Nov 17th, 2025- Exploit and Potential Breach Disclosure
4 months ago
General
On Saturday, November 15th, we became aware of a short-lived exploit that impacted roughly 7,000 accounts. The site was taken offline briefly to address the issue. The exploit has been resolved, but we want to let everyone know what happened.
The exploit accessed pages to scrape data. The targeted pages were Account Settings, Edit Profile, and User Notes (Inbox, Outbox, Trash, and Archives). The targeted data was Usernames, emails, and Notes, but due to the nature of the exploit the data may not have been pulled. 35% of the impacted accounts have 0 Notes on their account.
We are sending emails and notes to impacted users.
This exploit occurred due to a lapse in URL processing in our BBCode implementation, which recently had its processing code changed without a proper escape function that fully sanitized the URI (uniform resource identifier). We located this bug and patched it so the URI sanitization can no longer be bypassed.
Members of our community and our staff reported the exploit roughly 3 hours after it was introduced to the site. Upon learning about the vulnerability, we immediately took the site offline to ensure we could contain the spread and eradicate the exploit before it affected any further users.
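The class of bug described above, as an added illustration that is not Fur Affinity's code: a BBCode `[url]` renderer that copies the URI straight into an `href` attribute, beside a hardened version that allow-lists the scheme and HTML-escapes the attribute value. The `[url=...]...[/url]` tag form and the sample inputs are assumptions made for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed tag form handled by this renderer: [url=<uri>]<text>[/url]
URL_TAG = re.compile(r"\[url=(?P<href>[^\]]+)\](?P<text>.*?)\[/url\]",
                     re.IGNORECASE | re.DOTALL)


def render_url_unsafe(bbcode: str) -> str:
    """Illustrative weak renderer: the URI is copied into href without
    checking its scheme or escaping quotes, so a javascript: URI or an
    attribute breakout reaches the page as live markup."""
    return URL_TAG.sub(
        lambda m: f'<a href="{m.group("href")}">{html.escape(m.group("text"))}</a>',
        bbcode)


ALLOWED_SCHEMES = {"http", "https"}


def safe_href(raw: str) -> Optional[str]:
    """Return an escaped absolute http(s) URL, or None if the URI is rejected."""
    candidate = raw.strip()
    # Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so any
    # control character or whitespace is grounds for rejection, not cleanup.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return None
    parts = urlsplit(candidate)
    # urlsplit lower-cases the scheme; requiring a netloc also rejects
    # scheme-relative "//host" links and bare "https:" fragments.
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return html.escape(candidate, quote=True)


def render_url_safe(bbcode: str) -> str:
    """Hardened renderer: validate the scheme, escape the attribute value and
    the link text; if the URI fails validation, emit only the escaped text."""
    def repl(m):
        text = html.escape(m.group("text"))
        href = safe_href(m.group("href"))
        if href is None:
            return text
        return f'<a href="{href}" rel="noopener noreferrer">{text}</a>'
    return URL_TAG.sub(repl, bbcode)


# Constructed samples: one legitimate link and two hostile-looking inputs.
SAMPLES = [
    "[url=https://www.furaffinity.net/]FA home[/url]",
    "[url=javascript:alert(document.cookie)]free art[/url]",
    '[url=" onmouseover="alert(1)]hover me[/url]',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("unsafe:", render_url_unsafe(sample))
        print("safe:  ", render_url_safe(sample))
```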
FAQ
Q: Why did it take so long to post this?
A: Many of our lead staff members were away when this occurred and we wanted to take the time needed to make sure the issue was completely understood and resolved.
Q: Why was the site down for 11 minutes on Sunday?
A: The downtime on Sunday was completely unrelated to the exploit issue. On Sunday, we noticed that users were having issues with uploading and investigated our storage system, which required us to put the site in offline mode for a few minutes while we did some debugging/troubleshooting.
Q: Were passwords compromised?
A: No, the exploit did not have access to any passwords.
Q: Do I need to do anything?
A: No, no action is required for users.
Q: Who can I contact if I have more questions?
A: Please open a Trouble Ticket.
Q: Was the downtime on Tuesday, November 18th also related to this issue?
A: No, that was due to a global outage from Cloudflare, our caching provider: https://www.cloudflarestatus.com/incidents/8gmgl950y3h7
Thank you all for your support through this, and a reminder to be excellent to each other in the comments.
like up there with Steam
Thanks for the fast fix in every case :)
...
This exploit occurred due to a lapse in URL processing in our BBCode implementation...
With these two bits of information taken together, I would imagine it affected only users of the site during those three hours, who had potentially sensitive information processed without proper URI sanitising. So for example if no one accessed a user's Notes page during the period of vulnerability, the contents of that page couldn't have been exposed.
At least, that's my understanding. I'm not an expert, so I'd love to be corrected or see this confirmed by someone who has more technical expertise in this area.
In any case, as the staff said in the journal, they're personally contacting any users who may've been affected, which should be reassuring.
Unfortunately, the way the script worked, it would access the other pages without you navigating to those pages. Once you left the page with the malicious code on it though, the attack would have been completely removed.
Just so I can figure out when it was happening and what I was doing at the time. (I did end up getting impacted, unfortunately.... hopefully nothing major got accessed.)
And in terms of "Impacted," I just got a message/note from the FA Staff telling me it happened, but none of my notes were missing or anything.
However, now that someone can tie a username to an email, they can try and nab an account. Taken accounts can be used to spam, send scam notes, or otherwise be used in other attacks on the site. It's always best practice to check your email against databases like https://haveibeenpwned.com and move to a new email if it's been compromised. And never share passwords between sites, of course.
That's almost the worst that could happen, isn't it? I really hope that data isn't appearing somewhere online later. Really emphasizes that people should export+delete their notes and also should use a dedicated email for FA. Not like the janitors on 4chan a while ago. Wasn't that good when their IP got leaked.
I'm one of those users. That is not reassuring at all, wtf.
Thank you all for what you do <3
passkey bestkey
Thought I'd ask, cos I prefer using my KeePassXCs...
That's what I gather!
Good work tech team! :3
Thank you for letting us know all this. Keep up the good work.
About all I can say is I hope FA can further combat data scraping beyond our own page setting to disallow it by Google and the like.
Thanks for what you do!
It sounds scary, but the attack is considered "ephemeral" meaning once it runs the code, it doesn't really have any way to stick around thanks to how sandboxed your browser is from the rest of your device.
Tom Scott and Computerphile made a really good explainer here: https://www.youtube.com/watch?v=L5l9lSnNMxg
I hope this helps! Probably a lot of other tech folks can come in and help clarify things, but I did my best to keep it approachable <3
Thank you!
This attack was purely Javascript XSS though, so JS Disabled Browsers were not affected at all.
As for Modern + JS, unfortunately there's so much JS can offer in exchange that we can't avoid using it in places, but rest assured we try our best to develop features that can be as broadly accessible as possible. <3
Hope the affected users didn't share sensitive data and it is only limited to vore ERP, inflation and farts.
That will be useful for these criminals.
Honestly I don't think this took that long at all. Look at corporations that take weeks if not months to announce similar. I think announcing 2 days later is plenty fast enough.
We've reverted those changes, and thankfully we caught it early enough it couldn't be iterated on
At least it was caught reasonably fast.
Perhaps add an anteater to the team to sniff out any yet-undiscovered bugs! :)
Security over convenience for sure. Much appreciated.
Were there additional unit/integration tests added to hopefully prevent a similar regression in the future? :o
That being said: If anyone can break the current parsing mechanism, please give it a shot and let us know how you did it. We wanna encourage folks to help us keep Fur Affinity safe for everyone <3
I've always considered doing random pen testing but I don't want to set off any alerts or anything by trying lol
Was this somehow related? The account is suspended as of this morning.
If you encounter an account that appears to have been created solely to mass-watch others, please file a trouble ticket so that we can handle the issue. We'll take care of it as soon as we can!
If they uncover whose details have been taken, then please do message them quickly; I'm worried that there are people willing to be malicious with this potential breach.
Also, I don't know if anyone else is going through this after the attack: are any other iOS users having trouble navigating FA, trying to click on one thing and it selects something else entirely?
I noticed on the 16th that I had a weird URL in my footer - but thought that it was FA or something doing something. Good to learn that it wasn't - and thanks for clearing it from my thing :D
Do you want the contents of that footer or nah? Because I can provide them, I had taken a screenshot and just typed it back out RN
We were able to nab what was at the end point of that link, but feel free to toss it in a ticket just in case. Can never be too careful!
Bet, ticket #285881
I only have speculation and deductive reasoning as to why it was a security nightmare back then but it’s moot now. But a big part of it was old code that is like spaghetti and updates tend to get more complicated with that in the mix.
I don’t think a full rewrite of the site’s code is feasible but I don’t know. My web dev skills are woefully outdated.
I prefer FurAffinity's approach, I think a lot of websites use way more JavaScript than they actually need.
Nevertheless, thank you for your hard work, FA staff.
Thxs.
A lot of people put in decently sensitive information in them such as when they exchange contact information for payment for commissions so ensuring they are secure is imo a worthy priority. Ideally the info that has been scraped is minimal but just the thought of that info becoming public record for bad actors is a little anxiety inducing.
Even though it was explained that it’s unneeded I still have taken action to further improve security on my own account.
If you don't mind me asking: Is there anything that we, the users, can do in the future to prevent something like this from affecting us?
I'm asking as one of the folks that got a note of account breach, and seeing that it could've affected my notes... do I need to delete them all or something? I've never deleted any of them, juuuussst in case I've needed one for some reason or another, but I also use certain things like paypal that's actually in my husband's name. Am I okay in assuming that the info is safe, and it's not something to worry about?
Sorry if it's already been addressed, I'm not a tech savvy person, so I wasn't sure exactly what the scrape did.
Good to see the prompt and efficient reaction force, and a concise rundown of events. Still, are you quite sure there are no recommended actions?
Second, I suppose mail addresses and whatever information is in the notes can be considered to be in the wild now. Any particular actions you would recommend off-site?
We are sending emails and notes to impacted users.
We are doing it in waves to not overwhelm the system or messages being considered spam.
All notes are already out. Emails will be going in waves.
Regardless, I am relieved that the issue was detected and fixed quickly and that some improved automated tests have been implemented—we can't afford to wait for an interested party (friendly or otherwise) to discover these problems later.
Ahh... that's why I was logged off after the site was down.
At least we've been lucky and no big harm was done. ^^
However a friend of mine
Is there anything else I need to do since I got a note from the staff?
Hope those emails saying who got affected go out soon, especially as someone who is a survivor of physical assault by an individual who was stalking me online and does not want the same to happen to others.
A good habit to get into is to check your registered email on a site like https://haveibeenpwned.com
If you see your email has been compromised, and you share your password with said compromised site, change your password as a precaution. While they did not access your passwords through us, they do have your email + username combo. This means if your email + password combo is on another site's data breach, they can try and gain entry into your account by using that leaked password.
Does that mean no note = no compromise? Apparently not from other replies. Say we WILL send emails and notes. It's clearer.
Do you mean trouble ticket or note?
I wish you notified people ASAP. Keep the site offline if you have to (to prevent me-too exploits), but quick notification is crucial.
This isn't hypothetical. Breach recovery is really about the first few hours and then whatever script kiddie tries stolen credentials months later. Sophisticated attacks are racing you.
If I understand correctly, notes are private messages. The OP could be clearer for casual users or security researchers passing by.
The worst case scenario is a few things:
combine account name (fender) with email addresses (realname@gmail) to create dox
use PM info for dox / embarrassment / scams / etc
impersonation
This exploit, I assume, had access to anything your user account had access to (XSS exploit). That's why PMs and email are compromised but not the password.
We're lucky this was a minor attack, but that stolen info could leak. This feels like an anti-furry troll or an unsophisticated attacker, not someone in it for money.
The emails are going to the same users who received notes as a backup in case they have not been on FA since the incident, or they simply just ignore their notes.
It has come to our attention that your account was impacted by a short-lived exploit on Saturday, November 15, 2025. The targeted data was Username, email, and Notes, but due to the nature of the exploit the data may not have been accessed.
Yeah I'm one of the people impacted. Wasn't catastrophic thanks to the FA staff reacting quickly, but I did a bit of extra protection just in case. Did have all my notes left.
I sure hope they didnt see that
vs
Major corporations having massive data leaks and not telling anyone about it or doing anything to fix it for months to years and then refusing to take responsibility.
Thank you!
Thank you for the speed and the note.
I will have to double check a few things, hopefully should be fine.
Idk if I want to change my password or not yet, but we'll see.
But thank you so much for letting me know.
I'll have to figure out what to do with this information, but good to know I should be fine.
Again, thank you!
(I did type this out as a Note back, but saw I couldn't so, gonna just leave it here.)
So for data collection like this, the potential is to be able to link usernames to emails and then cross check those emails with password leaks from other sites.
If you contact us saying "Hey my email address is XYZ, what's my username?" we will not give it to you unless you pass our verification questions, which includes matching your account birthdate to your ID.
Now they can look up your email and see your password on, say, NotAFurryWebsite.com was 123furry. Then they can come try and login to your FA using that password. Once they have your account they can do a few things, like use it to spam or troll the site.
As you are affected, I suggest running your email through https://haveibeenpwned.com. If you see it has been compromised, it may be best to make a new email.
Me being rounded up in the 7k accounts makes me feel special >⩊<
Do I get a treat? ૮₍ • ᴥ • ₎ა
What does this mean? Was this a cause? Does this mean people WITH notes lost them?
Still confused.
Why would notes need to be scraped?
I'm assuming that the hack wasn't what deleted those notes?
Hoping the patch y'all did is enough for now.
Bruh I can't win giveaways and art raffles, but I can win being pulled into a hacker pool? Bruh what the heck!?
Who do I complain to in order to get better winning odds and a consolation prize!? D:<
(THANK YOU TECH TEEEEEEEAM!!💚💚💚)
Gotta be sure we're keeping our stuff safe and secure! 💪
Yay! I am curious though if at some point it'll be possible to dual-authenticate our accounts so we can get that much more protection against possible hacks/exploits that may compromise our accounts.
But, sounds like things were resolved. ^_^ Thank you. :D
1 - If we haven't been contacted via note or email at this point, does that mean we were not among those accounts impacted?
2 - The attack seems to have been described as an XSS (Cross Site Scripting) attack. If a user is running a scriptblocker set to whitelist javascript on a per-domain basis, would this mean they would avoid this attack entirely? Or was the malicious script being hosted on FA itself, and thus would be whitelisted in?
Thanks much.
I'm not Tech, so I've forwarded your comment to them. I can, however, answer the first one.
If you have not received a note, then you are in the clear. :)
P.s.: I have no personal experience, nor do I want to.
While I, too, have no experience in the substance you speak of, I do know that the iconography of the Pink Elephants sequence was used on the paper LSD was distributed on sometime in the past. That might be the connection!
I have hallucinated twice in my life. Once from strong painkillers after throat surgery, and the second time from brain surgery; that one made me see, among other things, a lot of swirly rainbow/RGB stuff everywhere for a few days.
I'm struggling to understand how the exploit spread. Was the XSS code injected in a url inside of a note sent to users?
Is it known how that note was sent? Botted accounts? Was it more targeted than that?
But....why would they even attack FA?
I can only bet the point of this was to scrape for AI data.
The tags are in a single VARCHAR(255).
Your username is burned in to all the tables that matter. Not your user ID (int), your user name (char). Allowing aliases is a relatively new table, *on top of* the one that has your user name burned into it.
You have about 35 million +/- submissions that you have to keep online while you fool around in the background rewriting everything.
FA has been on the 'net probably just about as long as you've been alive.
I wish you luck. :D
Would much rather hear about it like this, than to hear about it from some "THIS IS WHAT HAPPENED--" random drama post or something, haha.
Very informative post without random fluff to pad it out. Thank you!!!!!
If you have not received an email and/or note regarding this, you're A-OK!
As stated in my reply, if you have not received anything, you were not affected.
Is anybody else experiencing this issue?
Anyway I am glad you are all back
Q: Do I need to do anything?
A: No, but if you want to cheer the staff at Furaffinity that is probably greatly appreciated.
In that case, did you contact only the person whose account was compromised, or do you also contact all the people who sent notes to those people? Because those people's data has also been compromised, even though they didn't ever encounter the malicious payload themselves