The controversial online community Kiwi Farms, long accused of promoting targeted online and offline harassment campaigns, was taken offline after a hacker gained access to an administrator account.
Joshua Moon, the site’s administrator and de facto head, told users to assume the hackers have their email address, password, and the IP address of every device they have used to visit Kiwi Farms in the last month.
Kiwi Farms has backups and none of the forum materials have been permanently destroyed. However, users’ personal information may have been compromised.
Cybersecurity expert Kevin Beaumont of Arcadia Group said that after the website and proxy service were compromised, all avatars were replaced with the logo of another free speech forum.
Each node on the forum index was also gradually deleted.
Moon said the hack happened after Kiwi Farms’ offshore hosting provider was breached. The hacker(s) then used session hijacking to access both Moon’s own administrator account and an unknown number of user accounts.
The attacker uploaded a webpage disguised as an .OPUS audio file to XenForo and elsewhere, likely using an inline frame.
XenForo is a commercial Internet forum software package used to create forums such as Kiwi Farms.
The webpage caused random user accounts to generate automated requests that sent their authentication cookies off the site, which the attacker then used to access the accounts.
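The upload described above worked because a file whose extension said audio was accepted although its bytes were a web page. A server-side check for that mismatch follows as an added example; it is not from the article, Kiwi Farms or XenForo, and the function names and sample bytes are constructed for illustration.

```python
import struct

HTML_MARKERS = (b"<!doctype", b"<html", b"<head", b"<body", b"<script", b"<iframe")

def is_ogg_opus(data: bytes) -> bool:
    """True only if data opens with an Ogg page whose first packet is OpusHead."""
    if len(data) < 27 or data[:4] != b"OggS" or data[4] != 0:
        return False                      # capture pattern and stream version
    if not data[5] & 0x02:
        return False                      # first page must be flagged beginning-of-stream
    payload = 27 + data[26]               # 27-byte header + segment table
    return data[payload:payload + 8] == b"OpusHead"

def looks_like_markup(data: bytes) -> bool:
    """Flag HTML markers anywhere in the first KiB (catches simple polyglots too)."""
    head = data[:1024].lower()
    return any(marker in head for marker in HTML_MARKERS)

def check_opus_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept a .opus upload only when the bytes match the claimed type."""
    if not filename.lower().endswith(".opus"):
        return False, "not a .opus upload"
    if looks_like_markup(data):
        return False, "markup in file claiming to be audio"
    if not is_ogg_opus(data):
        return False, "missing OggS/OpusHead signature"
    return True, "ok"

def attachment_headers() -> dict[str, str]:
    """Headers so a browser never renders or sniffs a stored attachment as a page."""
    return {
        "Content-Type": "audio/ogg",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }

def sample_opus() -> bytes:
    """Constructed minimal first Ogg page (CRC left as zero; not validated here)."""
    page = b"OggS" + bytes([0, 0x02]) + bytes(20) + bytes([1, 19])
    return page + b"OpusHead" + bytes([1, 2]) + struct.pack("<HIhB", 312, 48000, 0, 0)

# Constructed sample: a web page saved under an audio extension.
SAMPLE_DISGUISED = b"<!DOCTYPE html><html><body>constructed test page</body></html>"

if __name__ == "__main__":
    for name, blob in (("clip.opus", sample_opus()), ("clip.opus", SAMPLE_DISGUISED)):
        print(name, len(blob), check_opus_upload(name, blob))
```

Serving user uploads from a separate origin that never receives the forum's session cookies limits the damage if a disguised file does get through.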
“Once they had access to the ACP, they tried to download user data, and XenForo provides a way to export user lists with accurate information: email, username, last activity, registration date, user status (banned/unverified), post count, and when they are employees,” Moon added.
Because the hackers requested too many records at once, their requests do not appear to have been fulfilled.
Moon acknowledged that the security incident resulted in his own administrator account being compromised.
He informed users that the site will be restored from a September 17 savepoint. This won’t happen right away, however, as he’ll have to “reformat and reinstall everything.”
“I have to evaluate my safety completely from the top down.
“The sophistication of this attack is very high and shows close familiarity with Rust and XenForo. It is unfortunate that they have dedicated themselves to this target, probably for a fee.”
To be fair to Joshua (the admin), he technically seems to know what he’s doing based on his comments in the Telegram chat.
Unfortunately for him, all the companies he works with do this and the users don’t.
— Kevin Beaumont (@GossiTheDog) September 18, 2022
Moon, a former 8chan admin, founded Kiwi Farms in 2013. Since then, the site has evolved into a place for the harassment and tracking of “lolcows,” which is how Kiwi Farms users describe their victims (generally members of sexual, ethnic, and political minorities) in the online and physical world.
This behavior has made it difficult for Kiwi Farms to get help from the tech industry.
Earlier this month, content delivery network Cloudflare stopped supporting Kiwi Farms after a transgender Canadian Twitch streamer was the target of a harassment campaign by Kiwi Farms users.
Cloudflare had defended Kiwi Farms from distributed denial of service (DDoS) attacks for years.
After Cloudflare severed its ties to the site, Kiwi Farms was left with no choice but to rely on less capable services, which seems to have played a part in the recent hack.
“Not only did Cloudflare provide DDoS protection, but it was also responsible for many popular exploits like this one,” Moon wrote.