Kiwi Farms hacked and user details exposed

The founder's own admin account was compromised, as well as those belonging to many of Kiwi Farms' users


The controversial website, whose users regularly targeted minorities for abuse, recently lost its protection from Cloudflare

Controversial online community Kiwi Farms, which has long been accused of encouraging targeted online and offline harassment campaigns, has been knocked offline after a hacker was able to access an admin account.

Joshua Moon, the website's admin and de facto leader, told users they should assume the hackers have their email address, password, and the IP address of every device they used to visit Kiwi Farms in the last month.

Kiwi Farms has data backups and none of the forum material has been permanently destroyed. However, users' personal information may have been compromised.

Cybersecurity expert Kevin Beaumont, of Arcadia Group, said that after the website and proxy service were compromised, all avatars were replaced with the logo of another 'free speech' forum.

Each node on the forum index was also gradually erased.

Moon said the hack occurred after Kiwi Farms' offshore hosting provider was breached. The hacker(s) then used session hijacking to access both his own admin account and an unknown number of user accounts.

The attacker uploaded a webpage disguised as a .OPUS audio file to XenForo and elsewhere, likely using an inline frame.

XenForo is a commercial Internet forum software package used to create forums like Kiwi Farms.

The webpage caused random user accounts to generate automated requests and send their authentication cookies outside the website, which the attacker used to access the accounts.
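The disguise described above relies on a file being accepted on the strength of its extension. As an added example (not XenForo's code and not from this article), the check below accepts a `.opus` upload only if its bytes parse as an Ogg page carrying an Opus identification header; the function names and sample bytes are constructed for illustration.

```python
import struct

# Ogg page header: capture, version, flags, granule, serial, sequence, CRC, segment count
OGG_HEADER = struct.Struct("<4sBBqIIIB")
BOS_FLAG = 0x02  # "beginning of stream" bit in the header-type byte


def looks_like_opus(data: bytes) -> bool:
    """True only if data opens with an Ogg BOS page whose packet is an OpusHead."""
    if len(data) < OGG_HEADER.size:
        return False
    capture, version, flags, _gran, _serial, seq, _crc, nsegs = OGG_HEADER.unpack_from(data)
    if capture != b"OggS" or version != 0 or not flags & BOS_FLAG or seq != 0:
        return False
    table_end = OGG_HEADER.size + nsegs
    lacing = data[OGG_HEADER.size:table_end]
    if nsegs == 0 or len(lacing) != nsegs:
        return False
    packet = data[table_end:table_end + sum(lacing)]
    # OpusHead is at least 19 bytes: magic, version, channels, pre-skip, rate, gain, mapping
    if len(packet) < 19 or not packet.startswith(b"OpusHead"):
        return False
    # Major version nibble must be 0 and there must be at least one channel.
    # The page CRC is not checked here; a stricter gate would verify it too.
    return packet[8] & 0xF0 == 0 and packet[9] >= 1


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide on an upload from its content, not from the name it arrived with."""
    if not filename.lower().endswith(".opus"):
        return False, "extension not handled by this example"
    if looks_like_opus(data):
        return True, "ogg/opus header verified"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype", b"<html", b"<script", b"<iframe")):
        return False, "markup served under an audio extension"
    return False, "not an Ogg Opus stream"


def sample_opus() -> bytes:
    """Constructed minimal first page of an Opus stream (CRC left as zero)."""
    head = b"OpusHead" + struct.pack("<BBHIhB", 1, 2, 312, 48000, 0, 0)
    page = OGG_HEADER.pack(b"OggS", 0, BOS_FLAG, 0, 0x1234, 0, 0, 1)
    return page + bytes([len(head)]) + head


if __name__ == "__main__":
    for name, body in [("ok.opus", sample_opus()), ("page.opus", b"<html><body></body></html>")]:
        print(name, check_upload(name, body))
```

Content validation is one layer: serving attachments from a separate origin with `X-Content-Type-Options: nosniff` limits what a file that slips past such a check can do.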

"Once they had access to the ACP, they attempted to download user data, and XenForo provides a way to export user lists with information that is precise: email, username, last activity, register date, user state (banned/unverified), post count, and if they are staff," Moon added.

Because the hackers requested too many records at once, their requests do not appear to have been fulfilled.

Moon acknowledged that the security incident led to his own admin account being compromised.

He told users the website will be restored using a backup point from the 17th September. However, it won't happen immediately as he will need to "reformat and reinstall everything."

"I need to completely evaluate my security from the top down.

"The sophistication in this attack is very high, and shows an intimate familiarity with both Rust and XenForo. It is unfortunate that they have applied themselves to this end, likely for pay."

Moon, a former administrator of 8chan, founded Kiwi Farms in 2013. Since then, the website has developed into a place for the harassment and stalking of 'lolcows,' as Kiwi Farms users describe its victims - generally members of sexual, ethnic and political minorities - in the online and physical worlds.

This behaviour has made it difficult for Kiwi Farms to get help from the tech industry.

Earlier this month, content delivery network Cloudflare stopped supporting Kiwi Farms after a transgender Canadian Twitch streamer was targeted by a harassment campaign by Kiwi Farms users.

Cloudflare had defended Kiwi Farms from distributed denial-of-service (DDoS) attacks for years.

After Cloudflare severed its ties with the website, Kiwi Farms was left with little choice except to rely on less capable services, which seems to have played a role in the latest hack.

"Cloudflare not only provided DDoS protection, they also accounted for many popular exploits like this," Moon wrote.