FANDOM


  • DaNASCAT
    DaNASCAT closed this thread because:
    Last update has fulfilled purpose of the thread. See here for further rationale.
    17:35, August 11, 2015

    Hi everyone,

    There was a security issue on a couple of wikias over the weekend. No long-term damage was done to any wikia, but a nasty troll caused some havoc for a while.

    We know some accounts were compromised during this time. It's a small number, and only affected members of attacked wikias - those communities have been directly informed, but if you are at all concerned, you should change your password to be safe. You should also consider where else you use the same password and change it, just in case. (Note: We recommend never using the same password on different sites.)

    We have taken immediate measures to ensure that the wikias, and your accounts, are safe. Including turning off custom JS on all wikias. We’ll look today, and over the coming days, at longer-term changes to increase security.

    One request: Central is full of incredibly intelligent folk, who will have various ideas about what happened and what should be done about it. For now, please hold off speculation and explanations, and let us work in the background on this over the next few days. We will talk more about this in the future, either with a blog or forum post, or similar communication.

    Thanks everyone, we'll follow up on this as soon as possible.

    Edit 1: I have tried to answer the first wave of questions here. Custom wikia CSS has also been turned back on.

    Edit 2: JavaScript will return tonight in read-only mode. Read more here.

    Edit 3: The code changes have been completed and JavaScript & Verbatim have returned in read-only mode. Read more here.

    Edit 4: We have re-enabled editing on some specific MediaWiki namespace pages: Common.css, Wikia.css, Monobook.css, Wiki-navigation, and Community-corner. We are continuing to work on expanding this list, along with other improvements.

    Edit 5: An update on this topic focusing on the next steps has been posted in this thread.

      Loading editor
    • What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

        Loading editor
    • ugh

        Loading editor
    • The Mol Man wrote: What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

      And you just hit the nail on the head :)

        Loading editor
    • Good to know security is tightened. Seeing the events unfold over the wiki worried me.

      Already changed my password.

        Loading editor
    • The Mol Man wrote: What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

      Also give two-factor authentication pls thx

        Loading editor
    • Not the solution I was hoping for.

      You know, it'd be nice if Wikia could use authenticators or other means of double protection for peoples accounts on Wikia.

        Loading editor
    • I think a nice double factor would be when you login from an IP that you haven't marked as okay, require an email and/or SMS verification to say hey can they come in.

      My thoughts that one troll did this much damage? Also as per The Mol Man I am hoping some anti-javascript measures will be taking place for the login form (not suprised if this is already implemented). When will custom JS be re-activated. 

        Loading editor
    • They don't have a date set, yet.

      Shyguy-emoticon.gifJoey (talk)

        Loading editor
    • I'm an admin on one of the wikis that was hit, the FNaF Wiki. I understand that the situation is being adressed, though I am wondering about the user rights that have been taken away from me, and the other admins. I am okay with waiting, though I do hope it'll be resolved soon.

        Loading editor
    • So, this was a sitebreaking change for a lot of the RuneScape Wiki, breaking calculators, price graphs, navboxes, sortable tables, the twitter feed, item comparison, and a bunch of custom content modules that we'd written in JavaScript...it would be great to get this working again at least on an individual basis as soon as possible, as it's really a devastating change for us that came with no warning whatsoever.

        Loading editor
    • Jillips Entertainment wrote: I'm an admin on one of the wikis that was hit, the FNaF Wiki. I understand that the situation is being adressed, though I am wondering about the user rights that have been taken away from me, and the other admins. I am okay with waiting, though I do hope it'll be resolved soon.

      Please ask for your rights back at Special:Contact/general, have to make sure it is you, and not someone else.

        Loading editor
    • Thanks, I am changing my password right now.

        Loading editor
    • No javascript broke like.. A lot of useful things on the runescape wiki =/

        Loading editor
    • Password changed.

        Loading editor
    • Now, when you try to edit MediaWiki:Common.js, you get greeted with a message saying "You can not perform this action right now. Please try again in a few minutes, or contact Wikia if you are having difficulties.", I believe when this gets sorted out, MediaWiki:Common.js will be editable by admins of all wikis again.

        Loading editor
    • Apart from having a login form on every damn page, which is a security issue, Wikia isn't using HTTPS. By using HTTPS, if the login form is hijacked to send credentials to an external website, the web browser would block the load of the target page, or at least present a warning on the user. This is something that should be improved too.

      About the login form, note that the latest MediaWiki release for 1.19 (which is now obsolete), prevented scripts and CSS from being loaded in Special:Preferences and on the login page... That of course couldn't be applied in Wikia because that would mean the current situation: no scripts on any page.

        Loading editor
    • CSS has now been shut off, too.

        Loading editor
    • DaNASCAT wrote: Hi everyone,

      There was a security issue on a couple of wikias over the weekend. No long-term damage was done to any wikia, but a nasty troll caused some havoc for a while.

      We know some accounts were compromised during this time. It's a small number, and only affected members of attacked wikias - those communities have been directly informed, but if you are at all concerned, you should change your password to be safe. You should also consider where else you use the same password and change it, just in case. (Note: We recommend never using the same password on different sites.)

      We have taken immediate measures to ensure that the wikias, and your accounts, are safe. Including turning off custom JS on all wikias. We’ll look today, and over the coming days, at longer-term changes to increase security.

      One request: Central is full of incredibly intelligent folk, who will have various ideas about what happened and what should be done about it. For now, please hold off speculation and explanations, and let us work in the background on this over the next few days. We will talk more about this in the future, either with a blog or forum post, or similar communication.

      Thanks everyone, we'll follow up on this as soon as possible.

      Oh, well that's not bad (checks my wiki on Monobook) OMG WHAT DID THEY DO TO THE CSS AND I FORGOT TO CHANGE MY PASSWORD! (changes password) still not the same :(

        Loading editor
    • Ozuzanna wrote: You know, it'd be nice if Wikia could use authenticators or other means of double protection for peoples accounts on Wikia.

      Amen.

        Loading editor
    • Was the CSS also disabled? Because I'm not seeing it anywhere wikia-wide.

        Loading editor
    • WHOEVER IS THE TROLL, IM GONNA FRICKIN SMACK HIM OUT OF WIKIA

        Loading editor
    • And where do I look for the list of affected Wikias? :)

        Loading editor
    • That's sad.....Hopefully everyone will be safe! :)

        Loading editor
    • Template:InfoboxCharacter has changed on www.stormlightarchive.wikia.com. I did not make this change.

        Loading editor
    • Hurricane162 wrote:
      That's sad.....Hopefully everyone will be safe! :)

      U r right sir, lets recover wikia

        Loading editor
    • Ylimegirl wrote:
      Was the CSS also disabled? Because I'm not seeing it anywhere wikia-wide.

      I noticed the same thing. I'm not seeing the username colors on the wikis that have them.

        Loading editor
    • Ylimegirl wrote: Was the CSS also disabled? Because I'm not seeing it anywhere wikia-wide.

      Me too. I'm guessing they did on purpose.

        Loading editor
    • ikr

        Loading editor
    • Does this include our own personal JS scripts, or is it just the JS used on a wikia specifically (MediaWiki:common.js) that has been disabled? If personal js is gone temporarily, that's not helpful.

        Loading editor
    • So, when will all of the CS and JS mediawiki affects be turned back on?

        Loading editor
    • personal JS still works, but you can't edit it.

        Loading editor
    • SuperSajuuk wrote: Does this include our own personal JS scripts, or is it just the JS used on a wikia specifically (MediaWiki:common.js) that has been disabled? If personal js is gone temporarily, that's not helpful.

      Personal js is working for me

        Loading editor
    • and i wanna know who is the troll and who is destroying the wikis

        Loading editor
    • but its up to everyone else now ill be back later

        Loading editor
    • And now CSS is not working neither? What the heck is going on? This is unacceptable.

      If custom CSS and JS is not allowed, disable also all your ads, since they inject code and takes over backgrounds

        Loading editor
    • Everything is corrupted or what?

        Loading editor
    • I hope CSS will be turned back on soon. Some wikis I edit look like shit without it.

        Loading editor
    • It's not corrupted, they're probably trying to make sure everything is safe. So as long as it won't be long until everything comes back on I'm fine with it.

        Loading editor
    • Jr Mime wrote: personal JS still works, but you can't edit it.

      Good to know that we can't edit our own personal js files. I think Wikia should consider a topbar notice that appears everywhere and can't be hidden so people are aware. The message in the bottom corner will be closed by people and ignored.

        Loading editor
    • TheAquuaHybrid
      TheAquuaHybrid removed this reply because:
      always late
      18:40, August 10, 2015
      This reply has been removed
    • So, how long until javascript and css is re-enabled? This is kind of annoying. Especially since I was kind of in the middle of porting some infoboxes to the new format... which is now IMPOSSIBLE without CUSTOM CSS, THANKS A LOT

        Loading editor
    • TheAquuaHybrid wrote:

      I believe it's only wikia.css and common.js.

      And the Common.css.

        Loading editor
    • Well, for a little bit yesterday, I saw some Japanese text above each page that led to an edit link for each article, EVEN THE FRONT PAGE.

        Loading editor
    • My main account was compromised and I've already contacted Staff about it, so I suppose it's just a matter of time, but I'm also quite on edge since whoever is currently controlling that account is going around posting explicit content.  That really isn't something I need, or anyone needs for that matter.

        Loading editor
    • The Mol Man wrote: What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

      Tooke me like 20 seconds to figure out that it's "log-in" and not "a log" 30px-Top_Kek.png But i totally agree (not to mention that most of the times i get a stupid error or a timeout message which direct me to Special:UserLogin, which kinda makes the form useless)

        Loading editor
    • I can't wait for CSS to be turned back on, because without it my wiki looks like trash when viewed on Monobook.

        Loading editor
    • What wikis were attacked?

        Loading editor
    • A workaround in case you temporarily really need JavaScript: open up your console and insert the script there. Note - please only add scripts you're familiar with, so that you know they're safe. Cheers!

