Kiwi Farms has been breached; assume passwords and emails have been leaked
The head of Kiwi Farms, the Internet forum best known for organizing harassment campaigns against trans and non-binary people, said the site experienced a breach that allowed hackers to access his administrator account and possibly the accounts of all other users.
On the site, creator Joshua Moon wrote:
The forum was hacked. You should assume the following.
Assume your password for the Kiwi Farms has been stolen.
Assume your email has been leaked.
Assume any IP you’ve used on your Kiwi Farms account in the last month has been leaked.
Moon said that the unknown individual or individuals behind the hack gained access to his admin account by using a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials and successfully completes any two-factor authentication requirements. The session hijacking was made possible after malicious content was uploaded to XenForo, a site Kiwi Farms uses to power its user forums.
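Because a hijacked session cookie is accepted without any new login or two-factor prompt, one place defenders can look for it is in server logs: the same session suddenly being presented by a different client. The following is an added example, not code from the article, Kiwi Farms or XenForo; the log fields, session ids and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch
    session: str  # session-cookie identifier (log a hash, never the raw cookie)
    user: str
    ip: str
    ua: str       # User-Agent header
    kind: str     # "login" = credentials and 2FA just verified; "request" = cookie presented

def find_replayed_sessions(events):
    """Flag session cookies presented by a client other than the one that logged in."""
    bound = {}        # session -> (ip, ua) of the client that authenticated
    reported = set()  # (session, client) pairs already alerted on
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        client = (ev.ip, ev.ua)
        if ev.kind == "login" or ev.session not in bound:
            # New login, or the login predates the log window: bind to this client.
            bound[ev.session] = client
            continue
        ip0, ua0 = bound[ev.session]
        if client == (ip0, ua0) or (ev.session, client) in reported:
            continue
        reported.add((ev.session, client))
        # An IP-only change is common (mobile, VPN); a new User-Agent mid-session is not.
        severity = "high" if ev.ua != ua0 else "low"
        alerts.append({"session": ev.session, "user": ev.user, "ts": ev.ts,
                       "ip": ev.ip, "severity": severity})
    return alerts

# Constructed sample log (documentation IP ranges, made-up session ids).
SAMPLE = [
    Event(50,  "s-bob",   "bob",   "192.0.2.20",   "Safari/17",            "request"),
    Event(100, "s-admin", "admin", "198.51.100.7", "Firefox/115",          "login"),
    Event(120, "s-alice", "alice", "192.0.2.10",   "Chrome/120",           "login"),
    Event(160, "s-admin", "admin", "198.51.100.7", "Firefox/115",          "request"),
    Event(300, "s-bob",   "bob",   "192.0.2.20",   "Safari/17",            "request"),
    Event(400, "s-admin", "admin", "203.0.113.50", "python-requests/2.31", "request"),
    Event(410, "s-admin", "admin", "198.51.100.7", "Firefox/115",          "request"),
    Event(420, "s-admin", "admin", "203.0.113.50", "python-requests/2.31", "request"),
    Event(500, "s-alice", "alice", "192.0.2.99",   "Chrome/120",           "request"),
]

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE):
        print(alert)
```

A high-severity hit on a privileged account is a reasonable trigger for invalidating the session server-side and forcing re-authentication.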