In November and December 2020 a huge dump of maliciously obtained user data was posted on the internet from the defunct hacker site cit0day. The compressed files totalled some 50GB in size and contained billions of individual records gleaned from over 23,000 individual websites.

It has recently come to light that regrettably Winterhighland is one of those websites and we have now verified that genuine user data from Winterhighland was included.

You can read an explainer on the cit0day data dump by Troy Hunt.

If you don't have the time or inclination to read this whole announcement which is lengthy, please do read the top two sections 'The important stuff' and 'What preventative actions should you take'.

THE IMPORTANT STUFF

• While passwords were not stored in plain text, we have been able to establish that 2222 user passwords were cracked.
• The cit0day dump contains Email and Password pairs (plain text where the encrypted password was cracked), but does not contain usernames.
• Aside from what is published on the forum and public / backcountry snow reports, the user database contains no additional information other than email address and any currently unpublished forum signatures.
• Winterhighland is a non transactional website. No financial information is processed or stored on the Winterhighland Website.
  If you have previously purchased Warren Miller Tour Tickets for screenings organised by Winterhighland, the tour sites were hosted separately and third party payment providers (Stripe and Paypal) were used - we do not store payment credentials on any of our systems.

WHAT PREVENTATIVE ACTIONS SHOULD YOU TAKE?

The purpose of limited data sets such as these, is 'credential stuffing' on the basis that a proportion of users will have used the same password / email combination elsewhere. We advise checking your email address(es) and passwords for potential breaches:

• Avast Hack Check

  Get a personalised report to your inbox if your email address is linked with any password leaks, the database is closing in on 5 billion compromised passwords. You can only check for email accounts that you control as results are returned by email only.
  
  

• Have I been Pwned

  HIBP allows you to check whether the passwords you use are still secure of whether they have been cracked in known data breaches.
  
  

Specific to the Winterhighland partial password leak, we recommend the following:

• We advise changing your Winterhighland password even if you have not been notified that your password was cracked.
  
  
• Change your password (and use different passwords, please) anywhere you have used the same email and password combination. Even if the encrypted hash of your old password has not yet been cracked, it may be in the future as greater computer processing power increases the scope of brute force cracking attempts.
  
  
• Consider using a password manager system, if you can easily remember your passwords, they probably aren't as secure as you'd wish!
  
  
• Do not use a new Winterhighland password elsewhere. Due to additional bandwidth overheads of HTTPS, the Winterhighland website currently operates over http, as we understand many people have relied on getting some access to our website over very limited mobile internet connections in remote locations. This means there is a theoretical risk of a malicious actor sniffing forum passwords as they are transmitted to the web server.
  
  

If you have used the same password on the email account associated with your Winterhighland forum account, stop everything else and CHANGE IT NOW!

While reusing a password is always poor practice, we can not reiterate enough the importance of not having a reused or weak password on your email account! If a malicious actor can access your email account, they can take control of other accounts linked to your email address.

WHAT INITIAL ACTIONS HAS WINTERHIGHLAND TAKEN?

• We have verified that the data dump does contain valid email and password pairs.
  
  
• Having established that and due to the potential risk where individuals have used the same email and password elsewhere, we have notified the ICO on Sunday 14th February 2021 that a personal data breach has occured.
  
  
• We thank the forum members who have been in contact, whether via the forum, the many more via email who have provided useful information to this purpose.
  
  
• We have deleted all 2222 known cracked password hashes. If your password was one of them, you will be required to use the 'forgot password' link to reactivate your account.
  
  
• Winterhighland has emailed the 2222 user accounts where we know the password hash has been cracked and is publicly available. We are continuing to review the site code base and are engaged with a third party provider of advanced automated testing tools to further check all aspects of the servers and website.
  
  
• We have fixed a bug on the forgot password page where an issue with the sendmail system engaged debug code that inadvertently displayed the users email address on screen if certain email failures occurred.
  
  
• All forum users' email addresses have been hidden on the forum, even where the status was set to public.
  
  
• Mininum password requirement for new passwords has been tightened. Passwords must be at least 10 charcaters long, containing both upper and lower case characters, numbers and at least one punctation mark or special character.
  
  

WHAT HAPPENED AND WHEN?

Cit0day is a now defunct hacker website that traded stolen user credentials on the 'dark web', the site was taken down on 14th September 2020 and it's entire ill gotten database was dumped on the open internet in November and December 2020.