        Loading editor
    • Jr Mime wrote:

      Jillips Entertainment wrote: I'm an admin on one of the wikis that was hit, the FNaF Wiki. I understand that the situation is being adressed, though I am wondering about the user rights that have been taken away from me, and the other admins. I am okay with waiting, though I do hope it'll be resolved soon.

      Please ask for your rights back at Special:Contact/general, have to make sure it is you, and not someone else.

      I'll do just that. Thank you.

        Loading editor
    • Which wikias were attacked?
      Did-we-just-do-that?
        Loading editor
    • I've made a news announcement on the Gamer's Guide Wiki about this for those users who are curious.

        Loading editor
    • Is it still recommended I change my password? Or is it safe to keep it?

        Loading editor
    • No JavaScript, no CSS... What's next? remove all text and images from pages, and leave only ads, for safeness sake? That's ridiculous!

        Loading editor
    • Axle555 wrote:
      Which wikias were attacked?
      Did-we-just-do-that?

      From what I known, the Five Nights at Freddy's wiki, and the SCP Wiki.

        Loading editor
    • Axle555 wrote:
      Which wikias were attacked?
      Did-we-just-do-that?

      What the heck is that?

        Loading editor
    • RapunzafanMSP wrote: Is it still recommended I change my password? Or is it safe to keep it?

      If you're really concerned about the security of your account.

        Loading editor
    • Some others were hit, too - at least one other.

        Loading editor
    • ThePokémonGamer wrote:

      RapunzafanMSP wrote: Is it still recommended I change my password? Or is it safe to keep it?

      If you're really concerned about the security of your account.

      But double-check and make sure it's the same email first.  I made the mistake of finding out what was going on hours later and jumped to changing my password without realizing the person changed my email.

        Loading editor
    • CSS is back on to me. No JS though.

        Loading editor
    • Custom username colors are back on the wiki I contribute to.

        Loading editor
    • RainingPain17 wrote: CSS is back on to me. No JS though.

      Same for me.

        Loading editor
    • Hiddenlich wrote:
      Custom username colors are back on the wiki I contribute to.

      Not on mine.

        Loading editor
    • @DaNASCAT

      Has anything been done about the troll, or is said user unknown still?

        Loading editor
    • IceColdRapper (Miiverse) wrote:

      Hiddenlich wrote:
      Custom username colors are back on the wiki I contribute to.

      Not on mine.

      Try clearing your cache.

        Loading editor
    • Curiousgorge66 wrote:

      RainingPain17 wrote: CSS is back on to me. No JS though.

      Same for me.

      And me!

        Loading editor
    • Penguin-Pal wrote:

      The Mol Man wrote: What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

      Tooke me like 20 seconds to figure out that it's "log-in" and not "a log" 30px-Top_Kek.png But i totally agree (not to mention that most of the times i get a stupid error or a timeout message which direct me to Special:UserLogin, which kinda makes the form useless)

      hi pp

        Loading editor
    • Yes, a good news, CSS seems to be retablished liitle by little.

        Loading editor
    • Ylimegirl wrote:

      IceColdRapper (Miiverse) wrote:

      Hiddenlich wrote:
      Custom username colors are back on the wiki I contribute to.
      Not on mine.
      Try clearing your cache.

      I'm not a mod there. P9, a mod on my Wiki, says that we won't have any colors until it gets cleared up.

        Loading editor
    • I think the username colors were shut off for a few minutes because of a troll

        Loading editor
    • That1Girl wrote:
      I think the username colors were shut off for a few minutes because of a troll

      They are.

        Loading editor
    • What day did this all begin? Note: On Saturday, 2 days ago, I was at Corn Sky Wiki for the wiki's 2nd anniversary.

        Loading editor
    • North Aurora wrote:
      What day did this all begin? Note: On Saturday, 2 days ago, I was at Corn Sky Wiki for their 2nd anniversary.

      Yesterday.

        Loading editor
    • Jesus, it scary to know some wikis were hit this hard...

      I mean, look at FNAF wiki! I don't know if it's the same problem, but some trolls got in and deleted almost everything there! They did manage to restore most of the stuff, but the whole wikia was on lockdown for a while! That's some scary shit!

        Loading editor
    • When will the affects be turned back on? And how will it affect us if they are on??

        Loading editor
    • Hello,

      I just want to address some of the points already addressed in the replies to this thread.

      First and foremost, there are a lot of suggestions included on this thread about how to mitigate this particular exploit. They are very good solid ones. However, each one would require a good amount of engineering time and each have a fallback. For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

      The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in. We have been slowly rolling out parts of Helios after testing. Unfortunately, this vulnerability was exploited before we were able to provide a closure that would maintain similar functionality. That's truly regrettable, but only drives us more to improve this system as a whole.

      Re: Affected wikias - at this time, I am not releasing a list of the communities that were compromised. First and foremost, we need to respect user privacy in general and so we don't want attention to fall upon them at a time when they need to feel they have control over their accounts. We have communicated directly with the affected communities and are reaching out ot users directly we believe were likely affected. Secondly, it goes back to a core tenant of not feeding trolls - we're not here to celebrate or publicize their work. Rather we are going to revert it and deal with it as needed, without the deep emotional reaction trolls crave. I ask that no one else in this thread try to figure out which wikias were affected.

      I can not provide a timetable to when we will turn off this emergency measure. Please know though that a team of engineers and your Community Support team are working tirelessly on this. As an avid wiki user and coder myself, I certainly understand and empathize with the frustration some of you are feeling right now. Doing something for the greater good does not necessarily mean that all consequences of an action are positive. And right now, JS disablement for the online security of our users' information is the greater good.

        Loading editor
    • That1Girl wrote: I think the username colors were shut off for a few minutes because of a troll

      JS as a whole has been disabled.

      Shyguy-emoticon.gifJoey (talk)

        Loading editor
    • Llove Kuwait wrote:

      Penguin-Pal wrote:

      The Mol Man wrote: What you really need to do is NOT HAVE THE LOG IN FORM ON EVERY PAGE, WHERE JAVASCRIPT IS EASILY INSERTED.

      Tooke me like 20 seconds to figure out that it's "log-in" and not "a log" 30px-Top_Kek.png But i totally agree (not to mention that most of the times i get a stupid error or a timeout message which direct me to Special:UserLogin, which kinda makes the form useless)

      hi pp

      luk a kek :]
      hi llove

        Loading editor
    • TheFoxyRiolu wrote:
      Jesus, it scary to know some wikis were hit this hard...

      I mean, look at FNAF wiki! I don't know if it's the same problem, but some trolls got in and deleted almost everything there! They did manage to restore most of the stuff, but the whole wikia was on lockdown for a while! That's some scary shit!

      One of the admins on the Wiki also had their account compromised, and whoever had it went around blocking people and wreaking havoc as well.  Everyone got demoted, too.

        Loading editor
    • What is JS? I personally have never used it.

        Loading editor
    • ...wonderful...

        Loading editor
    • IAmAwesome2 wrote:
      What is JS? I personally have never used it.

      JavaScript

        Loading editor
    • So some hell humper is on the loose are they?

        Loading editor
    • OK, I have never used JavaScript.

        Loading editor
    • Who is this vandal? Or it it personal?

        Loading editor
    • IAmAwesome2 wrote:
      Who is this vandal? Or it it personal?

      Not sure, but my best guess: Nightscythe. He attacked a lot of the wikias I've been on. 

        Loading editor
    • IAmAwesome2 wrote: What is JS? I personally have never used it.

      A lot of scripts that individual wikis use are made with JS. So with it being disabled, almost all communities will be affected in one way or another.

      Shyguy-emoticon.gifJoey (talk)

        Loading editor
    • "For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)"

      I'm sorry, but all I'm hearing is that it's better to have a small increase in the number of users joining than it is to keep everyone's accounts and information safe.  It really doesn't matter how many users you have if none of them are safe.

        Loading editor
    • Thankfully I wasn't in the affected wikia but I'll gladly go with the changes

        Loading editor
    • HTTPS would also help

        Loading editor
    • What are trolls?

      Some kind of hacker?
      Eli-is-confused
        Loading editor
    • Thunderheart of Thunderclan wrote:
      IAmAwesome2 wrote:
      Who is this vandal? Or it it personal?
      Not sure, but my best guess: Nightscythe. He attacked a lot of the wikias I've been on. 

      That's a good guess, but no one knows for sure. Seeing that he only attacks certain wiki's (ones that have cats on to be particular), I doubt it's him, and I think it's someone much much worse.

        Loading editor
    • DaNASCAT wrote:
      But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

      I would rather sign up to a website that is secure and has more registration steps than a website that is insecure and has fewer registration steps.


      If it's possible, I think Wikia needs to make this accouncement appear in the global naviation notifications. I always look there to see the messages that pertain to me- the little bubble at the bottom blends in and usually doesn't say anything that I needed to know. If I hadn't visited Community Central, I wouldn't have even noticed that the bubble showed up.

        Loading editor
    • It is.

        Loading editor
    • DaNASCAT is requesting us not to try and figure out which wikis were affected by who.

        Loading editor
    • Blaster Niceshot wrote:
      DaNASCAT wrote:
      But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)
      I would rather sign up to a website that is secure and has more registration steps than a website that is insecure and has fewer registration steps.

      Seriously.  It doesn't matter if you have more users if none of them are safe.

        Loading editor
    • DaNASCAT wrote:

      The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in. We have been slowly rolling out parts of Helios after testing. Unfortunately, this vulnerability was exploited before we were able to provide a closure that would maintain similar functionality. That's truly regrettable, but only drives us more to improve this system as a whole.

      If Javascript will not return anytime in the immediate future (next few days), then can we see it return after Helios is implemented since logins should be more secure at that point?

