2025-05-08 Attempted extortion
Thanks to Vale for the write-up!
This page may change as they’re still trying to extort us as of 2025-05-09 10:00.
Yesterday, someone claimed to have gained access to, and stolen, a Revolt database containing all user account credentials by exploiting a bug they refused to elaborate on. This was a false cyber-extortion attempt, and our system remains secure. If you just want to know how to secure your account and the measures we’ve taken, then you can skip to that. If you’d like the details of exactly what went down, read on.
What Went Down
On 08/05/2025 at 02:32 UTC, a user pinged me in a message in the Lounge channel of the official Revolt server. “@Vale, who do i contact about me having the revolt db” it read. This is not the sort of thing you want to read on a Thursday morning. I never could get the hang of Thursdays.
Both Jennifer and I immediately replied with “[email protected]”. This is our official email for all security enquiries and is manned not just by the Revolt Team but also personnel who provide further security guidance. I also mentioned that we award a badge for responsible disclosures, to which I was met with “a badge for a db lol”.
The user refused to contact us over email and instead requested a direct message on Telegram. I wasn’t planning to entertain this until they started posting legitimate account details and made the claim that the account they were using was one they’d breached.
I signed up for Telegram, locked down my account, and sent a hello. In response, they sent through a ‘small glimpse’ of the ‘full db’ with an alleged 602K records in an attempt to prove their legitimacy. Each record had a Revite URL, email, and plain-text password. We started trying some of the emails, and they were associated with accounts. The passwords were also valid. Uh oh.
Immediately, we were suspicious of the plain-text passwords. For the uninitiated, no respectable service will store your passwords in plain text within its database. At the very least, passwords should be hashed. Hashing a password involves running it through a one-way mathematical function that turns it into a fixed-length string of seemingly random characters. For example, mypassword123 goes in, and 6f1ed002ab5595859014ebf0951522d9 comes out. That latter string of characters is what Revolt stores. Then, when the user goes to log in and types mypassword123 again, the system hashes their input and compares it to the stored hash. If that matches what is stored, then you get into your account.
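To make the hashing explanation concrete, here is a small Python example added to this write-up (it is not Revolt's or Authifier's code) that stores and checks a password both in the bare form described above and with a per-user salt plus a slow key-derivation function; all function names in it are made up for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 guidance)


def weak_store(password: str) -> str:
    """The scheme sketched in the write-up: an unsalted, fast digest.

    The plaintext stays out of the database, but identical passwords give
    identical hashes and a fast digest is cheap to brute-force offline."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store(password: str, salt: bytes = None) -> str:
    """Hardened variant: random per-user salt plus a slow KDF.

    Returns a self-describing record '<algo>$<iters>$<salt hex>$<hash hex>'
    so the work factor can be raised later without a separate migration."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Login check: re-derive from the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Note that with the salted scheme two users who picked the same password end up with different stored records, so a dump of the table reveals neither the passwords nor which accounts share one.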
For them to have plain-text passwords, they either managed something really bad or hadn’t actually hacked us. One theory we had was that they might have created tons of accounts, stored those created accounts, and were now using them in an attempt to prove a breach. This theory was disproved when we took a deeper look at the accounts and saw that many of them had extended legitimate usage and were created over a period of several years.
When we probed them, asking how they acquired the data, they claimed they sourced it from a ‘bug’ but refused to elaborate without the payment of $1000 USD by midnight AEST. We don’t negotiate with terrorists script kiddies hackers extortionists and continued to take some preventative measures while we investigated further.
I put together a spreadsheet with some account details so we could identify patterns and further figure out exactly what we were dealing with. With this information, it became immediately obvious that things weren’t as they seemed.
We Weren’t Breached
Using Have I Been Pwned, we started running checks on the emails. All of them had two Telegram leaks in common. Bingo.
Revolt itself was not at any point breached; this was a pretty clear-cut case of credential stuffing and individual user compromise via malicious software. Credential stuffing is a form of cyberattack where account credentials from one leak are used to breach accounts on another service. If people use the same credentials across multiple services, a leak affecting one service means accounts on all services using those same details are compromised.
The leaks the account credentials came from were a combination of stealer logs and existing combolists. Stealer logs are collected via malicious software running on the victim’s machine which collects account credentials as they’re entered on websites. This explains the URL column in the ‘database’ screenshot they sent us. “Combolists”, as they’re dubbed, are lists of account credentials, often including an amalgamation of accounts from previous leaks.
The cherry on top is that of all the accounts, the email of the only one with a password that seemed to be Revolt specific wasn’t associated with an account. A red herring if we’ve ever seen one. This was no doubt included in an attempt to legitimise the leak and throw us off the path of credential stuffing. For the curious, the password was “PASS4Revolt!” — please don’t make this your password, we beg of you.
Measures We’ve Taken
We value your account security, and although this event was a dud, we don’t want anything like it to reoccur. We already had detection of commonly used passwords and some other security measures, but we’ve stepped things up. Authifier, our authentication library, has gotten some upgrades and will now be a lot more active in checking if accounts have been implicated in breaches.
The key change to look out for is that we’ve updated the breached-passwords database that Revolt checks against when validating your passwords. It will now match all known passwords from the HIBP database, as opposed to just the top few thousand.
We’ve also learnt a lot from this experience — more than we’ve mentioned here — and we’ll be putting this to use in improving our internal policies and systems.
If your account is impacted, you’ll see an error when logging in with a notice telling you to change your password. All you need to do is request a password reset, and you’ll be back on your feet.
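As an added illustration of the kind of check described above (this is not Authifier's actual code), here is a Python version of a breached-password lookup against HIBP's Pwned Passwords range API, which lets a service ask about a password by sending only the first five characters of its SHA-1 hash. The small in-memory corpus in the block is constructed for the example, and every function name in it is made up.

```python
import hashlib
import urllib.request

# Constructed stand-in for the HIBP Pwned Passwords corpus: a handful of
# passwords we pretend are breached, with made-up occurrence counts.
FAKE_BREACHED = {"password": 9545824, "PASS4Revolt!": 1, "mypassword123": 2500}

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range(prefix: str) -> str:
    """Offline stand-in for GET /range/<prefix>: one '<suffix>:<count>' line
    per known hash sharing the 5-character prefix, as the real API returns."""
    lines = []
    for pw, count in FAKE_BREACHED.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def live_range(prefix: str) -> str:
    """Real k-anonymity lookup: only the 5-character prefix leaves the server."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fake_range) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch=fake_range) -> str:
    """Policy hook for registration, password change or login."""
    n = breach_count(password, fetch)
    if n:
        return f"rejected: seen {n} time(s) in known breaches; please change your password"
    return "ok"
```

Pass `fetch=live_range` to query the real service; the full password hash never leaves your side, only its prefix, and the matching is done locally on the returned suffixes.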
Measures You Can Take
There are a few major things you can do to secure your account. The first is to use a unique password for each and every site/service you sign up for. Passwords should be sufficiently long and strong.
You should also use multi-factor authentication (MFA). MFA adds an extra layer of security, removing the risk of a single point of failure. A time-based one-time password (TOTP) is a common second factor of authentication and is supported within Revolt. It involves you having an authentication app which generates a code you must enter when logging into your account. This is used in addition to your password, which means that anyone trying to breach your account needs your email, password, and TOTP code. This makes unauthorised access significantly more difficult. If your password leaks, your account still can’t be breached unless they also have your TOTP code.
We recommend using a good password manager for creating and storing strong, unique passwords and managing your TOTP secrets.
If you encounter any strange behaviour with your account, you can always get in contact with us, and we’ll look into it as soon as we can.