🔓 Hack Incident Report
⚠️ Our site was hacked on May 27, 2026
Attackers gained access to our server and destroyed approximately 90% of our database. This page explains what happened, what was lost, what we are doing to restore it, and what may currently be broken or missing on the site. We are deeply sorry for the disruption this has caused to our community.
We want to be clear and upfront about this: no sensitive private data was exposed or stolen. This was a destructive attack (data deletion), not a data theft attack.
- ✅ Email addresses — not leaked
- ✅ Passwords — not leaked (all stored hashed with Argon2id)
- ✅ Home addresses or phone numbers — not leaked
- ✅ Payment information — not stored on our server; not leaked
- ✅ Age verification photos / ID documents — not leaked
- ✅ Private messages — not leaked (though message history has been lost)
- ✅ IP addresses — not leaked
The attack was focused on destroying our data, not stealing it.
🔍 What Happened?
On May 27, 2026, an attacker (or group of attackers) gained unauthorized access to our web server and systematically deleted the contents of our database. The attack was targeted and deliberate — it was not an accident or a technical failure.
The attacker exploited a vulnerability and was able to run destructive commands against our database, wiping out nearly all stored records. Tables containing user accounts, uploaded content metadata, ratings, comments, messages, and site settings were dropped or emptied.
The physical files — photos, videos, and thumbnails — were partially deleted as well. Approximately 50% of all uploaded photos and videos were wiped from the server's file system entirely. The other half survived and have been re-added to the database. What was lost for those surviving files was the database records describing them (who uploaded them, when, what category, their ratings, etc.).
This is actually the second significant attack against our site in 2026. In April we dealt with a smaller SQL injection attack. This May attack was far more severe and specifically designed to cause maximum damage to our data.
💔 What Was Lost?
| Data Type | Status | Details |
|---|---|---|
| User accounts | Lost | All registered member accounts, usernames, profiles, bios, avatars, and account settings were deleted. There is no backup of account data we can restore. |
| Photos | ~50% Lost | Approximately half of all uploaded photos were permanently deleted from the server — both the files and their database records are gone with no way to recover them. The remaining ~1,375 photos that survived on disk have been restored as guest uploads — original uploader info, descriptions, ratings, and category assignments are lost. |
| Videos | ~50% Lost | Approximately half of all uploaded videos were permanently deleted from the server. The remaining 60 processed video files that survived on disk have been restored to the database as guest uploads. Original uploader info, titles, descriptions, and ratings are gone. |
| Ratings & votes | Lost | All ratings, votes, scores, and leaderboard data have been wiped. Photos and videos are starting fresh with zero ratings. |
| Comments | Lost | All photo comments, video comments, and profile comments are gone. |
| Private messages | Lost | All private message conversations have been lost. |
| Points & Allure currency | Lost | All accumulated points, Allure balances, purchased items, and purchase history are gone. |
| Friendships & followers | Lost | All friend lists, follow relationships, and follower counts have been wiped. |
| AI review history | Lost | All AI moderation results, review queues, and AI-generated body score data are gone. |
| Favourites & collections | Lost | All saved favourites, wishlists, and collections are lost. |
| Ban list & moderation history | Lost | All bans, ban appeals, moderation notes, and moderation history have been wiped. |
| Site settings & configuration | Rebuilding | Site settings, category configuration, and admin-level settings are being manually rebuilt. |
| Staff applications | Lost | All pending and approved staff applications (moderators, liaisons, safeguard team) are gone. |
🔧 What Are We Restoring?
Despite the scale of the attack, we have made significant progress rebuilding the site from scratch. Here is where things stand as of May 31, 2026:
- ✅ Database schema rebuilt — All ~80+ tables have been recreated from our codebase.
- ✅ ~1,375 photos restored — Surviving photos re-added to the database as guest uploads. The other ~50% are permanently gone.
- ✅ 60 videos restored — Surviving videos re-added to the database as guest uploads. The other ~50% are permanently gone.
- ✅ 15 categories re-seeded — Photo and video categories are back.
- ✅ Admin accounts re-created — Site administration is operational again.
- ✅ Upload system working — New photos and videos can be uploaded again, including AI-powered upload processing.
- ✅ AI moderation system — Fully operational. AI reviews every new upload for content policy compliance using Gemini AI.
- ✅ AI body rating system — AI-generated body analysis and ratings are working on new uploads.
- ✅ Rating system — Functional for new votes. Historical ratings are permanently lost.
- ✅ Ownership claim system — A "Claim This Photo/Video" button has been added to all pre-hack restored content so you can reclaim your uploads.
- ✅ Google & X (Twitter) OAuth login — Social login options are back and configured.
- ✅ 250+ database columns rebuilt — The photos table had over 250 analysis columns that needed to be manually added back one by one. Done.
- 🔄 AI reprocessing queue — All ~1,500 restored photos and videos are being put through AI moderation automatically. Estimated completion: ~June 5, 2026.
- 🔄 User registration open — Users can register new accounts. Original accounts cannot be restored.
- 🔄 Content moderation in progress — Restored photos/videos are being reviewed and approved.
- 🔵 Staff team — We are rebuilding our moderation team. If you previously applied or volunteered, please reapply.
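The disk-to-database reconciliation described above (surviving files re-added as ownerless guest uploads and flagged as pre-hack so they can be claimed), sketched as an added example. It is not the site's own code: the `media` table, its columns, the extension allow-list and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import sqlite3
import tempfile

MEDIA_EXT = {".jpg", ".jpeg", ".png", ".mp4"}  # assumed allow-list of upload types

def reconcile(db, upload_root):
    """Re-register surviving files in a hypothetical `media` table (assumed schema)."""
    db.execute("""CREATE TABLE IF NOT EXISTS media (
        id INTEGER PRIMARY KEY, path TEXT UNIQUE, sha256 TEXT,
        owner_id INTEGER, pre_hack INTEGER NOT NULL DEFAULT 0)""")
    known = {r[0] for r in db.execute("SELECT path FROM media")}
    hashes = {r[0] for r in db.execute("SELECT sha256 FROM media")}
    report = {"restored": [], "needs_review": []}
    for dirpath, _dirs, files in os.walk(upload_root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, upload_root)
            if rel in known:
                continue  # row survived or was already restored
            ext = os.path.splitext(name)[1].lower()
            # Symlinks, empty files and non-media files found in an upload
            # directory after an intrusion go to a human, not into the table.
            if os.path.islink(full) or ext not in MEDIA_EXT or os.path.getsize(full) == 0:
                report["needs_review"].append(rel)
                continue
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            if digest in hashes:  # same bytes already registered under another name
                report["needs_review"].append(rel)
                continue
            # owner_id NULL = guest upload; pre_hack = 1 marks it as claimable
            db.execute("INSERT INTO media (path, sha256, owner_id, pre_hack) "
                       "VALUES (?, ?, NULL, 1)", (rel, digest))
            hashes.add(digest)
            report["restored"].append(rel)
    db.commit()
    return report

def demo():
    """Run reconcile() twice over a constructed upload directory."""
    samples = {"a.jpg": b"\xff\xd8photo-a", "copy.jpg": b"\xff\xd8photo-a", "b.mp4": b"video-b",
               "empty.png": b"", "maintenance.php": b"<?php /* leftover script */"}
    db = sqlite3.connect(":memory:")
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return reconcile(db, root), reconcile(db, root), db
```

The second pass restores nothing, so the job can be re-run safely, and everything it declines to register is listed for manual review rather than silently dropped.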
⚠️ What May Currently Be Broken or Missing?
We are actively working through bugs and issues. Here are known things that may not work correctly right now:
- Leaderboards — Will show incorrect or empty data until enough ratings accumulate.
- Achievement badges — Achievements tied to historical activity are reset.
- Profile stats — View counts, rating averages, and milestones are starting from zero.
- Some admin pages — Minor display issues on certain admin management pages as we fix remaining database columns.
- Video playback — Restored videos are queued for re-processing. Some may not play immediately.
- "Newest" and sort features — Restored photos show the restoration date, not the original upload date. We are unable to recover original upload dates.
- Stats pages — Site-wide statistics will be sparse until activity rebuilds.
- Some error messages — You may encounter occasional errors as we continue to patch remaining issues. Please report anything you see.
If you encounter a bug or broken page, please contact us or use the support ticket system — it helps us fix things faster.
🛠️ Every Fix We've Shipped Since the Attack
We are documenting this openly so you know exactly what has been repaired and what still needs work.
- ✅ Photo upload pipeline — Fixed a critical bug in the perceptual hash column that was silently blocking all new photo uploads from saving to the database.
- ✅ Video upload pipeline — Restored and verified. Video processing, thumbnail generation, and category assignment all working.
- ✅ AI moderation (photos) — Gemini AI review is running on every new photo upload. The AI flags problematic content, assigns body scores, and queues borderline content for human review.
- ✅ AI moderation (videos) — Video frames are extracted and sent to AI for review. AI moderation is active on all new video uploads.
- ✅ AI token limit increased — The AI reviewer was hitting a cap of 4,096 tokens (too low for full analysis). Raised to 16,384 — AI now produces complete, detailed body assessments.
- ✅ 250+ missing database columns re-added — The photos table lost 250+ detailed analysis columns covering body measurements, skin tone, hair, and feature scores. All manually reconstructed and deployed.
- ✅ AI status types restored — Re-added missing status values (manual_override, error) to the AI review status field so admin overrides work correctly again.
- ✅ Database JSON constraint fixed — A database-level JSON validation check was silently rejecting AI result data. Neutralised via a trigger that prevents invalid writes.
- ✅ Feet, legs, hands category detection — The AI was miscategorising feet/legs/hands photos into wrong categories. Category mapping logic corrected.
- ✅ Google OAuth settings — Admin panel settings for Google OAuth login have been rebuilt and are configurable again.
- ✅ X (Twitter) OAuth settings — Same for X/Twitter login.
- ✅ Photo & video ownership claim system — Built from scratch post-hack. Every restored photo and video shows a "Claim This" button. Logged-in users submit a claim and an admin verifies and reassigns ownership.
- ✅ Admin claims management page — A dedicated admin page for reviewing, approving, and denying ownership claims for both photos and videos.
- ✅ May 27 hack notice links — Updated all site-wide hack notices (homepage, photo pages, video pages) to correctly link to this incident report instead of the April incident.
- 🔄 Video AI reprocessing — All restored videos are queued for AI moderation. Running now in background.
- 🔄 Photo AI reprocessing — All restored photos are queued for AI moderation and body scoring. Running now in background.
🤖 AI Moderation — Reprocessing All Restored Content
Every photo and video that was restored after the hack needs to be re-analysed by our AI moderation system. This covers content safety screening, body analysis scoring, and category verification.
We currently have approximately 1,500 items (photos + videos) queued for AI review. The AI processes one item every 5 minutes to stay within API rate limits and ensure thorough analysis per item.
| Stat | Value |
|---|---|
| Items to process | ~1,500 (photos + videos) |
| Processing speed | 1 item per 5 minutes |
| Total time required | ~7,500 minutes — 125 hours (~5.2 days) |
| Processing started | May 31, 2026 |
| Estimated completion | ~June 5, 2026 |
While reprocessing is ongoing, restored photos and videos are still visible and rateable. AI body scores and detailed analysis tags will appear progressively as each item is processed. Content that fails AI safety checks will be automatically hidden pending manual review.
You do not need to do anything — this happens automatically in the background 24/7.
🙋 Reclaiming Your Pre-Hack Photos & Videos
Because all original uploader data was wiped in the attack, every restored photo and video is currently listed as an anonymous guest upload with no owner. We have built a claim system specifically to fix this.
How to claim your content:
- Re-register your account — Create a new account at ratemybody.net/register.php. Your old account cannot be restored, but you can use the same username if it's still available.
- Find your photo or video — Browse the site to find content that was originally yours. All restored pre-hack content is marked with a ⚠️ Pre-Hack Photo or 🎬 Pre-Hack Video badge.
- Click "Claim This" — The button appears on every unclaimed pre-hack item. Click it while logged in. You can add a short message to help us verify it's yours (e.g. "this is from my 2024 upload session" or any other context).
- Admin review — Our team reviews your claim. If approved, the photo or video is immediately transferred to your new account. You'll get a notification.
We will do our best to verify claims fairly. Original file metadata was lost in the attack, so we can't verify ownership automatically — but we will use all available evidence (file content, your claim message, and context) to make fair decisions. False claims will be denied.
If you uploaded many photos/videos and need to claim them in bulk, contact us and we can assist.
📅 Timeline of Events
🛡️ Security Improvements Made
This attack has pushed us to significantly harden the site. In addition to fixing the immediate damage, we have implemented:
- Full audit and patching of all database query code
- Removal of sensitive recovery and maintenance scripts from the server after use
- Tightened admin authentication and session management
- Improved error handling so internal details are not exposed publicly
- Server-side rate limiting on upload and authentication endpoints
- Ongoing review of file permissions and server configuration
We are also reviewing our backup strategy to ensure faster recovery in any future incident.
💬 A Note From Our Team
We want to be honest with you: this was bad. Losing almost everything our community has built — the photos, the ratings, the conversations, the profiles — is genuinely gutting. We're angry about it too.
But we also want you to know that we haven't gone anywhere. We've spent every available hour since the attack rebuilding, patching, and putting the pieces back together. The site is back. Uploads are working. The community can rebuild.
If you had an account before May 27, we are sorry — we cannot restore your account data. We encourage you to re-register and start fresh. If any of your uploaded photos or videos survived (as they likely did — we've restored over 1,400 pieces of content), we will work to re-attribute them to you where possible once you re-register and contact us.
To anyone who has been patiently waiting, asking questions, or sending kind words: thank you. It means a lot. We'll keep fighting for this community.
If you have questions not answered here, please reach out.
This report will continue to be updated as restoration progresses.
Last updated: May 31, 2026 — evening — added fixes log, AI reprocessing estimate & completion date, claim system guide.