        Loading editor
    • Flamestar22 wrote:
      Thunderheart of Thunderclan wrote:
      IAmAwesome2 wrote:
      Who is this vandal? Or it it personal?
      Not sure, but my best guess: Nightscythe. He attacked a lot of the wikias I've been on. 
      That's a good guess, but no one knows for sure. Seeing that he only attacks certain wiki's (ones that have cats on to be particular), I doubt it's him, and I think it's someone much much worse.

      Point there, ja. It could be anyone. I also agree that all wikias will be affected. This is gonna be a hard time for wikia. Darn hacker scum, need to go get a life. 

      I do agree that changing password is necessary. I might do it myself. 

        Loading editor
    • Hey guys,Mike here,I believe this is not something to worry about

        Loading editor
    • DaNASCAT wrote:
      Hi everyone,

      There was a security issue on a couple of wikias over the weekend. No long-term damage was done to any wikia, but a nasty troll caused some havoc for a while.

      No kidding...

        Loading editor
    • Thunderheart of Thunderclan wrote:
      Flamestar22 wrote:
      Thunderheart of Thunderclan wrote:
      IAmAwesome2 wrote:
      Who is this vandal? Or it it personal?
      Not sure, but my best guess: Nightscythe. He attacked a lot of the wikias I've been on. 
      That's a good guess, but no one knows for sure. Seeing that he only attacks certain wiki's (ones that have cats on to be particular), I doubt it's him, and I think it's someone much much worse.
      Point there, ja. It could be anyone. I also agree that all wikias will be affected. This is gonna be a hard time for wikia. Darn hacker scum, need to go get a life. 

      I do agree that changing password is necessary. I might do it myself. 

      I've already changed my password for safety reasons, and it seems like a good idea for everyone to do. 

        Loading editor
    • Blaster Niceshot wrote:

      DaNASCAT wrote:
      But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

      I would rather sign up to a website that is secure and has more registration steps than a website that is insecure and has fewer registration steps.


      If it's possible, I think Wikia needs to make this accouncement appear in the global naviation notifications. I always look there to see the messages that pertain to me- the little bubble at the bottom blends in and usually doesn't say anything that I needed to know. If I hadn't visited Community Central, I wouldn't have even noticed that the bubble showed up.

      They have.

        Loading editor
    • The whole "extra steps means less users" thing also backfires even more once you realize that there are people leaving Wikia right now because they feel they aren't safe.  I'm on one of the affected Wikis right now and all I see is blog post after blog post from different users who don't feel safe so they don't want to stick around.

        Loading editor
    • Zazme Yakuza wrote:
      Hey guys,Mike here,I believe this is not something to worry about

      Really? Ask the hackers about that. I've had some encounters with them. Believe me, this IS something to worry about. 

        Loading editor
    • Flamestar22 wrote:
      Thunderheart of Thunderclan wrote:
      Flamestar22 wrote:
      Thunderheart of Thunderclan wrote:
      IAmAwesome2 wrote:
      Who is this vandal? Or it it personal?
      Not sure, but my best guess: Nightscythe. He attacked a lot of the wikias I've been on. 
      That's a good guess, but no one knows for sure. Seeing that he only attacks certain wiki's (ones that have cats on to be particular), I doubt it's him, and I think it's someone much much worse.
      Point there, ja. It could be anyone. I also agree that all wikias will be affected. This is gonna be a hard time for wikia. Darn hacker scum, need to go get a life. 

      I do agree that changing password is necessary. I might do it myself. 

      I've already changed my password for safety reasons, and it seems like a good idea for everyone to do. 

      I agree, but I'm hesitant, as I never remember passwords. 

      Imho, there should be, like, a way to get in if you do not remember your password (like your mom's middle name, idea came from Minecraft) Because some people don't really have a choice with the lack of rememberance. 

        Loading editor
    • Thunderheart of Thunderclan wrote:

      Zazme Yakuza wrote:
      Hey guys,Mike here,I believe this is not something to worry about
      Really? Ask the hackers about that. I've had some encounters with them. Believe me, this IS something to worry about. 

      It IS something to worry about. Hackers are a big deal, especially on a global site that could affect millions of people.

        Loading editor
    • I have dealt with these hackers even if they are smarter than you or them and me,You can't risk worrying about it,it is just plain dumb or some words which fits in the category.

        Loading editor
    • Didn't you get hacked as well, DaNASCAT?

        Loading editor
    • Whats gonna happen!? How will you stop the troll and is their an estimate of days of when we could go to our normal lives on the webzz?

        Loading editor
    • DaNASCAT wrote:

      For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

      I wanted to make a reply on its own to point this out: this is disgusting and scary to read from official staff of such a massive website. So many services are using two-factor authentication now and they're far better off for it. 2FA would help massively on Wikia, and yet you guys think it would stop people from registration? Just don't make it mandatory. People would feel more secure knowing they can enable 2FA. I would highly suggest you guys reconsider your stance on adding security to your service, because the idea that you wouldn't add security that so many other websitse have already added is really scary.

        Loading editor
    • ThePokémonGamer wrote:

      Blaster Niceshot wrote:

      DaNASCAT wrote:
      ...
      ...
      They have.

      Did they do that before I posted or after? If they did it before, my apologies, I must have forgotten that I clicked on it.

        Loading editor
    • And if this is actually hackers I believe they are in a group

        Loading editor
    • Flamestar22 wrote:

      Thunderheart of Thunderclan wrote:


      Zazme Yakuza wrote:
      Hey guys,Mike here,I believe this is not something to worry about
      Really? Ask the hackers about that. I've had some encounters with them. Believe me, this IS something to worry about. 
      It IS something to worry about. Hackers are a big deal, especially on a global site that could affect millions of people.

      Amen

        Loading editor
    • SlyCooperFan1 wrote:

      DaNASCAT wrote:

      For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

      I wanted to make a reply on its own to point this out: this is disgusting and scary to read from official staff of such a massive website. So many services are using two-factor authentication now and they're far better off for it. 2FA would help massively on Wikia, and yet you guys think it would stop people from registration? Just don't make it mandatory. People would feel more secure knowing they can enable 2FA. I would highly suggest you guys reconsider your stance on adding security to your service, because the idea that you wouldn't add security that so many other websitse have already added is really scary.

      I agree with this.

        Loading editor
    • Zazme Yakuza wrote:

      And if this is actually hackers I believe they are in a group

      You're not helping. Passwords were stolen from user accounts and both accounts and wikis were comprised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

        Loading editor
    • LLRweegee wrote:
      Whats gonna happen!? How will you stop the troll and is their an estimate of days of when we could go to our normal lives on the webzz?

      You can go to normal wiki life, but just be on the lookout in case someone gets hacked c:

      They'll stop the troll somehow, just let them do they need to do ^.~

        Loading editor
    • Wikia needs to enable HTTPS!

        Loading editor
    • SlyCooperFan1 wrote:

      Zazme Yakuza wrote:

      And if this is actually hackers I believe they are in a group

      You're not helping. Passwords were stolen from user accounts and both accounts and wikis were comprised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

      Ja, and besides, I am beginning to have supsicions about you now. Normal people don't defend hackers. 

        Loading editor
    • Superluigi6 wrote:

      Wikia needs to enable HTTPS!

      HTTPS does not solve all issues, and there have been many HTTPS security flaws over the years. Heartbleed was one of the more recent and high-profile ones. If Wikia enabled HTTPS on all pages, it would help some attacks, but others wouldn't be affected.

        Loading editor
    • This isn't the first time, wikia has been a target of such an attack. 

        Loading editor
    • Thunderheart of Thunderclan wrote:

      Flamestar22 wrote:

      Thunderheart of Thunderclan wrote:


      Zazme Yakuza wrote:
      Hey guys,Mike here,I believe this is not something to worry about
      Really? Ask the hackers about that. I've had some encounters with them. Believe me, this IS something to worry about. 
      It IS something to worry about. Hackers are a big deal, especially on a global site that could affect millions of people.

      Amen

      Meh,Big deal??You are not kind of making sense

        Loading editor
    • Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

        Loading editor
    • okay, thats all I wanted to know!
      HEURP-we're-frogs!

      HEURP!

        Loading editor
    • Maybe not it is but are??

        Loading editor
    • IAmAwesome2 wrote:

      Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

      Having your account blocked doesn't change how easy it can be to steal someone's login data, especially if you can just make another account.

        Loading editor
    • Grand Duchess Anastasia wrote: This isn't the first time, wikia has been a target of such an attack. 

      As such a large site, it's amazing things like this don't happen more often

        Loading editor
    • Zazme Yakuza wrote:
      Maybe not it is but are??

      Say again?

        Loading editor
    • IAmAwesome2 wrote: Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

      He is.

      Shyguy-emoticon.gifJoey (talk)

        Loading editor
    • Thunderheart of Thunderclan wrote:

      Zazme Yakuza wrote:
      Maybe not it is but are??

      Say again?

      Don't encourage him.

        Loading editor
    • Was the Elder scrolls wiki or the Elder Scrolls sandbox wiki affected?

        Loading editor
    • Thunderheart of Thunderclan wrote:

      Zazme Yakuza wrote:
      Maybe not it is but are??

      Say again?

      Maybe they are a group of hackers,if they are above 100,well good luck

        Loading editor
    • Zazme Yakuza wrote:

      Thunderheart of Thunderclan wrote:

      Zazme Yakuza wrote:
      Maybe not it is but are??

      Say again?

      Maybe they are a group of hackers,if they are above 100,well good luck

      what are you talking about

        Loading editor
    • SlyCooperFan1 wrote:

      IAmAwesome2 wrote:

      Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

      Having your account blocked doesn't change how easy it can be to steal someone's login data, especially if you can just make another account.

      Good point.

        Loading editor
    • Zazme Yakuza wrote:

      Thunderheart of Thunderclan wrote:

      Zazme Yakuza wrote:
      Maybe not it is but are??
      Say again?
      Maybe they are a group of hackers,if they are above 100,well good luck

      You are so not helping..

        Loading editor
    • Everyone kudos this comment because Zmario wrote it!

