
🔓 Hack Incident Report

May 27, 2026 — Published May 31, 2026 — Actively being updated as restoration continues

⚠️ Our site was hacked on May 27, 2026

Attackers gained access to our server and destroyed approximately 90% of our database. This page explains what happened, what was lost, what we are doing to restore it, and what may currently be broken or missing on the site. We are deeply sorry for the disruption this has caused to our community.

🔒 Your Private Information Was NOT Leaked

We want to be clear and upfront about this: no sensitive private data was exposed or stolen. This was a destructive attack (data deletion), not a data theft attack.

  • Email addresses — not leaked
  • Passwords — not leaked (all stored as Argon2id hashes)
  • Home addresses or phone numbers — not leaked
  • Payment information — not stored on our server; not leaked
  • Age verification photos / ID documents — not leaked
  • Private messages — not leaked (though message history has been lost)
  • IP addresses — not leaked

The attack was focused on destroying our data, not stealing it.

  • 🗄️ Database: ~90% destroyed
  • 🖼️ Photos: ~1,375 restored
  • 🎬 Videos: ~60 restored
  • 🌐 Site: Back online ✅
  • 📤 Uploads: Working ✅
  • 🤖 AI Moderation: Reprocessing…
  • 🔧 Restoration: In progress

🔍 What Happened?

On May 27, 2026, an attacker (or group of attackers) gained unauthorized access to our web server and systematically deleted the contents of our database. The attack was targeted and deliberate — it was not an accident or a technical failure.

How they got in: We have now traced the attack vector. At the time of the hack we were running a beta version of the site on a separate subdomain — a development and testing environment that was accessible to the public. The attacker exploited a vulnerability in this beta site to gain access to the underlying server and its database, which was shared with the main site. The beta site was the entry point for the entire attack.

The attacker exploited a vulnerability and was able to run destructive commands against our database, wiping out nearly all stored records. Tables containing user accounts, uploaded content metadata, ratings, comments, messages, and site settings were dropped or emptied.

The physical files — photos, videos, and thumbnails — were partially deleted as well. Approximately 50% of all uploaded photos and videos were wiped from the server's file system entirely. The other half survived and have been re-added to the database. What was lost for those surviving files was the database records describing them (who uploaded them, when, what category, their ratings, etc.).

This is actually the second significant attack against our site in 2026. In April we dealt with a smaller SQL injection attack. This May attack was far more severe and specifically designed to cause maximum damage to our data.

💔 What Was Lost?

| Data Type | Status | Details |
| --- | --- | --- |
| User accounts | Lost | All registered member accounts, usernames, profiles, bios, avatars, and account settings were deleted. There is no backup of account data we can restore. |
| Photos | ~50% Lost | Approximately half of all uploaded photos were permanently deleted from the server — both the files and their database records are gone with no way to recover them. The remaining ~1,375 photos that survived on disk have been restored as guest uploads — original uploader info, descriptions, ratings, and category assignments are lost. |
| Videos | ~50% Lost | Approximately half of all uploaded videos were permanently deleted from the server. The remaining 60 processed video files that survived on disk have been restored to the database as guest uploads. Original uploader info, titles, descriptions, and ratings are gone. |
| Ratings & votes | Lost | All ratings, votes, scores, and leaderboard data have been wiped. Photos and videos are starting fresh with zero ratings. |
| Comments | Lost | All photo comments, video comments, and profile comments are gone. |
| Private messages | Lost | All private message conversations have been lost. |
| Points & Allure currency | Lost | All accumulated points, Allure balances, purchased items, and purchase history are gone. |
| Friendships & followers | Lost | All friend lists, follow relationships, and follower counts have been wiped. |
| AI review history | Lost | All AI moderation results, review queues, and AI-generated body score data are gone. |
| Favourites & collections | Lost | All saved favourites, wishlists, and collections are lost. |
| Ban list & moderation history | Lost | All bans, ban appeals, moderation notes, and moderation history have been wiped. |
| Site settings & configuration | Rebuilding | Site settings, category configuration, and admin-level settings are being manually rebuilt. |
| Staff applications | Lost | All pending and approved staff applications (moderators, liaisons, safeguard team) are gone. |

🔧 What Are We Restoring?

Despite the scale of the attack, we have made significant progress rebuilding the site from scratch. Here is where things stand as of May 31, 2026:

  • ✅ Database schema rebuilt — All ~80+ tables have been recreated from our codebase.
  • ✅ ~1,375 photos restored — Surviving photos re-added to the database as guest uploads. The other ~50% are permanently gone.
  • ✅ 60 videos restored — Surviving videos re-added to the database as guest uploads. The other ~50% are permanently gone.
  • ✅ 15 categories re-seeded — Photo and video categories are back.
  • ✅ Admin accounts re-created — Site administration is operational again.
  • ✅ Upload system working — New photos and videos can be uploaded again, including AI-powered upload processing.
  • ✅ AI moderation system — Fully operational. AI reviews every new upload for content policy compliance using Gemini AI.
  • ✅ AI body rating system — AI-generated body analysis and ratings are working on new uploads.
  • ✅ Rating system — Functional for new votes. Historical ratings are permanently lost.
  • ✅ Ownership claim system — A "Claim This Photo/Video" button has been added to all pre-hack restored content so you can reclaim your uploads.
  • ✅ Google & X (Twitter) OAuth login — Social login options are back and configured.
  • ✅ 250+ database columns rebuilt — The photos table had over 250 analysis columns that needed to be manually added back one by one. Done.
  • 🔄 AI reprocessing queue — All ~1,500 restored photos and videos are being put through AI moderation automatically. Estimated completion: ~June 5, 2026.
  • 🔄 User registration open — Users can register new accounts. Original accounts cannot be restored.
  • 🔄 Content moderation in progress — Restored photos/videos are being reviewed and approved.
  • 🔵 Staff team — We are rebuilding our moderation team. If you previously applied or volunteered, please reapply.

⚠️ What May Currently Be Broken or Missing?

We are actively working through bugs and issues. Here are known things that may not work correctly right now:

  • Leaderboards — Will show incorrect or empty data until enough ratings accumulate.
  • Achievement badges — Achievements tied to historical activity are reset.
  • Profile stats — View counts, rating averages, and milestones are starting from zero.
  • Some admin pages — Minor display issues on certain admin management pages as we fix remaining database columns.
  • Video playback — Restored videos are queued for re-processing. Some may not play immediately.
  • "Newest" and sort features — Restored photos show the restoration date, not the original upload date. We are unable to recover original upload dates.
  • Stats pages — Site-wide statistics will be sparse until activity rebuilds.
  • Some error messages — You may encounter occasional errors as we continue to patch remaining issues. Please report anything you see.

If you encounter a bug or broken page, please contact us or use the support ticket system — it helps us fix things faster.

Every Fix We've Shipped Since the Attack

We are documenting this openly so you know exactly what has been repaired and what still needs work.

  • ✅ Photo upload pipeline — Fixed a critical bug in the perceptual hash column that was silently blocking all new photo uploads from saving to the database.
  • ✅ Video upload pipeline — Restored and verified. Video processing, thumbnail generation, and category assignment all working.
  • ✅ AI moderation (photos) — Gemini AI review is running on every new photo upload. The AI flags problematic content, assigns body scores, and queues borderline content for human review.
  • ✅ AI moderation (videos) — Video frames are extracted and sent to AI for review. AI moderation is active on all new video uploads.
  • ✅ AI token limit increased — The AI reviewer was hitting a cap of 4,096 tokens (too low for full analysis). Raised to 16,384 — AI now produces complete, detailed body assessments.
  • ✅ 250+ missing database columns re-added — The photos table lost 250+ detailed analysis columns covering body measurements, skin tone, hair, and feature scores. All manually reconstructed and deployed.
  • ✅ AI status types restored — Re-added missing status values (manual_override, error) to the AI review status field so admin overrides work correctly again.
  • ✅ Database JSON constraint fixed — A database-level JSON validation check was silently rejecting AI result data. Neutralised via a trigger that prevents invalid writes.
  • ✅ Feet, legs, hands category detection — The AI was miscategorising feet/legs/hands photos into wrong categories. Category mapping logic corrected.
  • ✅ Google OAuth settings — Admin panel settings for Google OAuth login have been rebuilt and are configurable again.
  • ✅ X (Twitter) OAuth settings — Same for X/Twitter login.
  • ✅ Photo & video ownership claim system — Built from scratch post-hack. Every restored photo and video shows a "Claim This" button. Logged-in users submit a claim and an admin verifies and reassigns ownership.
  • ✅ Admin claims management page — A dedicated admin page for reviewing, approving, and denying ownership claims for both photos and videos.
  • ✅ May 27 hack notice links — Updated all site-wide hack notices (homepage, photo pages, video pages) to correctly link to this incident report instead of the April incident.
  • 🔄 Video AI reprocessing — All restored videos are queued for AI moderation. Running now in background.
  • 🔄 Photo AI reprocessing — All restored photos are queued for AI moderation and body scoring. Running now in background.

🤖 AI Moderation — Reprocessing All Restored Content

Every photo and video that was restored after the hack needs to be re-analysed by our AI moderation system. This covers content safety screening, body analysis scoring, and category verification.

We currently have approximately 1,500 items (photos + videos) queued for AI review. The AI processes one item every 5 minutes to stay within API rate limits and ensure thorough analysis per item.

| Stat | Value |
| --- | --- |
| Items to process | ~1,500 (photos + videos) |
| Processing speed | 1 item per 5 minutes |
| Total time required | ~7,500 minutes — 125 hours (~5.2 days) |
| Processing started | May 31, 2026 |
| Estimated completion | ~June 5, 2026 |

While reprocessing is ongoing, restored photos and videos are still visible and rateable. AI body scores and detailed analysis tags will appear progressively as each item is processed. Content that fails AI safety checks will be automatically hidden pending manual review.

You do not need to do anything — this happens automatically in the background 24/7.

🙋 Reclaiming Your Pre-Hack Photos & Videos

Because all original uploader data was wiped in the attack, every restored photo and video is currently listed as an anonymous guest upload with no owner. We have built a claim system specifically to fix this.

How to claim your content:

  1. Re-register your account — Create a new account at ratemybody.net/register.php. Your old account cannot be restored, but you can use the same username if it's still available.
  2. Find your photo or video — Browse the site to find content that was originally yours. All restored pre-hack content is marked with a ⚠️ Pre-Hack Photo or 🎬 Pre-Hack Video badge.
  3. Click "Claim This" — The button appears on every unclaimed pre-hack item. Click it while logged in. You can add a short message to help us verify it's yours (e.g. "this is from my 2024 upload session" or any other context).
  4. Admin review — Our team reviews your claim. If approved, the photo or video is immediately transferred to your new account. You'll get a notification.

We will do our best to verify claims fairly. Original file metadata was lost in the attack, so we can't verify ownership automatically — but we will use all available evidence (file content, your claim message, and context) to make fair decisions. False claims will be denied.

If you uploaded many photos/videos and need to claim them in bulk, contact us and we can assist.

📅 Timeline of Events

  • May 27, 2026: Attack occurs. Attacker gains access to our server and destroys approximately 90% of the database. The site goes down or behaves erratically.
  • May 27–28: Attack discovered and assessed. We determine the full scope of the damage. Physical files (photos, videos) are confirmed intact. Database records are confirmed destroyed.
  • May 28–29: Emergency restoration begins. Database schema rebuilt from codebase. Emergency admin accounts created. 1,375 photos added back to DB. Core site functionality restored.
  • May 29–30: SQL bug-fixing marathon. Over 15 missing database columns and tables identified and added. Multiple pages fixed. Smoke tests run across 29 pages.
  • May 30–31: Upload system fixed. Guest photo uploads repaired (perceptual hash column type bug). 60 videos restored to database. Admin photo management fixed.
  • May 31, 2026: This report published. Site is back online with core functionality working. Restoration ongoing.
  • May 31 (ongoing): AI deep-fixes & 250+ columns rebuilt. AI token limit raised to 16,384. JSON constraint neutralised via DB trigger. 250+ missing analysis columns re-added to the photos table. AI body scoring producing full results again.
  • May 31 (evening): Claim system launched. All pre-hack photos and videos now show a "Claim This" button so users can reclaim their content. Admin claims page live. Google & X OAuth settings restored. AI reprocessing queue started for all ~1,500 items.
  • ~June 5, 2026: AI reprocessing estimated complete. All ~1,500 restored photos and videos will have been processed through AI moderation and body analysis (~125 hours of processing).
  • Ongoing: Continued restoration & hardening. Ownership claims processing, content moderation, security patches, staff team rebuilding, and feature-by-feature verification in progress.
  • June 1, 2026: Attack vector identified & closed. Confirmed the hack entered through the beta site. Beta site permanently taken down and discontinued. Staff misconduct discovered: multiple staff members removed and reported to authorities for inappropriate contact with minors.

🚫 The Beta Site — Removed & Discontinued

The beta site that was exploited in this attack has been taken down, disabled, and permanently discontinued. It no longer exists in any form.

We have also decided not to pursue a new or replacement website. Our systems have grown to be highly complex and interdependent — safely migrating everything to a new platform would introduce far more risk than it would remove. We will continue operating and improving this current site, updating it progressively as we see fit.

The removal of the beta site eliminates the specific attack surface that was used against us. Going forward, any testing or development work will be done in a fully isolated environment with no connection to production data.
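
One way to enforce that separation at the database-account level, so that a test site has no credentials that reach production tables. This is an added example, not the site's own configuration: it assumes MySQL/MariaDB syntax, and every database name, account name and password in it is a hypothetical placeholder.

```sql
-- Added example. Hypothetical names: prod_db, beta_db, app_prod, app_beta,
-- schema_admin. Passwords are placeholders to be replaced.

-- Pattern to avoid: one all-powerful account whose credentials sit in the
-- configuration of both the production site and a publicly reachable test site.
--   GRANT ALL PRIVILEGES ON prod_db.* TO 'site'@'localhost';

-- 1. The test site gets its own database, filled with synthetic data only.
CREATE DATABASE IF NOT EXISTS beta_db;

-- 2. One runtime account per application, each limited to its own database.
CREATE USER 'app_prod'@'localhost' IDENTIFIED BY 'CHANGE_ME_PROD';
CREATE USER 'app_beta'@'localhost' IDENTIFIED BY 'CHANGE_ME_BETA';

-- Runtime accounts hold row-level rights only. Without DROP, ALTER, CREATE,
-- TRIGGER, FILE or GRANT OPTION, a compromised web request cannot drop or
-- truncate tables (TRUNCATE TABLE requires the DROP privilege).
GRANT SELECT, INSERT, UPDATE, DELETE ON prod_db.* TO 'app_prod'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON beta_db.* TO 'app_beta'@'localhost';

-- 3. Schema changes run under a separate account whose credentials are never
--    stored in any web-facing configuration file.
CREATE USER 'schema_admin'@'localhost' IDENTIFIED BY 'CHANGE_ME_ADMIN';
GRANT CREATE, ALTER, DROP, INDEX, TRIGGER ON prod_db.* TO 'schema_admin'@'localhost';

-- 4. Verify the result: app_beta must list no privilege on prod_db, and
--    neither runtime account may list DROP or ALL PRIVILEGES.
SHOW GRANTS FOR 'app_beta'@'localhost';
SHOW GRANTS FOR 'app_prod'@'localhost';
```

A runtime account with DELETE can still empty tables row by row, so this limits the damage from a compromised application but does not replace backups kept off the server.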

⚠️ Staff Team Update

During the process of rebuilding the site and the staff team following the hack, we discovered that a number of staff members had been engaging in serious misconduct.

Specifically, these staff members were found to have been:

  • Contacting minors (users under the age of 16) through the site
  • Sending inappropriate content to those minors
  • Receiving inappropriate content from those minors

These individuals have been immediately removed from the staff team and all access to site systems and data has been revoked. We have reported these staff members to the relevant authorities. We are fully cooperating with any investigations.

🚨 Update: One of the staff members referenced above has since been arrested and found guilty of possessing child sexual abuse material (CSAM). It has additionally come to light that this individual had a sexual relationship with the underage daughter of the site owner. This is an extremely serious matter. We are fully cooperating with law enforcement and all relevant authorities.

The safety of minors on this platform is non-negotiable. We take this matter with the utmost seriousness. If you or someone you know was affected, please contact us at our contact page or reach out to the appropriate authorities directly.

The remaining staff team has been vetted and we are continuing to carefully rebuild our moderation team. We are sorry this happened.

📋 Policy Change: Age Requirements

Effective immediately following the hack, we have updated our age policy. Previously, we had permitted minors to hold accounts under certain restrictions. Because the hack wiped all accounts entirely, there are no pre-existing accounts to grandfather in — this gives us a clean break to enforce a clearer policy from day one of the rebuild.

The new rules are simple:

  • 16+ — Minimum age to register an account and upload to clothed categories (swimwear, underwear, fitness, etc.)
  • 18+ — Required to upload any content involving nudity, without exception

Anyone found to be under 16 will have their account removed without warning. Anyone under 18 found to have uploaded nude content will have that content removed and their account reviewed.

If you are aware of an account or upload that violates these rules, please report it to us.

🔞 Age Verification — How It Works & Its Limitations

We get a lot of questions about this, so we want to be fully transparent.

How we verify age: We do not perform document-based age verification. Uploaders are required to confirm they are 18 or older before submitting any content. Beyond that self-declaration, every upload is automatically reviewed by our AI system, which assesses whether the person depicted appears to be an adult.

What this means in practice: No automated system is perfect. AI age estimation has limitations, and self-declaration relies on honesty. Despite our best efforts, it is possible for content to pass through that should not have. We are aware of this.

What we need from you: If you ever come across content that you believe depicts someone who is underage, please report it immediately using the report button on the photo or video, or contact us directly. Reports are reviewed promptly and content is removed if there is any reasonable concern. You do not need to be certain — if something looks wrong, report it.

What happens when content is reported:

  • The content is immediately flagged and hidden pending review
  • A staff member reviews the report manually
  • If there is any credible concern about the age of the person depicted, the content is permanently removed
  • The uploading account is banned and, where appropriate, reported to the authorities

Anyone who knowingly uploads content depicting a minor will be permanently banned and reported to law enforcement. There are no exceptions to this.

🛡️ Security Improvements Made

This attack has pushed us to significantly harden the site. In addition to fixing the immediate damage, we have implemented:

  • Full audit and patching of all database query code
  • Removal of sensitive recovery and maintenance scripts from the server after use
  • Tightened admin authentication and session management
  • Improved error handling so internal details are not exposed publicly
  • Server-side rate limiting on upload and authentication endpoints
  • Ongoing review of file permissions and server configuration

We are also reviewing our backup strategy to ensure faster recovery in any future incident.

💬 A Note From Our Team

We want to be honest with you: this was bad. Losing almost everything our community has built — the photos, the ratings, the conversations, the profiles — is genuinely gutting. We're angry about it too.

But we also want you to know that we haven't gone anywhere. We've spent every available hour since the attack rebuilding, patching, and putting the pieces back together. The site is back. Uploads are working. The community can rebuild.

If you had an account before May 27, we are sorry — we cannot restore your account data. We encourage you to re-register and start fresh. If any of your uploaded photos or videos survived (as they likely did — we've restored over 1,400 pieces of content), we will work to re-attribute them to you where possible once you re-register and contact us.

To anyone who has been patiently waiting, asking questions, or sending kind words: thank you. It means a lot. We'll keep fighting for this community.

If you have questions not answered here, please reach out.

This report will continue to be updated as restoration progresses.
Last updated: July 3, 2026 — identified attack vector (beta site), announced beta site discontinuation, staff misconduct disclosure, age verification transparency section added, minimum age policy change (no minors permitted); update: one referenced staff member arrested for possession of CSAM.

— The RateMyBody.net Team 💜