There are 3 aspects to inclusion of Winterhighland data in this dump:

• Password hashes were not robust enough.
  
  
• We did not previously enforce a high enough standard for passwords.
  
  
• When and by what means the email addresses and password hashes were obtained from the phorum user database.
  
  

We have to hold our hands up, the first two points made cracking the hashes of a proportion of the passwords more computationally feasible and had we done better on these two points which were directly in our control, the third point which is potentially related to hosting provision would likely not have resulted in passwords being cracked.

Unfortunately the cit0day data dump does not contain any information directly ascertaining when a given website suffered a password leak.

By working back and cross referencing across several security databases, we've ascertained that the newest Winterhighland user account where the password is cracked and the email is confirmed as being in cit0day just once registered on 7th March 2019.

Thus from the evidence currently available the balance of probabilities is that the breach occurred sometime after 7th March 2019 and obviously before cit0day's demise on 14th September 2019. It is more likely than not that if the password leak occurred in this period then it occurred earlier rather than later, as opposed to the alertnative option that all subsequently created passwords were much stronger than the minimum then required!

This potential date window for the password leak occurring from the second week in March 2019 corresponds with an enforced transfer of our hosting arrangements, as the infrastructure of our previous long term provider United Hosting underwent a staged shutdown following an earlier takeover by Iomart. We note:

• The United Hosting cloud platform finally closed early March 2019, including the Winterhighland Cloud VPS (virtual private server). Our site was migrated to Iomart hosting infrastructure.
  
  
• Compatibility issues between the UH cloud VPS servers as they were configured and the Iomart platform, plus transfer of tech support contributed to a number of rolling site issues and server outages through this period, with slow response times due to the resultant increased support workload.
  
  
• Protracted site downtime / server outages occured on 13/14th March and from 26th March 2019.
  
  
• The Warren Miller UK Film Tour site was hosted on Amazon Web Services and not affected by these issues.
  
  

While we were not made aware of any incidents by tech support that would have flagged a concern that data may have been extracted, nonetheless a misconfigured or unstable server is inherently more at risk of a breach than one which is functioning correctly. Given the overlap with the potential password leak window it is at least possible the server was compromised and the email and password hashes were obtained directly during this period.

An alternative scenario is an SQL injection attack, likely on a previously missed vulnerability in the Phorum codebase.

We are continuing to investigate the potential means of the data breach. However because of the time we believe has elapsed, plus the change in hosting provider and a wholly different split hosting environment mean it may not be possible to come to solid conclusions where it is possible to say X happened on date Y at time Z, but we suspect one of the 2 above scenarios provides a possible explanation.

Our investigations and review of the site will be ongoing and if additional information should come to light we update this announcement accordingly.

Further preventative action Winterhighland will take

We are implementing a number of short and longer term actions to reduce the risk of a repetition in the future. We are:

• Implementing a third party system of automated regular security scans and checks of the hosting environment and website that will be ongoing.
  
  
• Adding a flag to warn users logging in that a password leak occurred and non breached passwords will require to be changed by 31st March.
  
  
• Make further changes to the password hash algorithms for new passwords and will expire ALL remaining non cracked pre-existing passwords at the end of March 2021.
  
  
• Reviewing the forum's code base to mitigate the risk of any undocumented vulnerabilities. Ultimately this may in the short term require guest only posting with all user accounts disabled and details removed from the phorum database.
  
  
• Are reviewing the forum user database and considering a policy to remove accounts which have not posted and not logged in for an extended period of time. This will reduce the volume of user credentials stored.
  
  
• Given recent significant improvement in 4G LTE coverage at and in the vicinity of the snowsports areas, shift Winterhighland fully to HTTPS.
  
  
• Will move to a third party user credentials and login system such as Amazon Cognito during summer 2021, removing all user credentials and related code from the Winterhighland website and forum.
  
  
• Going forward we are considering options to remove entirely the remaining Phorum codebase from Winterhighland. The economics of this in the era of Facebook mean only a very small number of expensive large scale commercial forum platforms remain whom are likely to have long term security support. Utlimately closure of the forum maybe the only practical, secure and realistic outcome.

Moving forward

We are deeply sorry and embarrassed that a data breach has occurred on the Winterhighland website. If you have any questions or concerns please contact us by the means below.

We have moved our privacy policy statement to highlight this issue, please see Site Ts&C\'s and Winterhighland Privacy Policy.

<< Return to front page.