        Loading editor
    • k

        Loading editor
    • I don't see what's so important about registering? By default, even users who aren't signed in can contribute to wikias. Registration allows you to hide your IP from the masses, get proper credit for your contributions, possibly get promoted to do some deep-end stuff with the wikias, contribute to pages or wikias that are locked from the masses, post blogs, set up a profile, and have a message wall. That's it, isn't it? The core of wikias is that they can be edited by anyone by default, and the lack of a proper account does not hinder that, does it? Did I miss something o.o

      Also I'm laughing my ass off at the dude that's basically like "don't bother trying to defend against the hackers 'cause of this and that and this and that" xD

        Loading editor
    • Keep this on topic please. It's impossible to keep track of as it is, you're just derailing it now.

        Loading editor
    • Shegorath's Servant04 likes cheez-its wrote: Was the Elder scrolls wiki or the Elder Scrolls sandbox wiki affected?

      Its site JS was.

      Shyguy-emoticon.gifJoey (talk)

        Loading editor
    • Dragonfree97 wrote:

      Grand Duchess Anastasia wrote: This isn't the first time, wikia has been a target of such an attack. 

      As such a large site, it's amazing things like this don't happen more often

      Which is a good thing.

        Loading editor
    • Thunderheart of Thunderclan wrote:
      Zazme Yakuza wrote:
      Hey guys,Mike here,I believe this is not something to worry about
      Really? Ask the hackers about that. I've had some encounters with them. Believe me, this IS something to worry about. 

      Agreed. While I haven't noticed anything being very broken so far or unusual, it's good to see that this has been noticed and is being adressed. And while it does suck that many wikis are seeing their custom JS content broken, what the heck did you think was going to happen with something as vulnerable as JavaScript?​

      At the same time, though, there aren't exactly many different ways to achieve the same things that one can with JavaScript through different ways, so I understand why it is widely used. Not the best of choices, though...

        Loading editor
    • SolarMist wrote: I don't see what's so important about registering? By default, even users who aren't signed in can contribute to wikias. Registration allows you to hide your IP from the masses, get proper credit for your contributions, possibly get promoted to do some deep-end stuff with the wikias, contribute to pages or wikias that are locked from the masses, post blogs, set up a profile, and have a message wall. That's it, isn't it? The core of wikias is that they can be edited by anyone by default, and the lack of a proper account does not hinder that, does it? Did I miss something o.o

      Also I'm laughing my ass off at the dude that's basically like "don't bother trying to defend against the hackers 'cause of this and that and this and that" xD

      Some wikis have disabled anon editing. I think there was a staff blog post about it a few weeks ago

        Loading editor
    • Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

        Loading editor
    • Fandyllic wrote: Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

      I'm not even sure that's possible, but even if it was, there would be nothing stopping an attacker copying and pasting js onto a Wikia page somewhere and importing that

        Loading editor
    • Does disabling the java have an effect on the youtube player? On my wiki, and a fellow friend's wiki as well, it doesn't seem to function anymore.

        Loading editor
    • Disabling Javascript isn't the answer. The problem isn't enabling Javascript. The problem is that Wikia's security policies are horribly negligent. Wikia uses insecure transmission for a bunch of different things. Wikia's policy on the Dev wiki was to not protect most scripts, ignoring the security issues; when the policy should have always been to require the code-editor permission to edit any scripts. Logging in should be restricted to a single page. Scripts should be auto-audited before being put into effect.

      The issue here is that Wikia was negligent about security, and now we're paying the price.

        Loading editor
    • Deadcoder wrote: Disabling Javascript isn't the answer. The problem isn't enabling Javascript. The problem is that Wikia's security policies are horribly negligent. Wikia uses insecure transmission for a bunch of different things. Wikia's policy on the Dev wiki was to not protect any scripts, ignoring the security issues; when the policy should have always been to require the code-editor permission to edit any scripts. Logging in should be restricted to a single page. Scripts should be auto-audited before being put into effect.

      The issue here is that Wikia was negligent about security, and now we're paying the price.

      Hopefully, only temporarily, and not for too long.

        Loading editor
    • Deadcoder wrote:

      Disabling Javascript isn't the answer. The problem isn't enabling Javascript. The problem is that Wikia's security policies are horribly negligent. Wikia uses insecure transmission for a bunch of different things. Wikia's policy on the Dev wiki was to not protect any scripts, ignoring the security issues; when the policy should have always been to require the code-editor permission to edit any scripts. Logging in should be restricted to a single page. Scripts should be auto-audited before being put into effect.

      The issue here is that Wikia was negligent about security, and now we're paying the price.

      Given the fact that Wikia doesn't want to enable 2FA, we might be paying this price for a long time to come.

        Loading editor
    • Dragonfree97 wrote:

      SolarMist wrote: I don't see what's so important about registering? By default, even users who aren't signed in can contribute to wikias. Registration allows you to hide your IP from the masses, get proper credit for your contributions, possibly get promoted to do some deep-end stuff with the wikias, contribute to pages or wikias that are locked from the masses, post blogs, set up a profile, and have a message wall. That's it, isn't it? The core of wikias is that they can be edited by anyone by default, and the lack of a proper account does not hinder that, does it? Did I miss something o.o

      Also I'm laughing my ass off at the dude that's basically like "don't bother trying to defend against the hackers 'cause of this and that and this and that" xD

      Some wikis have disabled anon editing. I think there was a staff blog post about it a few weeks ago

      Yeah, but that's not disabled by default, is it? I'm wondering about this:

      DaNASCAT wrote:

      First and foremost, there are a lot of suggestions included on this thread about how to mitigate this particular exploit. They are very good solid ones. However, each one would require a good amount of engineering time and each have a fallback. For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

      (emphasis not mine!)

        Loading editor
    • Fandyllic wrote:
      Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

      Some accounts were taken over, like mine, so I think they mean on an individual scale like that, not like the user database got ripped open or something.

        Loading editor
    • Fandyllic wrote: Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

      User, pass and email, no database hack, and it was internal JS, not external.

        Loading editor
    • Fandyllic wrote: Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

      My guess is that someone put JS to redirect the login form to an external website, so users that were using the login form on the affected wiki were sending their credentials to the attacker instead of logging into wikia.

        Loading editor
    • How do I unsubscribe from this?

        Loading editor
    • Press the Unfollow button on top

        Loading editor
    • Thunderheart of Thunderclan wrote:
      How do I unsubscribe from this?

      Go to the OP and in the corner of the post there will be a button that will let you unfollow.

        Loading editor
    • There's a "Unfollow" button on the top of the thread.

        Loading editor
    • Thunderheart of Thunderclan wrote:

      How do I unsubscribe from this?

      At the very top in the first post, hover over the "Following" button. Click it to unsubscribe.

        Loading editor
    • SlyCooperFan1 wrote:

      Thunderheart of Thunderclan wrote:

      How do I unsubscribe from this?

      At the very top in the first post, hover over the "Following" button. Click it to unsubscribe.

      THANK YOU! It was spamming my inbox

        Loading editor
    • What caused this?

        Loading editor
    • By the way, thanks Wikia, I feel really safe, considering someone just posted what my old password was to a blog post on a very popular Wiki.  Within the last 30 minutes.  Thanks.

        Loading editor
    • DaNASCAT wrote: … 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

      The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in. We have been slowly rolling out parts of Helios after testing. Unfortunately, this vulnerability was exploited before we were able to provide a closure that would maintain similar functionality. That's truly regrettable, but only drives us more to improve this system as a whole.


      First, thank you TimQ for telling us about this and for keeping us up to date. That is very much appreciated by us all, I am sure.

      Second, what’s 2FA? Is that like the two-step login at Facebook, Google, tumblr, and Twitter?

      Lastly, I don’t understand the comment “allows us to avoid a lot of the traps MediaWiki architecture has put us in.” At Wikipedia, logoff is indeed on every page when logged in; similarly, login is on every page when logged out. However, clicking on login takes one to a separate https: page to perform the login and credential check. Once correctly completed, one is returned to the page one was on when login was selected. Most likely it’s all over my head, but it seems to contract the quoted statement at the start of this paragraph.

      Thanks again for keeping us in the loop!Face-smile

        Loading editor
    • Was the MLP community affected (dumb question) because I got reported for abusing people for no apparent reason..

        Loading editor
    • Now I feel something is really happening. People are making blog posts from one of the hacked wikis with this:


      "Unfortunately due to the recent hackings I am afraid that my account to will be caught by the hackers

      Until Wikia is certain that the hackers have been dealt with, I will be taking a short leave of absence from this wiki for a little while."


      People start making jokes of it. Some thought it was it was really a joke. I have no idea if it's really a joke or not.

        Loading editor
    • It's no joke. Someone seems to really dislike the FNAF wiki.

        Loading editor
    • Tupka217 wrote:
      It's no joke. Someone seems to really dislike the FNAF wiki.

      I see.


      If they really hate the FNaF Wiki they could have just leave and never came back.

        Loading editor
    • DaNASCAT wrote:
      Hello,

      I just want to address some of the points already addressed in the replies to this thread.

      First and foremost, there are a lot of suggestions included on this thread about how to mitigate this particular exploit. They are very good solid ones. However, each one would require a good amount of engineering time and each have a fallback. For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

      ...

      Every major service that offers 2FA has it as a recommended option. For some examples, see Google, Facebook, Outlook.com, Dropbox, GitHub. You don't need to have it to register, but it should be available for those who want it, and visible (via usergroup or whatever) so communities can enforce it for their admins.

      DaNASCAT wrote:
      ... The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in. We have been slowly rolling out parts of Helios after testing. Unfortunately, this vulnerability was exploited before we were able to provide a closure that would maintain similar functionality. That's truly regrettable, but only drives us more to improve this system as a whole.

      In the meantime you can replace the form with a link to Special:UserLogin, so JS can be re-enabled.

