If you’d like a deeper dive into the philosophy of Discourse, the project — what it is, what it set out to do, and why it exists — I can recommend a few presentations and podcasts I’ve done over the years which go deeper on background than what you’ll find on the Discourse home page.
From mid 2014 to January 2018, Discourse used Slack as an internal chat tool.
In February 2015, Slack had a security incident, and notified any accounts of “suspicious activity”:
As part of our investigation we detected suspicious activity affecting a very small number of Slack accounts. We have notified the individual users and team owners who we believe were impacted and are sharing details with their security teams. Unless you have been contacted by us directly about a password reset or been advised of suspicious activity in your team’s account, all the information you need is in this blog post.
We were not notified of any suspicious activity for any of our Slack accounts at that time. In July 2019, Slack posted an update and revealed important new information:
In 2015, unauthorized individuals gained access to some Slack infrastructure, including a database that stored user profile information including usernames and irreversibly encrypted, or “hashed,” passwords. The attackers also inserted code that allowed them to capture plaintext passwords as they were entered by users at the time.
We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password re-use between services, which we believed to be the case here.
We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users. However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.
Our Slack workspace was permanently deleted in January 2018, and as of that date we no longer use Slack in any capacity whatsoever. We were not notified by Slack of any potential compromise of our old Slack workspace.
About 3 days ago, we were contacted by an individual who provided excerpts from Slack chat logs from a specific non-management Discourse team member that span dates from July 2015 to March 2017.
Please note that access to Slack, by itself, confers absolutely no access to Discourse systems. We’ve closely analyzed the old Slack chat logs provided by this individual, and any credentials listed in those chat logs.
We only identified one set of credentials in the Slack chat log that was still valid — a Digital Ocean droplet that we used for external HTTP ping monitoring, but was no longer in active use. This droplet had no internal access to Discourse systems. We destroyed the old droplet and rebuilt it.
Based on our analysis of the Slack logs provided by this individual, we believe the risk to our hosting customers is low, and there is no risk to the Discourse public codebase.
However, out of an abundance of caution:
We directly and privately contacted all our enterprise hosted clients within 24 hours of discovery, and provided them a draft of this blog post.
We ensured that all internal Discourse credentials, of any type, have been cycled since January 2018.
On our hosting, we are now deleting Discourse API keys that have not been used in 4 weeks.
We are also moving up two security related features that are now planned for the current beta release, Discourse 2.4:
Any unused API keys will always be deleted after 6 months of non-use.
We will automatically send reminders to admins when sensitive secrets in your Discourse instance have not been rotated for 2 years.
Feel free to contact us at firstname.lastname@example.org if you have followup questions.
We apologize for this incident, and we will certainly use this as a lesson in how to further improve our security hygiene.
Today we release Discourse 2.3, building on Discourse 2.2 from February. For post-2.0 releases we’ve chosen a new set of codenames based on the history of human communication; this release is Vinca.
Completely overhauled flag and review system
Arguably the biggest change in this release is that we’ve completely overhauled and centralized our system for reviewing flags, posts, users, or anything else that needs to be reviewed or approved.
In older versions of Discourse there were multiple places you’d need to go to approve posts, topics, users, or flags. We’ve unified that into one simple queue for all so-called “reviewable” items.
Not only does this hopefully make life generally easier for Discourse moderators, it also opens the door to category specific moderators, who can now dip into the review queue for just the categories they’re in charge of.
Unicode usernames and translated Emoji names
Early in the life of Discourse we decided to copy the Twitter rules for usernames — which are rather short, strict and ASCII-centric. We’ve increased maximum username length already, and now we’ve introduced a site setting that allows the ultimate in flexibility: full unicode usernames.
(Please note that you’ll very likely want to whitelist just the allowable unicode ranges for your desired target language(s), as “full unicode” can be overwhelming and also exploitable.)
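The parenthetical above is the security-relevant part of this feature: once usernames are not restricted to ASCII, a name built from look-alike characters in another script can be visually indistinguishable from an existing staff member’s name. The following validator is an added example, not Discourse’s own username code: it normalizes the name, rejects invisible or format-only characters, accepts only an explicit allowlist of Unicode scripts, and refuses names that mix scripts. The allowlist (Latin plus Cyrillic), the length limit and the reason strings are assumptions chosen for illustration.

```ruby
# Added example, not Discourse code: restrict "full unicode usernames" to an
# explicit allowlist of scripts and reject mixed-script names.
# ALLOWED_SCRIPTS and MAX_LENGTH are assumptions for a site serving English and Russian.
ALLOWED_SCRIPTS = %w[Latin Cyrillic].freeze
MAX_LENGTH = 20

# Returns nil when the username is acceptable, otherwise a short reason string.
def username_rejection(raw)
  # NFKC folds compatibility forms (fullwidth letters, ligatures) into their
  # canonical equivalents before any other check runs.
  name = raw.unicode_normalize(:nfkc)
  return "empty" if name.empty?
  return "too long" if name.length > MAX_LENGTH

  # Format characters (zero-width joiners/spaces), control characters and
  # spaces are never acceptable in a username.
  return "contains format/invisible characters" if name.match?(/[\p{Cf}\p{Cc}\p{Zs}]/)

  # Every character must be an ASCII digit, an underscore, or a character
  # whose Unicode script is on the allowlist.
  script_alternatives = ALLOWED_SCRIPTS.map { |s| "\\p{#{s}}" }.join("|")
  allowed = /\A(?:[0-9_]|#{script_alternatives})+\z/
  return "character outside allowed scripts" unless name.match?(allowed)

  # A name that mixes scripts (e.g. Latin "p" followed by Cyrillic "а") is the
  # classic impersonation pattern, so refuse it even when each script is allowed.
  scripts_used = ALLOWED_SCRIPTS.select { |s| name.match?(/\p{#{s}}/) }
  return "mixes scripts" if scripts_used.size > 1

  nil
end

def valid_username?(raw)
  username_rejection(raw).nil?
end

# Constructed sample inputs, for running the file directly.
if __FILE__ == $PROGRAM_NAME
  ["jeff_atwood", "Иван", "p\u0430ypal", "日本語", "zero\u200Bwidth"].each do |n|
    puts "#{n.inspect}: #{username_rejection(n) || 'ok'}"
  end
end
```

The mixed-script rule does not catch a name written entirely in one allowed script that happens to look like an existing name in another (all-Cyrillic "раураl" next to Latin "paypal"); covering that case needs a confusable-skeleton comparison against existing usernames, which is a separate check from the allowlist shown here.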
We’ve also added translation support for the long-form text version of emoji codes, such as :smile:.
Staff Annotations / Notices
Sometimes you want to offer a bit of contextual staff commentary on a post, right there on the post, right as it happens. You can now do that with staff notices via the staff wrench on a post.
Additionally, new users and long absent users will have automatic, short staff notices on their initial posts that are only visible to trust level 2 and higher users.
The hope is that these reminders will encourage your most engaged community members to give new and long absent returning users a special welcome.
Group Membership Requests
We continue to improve and refine our group support in Discourse. In this release, we’ve added a self-service hub for people to request membership to a group (if the group allows it), and group owners can approve or deny those requests.
We’ve had a “mute” feature for a long time, which suppresses notifications and PMs from a target user. This has worked well enough, but in large communities sometimes certain users just can’t quite get along no matter what they try. In this release we’ve added an “ignore” feature which goes one step further than mute, and actively suppresses that user’s posts (and topics) from your display.
If you are trust level 2, Ignore can be enabled via your user preferences, or via a drop-down selector on the target user’s profile page. We hope this reduces the need for moderator intervention in these rare cases, as users can now self medicate and take breaks from each other as needed.
Discourse isn’t just a place for discussion; it’s also a tool for getting things done! We’ve enhanced the Assign plugin to make it easier to manage your assigned topics, across both private PMs and public topics.
We’ve also added configurable assignment limits and reminder PMs that go out periodically to let you know how many assignments you have on your list and how to manage them.
Require 2FA for Staff
We believe deeply in being secure and safe by default with Discourse. You may remember that in the past two or three releases we added the following security improvements:
Two factor authentication is supported, with printable backup codes.
Automatic invalidation of staff accounts that are dormant for more than six months.
In this release, we’ve made further strides toward Discourse being even more safe and secure out of the box:
You can now make two factor authentication mandatory for all staff.
Abandoned user accounts with no read time or posts for two years are automatically removed.
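The retention rules in this section and the ones announced in the Slack incident post above (API keys deleted after 4 weeks of non-use on hosting, 6 months in 2.4; staff accounts invalidated after 6 months dormant; accounts with no read time or posts removed after 2 years; a reminder when secrets have not been rotated for 2 years) are all the same kind of check: compare a last-activity timestamp against a window. The sweep below is an added example, not Discourse’s own implementation. The record shapes, the action names, the sample data and the reading of "6 months" as 180 days are assumptions; "no read time or posts for two years" is interpreted here as an account older than two years with zero read time and zero posts.

```ruby
# Added example, not Discourse code: one hygiene sweep applying the retention
# windows described in the post to constructed account, API-key and secret records.
DAY = 24 * 60 * 60
API_KEY_IDLE_LIMIT  = 28 * DAY       # 4 weeks on hosting (2.4 default is 6 months)
STAFF_DORMANT_LIMIT = 180 * DAY      # assumption: "six months" taken as 180 days
ABANDONED_LIMIT     = 2 * 365 * DAY  # two years
SECRET_ROTATE_LIMIT = 2 * 365 * DAY  # two years

# Returns a list of [action, identifier] pairs; the caller decides how to apply them.
def hygiene_actions(api_keys:, users:, secrets:, now:)
  actions = []

  api_keys.each do |k|
    # A key that has never been used counts from its creation time.
    last = k[:last_used_at] || k[:created_at]
    actions << [:delete_api_key, k[:id]] if now - last > API_KEY_IDLE_LIMIT
  end

  users.each do |u|
    last_active = [u[:last_seen_at], u[:last_posted_at]].compact.max || u[:created_at]
    if u[:staff] && now - last_active > STAFF_DORMANT_LIMIT
      # Dormant staff accounts lose their elevated access rather than being deleted.
      actions << [:invalidate_staff, u[:username]]
    elsif u[:read_seconds].zero? && u[:post_count].zero? && now - u[:created_at] > ABANDONED_LIMIT
      actions << [:remove_abandoned_account, u[:username]]
    end
  end

  secrets.each do |s|
    actions << [:remind_rotate_secret, s[:name]] if now - s[:rotated_at] > SECRET_ROTATE_LIMIT
  end

  actions
end

# Constructed sample data (not real Discourse records).
NOW = Time.utc(2019, 7, 20)
SAMPLE_API_KEYS = [
  { id: 1, created_at: NOW - 400 * DAY, last_used_at: NOW - 2 * DAY },   # in use: keep
  { id: 2, created_at: NOW - 400 * DAY, last_used_at: NOW - 40 * DAY },  # idle 40 days: delete
  { id: 3, created_at: NOW - 60 * DAY,  last_used_at: nil },             # never used, 60 days old: delete
]
SAMPLE_USERS = [
  { username: "active_admin", staff: true,  created_at: NOW - 1000 * DAY, last_seen_at: NOW - 1 * DAY,
    last_posted_at: NOW - 3 * DAY, read_seconds: 5000, post_count: 40 },
  { username: "old_mod",      staff: true,  created_at: NOW - 1000 * DAY, last_seen_at: NOW - 200 * DAY,
    last_posted_at: nil, read_seconds: 100, post_count: 2 },
  { username: "lurker",       staff: false, created_at: NOW - 800 * DAY,  last_seen_at: nil,
    last_posted_at: nil, read_seconds: 0, post_count: 0 },
  { username: "newbie",       staff: false, created_at: NOW - 10 * DAY,   last_seen_at: nil,
    last_posted_at: nil, read_seconds: 0, post_count: 0 },
]
SAMPLE_SECRETS = [
  { name: "smtp_password", rotated_at: NOW - 100 * DAY },
  { name: "s3_secret_key", rotated_at: NOW - 800 * DAY },
]

def sample_sweep
  hygiene_actions(api_keys: SAMPLE_API_KEYS, users: SAMPLE_USERS, secrets: SAMPLE_SECRETS, now: NOW)
end

if __FILE__ == $PROGRAM_NAME
  sample_sweep.each { |action, id| puts "#{action}: #{id}" }
end
```

Returning a list of intended actions instead of deleting in place keeps the sweep easy to dry-run and to log; on the sample data it yields the deletion of keys 2 and 3, invalidation of old_mod, removal of lurker, and a rotation reminder for s3_secret_key.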
These are just the highlights of 2.3 — we didn’t even mention our search refinements (including search weights by category), wiki posts now notifying watchers of edits, handy composer image resizing, or friendlier indication of subcategory permission errors. View the release-notes tag to get a detailed account of changes in every beta leading up to this release, or see the full release notes.
Easy One Click Upgrade
If you are on our hosting, you’re already upgraded. Otherwise, upgrading is as easy as clicking the Update button linked from your Discourse dashboard.
We have a public exploit bounty program at HackerOne as a part of our security policy. Being secure by default is a core value at Discourse, and we always follow up on any security concerns brought to us. There are several important security fixes in 2.3, so we urge everyone to upgrade to it as soon as possible.
Many thanks to the translators who generously contributed their time and effort translating Discourse into dozens of languages for this release. We make sure the top 10 most popular translations of Discourse get financial support directly from us to ensure excellent and timely translation of updated copy in each release.
As always, thanks to the greater Discourse community for posting support / bug request / feedback topics on meta.discourse and helping us improve Discourse. If you operate or support a Discourse community, come hang out with us!
We hope you find this release full of useful and interesting improvements. But we’re not done yet — not by a long shot! Visit the releases category to see what’s coming up for Discourse 2.4 and beyond.