected from any further risk.
What has happened?
Before November 2020, the Christian Flatshare (CFS) website suffered a cyber-attack that allowed user details to be downloaded from our website via what is known as a SQL injection attack. This is where commands to manipulate a database are sent by hackers using sign up or account management forms to force the database to perform arbitrary actions such as providing a list of the database content.

This content was then indexed by a now-defunct website called ”Cit0day” which aggregated lists of stolen and compromised credentials for use by cybercriminals. In November 2020, the entire content of the Cit0day website was made public. This included several thousand Christian Flatshare accounts (amongst approximately 227,000,000 total unique accounts in the breach collected from tens of thousands of websites).

More technically-minded users may find this detailed explanation by well-known and respected security researcher Troy Hunt helpful https://www.troyhunt.com/inside-the-cit0day-breach-collection/.

There is some evidence from the UK’s National Crime Agency that cybercriminals have tried to exploit the information in the Cit0day breach and they are pursuing a criminal prosecution – they are directly in touch with those whose accounts have been exploited.
What data was exposed?
The data that was exposed was limited. It comprised the email address you used to register with CFS, a ‘hashed’ (i.e. encrypted) version of your password, and the text of any posts you may have made regarding accommodation offered or wanted. We don’t hold any further data and nothing else was exposed.
Why is this a risk?
The leaked information in itself is unlikely to pose any risk to you. Passwords were stored in an enencrypted format. However, short or weak passwords encrypted using hashing can potentially be reverse-engineered. If this were the case, a hacker could gain access to your CFS account. In itself, this is unlikely to pose a threat to you as the amount of information stored on our website is limited.

However, there is a potential risk if you re-used the same email address and password combination on other websites. In this case, it would mean a hacker could access other more sensitive accounts by trying the email and password combination on other popular websites (this is known as ‘credential stuffing’). This is a particular risk if the same password is used on your primary email account, as the hacker could then undertake password resets to take ownership of linked accounts to hijack the account. There is also a risk that if you have saved payment details on an account that is then compromised, an attacker could use the saved card details to make payments using that card.

Please note that if you have not re-used the same password from CFS for another online account, you are highly unlikely to be at risk in any way.

Questions...

  • What’s the very short version?
  • What is this page?
  • What has happened?
  • What data was exposed?
  • Why is this a risk?
  • What has CFS done to protect my data?
  • What do I need to do?
  • This happened a while ago; why are you only telling us now?
  • Next steps for CFS…
  • What has CFS done to protect my data?
    Since becoming aware of the breach, CFS has been in direct contact with the relevant authorities, including the ICO (the UK Data Protection Regulator) and the National Crime Agency who are investigating and trying to bring criminal charges regarding the exploitation of the Cit0day breach, and we are helping them with their investigations.

    We have undertaken a full review of our website security to close the vulnerability that allowed our database to be compromised in the first place using a respected independent cybersecurity contractor.

    We provide this advice to help you take steps to ensure your security.
    What do I need to do?
    You should change your password on any site where you used the same password as you used on CFS.

    You should monitor your online accounts for any suspicious activity, such as email sign-ups to services you don’t recognise, or password reset emails you did not request. If you are particularly worried about a payment card being compromised, you may wish to contact your bank.

    If you do not already do so, refrain from re-using passwords for more than one account. Ensure that you use long and/or complex passwords.

    If you do not already do so, consider adopting the use of a password manager. These are free or relatively cheap utilities that allow you to generate and save unique secure passwords which prevents this sort of credential stuffing attack.

    On any account which allows it, you should enable two-factor authentication.

    The National Cyber Security Centre maintains helpful advice on maintaining online security for members of the public, including more detail about the above steps. If you follow these steps, you will minimise the risk of harm from this data breach, and the risk of any future cyber-attacks on all of your online activity. The NSA guidance can be found here.
    This happened a while ago; why are you only telling us now?
    The data incident was detected in March 2021 and the underlying security weakness was identified by a security expert and fixed within a week, accounts created after March 2021 are unaffected. CFS is maintained for the benefit of the Church community as a non-commercial venture largely by a single administrator. Unfortunately, the founder and administrator of the site has spent the last year in hospital due to sudden and life-changing circumstances. We confirm we have been working with the relevant authorities and have informed you as soon as possible given the circumstances.

    This page will be updated and the content matured from any questions arising from the community Please contact Jono [email protected], acting DPO for this incident should you have any questions
    Next steps for CFS…
    We know CFS to be a valued resource within the church community at this juncture the present administrator needs to focus on his recovery and it may be best if CFS finds a new home and leadership we expect that this may be best found in an established church or para-church organisation with vision and alignment such that CFS could be a compliment to its ministry and to continue: finding homes-growing churches and building communities on the same non-commercial and ecumenical basis.

    Pecuniary matters:
    Presently CFS is not optimised for donations or monetized in any way and as such presently CFS runs a small net loss and day-to-day administration is usually minimal.

    If you can offer input on what these next steps might be, please be in touch,
    Happy Easter,
    Ryan Davies
    Christianflatshare Support
    [email protected]


    Christian Flatshare... helping accommodation seekers connect with the local church community
    Finding homes, growing churches and building communities
    © ChristianFlatShare.org 2007-2022