        Loading editor
    • SlyCooperFan1 wrote:

      Deadcoder wrote:

      Disabling Javascript isn't the answer. The problem isn't enabling Javascript. The problem is that Wikia's security policies are horribly negligent. Wikia uses insecure transmission for a bunch of different things. Wikia's policy on the Dev wiki was to not protect any scripts, ignoring the security issues; when the policy should have always been to require the code-editor permission to edit any scripts. Logging in should be restricted to a single page. Scripts should be auto-audited before being put into effect.

      The issue here is that Wikia was negligent about security, and now we're paying the price.

      Given the fact that Wikia doesn't want to enable 2FA, we might be paying this price for a long time to come.

      Plus how DaNASCAT seems to think we're going to require everyone to have 2FA - I'm pretty sure at least half of us here understand that not everyone is even able to do 2FA. C'mon Staff, if you're going to deny something because "oh gawd we won't get advertising or more users" then I don't understand why you even bother listening to us in the first place. We're not complete idiots, and it shouldn't take us saying this to make you understand that.

        Loading editor
    • Springy Boy wrote:
      Now I feel something is really happening. People are making blog posts from one of the hacked wikis with this:


      "Unfortunately due to the recent hackings I am afraid that my account to will be caught by the hackers

      Until Wikia is certain that the hackers have been dealt with, I will be taking a short leave of absence from this wiki for a little while."


      People start making jokes of it. Some thought it was it was really a joke. I have no idea if it's really a joke or not.

      It seems like at least some of them are legitimately a show of solidarity, as that has happened with the wiki in the past, but I got word from a friend that a Wiki she uses has something going on where accounts are posting blogs without the actual owner of said account knowing.  In other words, on that Wiki, someone is taking over accounts.  Maybe it's happening on the FNAF Wiki again.  It doesn't help that I'm seeing a lot of names pop up that I've never seen before that have no edits there that are making that post.

        Loading editor
    • Ciencia Al Poder wrote:

      Fandyllic wrote: Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

      My guess is that someone put JS to redirect the login form to an external website, so users that were using the login form on the affected wiki were sending their credentials to the attacker instead of logging into wikia.

      That's pretty evil, but I could see that happening. I assume this evildoer would have to be an admin to do this for it to affect other users?

        Loading editor
    • Fandyllic wrote:

      Ciencia Al Poder wrote:

      Fandyllic wrote: Not much info in this announcement. What kind of user info could have been compromised? Did hackers access the Wikia user DB? Why couldn't Wikia just disable JS imported from outside the wikia.com domain?

      My guess is that someone put JS to redirect the login form to an external website, so users that were using the login form on the affected wiki were sending their credentials to the attacker instead of logging into wikia.

      That's pretty evil, but I could see that happening. I assume this evildoer would have to be an admin to do this for it to affect other users?

      I know that an admin account was taken over on the FNAF Wiki and used to wreak havoc so

        Loading editor
    • I'm stunned that something of this magnitude could happen. How did no one fail to see that this could be a problem? I'm not an admin or a site manager, but authentication on any sort of script editing seems standard. Anyway, I'm going to keep this short and not say what's already been said, but disabling JavaScript isn't the solution.

        Loading editor
    • DaNASCAT wrote:
      ...
      The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in.
      ...

      Special:UserLogin has none of the faults you attribute to it.

        Loading editor
    • WalkerTexasRanger wrote: I'm stunned that something of this magnitude could happen. How did no one fail to see that this could be a problem? I'm not an admin or a site manager, but authentication on any sort of script editing seems standard. Anyway, I'm going to keep this short and not say what's already been said, but disabling JavaScript isn't the solution.

      I'm not surprised that the person who did this, did it during the weekend, when most of the staff wouldn't be readily available. Or notice something wrong with their account.

        Loading editor
    • Believe me, Staff worked ultra fast when they've seen it.

        Loading editor
    • Would it be possible to implement 2FA as an optional thing you turn on?

        Loading editor
    • Jr Mime wrote: Believe me, Staff worked ultra fast when they've seen it.

      I don't believe you.

        Loading editor
    • Shining-Armor wrote:
      Would it be possible to implement 2FA as an optional thing you turn on?

      No, see this reply from DaNASCAT.

        Loading editor
    • Jr Mime wrote: Believe me, Staff worked ultra fast when they've seen it.

      Yeah, I noticed it. Good job on that, all of you.

        Loading editor
    • MichiRecRoom wrote:
      Shining-Armor wrote:
      Would it be possible to implement 2FA as an optional thing you turn on?
      No, see this reply from DaNASCAT.

      That's not saying it's impossible, that's just saying they don't want to implement it because they think it will deter people from signing up.

      It doesn't matter how many users you have if none of them are protected.

      2FA should be an option.  It's an option on pretty much every major website used these days.

        Loading editor
    • I'm pretty sure the TTTE wiki had a security breach as well.

        Loading editor
    • MichiRecRoom wrote:

      Shining-Armor wrote:
      Would it be possible to implement 2FA as an optional thing you turn on?

      No, see this reply from DaNASCAT.

      That reply seems to be saying they won't make in mandatory.

      I am asking if they can enable it so that you can go to your preferences and add it.

        Loading editor
    • Shining-Armor wrote:

      MichiRecRoom wrote:

      Shining-Armor wrote:
      Would it be possible to implement 2FA as an optional thing you turn on?

      No, see this reply from DaNASCAT.

      That reply seems to be saying they won't make in mandatory.

      I am asking if they can enable it so that you can go to your preferences and add it.

      Is it possible? Yes. Will they do it? DaNASCAT said they probably wouldn't. We'll just have to wait and see.

        Loading editor
    • You've got to be joking. A lot of our wikis use and need JavaScript; disabling it is NOT the solution. Give us two-factor authentication, or switch to HTTPS like every other website. So many solutions have been posted here.

        Loading editor
    • On my gameknight999 wiki that explains why when I created a navbox it didint work (I realized there is another Gameknight999 wiki,=|)

        Loading editor
    • I only know some very basic coding stuff from using Wikia for the past year but if switching from Javascript to something else will prevent this crap from happening again I'm sure everyone would be willing to make the change.

        Loading editor
    • Homura-chan's Backup Account wrote: I only know some very basic coding stuff from using Wikia for the past year but if switching from Javascript to something else will prevent this crap from happening again I'm sure everyone would be willing to make the change.

      It's not that. They've shut it down temporarily to prevent the same thing (or comparable things) from happening again. It's not a long term thing. It's short term, very, very short term.

        Loading editor
    • Hello, thank you for explaining what happened, I had a message that was in Jappanese I translated it and it said something about the comunity wants me to edit it or something, I have a picture, that I shall upload, but I can't remember exactly what it said.

      Is this connected to the security issue?
      WeirdJapaneseBox

      Is this conected?

        Loading editor
    • Punkdrummergirl wrote: Hello, thank you for explaining what happened, I had a message that was in Jappanese I translated it and it said something about the comunity wants me to edit it or something, I have a picture, that I shall upload, but I can't remember exactly what it said.

      Is this connected to the security issue?
      WeirdJapaneseBox

      Is this conected?

      No, that's an unrelated issue. It's been solved.

        Loading editor
    • Homura-chan's Backup Account wrote:
      I only know some very basic coding stuff from using Wikia for the past year but if switching from Javascript to something else will prevent this crap from happening again I'm sure everyone would be willing to make the change.

      I'm actually convinced of the contrary — it's Wikia's responsibility to make sure that such thing cannot happen without taking away this freedom from their users. But as probably said several times in this thread, Wikia are working on it and it's only a temporary solution.

        Loading editor
    • To be clear, I am certainly not saying that 2FA is not an option or shouldn't be considered. I was simply trying to choose one example that each security measure we implement does have a cost, both in terms of implementation and in terms of barrier of use, to each and every user. Adding it as an optional preference is a fine idea and one we have been and will be actively discussing.

        Loading editor
    • Yes, Wikia is working on fixing the security problems that plague the site, but the problem is that these issues were obvious and should have been fixed much earlier, before an attack happened. They are performing disaster cleanup, because they failed to use proper safety procedures in the first place. Sympathy is not justified here, nor is patience.

        Loading editor
    • Just use no script

        Loading editor
    • Which wikis did the attacks occur on?

      Gen. Grievous1138 (admin) comlink 20:57, August 10, 2015 (UTC)

        Loading editor
    • MichiRecRoom wrote:

      Shining-Armor wrote:
      Would it be possible to implement 2FA as an optional thing you turn on?

      No, see this reply from DaNASCAT.

      An even better reason is that if it's optional, it can be turned off. Unless turning it off is at least as hard as providing the 2nd factor, the 2nd factor is useless. You can apply the same logic to so-called account recovery hints (at any number of sites) to see that they weaken security, not enhance it. Unless the administration of a site is truly committed to 2-factor, it's not an improvement. This is not an indictment of 2-factor. It's an indictment of the administration of most sites.

        Loading editor
    • Tupka217 wrote:

      Punkdrummergirl wrote: Hello, thank you for explaining what happened, I had a message that was in Jappanese I translated it and it said something about the comunity wants me to edit it or something, I have a picture, that I shall upload, but I can't remember exactly what it said.

      Is this connected to the security issue?
      WeirdJapaneseBox

      Is this conected?

      No, that's an unrelated issue. It's been solved.

      Please could you tell me what issue it was caused by?

      I would feel much happier knowing what caused it.

        Loading editor
    • Punkdrummergirl wrote:

      Tupka217 wrote:

      Punkdrummergirl wrote: Hello, thank you for explaining what happened, I had a message that was in Jappanese I translated it and it said something about the comunity wants me to edit it or something, I have a picture, that I shall upload, but I can't remember exactly what it said.

      Is this connected to the security issue?
      WeirdJapaneseBox

      Is this conected?

      No, that's an unrelated issue. It's been solved.

      Please could you tell me what issue it was caused by?

      I would feel much happier knowing what caused it.

      I heard about it when user:Candy Randy, one of the 7D wiki admins mentioned it to me.

