Untitled

a guest
May 19th, 2022
🔵 Mee6 Discord Drama 🔵

Here is what I view the next steps @mee6bot and @MEE6NFT need to make in order to restore faith in their project, and prove their interest in becoming a useful Discord bot in the NFT space.

A lovely little 🧵 [1/16]

[2/16] For people who are reading about this late, Mee6, the bot itself, was compromised.

This led to something like $500k+ getting stolen as dozens of the largest servers in the NFT space were hit with fake mint messages.

[3/16] This happened because of two issues:

1. Mee6 apparently allowed employees special backend access to any server Mee6 was installed in... to execute any command they wanted to, apparently.

2. A Mee6 employee got compromised.

[4/16] The Mee6 team took ~10 hrs to finally respond that there was an issue - and then said it was a compromised employee account.

The entire time, compromised teams were actively trying to get in touch with the Mee6 support team and request anyone figure out what was going on.

[5/16] This was heavily exacerbated by two other issues:

Given how often account compromises in the space happen, the assumption was that the teams were to blame.

& there was no way to identify WHO changed settings in Mee6.

Every other serious general Discord bot shows this.
[6/16] If Mee6 had implemented a simple log, visible to anyone in the dashboard, highlighting who, or more importantly: the fact an actual Mee6 employee changed settings, this entire fiasco could have been solved in minutes, instead of 10 hours.

But Mee6 has no log.

[7/16] Past that - the other major issue with Mee6's dashboard is that anyone, once they have admin permissions, or if their role is listed as a botmaster, can change anything in the web panel.

This makes it very hard to pinpoint that indeed no team members had been compromised.

[8/16] A fix to the above is to have a setting where you can limit who can actually access the web panel, usually set up by the server owner.

Other bots do this, so why can't Mee6 set this up as an optional setting...
[9/16] Now let's start with Mee6's potential rebuttals:

"It wasn't a breach of the bot!"

Yeah, but the bot was used to post malicious links losing people and communities thousands of dollars. The attackers got in because your base infra was terribly set up, and that is on y'all.

[10/16] "It was just unwanted messages!"

No. It was a focused attack that sucked out hundreds of thousands of dollars from the space. People lost money; calling it just an unwanted message, a funny prank, is insulting to the space you want to be a part of.

[11/16] "We're just a Discord bot, not an NFT bot!"

Then why did you raise close to $1mil by issuing an NFT? Why are you planning on offering NFT 'tools' built into your bot, that people will have to pay for, if you haven't built the bot in a way that is fundamentally secure?

[12/16] There hasn't been any further communication from the team other than the one message linked above.

So here is a list of what we needed to know... 30 hours ago?

1. Did the team track all changes made by attackers? Have all changes been reviewed and REVOKED?

[13/16]
2. Who was the employee? What happened? Are you looking into if they did this intentionally?

3. Has all employee access been revoked from all servers? If not, why the fuck?

4. What is Mee6 going to do for impacted communities? Mee6 caused this catastrophe, own up.

[14/16]

5. What changes are going to be fast-tracked to make Mee6 more secure, seeing as this was a massive deficiency in the existing bot?

6. What changes will be done with support staff + comm staff, since they brushed off allegations and allowed this attack to continue?

[15/16]

7. What changes will be implemented to better accelerate response time to more bot intrusions? Having all team members asleep when you run a global business is not an option.

8. Will employees get more training now?

9. How will you rebuild trust with the community?
[16/16]

I do not recommend Mee6 to any NFT projects I associate with. Nor should you.

NFT projects were paying for your service; 1 team member getting hacked should not have caused this massive issue and "whoopsie employee got compromised" is not nearly enough explanation.

[16.5/16]

Huge shoutouts to @server_forge for providing a spot to try to gain information from the outside.

@lukenamop for his work contacting Mee6 support - @Plumferno @GrassyEth and many others in the spaces the other night.
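The two controls the thread asks for in [6/16] and [8/16] (a dashboard-visible log that records who changed each setting and flags when the change came from the vendor's own staff, and an owner-managed allowlist of roles that may use the web panel at all), worked through as an added Python example. This is not Mee6's code and not from the thread; every name here (GuildConfig, Actor, ActorKind, AuditEntry, the role and user ids) is invented, and the scenario in demo() is constructed. One design choice goes a little beyond the thread: vendor backend access is off by default and only works inside a time-limited window the server owner opens, so that every staff change is both consented to and logged.

```python
# Added example: a toy per-server configuration store for a Discord-style bot.
# Not Mee6's code; all class, field and id names are made up for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class ActorKind(Enum):
    SERVER_MEMBER = "server_member"   # a user of the Discord server
    VENDOR_STAFF = "vendor_staff"     # an employee of the bot vendor (backend access)


@dataclass(frozen=True)
class Actor:
    user_id: str
    kind: ActorKind
    roles: frozenset = frozenset()    # role names the actor holds in the server


@dataclass(frozen=True)
class AuditEntry:
    ts: str          # ISO-8601 UTC timestamp
    actor_id: str
    actor_kind: str  # ActorKind.value, so the log reads plainly in a dashboard
    setting: str
    old: object
    new: object


class GuildConfig:
    """Settings for one server, with an access check and an append-only audit log."""

    def __init__(self, owner_id: str, dashboard_roles=()):
        self.owner_id = owner_id
        self.dashboard_roles = set(dashboard_roles)  # roles allowed on the web panel
        self.staff_access_until = None               # owner-granted support window
        self.settings = {}
        self.audit_log = []

    def _record(self, actor, now, setting, old, new):
        self.audit_log.append(AuditEntry(
            now.astimezone(timezone.utc).isoformat(), actor.user_id,
            actor.kind.value, setting, old, new))

    def can_use_dashboard(self, actor: Actor, now: datetime) -> bool:
        if actor.kind is ActorKind.VENDOR_STAFF:
            # backend access is never implicit: only inside an open support window
            return self.staff_access_until is not None and now < self.staff_access_until
        if actor.user_id == self.owner_id:
            return True
        # plain admin permission is not enough; the role must be allowlisted
        return bool(self.dashboard_roles & actor.roles)

    def grant_staff_access(self, actor: Actor, now: datetime, minutes: int):
        """Only the server owner can open a support window, and doing so is logged."""
        if actor.user_id != self.owner_id or actor.kind is not ActorKind.SERVER_MEMBER:
            raise PermissionError("only the server owner can open a support window")
        old = self.staff_access_until
        self.staff_access_until = now + timedelta(minutes=minutes)
        self._record(actor, now, "staff_access_until", old, self.staff_access_until)

    def set_setting(self, actor: Actor, now: datetime, key: str, value):
        if not self.can_use_dashboard(actor, now):
            raise PermissionError(f"{actor.user_id} ({actor.kind.value}) may not edit {key}")
        old = self.settings.get(key)
        self.settings[key] = value
        self._record(actor, now, key, old, value)

    def changes_by(self, kind: ActorKind):
        """Entries made by one actor kind, e.g. 'did vendor staff touch this server?'"""
        return [e for e in self.audit_log if e.actor_kind == kind.value]


def demo():
    """Constructed scenario: the owner opens a 30-minute support window, staff edits
    a setting inside it, an admin without an allowlisted role is refused, and staff
    is refused again once the window has closed. Returns the config and refusals."""
    t0 = datetime(2022, 5, 18, 3, 0, tzinfo=timezone.utc)  # constructed timestamp
    cfg = GuildConfig(owner_id="owner#1", dashboard_roles={"botmaster"})
    owner = Actor("owner#1", ActorKind.SERVER_MEMBER, frozenset({"admin"}))
    staff = Actor("vendor-support-7", ActorKind.VENDOR_STAFF)
    admin = Actor("mod#42", ActorKind.SERVER_MEMBER, frozenset({"admin"}))

    cfg.grant_staff_access(owner, t0, minutes=30)
    cfg.set_setting(staff, t0 + timedelta(minutes=5), "welcome_message", "hi")
    refused = []
    for actor, when in ((admin, t0), (staff, t0 + timedelta(hours=1))):
        try:
            cfg.set_setting(actor, when, "welcome_message", "mint now!")
        except PermissionError:
            refused.append(actor.user_id)
    return cfg, refused


if __name__ == "__main__":
    cfg, refused = demo()
    for entry in cfg.audit_log:      # this is what the dashboard log would show
        print(entry)
    print("refused:", refused)
```

The point of `changes_by(ActorKind.VENDOR_STAFF)` is the thread's [6/16]: when a server's settings change, one query answers whether a vendor employee (or their compromised account) did it, so the question is settled in minutes rather than after ten hours of blaming the server's own team.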