Last Friday (June 28th) Autumn's account was used to kick and ban dozens of users and delete most channels on our Discord server, amongst others. This started at 08:11 UTC and ended at 09:37 UTC. Even though most of the damage has been undone in the days after that, we were unable to recover many tens of thousands of messages, not to speak of the hundreds of users that are no longer members of our server.
This announcement goes into detail on what happened, who was responsible, and what the repercussions for the involved parties will be.
What follows is an excerpt that shows the most significant actions undertaken by Autumn's account. All times are given in UTC.
- 08:11: Non-moderating staff was given permission to kick and ban other users.
- 08:12: The "non-moderating staff" role was given to two other users, who assisted in the attack.
- 08:12: 96 users were pruned for having been inactive for at least 1 day.
- 08:12–08:26: Hundreds of users were kicked.
- 08:13–09:39: A handful of high-profile users was banned.
- 08:15–08:16: All roles below Chat Moderator were removed.
- 08:16–08:17: Dozens of previously-banned users were unbanned.
- 08:22: All users were given partial control over the moderator channel.
- 08:55: All users were given full control over the moderator channel.
- 09:02–09:03: More users were unbanned.
- 09:31–09:37: 16 channels were deleted.
Additionally, approximately 16 thousand /d messages were deleted using Autumn's account on the same day.
The affected moderator's account belongs to President Autumn, who thus bears the responsibility for this incident. Autumn's defence is that his account was supposedly compromised by CCodyy, who has previously attacked other Discord servers. Autumn says CCodyy tricked him into revealing his Discord token, which subsequently gave CCodyy full control over Autumn's account. It should be noted that Discord explicitly warns users not to share their token with anyone else for this exact reason. Being a moderator comes with a set of responsibilities, one of which is responsibility over what happens to your account. If Autumn's story is true, Autumn should have been more wary of giving away account details, even to his friends.
However, there is more. The attack was planned and coordinated on a separate Discord server. Two separate Fandom staff members have confirmed that, based on the IP address used, Autumn likely deleted the /d posts himself, and we have further evidence that Autumn attacked the Discord server himself as well. Finally, he has stated that he does not care about the actions undertaken with his account. All this seems to indicate that Autumn's story is false and that he performed the attack himself, or at least a significant part of it.
Autumn was initially banned on Discord and Fandom until he could prove he had secured his account in order to prevent further damage. After our investigation we have come to the conclusion that Autumn acted with the intent to greatly damage the Nukapedia Discord server. The severity of these extra-rights abuses bypass the need for a user-rights removal request; Autumn simply cannot be trusted as a member of staff. While Autumn would initially have received a six-month removal of rights and a censure preventing the application for extra rights during that time frame, proof of his active involvement in the attack has led the bureaucrats to decide that Autumn will have his extra rights removed immediately and that he will be banned permanently.
- Nukapedia's admins