        Loading editor
    • Punkdrummergirl wrote:

      Tupka217 wrote:

      Punkdrummergirl wrote: Hello, thank you for explaining what happened, I had a message that was in Jappanese I translated it and it said something about the comunity wants me to edit it or something, I have a picture, that I shall upload, but I can't remember exactly what it said.

      Is this connected to the security issue?
      WeirdJapaneseBox

      Is this conected?

      No, that's an unrelated issue. It's been solved.

      Please could you tell me what issue it was caused by?

      I would feel much happier knowing what caused it.

      That was a promo run by the Japanese cluster of Wikia, and got accidentally sent sitewide instead of just restricted to Japanese users.

        Loading editor
    • On the Just Dance Wiki, show/hide buttons are now missing from navboxes. Is this related to the CSS being… whatever it was, turned off or something (too lazy to scroll up)?

        Loading editor
    • CAMERAwMUSTACHE wrote: On the Just Dance Wiki, show/hide buttons are now missing from navboxes. Is this related to the CSS being… whatever it was, turned off or something (too lazy to scroll up)?

      Show/hide is enabled by Javascript, which is currently turned off. This means that they are disabled for the time being.

        Loading editor
    • CAMERAwMUSTACHE wrote:
      On the Just Dance Wiki, show/hide buttons are now missing from navboxes. Is this related to the CSS being… whatever it was, turned off or something (too lazy to scroll up)?

      Show/Hide are functions of JavaScript. JavaScript has also been disabled.

        Loading editor
    • My widgets and my countdown is turned off

      That countdown was important :/

        Loading editor
    • You can still edit JS pages in XML through Special:Export and Special:Import. Ya'll always seem to miss these two pages when it comes to overriding Wikia features. So if I'm an admin on a given wiki, I can still update any javascript page and anyones personal JS with Import.

      Also, HTTPS is in use on at least https://one.wikia-inc.com/. Although that's not necessarily the main domain people would be using. Whenever Helios goes live, I hope it is a secure connection for at least the log-in. Ryan PM

      21:25, August 10, 2015 (UTC)
      
        Loading editor
    • @Ryan PM: While we can still edit JS pages through Import/Export, the functionality of Javascript iself has been globally disabled by Wikia across all wikis. Being able to edit the scripts or not doesn't matter; they won't run regardless.

        Loading editor
    • Axle555 wrote:
      What are trolls? Some kind of hacker?
      Eli-is-confused

      They try and make people angry. Look it up.

        Loading editor
    • SlyCooperFan1 wrote: @Ryan PM: While we can still edit JS pages through Import/Export, the functionality of Javascript iself has been globally disabled by Wikia across all wikis. Being able to edit the scripts or not doesn't matter; they won't run regardless.

      Personal JS still runs, so if I were to be malicious, I could change User:X's Special:MyPage/wikia.js on a wiki that I have sysop rights on with Special:Import. The only way to supercede that is to do another import over that one. It's a glaring issue that has existed long before this. In the past I've been able to overwrite MediaWiki messages that normally are not changeable on the local wiki (like the On the Wiki tab at launch). Ryan PM

      21:37, August 10, 2015 (UTC)
      
        Loading editor
    • This also affects wikis using MathJax or LaTeX, which Googology Wiki relies on. 

        Loading editor
    • DaNASCAT wrote: First and foremost, there are a lot of suggestions included on this thread about how to mitigate this particular exploit. They are very good solid ones. However, each one would require a good amount of engineering time and each have a fallback. For instance, 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

      I don't ever recall a 2FA system that was mandatory at registration. In the scope of Wikia's interests, 2FA is useful, but only to a comparatively small handful of people (such as staff), for whom have extensive permissions across Wikia's network; it should be optional, but certainly not mandatory at registration.

        Loading editor
    • Shoot. My newly created Fairy Tail OC was hit with this. Eric Peterson.

        Loading editor
    • SlyCooperFan1 wrote: @Ryan PM: While we can still edit JS pages through Import/Export, the functionality of Javascript iself has been globally disabled by Wikia across all wikis. Being able to edit the scripts or not doesn't matter; they won't run regardless.

      Tell that to my Batch Delete JS. It still works!

        Loading editor
    • n_n I wasn't affected, good 4 me n_n

        Loading editor
    • Tupka217 wrote:

      Homura-chan's Backup Account wrote: I only know some very basic coding stuff from using Wikia for the past year but if switching from Javascript to something else will prevent this crap from happening again I'm sure everyone would be willing to make the change.

      It's not that. They've shut it down temporarily to prevent the same thing (or comparable things) from happening again. It's not a long term thing. It's short term, very, very short term.

      That wasn't so much about Wikia disabling JS as it was about someone mentioning switching from JS to something else.

      Also, this is Homura again, it looks like my backup account may have been compromised as well, as I was logged out of my account after I refreshed a page and now my password doesn't appear to work, so I guess this is fun.  I really don't understand what's going on anymore.

        Loading editor
    • 65.28.172.134 wrote:
      Tupka217 wrote:

      Homura-chan's Backup Account wrote: I only know some very basic coding stuff from using Wikia for the past year but if switching from Javascript to something else will prevent this crap from happening again I'm sure everyone would be willing to make the change.

      It's not that. They've shut it down temporarily to prevent the same thing (or comparable things) from happening again. It's not a long term thing. It's short term, very, very short term.
      That wasn't so much about Wikia disabling JS as it was about someone mentioning switching from JS to something else.

      Also, this is Homura again, it looks like my backup account may have been compromised as well, as I was logged out of my account after I refreshed a page and now my password doesn't appear to work, so I guess this is fun.  I really don't understand what's going on anymore.

      Actually scratch that, apparently that account doesn't exist.

        Loading editor
    • Maybe your computer has a trojan.

        Loading editor
    • Even if 2FA isn't rolled out as an optional feature to all accounts, could it at least be made mandatory for staff (and VSTF, maybe?), so you guys' accounts can't be compromised like this again?

      Personally, if 2FA was an option I would take it, as long as it was a free text-based service workable with any mobile phone, not some sort of app-based thing that caters only to those with smartphones.

        Loading editor
    • This has been the second security breach involving JavaScript in a short period of time.

        Loading editor
    • Hello,

      Here is an important update. Later this evening, we will release a change that will mitigate the most pressing security concern while allowing JavaScript and Verbatim to run again.

      That change will shut down editing on the MediaWiki namespace, putting it in read-only mode except for the basic CSS files (MediaWiki:Common.css, MediaWiki:Monobook.css & MediaWiki:Wikia.css) that will allow those specific pages to be edited as needed. JavaScript will thus function again but be in read-only mode.

      This is not a permanent solution - Many people at Wikia have been discussing strategy today and ways we can grow and adapt from this incident that makes Wikia secure but also protects and maintains the customization that makes our communities thrive.

      While a lot of great progress was made in making a roadmap from where to go, we will need more time to shore up a solid, concrete plan moving forward. I will be providing further updates and insight into this issue. I am however asking the community to give Wikia a few days to communicate what the long-term plans will be. I will update this thread later tonight both to confirm the change to re-enable JavaScript loading is live, and again later this week to share more about where we are going.

        Loading editor
    • Now im not sure ill be safe.......

        Loading editor
    • ThePokémonGamer wrote:
      Maybe your computer has a trojan.

      I can absolutely assure you it is not my computer.  And only my Wikia stuff is being affected.  As you can see after some tinkering I'm back in this one, but I'm highly suspicious and I've changed my password yet again.

        Loading editor
    • This is very scary news. Especially as a founder of a Wiki, I don't want any of the hard work made by myself and my community down the drain. I do really appreciate this warning though, and I encourage all users to make the necessary changes to make us safe from these attacks.

        Loading editor
    • Good idea. I'll go change my password right now.

        Loading editor
    • Homura-chan's Backup Account wrote:

      North Aurora wrote:
      What day did this all begin? Note: On Saturday, 2 days ago, I was at Corn Sky Wiki for their 2nd anniversary.

      Yesterday.

      Ok.

        Loading editor
    • I hope the editors at the Dev Wiki have also begun locking down their code and migrating it to a special Code namespace where only experienced and trusted code developers can edit. Good luck with the work, DaNASCAT.

       Speedit   talk contribs  23:07, August 10, 2015 (UTC)

        Loading editor
    • North Aurora wrote:

      Homura-chan's Backup Account wrote:

      North Aurora wrote:
      What day did this all begin? Note: On Saturday, 2 days ago, I was at Corn Sky Wiki for their 2nd anniversary.

      Yesterday.

      Ok.

      Good thing there weren't any issues while I was at Corn Sky Wiki for their 2nd anniversary day. The Corn Sky Wiki's anniversary day is on August 8th every year since August 8, 2013. The wiki is currently 2 years old now.

        Loading editor
    • They've already done that for a few weeks now.

        Loading editor
    • DaNASCAT wrote: Hello,

      Here is an important update. Later this evening, we will release a change that will mitigate the most pressing security concern while allowing JavaScript and Verbatim to run again.

      That change will shut down editing on the MediaWiki namespace, putting it in read-only mode except for the basic CSS files (MediaWiki:Common.css, MediaWiki:Monobook.css & MediaWiki:Wikia.css) that will allow those specific pages to be edited as needed. JavaScript will thus function again but be in read-only mode.

      This is not a permanent solution - Many people at Wikia have been discussing strategy today and ways we can grow and adapt from this incident that makes Wikia secure but also protects and maintains the customization that makes our communities thrive.

      While a lot of great progress was made in making a roadmap from where to go, we will need more time to shore up a solid, concrete plan moving forward. I will be providing further updates and insight into this issue. I am however asking the community to give Wikia a few days to communicate what the long-term plans will be. I will update this thread later tonight both to confirm the change to re-enable JavaScript loading is live, and again later this week to share more about where we are going.

      So Javascript will work again, but the only MediaWiki namespaced pages we can edit are the core CSS files?

        Loading editor
    • Yeah, you have to be a codeeditor to edit existing scrips on Dev wikia. You can still make scripts, you just have to request they be protected.

