Timeline of Weasyl Security Events, 29 Nov - Present (2014)

a guest
Dec 16th, 2014
  1. My name is Wag. I was a moderator on Weasyl from October 14th until November 30th, 2014, about a month and a half's time.
  2.  
  3. At about 7 PM on November 29th, an IRC log containing private staff conversation from the Weasyl staff channel was leaked. The source of the leak was my account, which had appeared to be compromised by an unknown party. Upon discovery of the suspected compromise, I immediately reported it to Weasyl administration. Several hours of discussion followed, including discussions suggesting a hole in site security was found and repaired. To me, the situation seemed like it was under control and the primary concern had shifted to discussion of writing a public statement.
  4.  
  5. However, at about 2 AM, I was suddenly informed that I was to be removed from staff due to the leak. The next day, I found Weasyl had issued a public statement claiming to have evidence that I most likely leaked the materials myself, while denying the possibility of security issues. Their statement included no reasoning, evidence, or useful information beyond their minimal explanation, and a number of concerns from the staff IRC room the night before went unaddressed. I made attempts to contact administration and detailed my concerns to them, but after waiting over a week, I received only a dismissive reply.
  6.  
  7. As I believe there is important information being withheld by Weasyl that is of concern to both myself and the users of the site, I have decided to organize and release my own personal timeline of the events of the 29th to present.
  8.  
  9. The following timeline includes relevant supporting material of the events relating to the account compromise I claim occurred on November 29th and related discussions that followed. This timeline is, to my knowledge, as complete as I can make it to be with the information I have on hand.
  10.  
  11. My goals for this timeline:
  12. - To show that, contrary to Weasyl's public statement, the leak was something performed outside of my control and without my knowledge, and that the logs were leaked by no fault of my own, whether due to negligence, collusion, or otherwise
  13. - To demonstrate Weasyl knew of a potential security issue that may have resulted in an account compromise
  14. - To show Weasyl's public statements omitted some data while outright fabricating or denying other information, and to raise questions concerning why they chose to omit or fabricate that information
  15. - To question why a third party was involved in making the site's determination, why the involvement of a third party was not included in any statements prior to December 12th, and what factors were used to determine the third party's conclusion
  16. - To prompt productive dialog between Weasyl and their userbase regarding their actual transparency and site security, including how these may be improved in the future
  17.  
  18. All times are Eastern Standard Time. For every entry, anything relevant from IRC is included where available. Irrelevant messages, such as snippets from unrelated conversations and join/part messages, have been removed.
  19.  
  20. The only IRC room quoted is #weasyl-staff, the main Weasyl staff channel. I also had access to #weasyl-mod, though nothing of note relating to this incident took place there. I did not have any access to or knowledge of discussions in any development, administrative, technical, or any other channels.
  21.  
  22. -----------------
  23. 29 November 2014:
  24.  
  25. 6:37 PM (timestamp from gmail): Password reset request received into my Gmail address. I was playing League of Legends with friends and did not notice until later.
  26.  
  27. 6:59 PM (timestamp from weasyl note outbox): Note sent to [the user] from my account. I am not aware of this yet.
  28.  
  29. 7:12 PM (timestamp from mirc log): After finishing several games of League, I notice a password reset request in my email and mention it on the staff channel.
  30. [14/11/29 19:12:04] <wag> oh hey... I just got a password reset request sent to my email o_O
  31. [14/11/29 19:12:29] <Fiz> from weasyl?
  32. [14/11/29 19:12:32] <wag> yep
  33. [14/11/29 19:13:09] <wag> at least, it appears that way - I haven't read the email headers or anything (not that I'd know what to look for)
  34.  
  35. 7:15 PM (mirc): I paste.weasyldev (pastebin, but private) the header and body of the email.
  36.  
  37. 7:16 PM (mirc): Fiz instructs me to reset my email and weasyl passwords.
  38. [14/11/29 19:16:33] <Fiz> you might want to reset your email password and weasyl password
  39. [14/11/29 19:16:39] <Fiz> change it to something else
  40. [14/11/29 19:16:52] <Ikani> yeah, just to be safe
  41. [14/11/29 19:17:07] <wag> sounds good
  42. [14/11/29 19:17:15] <pinardilla> I should change my pass to a more secure one as well
  43. [14/11/29 19:17:42] <wag> actually maybe I should have done that before I pasted it. XD
  44.  
  45. 7:19 PM (gmail): I send a password reset request using the site's password reset function in a private browsing window, allowing me to not log out. I also discover that my password has already been changed.
  46.  
  47. 7:19 PM (weasyl note inbox): I receive a reply note from [the user] regarding the note that was sent to them from my account (both of which I am not yet aware of).
  48.  
  49. 7:20 PM (mirc): I tell staff my password has already been changed and ask them to lock my account.
  50. [14/11/29 19:20:41] <wag> it looks like my password has already been changed
  51. [14/11/29 19:20:49] <wag> someone do me a favor and lock my account?
  52. [14/11/29 19:21:13] <@weykent> wag, hmm, not sure if there's a way to do that
  53. [14/11/29 19:21:15] <SkylerBunny> De-op him.
  54. [14/11/29 19:21:22] <@weykent> oh, yeah
  55. [14/11/29 19:21:28] <@weykent> revoking staff privs would be good
  56. [14/11/29 19:21:30] <@weykent> one sec
  57. [14/11/29 19:21:31] <Fiz> weykent, remove wag's mod options, check ip logs for his login
  58. [14/11/29 19:22:05] <wag> you could suspend me
  59. [14/11/29 19:22:11] <wag> I'll take a suspension =P
  60.  
  61. 7:26 PM (mirc): I am informed by weykent that my staff privs are gone. I also discover and mention in the room that I received a reply from [the user] in regards to the note that was sent from my account. I post the contents of the original note being sent from my account (the leaked pastebin log) into the staff channel.
  62. [14/11/29 19:26:27] <wag> UM
  63. [14/11/29 19:26:28] <@weykent> ok, wag, your privs are gone
  64. [14/11/29 19:26:41] <wag> Someone sent me as message
  65. [14/11/29 19:26:44] <wag> As a reply
  66. [14/11/29 19:26:49] <Armaina> uh
  67. [14/11/29 19:26:50] <wag> Apparently this was sent to them http://pastebin.com/p6NY9cDd
  68. [14/11/29 19:26:51] <Wesley> Page title weasyl staff scramble - Pastebin.com
  69. (I failed to clearly explain this - at the time, I intended to say that I received a reply from The User from a note that had been sent to them via my account. I actually only said it was a reply, leaving the fact that it came from my account ambiguous and unstated until later.)
  70.  
  71. 7:32 PM (mirc): Fiz asks about my IRC connection.
  72. [14/11/29 19:32:03] <Fiz> wag; are you on an irc bouncer of any sorts?
  73. [14/11/29 19:32:22] <wag> I'm using mirc 7.32
  74. [14/11/29 19:32:30] <wag> No addons whatsoever
  75. [14/11/29 19:32:39] <Fiz> okay
  76. [14/11/29 19:32:46] <Fiz> so nothing that keeps you connected all the time?
  77. [14/11/29 19:32:54] <wag> Well... other than some personalized time/date stamping
  78. [14/11/29 19:33:07] <wag> nope, if I'm not home I'm not on irc
  79.  
  80. 7:33 PM (mirc): Pinardilla asks if I've used API keys.
  81. [14/11/29 19:33:15] <pinardilla> wag, have you ever generated any API keys?
  82. [14/11/29 19:33:16] <Armaina> Well um - do we change IRC password or log access passwords after we remove staff?
  83. [14/11/29 19:33:28] <wag> To my knowledge, I haven't - I may have for redmine
  84. [14/11/29 19:33:52] <pinardilla> go to settings -> preferences -> manage API keys and see if there are any
  85.  
  86. 7:34 PM (mirc): I discover an API key was generated on my account at some point. (API keys do not have date/time generated information available to users, to my knowledge)
  87. [14/11/29 19:34:59] <wag> There is one generated - does redmine require one?
  88. [14/11/29 19:35:03] <pinardilla> no
  89. [14/11/29 19:35:05] <Ikani> nope
  90.  
  91. 7:35 PM (mirc): Pinardilla instructs me to delete the API key that was generated, which I do. There's also some speculation as to what happened, including how an intruder would know the IRC logs address, which isn't kept on the site.
  92. [14/11/29 19:35:06] <pinardilla> delete it
  93. [14/11/29 19:35:07] <Ikani> %
  94. [14/11/29 19:35:10] <Ikani> ^^
  95. [14/11/29 19:35:15] <wag> Done
  96. [14/11/29 19:35:42] <pinardilla> I'm thinking they accessed your account, generated the key quick, and ran to irclogs with it
  97. [14/11/29 19:35:53] <pinardilla> which would suggest inside knowledge, which makes me think Ben
  98. [14/11/29 19:35:56] <wag> Well they knew what they were doing, at least
  99. [14/11/29 19:36:10] <Armaina> that's why I'm wondering if Ex staff :/
  100. [14/11/29 19:36:23] <Fiz> no, the irclog url was changed recently
  101. [14/11/29 19:36:24] <Ikani> ben didn't know about irclogs
  102.  
  103. 7:40 PM (weasyl note inbox): I receive another note from [the user].
  104.  
  105. 7:41 PM (mirc): More information about where the IRC logs are kept. (It's not made clear here - the IRC logs are not linked to from staff accounts on the main site, nor is the development site. In order for someone to access the IRC logs, they would have to know either the address for the IRC logs directly, or the address for the development site software Weasyl uses, neither of which are listed or linked to from the main site, even when logged in as staff.)
  106. [14/11/29 19:41:13] <Armaina> it would still take someone who knew that we used redmine and that we kept access to IRC logs through redmine, I would think
  107. [14/11/29 19:41:26] <wag> I don't think they're in redmine
  108. [14/11/29 19:41:33] <Armaina> the link to the logs is
  109. [14/11/29 19:41:39] <@weykent> no, irclogs is a separate service
  110. [14/11/29 19:41:47] <@weykent> it's not only linked in redmine
  111. [14/11/29 19:42:30] <Armaina> Basically what I mean is I feel like this isn't something someone could do so fast without some background information about how we organize or use or data
  112.  
  113. 7:42 PM (mirc): I see the reply from [the user] and mention it in the staff channel. Ikani asks I PM it to them.
  114. [14/11/29 19:42:40] <wag> the user that got the pastebin is sending me messages
  115. [14/11/29 19:43:12] <Ikani> wag: can you PM them to me?
  116. [14/11/29 19:43:14] <term> oh?
  117. [14/11/29 19:43:26] <wag> pm or devpaste?
  118. [14/11/29 19:43:33] <Ikani> pm
  119. [14/11/29 19:43:37] <wag> sending
  120. [14/11/29 19:43:40] <Ikani> (so they're not posted in here)
  121. [14/11/29 19:43:45] <wag> just going to copypaste both in the same message
  122. [14/11/29 19:43:52] <Ikani> okay that works
  123. [14/11/29 19:43:54] <Ikani> thanks
  124. [14/11/29 19:44:48] <Fiz> ...i wonder why theyre pming you?
  125. [14/11/29 19:45:05] <Fiz> do you know them at all or something?
  126. [14/11/29 19:45:18] <wag> because my account was used to send that thing from pastebin to them via PM
  127. [14/11/29 19:45:30] <Fiz> ohhh
  128. [14/11/29 19:45:33] <Ikani> oooh okay
  129. [14/11/29 19:46:03] <Fiz> fun
  130. [14/11/29 19:46:05] <wag> It LOOKS like that's the only thing that was done
  131.  
  132. 7:44 PM (weasyl note outbox): I send a PM containing copypaste of notes from [the user] to Ikani.
  133.  
  134. 7:51 PM (mirc): I ask what other steps to take, and my email security is discussed.
  135. [14/11/29 19:51:12] <wag> I've changed password on both email (which had 2-factor) and site, deleted the API key, logged out and back in - anything else I should be doing?
  136. [14/11/29 19:51:37] <Fiz> can you report the email as compromised?
  137. [14/11/29 19:51:39] <Fay> for now we should keep venting and snark absent, if more goes out then we don't want to make things worse by saying things we don't mean
  138. [14/11/29 19:52:13] <wag> the account?
  139. [14/11/29 19:52:38] <Ikani> Fay: probably a good rule all around honestly
  140. [14/11/29 19:53:04] <Ikani> oh also, Wag were you gonna forward me those PMs?
  141. [14/11/29 19:53:18] <Fiz> yeah most email accounts theres a way you can report they were compromised
  142. [14/11/29 19:53:21] <wag> I did
  143. [14/11/29 19:54:25] <Ikani> I don't think Wag's e-mail was compromised.. just their wzl account
  144. [14/11/29 19:54:27] <wag> There's been no other access to the account
  145. [14/11/29 19:55:07] <Fiz> well the email had a reset password thing sent to it though
  146. [14/11/29 19:55:29] <wag> It's a gmail address, I have two-factor enabled with my phone (which is not logged into this account), and the access log only has my home computer (which still would require two factor)
  147. [14/11/29 19:55:51] <wag> I could report my email as compromised but I really really really don't want to unless it's absolutely necessary
  148. [14/11/29 19:56:17] <Taw> I think your email is fine
  149.  
  150. 7:56 PM (mirc): weykent discusses briefly the password reset token.
  151. [14/11/29 19:56:50] <@weykent> trying to think of how else someone could've used the password reset token
  152. [14/11/29 19:57:37] <@weykent> oh, the token is generated with a PRNG
  153. [14/11/29 19:57:47] <@weykent> i thought we'd switched it to a secure RNG :?
  154.  
  155. 8:00 PM (mirc): More discussion about password resets and the email token.
  156. [14/11/29 20:00:56] <@weykent> actually i'm wondering now if the password reset was a red herring and they forced wag's password some other way
  157. [14/11/29 20:01:32] <Armaina> considering the timing, I think they might have already been in before Wag noticed
  158. [14/11/29 20:02:22] <wag> the password reset email was almost an hour old when I saw it, and that's the only way I'd have known about it until probably late tonight
  159.  
  160. 8:09 PM (mirc): Fiz asks about the info in my messagebox on-site.
  161. [14/11/29 20:09:58] <Fiz> wag; did you ever link to irclogs or redmine in your messagebox or tell anyone about the links?
  162. [14/11/29 20:11:01] <wag> Nope - everything is mod related save one reply to someone about hanging with them at furpocalypse
  163. [14/11/29 20:11:30] <Fiz> wonder if your pc itself is compromised then
  164. [14/11/29 20:11:35] <pinardilla> we can probably figure out when they compromised irclogs by the last timestamp in the leaked log
  165. [14/11/29 20:11:48] <Fiz> yeah but we need to know how they knew about hte irclogs url
  166.  
  167. 8:12 PM (mirc): weykent expresses concern regarding turnover in the -dev IRC room.
  168. [14/11/29 20:12:17] <@weykent> my worry re: irclogs linking is that it's been linked in -dev before, and -dev has had a lot of people come and go recently
  169.  
  170. 8:15 PM (mirc): I ask if I should reply to [the user].
  171. [14/11/29 20:15:34] <wag> anyway, should I be sending a reply to [the user]?
  172. [14/11/29 20:15:51] <Fiz> wag: probably
  173.  
  174. 8:16 PM (mirc): I ask what to send [the user]. Ikani refers to a plugged leak.
  175. [14/11/29 20:16:18] <Fay> what did the note sent to you say?
  176. [14/11/29 20:16:20] <Ikani> heh should we mention the compromise?
  177. [14/11/29 20:16:27] <Ikani> Fay: one sec I'll copy it to you
  178. [14/11/29 20:16:46] <Ikani> (I'm not posting [the user]'s responses in here so they're not posted everywhere >.>)
  179. [14/11/29 20:16:59] <Ikani> ((even though I'm pretty sure we plugged the leak))
  180.  
  181. 8:19 PM (mirc): Discussion about the use of the Wesley bot's Twitter usage begins and is largely uneventful.
  182.  
  183. 8:23 PM (mirc): Discussion about whether or not Term was too harsh in his comments.
  184.  
  185. 8:29 PM (mirc): Discussion begins about if they should wait to respond to the leak until after contacting [the user].
  186.  
  187. 8:31 PM (mirc): wweber brings up the possibility of using client certs.
  188. [14/11/29 20:31:35] <wweber> two words
  189. [14/11/29 20:31:37] <wweber> client
  190. [14/11/29 20:31:38] <wweber> certs
  191. [14/11/29 20:31:48] <@weykent> meh
  192. [14/11/29 20:31:57] <@weykent> client certs have awful UX
  193. [14/11/29 20:32:11] <@weykent> plus i don't think it's possible with cloudflare
  194. [14/11/29 20:35:02] <wweber> weykent: yes, but i'd expect that people on staff can figure it out or be walked through installing them
  195. [14/11/29 20:35:33] <@weykent> wweber, cloudflare is a bigger concern
  196. [14/11/29 20:35:52] <wweber> oh, poo. cloudflare
  197.  
  198. 8:32 PM (mirc): I post a possible reply to [the user]'s notes to me. SkylerBunny instructs a different message.
  199. (This conversation takes place concurrently with the client certs conversation. I have separated them for readability.)
  200. [14/11/29 20:31:44] <wag> here's what I wrote (haven't sent yet) for a reply https://paste.weasyldev.com/show/33mA9gVDFsMHorWKJeBN/
  201. [14/11/29 20:31:44] <Wesley> Page title Paste #33mA9gVDFsMHorWKJeBN at spacepaste
  202. [14/11/29 20:32:06] <SkylerBunny> Heh. They already did, wag.
  203. [14/11/29 20:32:11] <SkylerBunny> They linked the log in their tumblr.
  204. [14/11/29 20:32:17] <wag> yeah, I know
  205. [14/11/29 20:32:38] <SkylerBunny> Wag: I suggest this:
  206. [14/11/29 20:32:54] <SkylerBunny> I'm sorry you were put in this position. I believe another Weasyl staff member will be contacting you shortly.
  207. [14/11/29 20:33:25] <Ikani> yeah thats good skyler
  208. [14/11/29 20:33:32] <wag> Just that and that alone?
  209. [14/11/29 20:33:35] <SkylerBunny> Yes.
  210. [14/11/29 20:33:39] <wag> Consider it done
  211. [14/11/29 20:33:41] <SkylerBunny> The 'If you have any questions' thing sounds weird in this context.
  212. [14/11/29 20:34:00] <wag> yeah, it does
  213. [14/11/29 20:34:06] <Fiz> yeah just replace that last line with skylers
  214. [14/11/29 20:34:08] <wag> but... eh, gotta leave that door open
  215. [14/11/29 20:34:31] <SkylerBunny> The 'Another staff will contact' leaves the door open.
  216.  
  217. 8:41 PM (mirc): Discussion begins about turning response to the situation into an AMA and how a system allowing users to delete their own accounts could be implemented.
  218.  
  219. 8:58 PM (mirc): I realize that when my password was changed, none of my current sessions expired, and this meant any unauthorized users would still be able to access my account as long as they don't log out.
  220. [14/11/29 20:58:07] <wag> I just realized - after my password was changed, I had no idea anything was wrong until the email, I didn't get logged out of my current session
  221. [14/11/29 20:58:23] <SkylerBunny> wag: True, you wouldn't.
  222. [14/11/29 20:58:28] <SkylerBunny> That could be construed as a bug.
  223. [14/11/29 20:58:39] <wag> Yeah, or at least a hole of some sort
  224. [14/11/29 20:58:40] <@weykent> eh? you can deliberately log in from multiple places at once
  225. [14/11/29 20:58:40] <SkylerBunny> Password change = all tokents invalidated perhaps.
  226. [14/11/29 20:58:52] <wag> that'd be good
  227. [14/11/29 20:58:57] <@weykent> changing the password invalidating sessions might be a good idea though yeah
  228. [14/11/29 20:59:00] <SkylerBunny> Right.
  229. [14/11/29 20:59:04] <SkylerBunny> Weykent, I meant that only.
  230. [14/11/29 20:59:07] <@weykent> ok
  231. [14/11/29 20:59:08] <Hendikins> SkylerBunny: As long as all /other/ sessions are invalidated, that's the important thing.
  232. [14/11/29 20:59:10] <wag> since I assume whoever was logged in as me is still logged in as me
  233. [14/11/29 20:59:17] <@weykent> well
  234. [14/11/29 20:59:21] <@weykent> that's easy to fix
  235. [14/11/29 21:00:51] <Taw> Wait, so the other person may still be logged in as wag? :v
  236. [14/11/29 21:00:57] <Taw> Or did I read that wrong
  237.  
  238.  
  239. 9:01 PM (mirc): weykent states he has deleted my sessions. I refresh my browser and appear to be logged out.
  240. [14/11/29 21:01:03] <@weykent> i already deleted their sessions
  241. [14/11/29 21:01:06] <Taw> Ah, okay
  242.  
  243. 9:04 PM (mirc): While discussing public response, SkylerBunny includes that Dev may have discovered and fixed a vulnerability.
  244. [14/11/29 21:04:52] <SkylerBunny> Oh, prefaced just before that with 'A staff account was compromised shortly after the our first response to the user went public on Twitter.' (We may have to insert what Dev has done to prevent further, which I think we may have discovered, the password change security thing.)
  245.  
  246. Next several hours: Discussions on potential follow-ups and different courses of action (including specific wording of responses) as well as discussion of public response to the leak. None of these discussions were related to or mentioned anything regarding site security.
  247.  
  248. -----------------
  249. 30 November 2014:
  250.  
  251. 12:44 AM (mirc): Admin Stereo joins chat and is brought up to speed, and it is mentioned (not for the first time) that anything they say may also be leaked.
  252. [14/11/30 00:44:59] <Stereo> I missed fun stuff apparently
  253. [14/11/30 00:45:03] <Taw> yeah
  254. [14/11/30 00:45:04] <Stereo> saw my twitter exploding with "FUCK WEASYL"
  255. [14/11/30 00:45:20] <Taw> staff logs got leaked, it's on lulz
  256. [14/11/30 00:45:26] <Stereo> Wait what the fuck
  257. [14/11/30 00:45:35] <Stereo> staff logs?
  258. [14/11/30 00:45:37] <Taw> yeah
  259. [14/11/30 00:45:39] <Taw> from here
  260. [14/11/30 00:45:39] <Stereo> how
  261. [14/11/30 00:45:39] <pinardilla> https://lulz.net/furi/res/3040782.html
  262. [14/11/30 00:45:40] <Wesley> Page title /furi/
  263. [14/11/30 00:45:53] <Taw> wag's account got compromised
  264. [14/11/30 00:45:57] <pinardilla> wag's account got compromised, looks like they generated an api key and opened irclogs
  265. [14/11/30 00:46:00] <Stereo> :I
  266. [14/11/30 00:46:10] <Stereo> Amazing
  267. [14/11/30 00:47:14] <@weykent> heh
  268. [14/11/30 00:47:18] <Stereo> I'm angry about this fucking thing.
  269. [14/11/30 00:47:36] <Fay2> hey hey
  270. [14/11/30 00:47:47] <Fay2> before you say anything remember it can be leaked at any time
  271. [14/11/30 00:47:56] <Stereo> :I
  272. [14/11/30 00:47:58] <Fay2> dont wanna say something in anger that you regret
  273. [14/11/30 00:48:09] <Stereo> still, ugh.
  274. [14/11/30 00:48:13] <Taw> hole should be plugged, but still
  275. [14/11/30 00:49:17] <term> mhmm. from this point forward consider anything and anything posted here as fair game to the public.
  276. [14/11/30 00:49:34] <term> anything and everything**
  277.  
  278. 2:02 AM (mirc): Ikani states to me in the staff room (and not in private) that I am dismissed from staff.
  279. [14/11/30 02:02:30] <@Ikani> Wag, given the security issues earlier, the strange nature of the leak, and the trouble this has caused, I'm afraid we must thank you for your effort and wish you well on your endeavours, but we can't maintain you on staff.
  280.  
  281. 2:03 AM (mirc): I respond.
  282. [14/11/30 02:03:56] <wag> Well, I can't say I don't understand
  283. [14/11/30 02:04:29] <wag> But... well, thanks for the opportunity
  284. [14/11/30 02:04:51] <@Ikani> thanks for your effort. I'm sorry we even had to come to this :(
  285.  
  286. 2:05 AM (mirc): pinardilla (a moderator who started about the same time as I did) asks if the leak was something I could've prevented.
  287. [14/11/30 02:05:16] <pinardilla> do we know the security fault was in his sphere of control? :x
  288.  
  289. 2:07 AM (mirc): Ikani asks me to part staff channels. I state (in reference to pinardilla's statement) that "it's possible it wasn't" thinking this would be a discussion. It is not, and I part all staff channels and join the public non-staff weasyl IRC channel. (From this point forward I have no access to staff IRC activity.)
  290. [14/11/30 02:07:16] <@Ikani> if I could ask you to part the staff channels
  291. [14/11/30 02:07:19] <wag> Well, it's possible it wasn't
  292. [14/11/30 02:07:28] <wag> *nod*
  293. [14/11/30 02:07:32] <@Ikani> thanks :)
  294.  
  295. 3:55 PM (timestamp on Weasyl Forum post): Term posts "A Few Words On Our Callout Guidelines" which contains a statement regarding the situation, including this line, the only portion referring to the account compromise: "Somewhere around this point, someone compromised a staff member’s account and gained access to our staff chat, copied the logs, posted them online, and shared them with The User. The logs were also reposted to lulz.net and Vivisector."
  296.  
  297. 4:09 PM (Weasyl forum): User Swampwulf asks for more information regarding the compromise.
  298.  
  299. 4:55 PM (Weasyl forum): Fay V (an admin) responds directly to Swampwulf's questions, stating "The Moderator account in question has already been removed from staff and all access was removed as soon as staff were made aware of a "compromise". At this time, based on the information at hand, we are virtually certain the moderator while claiming to have been compromised was acting of their own accord." and "The development staff have been reviewing the site security measures since yesterday when the compromise was first indicated to us by the staff member who has been removed. Of all activity at the time, the only suspicious activity was accessing the IRC staff logs for November 29, which coincides with the information leaked to The User, and beyond. Meaning that the extent of the breach was only accessing staff logs."
  300.  
  301. 6:20 PM (timestamp on Vivisector forum post - NOT Weasyl forums): User KaylaLa (an account that was created 13 minutes prior) posts a comment to the thread titled "Leaked weasyl staff chatlog re rape allegation accusation journal" comparing a Google cache of Weasyl's staff page to the current version and finds Moderator Wag is the only change in staff. This post is later used as a reference to add this information to Wag's Wikifur page.
  302.  
  303. 6:55 PM (weasyl note outbox): I send a note to Ikani (to be forwarded to the rest of administration) requesting reinstatement on Weasyl staff citing the potential security issues and stating I had nothing to do with the compromise. I was unaware at the time of Fay V's public statement on the Weasyl forums claiming "the moderator" was "acting of their own accord", or the post to Vivisector publicly naming me as the moderator in question.
  304.  
  305. 7:33 PM (Weasyl forum): Fay V responds to additional questions and states the staff's commitment to transparency.
  306.  
  307. 9:03 PM (Weasyl forum): User Gamedog asks if "the staff member in question" may still have access to private information.
  308.  
  309. 10:07 PM (Weasyl forum): Fay V states "There is no chance this ex-staff member has access to any private information."
  310.  
  311. ----------------
  312. 1 December 2014:
  313.  
  314. 12:33 AM (Weasyl forum): Fay V states again "The staff account "compromise" was not a hacking. We believe the staff member acted of their own volition. Even if said staff member was not the agent acting and the account was compromised, it would have been a case of password compromise, not a problem in the code."
  315.  
  316. ----------------
  317. 3 December 2014:
  318.  
  319. 12:58 PM (weasyl note outbox): After reading staff statements and going over my own personal files, and having received no response from my first note to Ikani, I send a second note to all directors and administrators stating why I disagree with their public statements, why they may have a security issue, some personal observations that may help with an investigation, and a statement that I did not leak the information myself, that I had no reason to leak it, that I had reasons NOT to leak it, and that if I did decide to leak it I would be able to easily have done so without leaving any indication that I was the one who did it. I then requested a public apology and that an investigation into the cause of the issue be performed, and stated that I expect a prompt reply.
  320.  
  321. 1:59 PM (weasyl note inbox): Fiz replies to me stating things have been hectic for them, and confirming they have received the message and will reply when possible. Up to this point, this is the first time any staff member from Weasyl has spoken to me since leaving the staff IRC room.
  322.  
  323. 2:41 PM (weasyl note outbox): I reply to Fiz thanking them for the response.
  324.  
  325. ----------------
  326. 4 December 2014:
  327.  
  328. 7:36 PM (weasyl note inbox): Fiz again contacts me, informing me that several staff will be at MFF so a response could take some time, but I should expect to hear something "hopefully early next week".
  329.  
  330. ----------------
  331. 5 December 2014:
  332.  
  333. 6:13 PM (weasyl note outbox): I reply to Fiz confirming I understand.
  334.  
  335. ----------------
  336. 9 December 2014:
  337.  
  338. 10:51 PM (weasyl note outbox): It's now Tuesday night after MFF and still no answer, so I ask Fiz for an updated ETA.
  339.  
  340. -----------------
  341. 10 December 2014:
  342.  
  343. 9:10 AM (weasyl note inbox): Fiz responds that I should be receiving a reply shortly.
  344.  
  345. 10:57 AM (weasyl note inbox): Ikani sends a response to my note from December 3rd. It states "the evidence we currently have does not point to a stranger breaking in nor a current or former staff member taking control of your account. Unfortunately we do not have 100% proof of who did it, so we can only act on what we know. If we ever do get 100% proof of someone else doing the leaking, we will certainly give you an apology, both public and private." It also attempts to address my technical concerns, stating "Weykent mentioned this is theoretically possible, but it was far more difficult and complicated than he originally though when he first mentioned it. So this seems incredibly unlikely given the circumstances."
  346.  
  347. 3:13 PM (weasyl note outbox): I reply to Ikani stating their response provides no information and addresses no concerns. I express my disappointment in their handling of the situation and inform them of my intent to no longer use the site or recommend it to others, stating I will reconsider my decision when they reconsider theirs.
  348.  
  349. -----------------
  350. 12 December 2014:
  351.  
  352. 4:40 AM (Weasyl forum): User skippyfox points out implications of the staff's statements and asks for further information as to why and how they reached their conclusions, plus what steps were being taken to confirm the site's security did not contain an exploitable flaw.
  353. (Full disclosure: Skippy and I are friends and have worked together multiple times in the past on several projects. However, I had no input to the content of his forum post, nor was I aware he was writing it in the first place until he sent me an email asking if it was okay for him to do so. His request email to me included the body of the post as it appears on Weasyl.)
  354.  
  355. 8:15 PM (Weasyl forum): Director "ZiShuiJing" (a forum account name - there is nobody under this name or a similar name on Weasyl's mainsite staff page) states: "When this event was brought to light, we consulted 3rd-party professionals within our network to help us clearly understand what was going on. After giving them all the information on the situation, their analysis concluded a rogue actor over compromise." To my knowledge, this is the first mention of the involvement of a third party. They further explain their security review procedures, stating "A structural compromise would warrant a full audit of the code, but as there was no evidence of such, measures such as these would be a bit excessive."
  356.  
  357. -----------------
  358.  
  359. While I have made this timeline to be as complete as I could, further questions may later arise. Please direct these to my personal twitter account, @wagtehdog. I will respond as I can and include links to other places of discussion if available or needed.
  360.  
  361. Wag ("wagtehdog")
  362. 15 December 2014
  363.  
  364. (end of file)
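
Added example, not part of the original paste and not Weasyl's code: a Python illustration of the two hardening points raised in the 7:56 PM and 8:58 PM staff discussions, namely reset tokens drawn from a secure RNG and a password change that invalidates the account's other sessions. The `Accounts` class, its in-memory tables, the 15-minute token lifetime and the revocation of API keys alongside sessions are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60      # assumed lifetime of a reset link, in seconds
PBKDF2_ROUNDS = 100_000  # assumed work factor for this illustration


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _digest(token):
    # Only a hash of the reset token is stored, so reading the table
    # does not hand out working reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class Accounts:
    """In-memory stand-in for user, session, API-key and reset tables (hypothetical)."""

    def __init__(self):
        self.passwords = {}  # user -> (salt, password hash)
        self.sessions = {}   # session id -> user
        self.api_keys = {}   # API key -> user
        self.resets = {}     # sha256(reset token) -> (user, expires_at)

    def _set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, _hash_password(password, salt))

    def _check(self, user, password):
        salt, stored = self.passwords.get(user, (b"", b""))
        return bool(stored) and hmac.compare_digest(stored, _hash_password(password, salt))

    def _revoke_all(self, user, keep_session=None):
        # Drop every credential minted under the old password. Optionally keep the
        # session that performed the change so the owner is not logged out.
        self.sessions = {s: u for s, u in self.sessions.items()
                         if u != user or s == keep_session}
        self.api_keys = {k: u for k, u in self.api_keys.items() if u != user}
        self.resets = {d: r for d, r in self.resets.items() if r[0] != user}

    def register(self, user, password):
        self._set_password(user, password)

    def login(self, user, password):
        if not self._check(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def create_api_key(self, session_id):
        user = self.sessions.get(session_id)
        if user is None:
            return None
        key = secrets.token_urlsafe(32)
        self.api_keys[key] = user
        return key

    def whoami(self, credential):
        # Resolve either a session id or an API key to its user, or None.
        return self.sessions.get(credential) or self.api_keys.get(credential)

    def request_reset(self, user, now=None):
        now = time.time() if now is None else now
        if user not in self.passwords:
            return None
        # A new request supersedes any outstanding token for the same user.
        self.resets = {d: r for d, r in self.resets.items() if r[0] != user}
        # secrets reads the OS CSPRNG. The random module (Mersenne Twister) is
        # predictable from observed outputs and must not mint reset tokens.
        token = secrets.token_urlsafe(32)
        self.resets[_digest(token)] = (user, now + RESET_TTL)
        return token  # delivered to the account's e-mail address, never stored in clear

    def redeem_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.resets.pop(_digest(token), None)  # single use: gone after one try
        if entry is None or now > entry[1]:
            return False
        user = entry[0]
        self._set_password(user, new_password)
        self._revoke_all(user)  # nobody holding an old session or key stays signed in
        return True

    def change_password(self, session_id, old_password, new_password):
        user = self.sessions.get(session_id)
        if user is None or not self._check(user, old_password):
            return False
        self._set_password(user, new_password)
        self._revoke_all(user, keep_session=session_id)  # all *other* sessions end
        return True
```
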