September 22, 2021

Message to Our Community: Data Incident Alert

In April 2021, we became aware of a vulnerability in the AI Dungeon API. The individual who informed us accessed our systems between April 15th, 2021, and April 19th, 2021 as part of what they said was a proof of concept, before disclosing the vulnerability and claiming to delete the data.

The vulnerability was promptly fixed and, to our knowledge, only the reporter used the vulnerability to access data.

We recognize that scaling the business necessitates a continually evolving strategy that remains devoted to user security and privacy. Latitude is committed to that goal. We will work hard to protect our community.

Thank you for your continued membership in our community. Emails are being sent to users whose information was involved. If your data was included in the incident, you should receive an email within the next 24 hours. Our support team is accessible at [email protected].

Sincerely,

The Latitude Team

Questions

What data did the individual access?

The individual obtained user content from some users’ adventures, scenarios, posts, and comments, including those which were not currently published, and the associated username. The individual also obtained:

  • dates and times of creation, most recent update, and publication (if applicable),
  • whether the NSFW flag was set,
  • tags and total upvotes (where applicable),
  • descriptions, internal identifiers, and titles for scenarios, and
  • adventure titles, multiplayer invite codes, and player count.

No passwords or emails were obtained.

What did you do to fix the issue?

Our team took the following steps in particular to address this issue:

  • Disabled introspection to our GraphQL API,
  • Disabled vulnerable endpoints,
  • Expand the scope of our automated testing suite with a focus on security tooling to continually improve our software,
  • Immediately completed a robust security audit of our entire system, and
  • Initiated an external security assessment of our company’s security policies and processes.

Why has it been so long?

After learning about this issue, we undertook an extensive review of the data to understand how information was involved to which users it related. We also worked with outside data specialists to assess the incident and data involved to determine next steps. Based on these efforts, we are providing you, our community, with more information about what we have learned.