On 2012-09-18 at 22:00 GMT the RTT staff was notified that it was a potential target of a hacker group. As soon as we became aware of this issue, the site and tracker were taken offline as a precautionary measure. At this time there is no reason to believe the site, tracker, or any RTT servers were compromised. A thorough investigation was launched and we have determined that the site is secured and was not hacked. There are some theories; the most logical one is that there may have been an XSS (cross-site scripting) vulnerability that was being utilized against RTT users before HTTPS browsing was forced on the tracker some years ago.
Of the accounts listed, many were duplicated in the list, had no passwords, had old passwords, or were even disabled/inactive accounts. We do know very few accounts were accessed, and the accounts in question have already been looked at and addressed as needed. Passwords are NOT stored in clear text and never have been. Your account is secure. Your IP address(es) are secure. Your e-mail address is secure. No information was leaked from RTT directly.
We understand some accounts were accessed due in part to passwords that have not been changed in a very long time. Any changes in the past 24 hours have been rolled back and our Sysops will be actively monitoring activity on the tracker.
With this incident, what does this mean for our users?
All users are being required to change their passwords. Please use the password recovery feature to receive a new password. Please use a password that is unique to RTT. Please be patient in getting the password reset email, as a lot of people will be doing this! This "attack" may have targeted other websites. It is recommended that you do not use the same password that you use on RTT on other websites. Users on the 'list' have had their passkeys reset as well, to stop use by unauthorized users. You will need to update your passkey on any existing torrents or simply re-download the torrent file.
Any invites that were sent out recently are null and void. If you invited someone you will need to re-invite them. Please notify staff immediately via IRC if your invitee list contains users you did not invite or if your ratio contains irregularities.
If you have any further questions or concerns, please let us know and we will help you. Please be patient, as there are a lot of users asking for help regarding this incident. Our staff is made up of volunteers and we help out in our spare time. If you do not get an answer on IRC, please use the Contact Staff button on the Staff page and we will reply as soon as we can.
We've notified all users whose nicks appeared on the list, whether the actual info was valid on the account or not. We encourage all those who receive this PM, if you use that information across more than one online venue, to change it to avoid any issues outside of RTT.