        Loading editor
    • Deadcoder wrote:

      DaNASCAT wrote: Hello,

      Here is an important update. Later this evening, we will release a change that will mitigate the most pressing security concern while allowing JavaScript and Verbatim to run again.

      That change will shut down editing on the MediaWiki namespace, putting it in read-only mode except for the basic CSS files (MediaWiki:Common.css, MediaWiki:Monobook.css & MediaWiki:Wikia.css) that will allow those specific pages to be edited as needed. JavaScript will thus function again but be in read-only mode.

      This is not a permanent solution - Many people at Wikia have been discussing strategy today and ways we can grow and adapt from this incident that makes Wikia secure but also protects and maintains the customization that makes our communities thrive.

      While a lot of great progress was made in making a roadmap from where to go, we will need more time to shore up a solid, concrete plan moving forward. I will be providing further updates and insight into this issue. I am however asking the community to give Wikia a few days to communicate what the long-term plans will be. I will update this thread later tonight both to confirm the change to re-enable JavaScript loading is live, and again later this week to share more about where we are going.

      So Javascript will work again, but the only MediaWiki namespaced pages we can edit are the core CSS files?

      And other ones like the block messages. Just not anything related to javascript.

        Loading editor
    • Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

        Loading editor
    • IAmAwesome2 wrote:
      SlyCooperFan1 wrote:

      IAmAwesome2 wrote:

      Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

      Having your account blocked doesn't change how easy it can be to steal someone's login data, especially if you can just make another account.
      Good point.

      An good idea for Wikia would be to block the computer of the hacker. But they might get another computer. Still, it's just an idea...

        Loading editor
    • Can't block computers on Wikia.

        Loading editor
    • Thunderheart of Thunderclan wrote:

      SlyCooperFan1 wrote:

      Zazme Yakuza wrote:

      And if this is actually hackers I believe they are in a group

      You're not helping. Passwords were stolen from user accounts and both accounts and wikis were comprised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

      Ja, and besides, I am beginning to have supsicions about you now. Normal people don't defend hackers. 

      They defend hackers, not crackers.

        Loading editor
    • IAmAwesome2 wrote:

      IAmAwesome2 wrote:
      SlyCooperFan1 wrote:

      IAmAwesome2 wrote:

      Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

      Having your account blocked doesn't change how easy it can be to steal someone's login data, especially if you can just make another account.
      Good point.

      An good idea for Wikia would be to block the computer of the hacker. But they might get another computer. Still, it's just an idea...

      How would they do it, MAC adress? Those can change and any sensible hacker would use Linux virtual machines anyway? IP adress? Maybe, its what we do now but its not all that, this incident is proof. Perhaps the people who violate Wikia's Terms of Use should be physically blocked from accessing the domain altogether. Harsh but if someone's already blocked everywhere, it stops them from doing anon edits through CheckUser of the blocked user to block ALL their IPs.

      I hate vandals more than I hate website blocks so this is a somewhat decent solution

       Speedit   talk contribs  23:32, August 10, 2015 (UTC)

        Loading editor
    • Jr Mime wrote:
      Can't block computers on Wikia.

      I figured. That could happen in the future, though.

      Just saying.

        Loading editor
    • Speedit wrote:

      IAmAwesome2 wrote:

      IAmAwesome2 wrote:
      SlyCooperFan1 wrote:

      IAmAwesome2 wrote:

      Well, if we know who it is, shouldn't he or she be blocked across Wikia already?

      Having your account blocked doesn't change how easy it can be to steal someone's login data, especially if you can just make another account.
      Good point.
      An good idea for Wikia would be to block the computer of the hacker. But they might get another computer. Still, it's just an idea...

      How would they do it, MAC adress? Those can change and any sensible hacker would use Linux virtual machines anyway? IP adress? Maybe, its what we do now but its not all that, this incident is proof. Perhaps the people who violate Wikia's Terms of Use should be physically blocked from accessing the domain altogether. Harsh but if someone's already blocked everywhere, it stops them from doing anon edits through CheckUser of the blocked user to block ALL their IPs.

      I hate vandals more than I hate website blocks so this is a somewhat decent solution

       Speedit   talk contribs  23:32, August 10, 2015 (UTC)

      Thank you.

        Loading editor
    • Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

      Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

       Speedit   talk contribs  23:35, August 10, 2015 (UTC)

        Loading editor
    • Well, I really would love to be secure, but, I am very forgetful and one password is all I can handle.

        Loading editor
    • Speedit wrote:

      Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

      Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

       Speedit   talk contribs  23:35, August 10, 2015 (UTC)

      I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.

        Loading editor
    • Argali1 wrote: Well, I really would love to be secure, but, I am very forgetful and one password is all I can handle.

      YEEEEES! ^THIS.

      I mean, who would entrust all their passwords to a password manager or bother to remember all those passwords anyway?

       Speedit   talk contribs  23:43, August 10, 2015 (UTC)

        Loading editor
    • Alysdexia wrote:

      Thunderheart of Thunderclan wrote:

      SlyCooperFan1 wrote:

      Zazme Yakuza wrote:

      And if this is actually hackers I believe they are in a group

      You're not helping. Passwords were stolen from user accounts and both accounts and wikis were comprised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

      Ja, and besides, I am beginning to have supsicions about you now. Normal people don't defend hackers. 

      They defend hackers, not crackers.

      WTF,why do you even think I am defending them,I said maybe the hackers are in a freaking group ok?

        Loading editor
    • Speedit wrote:

      Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

      Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

       Speedit   talk contribs  23:35, August 10, 2015 (UTC)

      Because they don't have disciplined and right staff that's why.

        Loading editor
    • Veran Onyx wrote:

      Speedit wrote:

      Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

      Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

       Speedit   talk contribs  23:35, August 10, 2015 (UTC)

      I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.

      Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

        Loading editor
    • So many people would actually swear they'd hack us almost daily so like, honestly, I doubt anyone actually saw this coming, because I'm being honest when I say a lot of those users who say such things are legitimately 12 and under.

        Loading editor
    • Homura-chan's Backup Account wrote:

      Veran Onyx wrote:

      Speedit wrote:

      Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

      Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

       Speedit   talk contribs  23:35, August 10, 2015 (UTC)

      I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.

      Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

      You could just ban them and move on,why do you even pay attention to those haters,they just don't have a life

        Loading editor
    • Me, too.

      Well, I had this bully who insulted me. But she is blocked across Wikia.

        Loading editor
    • Speedit wrote:

      Argali1 wrote: Well, I really would love to be secure, but, I am very forgetful and one password is all I can handle.

      YEEEEES! ^THIS.

      I mean, who would entrust all their passwords to a password manager or bother to remember all those passwords anyway?

       Speedit   talk contribs  23:43, August 10, 2015 (UTC)

      Pretty simple question make a note and stick it on a table or below your chair,I mean no one looks below the chair when they are busy on the computer right?!

        Loading editor
    • Zazme Yakuza wrote:

      Homura-chan's Backup Account wrote:

      Veran Onyx wrote:

      Speedit wrote:


      Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

      Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

       Speedit   talk contribs  23:35, August 10, 2015 (UTC)

      I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.
      Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

      You could just ban them and move on,why do you even pay attention to those haters,they just don't have a life

      None of us said we paid attention to them.  Someone asked why the FNAF Wiki gets targeted and I gave a few examples to support vern's.  People on the FNAF Wiki take things too seriously and we get targeted all the time.

        Loading editor
    • Zazme Yakuza wrote:

      Alysdexia wrote:

      Thunderheart of Thunderclan wrote:

      SlyCooperFan1 wrote:

      Zazme Yakuza wrote:

      And if this is actually hackers I believe they are in a group

      You're not helping. Passwords were stolen from user accounts and both accounts and wikis were comprised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

      Ja, and besides, I am beginning to have supsicions about you now. Normal people don't defend hackers. 

      They defend hackers, not crackers.

      WTF,why do you even think I am defending them,I said maybe the hackers are in a freaking group ok?

      Discussing the identity of the hackers is USELESS. The people who replied to your comment are also wasting their time. Please read DaNASCAT's thread opener again:

      DaNASCAT wrote: For now, please hold off speculation and explanations, and let us work in the background on this over the next few days.

      In any case, I want to know what the importance of a password change is right now. What's the actual risk that my password has been stolen IF my home wiki has no notice on the subject?

       Speedit   talk contribs  23:51, August 10, 2015 (UTC)

        Loading editor
    • DaNASCAT wrote: Hello,

      Here is an important update. Later this evening, we will release a change that will mitigate the most pressing security concern while allowing JavaScript and Verbatim to run again.

      That change will shut down editing on the MediaWiki namespace, putting it in read-only mode except for the basic CSS files (MediaWiki:Common.css, MediaWiki:Monobook.css & MediaWiki:Wikia.css) that will allow those specific pages to be edited as needed. JavaScript will thus function again but be in read-only mode.

      This is not a permanent solution - Many people at Wikia have been discussing strategy today and ways we can grow and adapt from this incident that makes Wikia secure but also protects and maintains the customization that makes our communities thrive.

      While a lot of great progress was made in making a roadmap from where to go, we will need more time to shore up a solid, concrete plan moving forward. I will be providing further updates and insight into this issue. I am however asking the community to give Wikia a few days to communicate what the long-term plans will be. I will update this thread later tonight both to confirm the change to re-enable JavaScript loading is live, and again later this week to share more about where we are going.

      Good move.

        Loading editor
    • Homura-chan's Backup Account wrote:

      Zazme Yakuza wrote:

      Homura-chan's Backup Account wrote:

      Veran Onyx wrote:

      Speedit wrote:


      Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

      Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

       Speedit   talk contribs  23:35, August 10, 2015 (UTC)

      I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.
      Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

      You could just ban them and move on,why do you even pay attention to those haters,they just don't have a life

      None of us said we paid attention to them.  Someone asked why the FNAF Wiki gets targeted and I gave a few examples to support vern's.  People on the FNAF Wiki take things too seriously and we get targeted all the time.

