DrawAFish.com Postmortem
TL;DR:

Incident Duration: ~6 hours (2AM–8AM EST)

Impact:
- Username vandalism (slurs)
- Offensive fish approved / safe fish removed

Root Causes:
- Legacy 6-digit admin password exposed in a past data breach
- Username update API lacked authentication
- JWT not tied to a specific user

Mitigation: Manual reversal of mod actions, fixed authorization logic, backups reviewed

Takeaway: whoopsy daisy
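The two authorization root causes above (an update API with no authentication check, and a JWT that was not bound to the account being edited) as an added Python example; this is not DrawAFish's code, and the signing key, in-memory user store and HS256 token layout are assumptions. The hardened handler rejects missing tokens, bad signatures, "alg: none" tokens, and valid tokens whose `sub` names a different user.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key; a real service loads this from a secret store.
SECRET = b"example-signing-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT whose 'sub' claim names the logged-in account."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET):
    """Return the claims if the signature is valid, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm we never issue
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64 or JSON
        return None


def update_username(users: dict, target: str, new_name: str, token: str = None) -> bool:
    """Hardened handler: a valid token is required AND its 'sub' must be the account being renamed."""
    claims = verify_token(token) if token else None
    if claims is None:
        return False  # unauthenticated: the incident API skipped this check entirely
    if claims.get("sub") != target:
        return False  # authenticated as someone else: token not tied to this user
    users[target] = new_name
    return True
```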