Hello everyone!
Our commitment is to be fair with our community and provide all required information about what happened and what we did to prevent this in the future.
Less than half a year has passed since our latest hack, but, unfortunately, appdb was hacked at the infrastructure level again. This time, the hacker used the backup infrastructure instead of the hypervisors in order to encrypt everything and ask for money.
Summary:
- appdb was hacked for the second time in its entire history
- the hack was manual and dedicated to our systems
- everything was encrypted; part of the production systems was removed from the servers completely
- everything may have been lost. appdb is a non-profit community dedicated to providing freedom to everyone, and the hacker was an ethical person who provided the decryption password for free and also told us the entry point of his hack. Otherwise appdb would be dead
- User data is safe. The backup wasn't exported and was encrypted with our passwords
And here are the details of this hack:
On 28 April 2023 appdb stopped working. Upon investigation we found that everything regarding the frontend, backend and IPA caches/libraries had been deleted. Only the routing and backup systems remained. There was a message on the backup server saying that we needed to contact the hacker to get our data.
Unfortunately, the backup storage was encrypted with DiskCryptor, and, while diving deeper into the logs, we found that the actual hack had started on the 24th of April.
The hacker installed software, examined our internal network, removed all backups, encrypted the empty disk and waited for new backups to be created on the encrypted disk. Why didn't we notice this? Sometimes backups fail, and this is OK: we have 2 tiers of backups, so when we replace failing disks, backups get rebalanced automatically, so we had no worries regarding this.
But the hacker was smart: he decrypted the passwords from the backup system database and used them to go to the 2nd tier of backups and remove them as well. This is our fault; the passwords for both systems were the same. He also used the backup system APIs to remove live parts of the system.
We ended up with no backups at all and with an encrypted disk holding the latest full backup (as of the 26th of April), so we needed to either contact the hacker or completely give up and post a notice that appdb had finished its existence.
We contacted the hacker and explained to him what he had done and what we planned to do next. He didn't want to take the glory of taking appdb down; he has hacker ethics. He provided us with the decryption password and told us what he had used to hack our systems. We greatly appreciate this decision and want to say "thank you" from us personally and from all our community as well. But please, next time, read the notices regarding our bounty program that are placed everywhere inside our infrastructure :)
We decrypted the backup and restored appdb as of the 26th of April.
Furthermore, we:
- Addressed the issue the hacker used: open ports on the backup infrastructure. We firewalled them and upgraded all backup software, so it no longer has the CVE that allows RCE and no longer has ports to exploit
- Checked logs, additional accounts and security keys, and changed all passwords to unique ones
- Rebuilt the backup system
- Introduced a 3rd offsite backup tier with file immutability
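The two weaknesses the post describes, "failing backups look normal" and "both tiers share one password", are both things a periodic audit can catch. The following Python check is an added example, not appdb's code or tooling; the snapshot inventory, tier names and credential fingerprints are constructed to mirror the incident, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory (not from the post): every snapshot that still exists
# on each tier, plus a fingerprint of the credential used to reach that tier.
# This mirrors the incident: tier 1 holds only failed jobs written to the
# encrypted disk, tier 2 has been emptied down to one old copy, and both tiers
# are protected by the same password.
SNAPSHOTS = [
    {"tier": "tier1", "created": "2023-04-26T02:00", "ok": False},
    {"tier": "tier2", "created": "2023-04-20T02:00", "ok": True},
]
TIER_CREDENTIALS = {"tier1": "fp:9c1d", "tier2": "fp:9c1d"}  # same password on both


def audit_backups(snapshots, tier_credentials, now, max_age_days=2, min_retained=3):
    """Return findings that a single bad disk would not normally produce:
    no fresh good snapshot, too few retained copies (mass deletion), and a
    credential shared by more than one tier."""
    findings = []
    by_tier = defaultdict(list)
    for snap in snapshots:
        by_tier[snap["tier"]].append(snap)
    for tier in sorted(tier_credentials):
        good = [datetime.fromisoformat(s["created"]) for s in by_tier[tier] if s["ok"]]
        if not good:
            findings.append(f"{tier}: no successful snapshot exists")
        elif now - max(good) > timedelta(days=max_age_days):
            findings.append(f"{tier}: last good snapshot is {(now - max(good)).days} days old")
        if len(good) < min_retained:
            findings.append(f"{tier}: only {len(good)} good snapshots retained, expected >= {min_retained}")
    # Credential reuse: one stolen password must not open every tier.
    tiers_by_fp = defaultdict(list)
    for tier, fp in tier_credentials.items():
        tiers_by_fp[fp].append(tier)
    for tiers in tiers_by_fp.values():
        if len(tiers) > 1:
            findings.append("shared credential across tiers: " + ", ".join(sorted(tiers)))
    return findings


def run_sample():
    # Audit as it would have looked on the morning the outage was noticed.
    return audit_backups(SNAPSHOTS, TIER_CREDENTIALS, datetime(2023, 4, 28))


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```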
So that is what happened under the hood. appdb is still alive, still safe and still the best place to find and share your freedom for Apple devices!
Best regards, appdb team!