      Well if they do,that is not great,and you guys get targeted everytime?!Umm well I don't believe that unless there is someone targets the wiki every single day.

        Loading editor
    • Speedit wrote:

      Zazme Yakuza wrote:

      Alysdexia wrote:

      Thunderheart of Thunderclan wrote:

      SlyCooperFan1 wrote:

      Zazme Yakuza wrote:

      And if this is actually hackers I believe they are in a group

      You're not helping. Passwords were stolen from user accounts and both accounts and wikis were comprised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

      Ja, and besides, I am beginning to have supsicions about you now. Normal people don't defend hackers. 

      They defend hackers, not crackers.

      WTF,why do you even think I am defending them,I said maybe the hackers are in a freaking group ok?

      Discussing the identity of the hackers is USELESS. The people who replied to your comment are also wasting their time. Please read DaNASCAT's thread opener again:

      DaNASCAT wrote: For now, please hold off speculation and explanations, and let us work in the background on this over the next few days.

      In any case, I want to know what the importance of a password change is right now. What's the actual risk that my password has been stolen IF my home wiki has no notice on the subject?

       Speedit   talk contribs  23:51, August 10, 2015 (UTC)

      If you can't access your password just actually email a new one and change it,if they got your ip change it,it is not so much a big deal

        Loading editor
    • Homura-chan's Backup Account wrote:Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.


      I remember I banned someone from chat, and they went and vandalized the wiki, replacing the text on the pages "Cata must die" and other stuff.

        Loading editor
    • Speedit wrote:

      Zazme Yakuza wrote:

      Alysdexia wrote:

      Thunderheart of Thunderclan wrote:

      SlyCooperFan1 wrote:

      Zazme Yakuza wrote:

      And if this is actually hackers I believe they are in a group

      You're not helping. Passwords were stolen from user accounts and both accounts and wikis were comprised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

      Ja, and besides, I am beginning to have supsicions about you now. Normal people don't defend hackers. 

      They defend hackers, not crackers.

      WTF,why do you even think I am defending them,I said maybe the hackers are in a freaking group ok?

      Discussing the identity of the hackers is USELESS. The people who replied to your comment are also wasting their time. Please read DaNASCAT's thread opener again:

      DaNASCAT wrote: For now, please hold off speculation and explanations, and let us work in the background on this over the next few days.

      In any case, I want to know what the importance of a password change is right now. What's the actual risk that my password has been stolen IF my home wiki has no notice on the subject?

       Speedit   talk contribs  23:51, August 10, 2015 (UTC)

      Well,if you are making some speculations or some suspections just like I did just now,you got to be logical and think throughout everything that happens and you need to analyze it

        Loading editor
    • And it looks like we are indeed having trouble on the FNAF Wiki.  There is a user who has not actually made certain posts, but someone else who has access to their account.  However, the rightful owner of the account still has access to their account and is using it - someone else is just using it at the same time.

      This seems to be happening with at least two or three other users over there right now, as well as with multiple users on a somewhat related Wiki.

      So I mean that's neat.

        Loading editor
    • TheCatastrophe wrote:
      Homura-chan's Backup Account wrote:Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.

      I remember I banned someone from chat, and they went and vandalized the wiki, replacing the text on the pages "Cata must die" and other stuff.

      Yep, people are after us all the time.

        Loading editor
    • Zazme Yakuza wrote:

      Homura-chan's Backup Account wrote:

      Zazme Yakuza wrote:

      Homura-chan's Backup Account wrote:


      Veran Onyx wrote:

      Speedit wrote:


      Homura-chan's Backup Account wrote: Was there another incident again that just happened within the past like 30 minutes or is it just the FNAF Wiki acting up or being targeted, because it seems people who are not blocked cannot make blog posts right now, and the reasoning reads similar to the reasons given for when everything was on lockdown yesterday.

      Why do these hackers and vandals target FNAF so much, that site needs Wikia staff on regular patrol a lot more than it did. And I mean a LOT.

       Speedit   talk contribs  23:35, August 10, 2015 (UTC)

      I can think of a few reasons. For one, the series had a whirlwind popularity so people like to cause problems, particularly trolling. We've also had a number of users swear vengeance on us for bans they felt undeserving of. The fandom tends to be despised in a number of circles.... There's a number of reasons.
      Yeah, some people just take the Wiki way too seriously.  When I was an admin there, I had someone make a "Kill Homura-chan" Wiki because I temp banned them from chat, and I've had multiple death threats made out to me (so have other admins), and someone made at least 12 accounts sporting my name but with some kind of profanity at the end, ex. "Homura-chan is a x, Homura-chan likes x," etc.
      You could just ban them and move on,why do you even pay attention to those haters,they just don't have a life
      None of us said we paid attention to them.  Someone asked why the FNAF Wiki gets targeted and I gave a few examples to support vern's.  People on the FNAF Wiki take things too seriously and we get targeted all the time.

      Well if they do,that is not great,and you guys get targeted everytime?!Umm well I don't believe that unless there is someone targets the wiki every single day.

      I gave examples of this being true but if you don't want to believe me that's not my business.  The local staff there is screamed at for everything they do.

        Loading editor
    • Not so much if you know it,but basically you just need to change your password it is that easy.or just like block your self for a minute or so.Well I am very glad that people is actually taking these thing seriously and their reaction is so direct to the topic,well if people with out priviliges actually wouldn't believe this kind of threat,and sometimes,you may just want to alarm that person and it actually they just go mayhem and close their accounts down

        Loading editor
    • Zazme Yakuza wrote:

      Speedit wrote:

      Argali1 wrote: Well, I really would love to be secure, but, I am very forgetful and one password is all I can handle.

      YEEEEES! ^THIS.

      I mean, who would entrust all their passwords to a password manager or bother to remember all those passwords anyway?

       Speedit   talk contribs  23:43, August 10, 2015 (UTC)

      Pretty simple question make a note and stick it on a table or below your chair,I mean no one looks below the chair when they are busy on the computer right?!

      Problem: that would make my baby brother a master hacker because he'd probably start reading the Postik notes (he likes colorful things =D).

      Zazme Yakuza wrote:

      Speedit wrote:

      Zazme Yakuza wrote:

      Alysdexia wrote:

      Thunderheart of Thunderclan wrote:

      SlyCooperFan1 wrote:

      Zazme Yakuza wrote:

      And if this is actually hackers I believe they are in a group

      You're not helping. Passwords were stolen from user accounts and both accounts and wikis were comprised. Wikia is already doing their best to mitigate the issue, but pretending that hackers aren't hackers or that they're in a group or something is not helping the discussion.

      Ja, and besides, I am beginning to have supsicions about you now. Normal people don't defend hackers. 

      They defend hackers, not crackers.

      WTF,why do you even think I am defending them,I said maybe the hackers are in a freaking group ok?

      Discussing the identity of the hackers is USELESS. The people who replied to your comment are also wasting their time. Please read DaNASCAT's thread opener again:

      DaNASCAT wrote: For now, please hold off speculation and explanations, and let us work in the background on this over the next few days.

      In any case, I want to know what the importance of a password change is right now. What's the actual risk that my password has been stolen IF my home wiki has no notice on the subject?

       Speedit   talk contribs  23:51, August 10, 2015 (UTC)

      If you can't access your password just actually email a new one and change it,if they got your ip change it,it is not so much a big deal

      So I should probably change it to my Windows password. That should cover me for a while. It's just that mebee I should wait until JS is on and then the transition phase is over when I can believe the staff have well and truly fixed the exploit and scared off the hacker.

        Loading editor
    • Zazme Yakuza wrote:
      Not so much if you know it,but basically you just need to change your password it is that easy.or just like block your self for a minute or so.Well I am very glad that people is actually taking these thing seriously and their reaction is so direct to the topic,well if people with out priviliges actually wouldn't believe this kind of threat,and sometimes,you may just want to alarm that person and it actually they just go mayhem and close their accounts down

      People are most likely taking this seriously because they run the real risk of losing their accounts if they are not careful, if they haven't already lost their accounts, that is.

        Loading editor
    • Speedit wrote:

      So I should probably change it to my Windows password. That should cover me for a while. It's just that mebee I should wait until JS is on and then the transition phase is over when I can believe the staff have well and truly fixed the exploit and scared off the hacker.

      I'm not sure the hacker has been scared off, judging by the weird activity by some users in the FNAF wiki.

        Loading editor
    • This was a terrible and knee-jerk response to the problem. One of the biggest issues I notice with Wikia -- one that has been pointed out time and time again -- is that the login form is on every single page. It's not just on one page. It would be very simple and incredibly secure to make a login page that, after login, takes one directly to the page they came from (or the main page/RWA if they came directly to the login page), instead of a login form on every page.

      Turning off custom JS is not, under any circumstances, a viable long-term solution.

        Loading editor
    • We atleast it stalls the hackers.

        Loading editor
    • And it's not intended to be a long-term solution, Staff have been working on new solutions to this problem, they just didn't decide "lets perm remove JS, no more problems!".

        Loading editor
    • 2FA for Wikia staff.

      Allow Wikia sites to require 2FA for admim roles. (Allow each site to select which roles require 2FA.)

      Show admins which site users have 2FA.

      (And allow a long warning period where 2FA is optional to ease the transition.)

        Loading editor
    • All I'm worried about is the date javascript will be enabled again. The only thing that keeps me sailing here is that it's only a short-term situation.

        Loading editor
    • Argadi wrote:
      2FA for Wikia staff.

      Allow Wikia sites to require 2FA for admim roles. (Allow each site to select which roles require 2FA.)

      Show admins which site users have 2FA.

      (And allow a long warning period where 2FA is optional to ease the transition.)

      The question is, is 2FA available for all operating systems (Mac, PC, Linux)?

        Loading editor
    • Homura-chan's Backup Account wrote: So many people would actually swear they'd hack us almost daily so like, honestly, I doubt anyone actually saw this coming, because I'm being honest when I say a lot of those users who say such things are legitimately 12 and under.

      I saw it coming.

        Loading editor