🛡️ Security Incident Notice

🔍 What Happened?

Earlier today, someone found a way to mess with our database — essentially the place where all the site's data is stored. They used a technique called "SQL injection," which is basically a way of tricking the website into running commands it was never supposed to run.

Through this, they were able to delete parts of our database, which caused the site to go down. No user passwords were leaked (they're all encrypted and stored securely), but the attack did take down the site and we lost about 16 hours worth of data — things like new uploads, ratings, and account changes made during that window.

We rolled the site back to a backup from earlier that day and started working on fixes right away.

⚙️ What Did We Do About It?

A lot. As soon as we found out what happened, we went through the entire site top to bottom. Here's the short version of what we fixed:

• Closed the holes: Every single place on the site where data goes into the database has been secured so that the same type of attack can't work again.
• Removed unnecessary files: We cleaned up over 130 old setup and maintenance scripts that were left over from development. These didn't need to be there and some could have been used to cause trouble.
• Added login protection: If someone (or a bot) tries to guess your password too many times, they'll get temporarily locked out. This protects your account from brute force attacks.
• Built a security monitoring system: We now have a real-time alert system that watches for suspicious activity and flags it immediately for our team to review.
• Tightened admin security: Admin accounts now have shorter session times and all login attempts are logged. If someone tries to access admin areas without permission, we know about it instantly.
• Locked down file uploads: The folders where your photos and uploads are stored have been hardened to make sure nobody can sneak in malicious files.
• Added security headers: Technical stuff that helps your browser protect you better while you're on our site.
• Hid error messages: Previously, if something broke, the error message could sometimes reveal technical details about how the site works. That's been fixed — you'll see a friendly error instead, while we still get the technical details in our private logs.

🔐 Was My Account Affected?

Your password is safe. All passwords on RateMyBody are encrypted using strong modern encryption (Argon2id, for the nerds out there). Even if someone got their hands on the database, your actual password can't be read from it.

If your account was created or you made changes during the 16-hour window we rolled back, those changes may have been lost. If you're having trouble logging in, try registering again or use the forgot password page.

💭 A Note From Us

Look — we're not going to pretend this was no big deal. It sucked. Nobody wants to wake up and find out their site got attacked. This is a community we care about, and seeing someone try to tear it down is honestly just frustrating.

At the same time, stuff like this is a reality of running a website. It's a lesson for us, and we're taking it seriously. We've already made more security improvements in the past day than most sites make in a year. That doesn't make it okay that someone did this — it's always messed up when people decide to break things instead of, you know, just being normal — but we're using it as fuel to make the site stronger.

We're going to keep monitoring things closely over the coming days. If anything seems off or you notice something weird, please don't hesitate to contact us or open a support ticket.

📅 Timeline

• April 15 — Early morning: Attack detected. Site went offline.
• April 15 — Within hours: Database restored from backup (16-hour rollback).
• April 15 — Throughout the day: Full security audit and fixes applied across the entire codebase.
• April 15 — Evening: Site back online with all security improvements in place.
• Ongoing: Active monitoring, security alerts, and continued hardening.