Libretro / RetroArch were hacked, wiping some repositories


In an announcement, the Libretro / RetroArch team mentioned how the Libretro / RetroArch organization on GitHub was attacked by hackers, who managed to do quite a bit of damage.

While restoration is ongoing, some of it is going to be more difficult. In the announcement, they mentioned the scale of the damage that was done comes down to:

  • He accessed our buildbot server and crippled the nightly/stable buildbot services, and the netplay lobby service. Right now, the Core Updater won’t work. The websites for these have also been rendered inaccessible for the moment
  • He gained access to our Libretro organization on Github impersonating a very trusted member of the team and force-pushed a blank initial commit to a fair percentage of our repositories, effectively wiping them. He managed to do damage to 3 out of 9 pages of repositories. RetroArch and everything preceding it on page 3 has been left intact before his access got curtailed.

GitHub themselves have replied (source) to say they can't help, so the team is now relying on local backups and Git history from their developers to get the repositories back to where they were online.
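One way to approach the restore from developers' local clones mentioned above, as an added example (not Libretro's own procedure or code): rank the surviving clones by intact history and confirm the chosen one contains the others' commits before pushing it back. The repository layout, the branch name `main`, and the helper names `rank_clones` and `contains_all` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: choose which surviving developer clone to restore a wiped
# repository from. All repositories are constructed in a temp dir (assumes
# git is installed); no real remote is contacted.
set -eu
g() { git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"; }

# Print "<commit-count> <path>" for each clone that passes fsck, longest first.
rank_clones() {
  local branch=$1 c n; shift
  for c in "$@"; do
    git -C "$c" fsck >/dev/null 2>&1 || continue
    n=$(git -C "$c" rev-list --count "$branch" 2>/dev/null) || continue
    echo "$n $c"
  done | sort -rn
}

# Succeed only if $best already has every other clone's branch tip in its
# history, so restoring from it drops nothing another developer still holds.
contains_all() {
  local branch=$1 best=$2 c tip; shift 2
  for c in "$@"; do
    tip=$(git -C "$c" rev-parse "$branch")
    git -C "$best" cat-file -e "$tip^{commit}" 2>/dev/null || return 1
    git -C "$best" merge-base --is-ancestor "$tip" "$branch" || return 1
  done
}

# Constructed scenario: one remote, a current clone and a stale clone.
work=$(mktemp -d)
g init -q --bare "$work/origin.git"
g clone -q "$work/origin.git" "$work/dev_a" 2>/dev/null
g -C "$work/dev_a" symbolic-ref HEAD refs/heads/main
for i in 1 2 3; do g -C "$work/dev_a" commit -q --allow-empty -m "change $i"; done
g -C "$work/dev_a" push -q origin main
g clone -q -b main "$work/origin.git" "$work/dev_stale"
g -C "$work/dev_a" commit -q --allow-empty -m "change 4"
g -C "$work/dev_a" push -q origin main

# Remote state after the incident described above: history replaced by a
# single blank root commit.
g init -q "$work/blank"; g -C "$work/blank" symbolic-ref HEAD refs/heads/main
g -C "$work/blank" commit -q --allow-empty -m "initial commit"
g -C "$work/blank" push -q --force "$work/origin.git" main

best=$(rank_clones main "$work/dev_stale" "$work/dev_a" | head -n1 | cut -d' ' -f2-)
contains_all main "$best" "$work/dev_stale" "$work/dev_a"  # set -e aborts here if not
g -C "$best" push -q --force origin main  # restore the remote from that clone
echo "restored from $best at $(git -C "$work/origin.git" rev-parse --short main)"
```

If `contains_all` fails, no single clone holds everything and the clones need to be merged or fetched into one another before anything is pushed back.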

Some good news though: for users, they said no Cores or RetroArch installs should be considered compromised, as the attacker was too busy with wiping things and being a nuisance. However, because of the attack the Core installer is offline, as are the 'Update Assets', 'Update Overlays' and 'Update Shaders' functions.

Also mentioned is how they didn't have automated backups of their buildbot, a service which helps to automate building and testing the application, something that's generally vital for larger projects. They said it's due to funding, as they don't have enough for it, with a note about supporting them on Patreon to help.

This is another reminder of: backups, backups, backups! More than that though, it's also an example of why two-factor authentication is vitally important. This little detail was left out of their announcement, but they didn't force 2FA, which appears to be how the attacker actually got in. Speaking on Twitter, they mentioned how some developers felt it was "too much of a pain" and they didn't want to lose those contributors. Well, was it worth it? Let's hope proper security will be implemented now.

Article taken from GamingOnLinux.com.
17 comments
vipor29 17 Aug, 2020
Well, from what I'm hearing they have done a crappy job of telling people they were hacked, especially their Patreon subscribers. I just got told by one of them they had no warning at all that this went down and found my video about it, which is very very messed up. You should not have to see this stuff in news articles or videos to find this out. Very very bad thing on their part, and as for backing things up, that is on them. They should have known they needed to do that and now the flood gates are gonna come down on them for it. It's their own fault.
Creak 17 Aug, 2020
Quoting: vipor29 "They should have known they needed to do that and now the flood gates are gonna come down on them for it. It's their own fault."
Libretro is an open source, community driven, low-funded project about playing retro games, and the hack was not about leaking private data, but about crippling a github repo.

Let's be reasonable, please. They don't have to know everything about security, they have the right to be wrong, it is not a bank.


Last edited by Creak on 17 August 2020 at 5:19 pm UTC
slaapliedje 17 Aug, 2020
I figure the possibilities are.
1) aforementioned someone testing their skills
2) aforementioned bitter IP holder
3) FPGA vs Emulation vs Real hardware battle. RetroWar 2020!
4) There is no number 4
5) Simplest explanation, someone screwed up and they're blaming it on a hack.
vipor29 17 Aug, 2020
Quoting: Creak
Quoting: vipor29 "They should have known they needed to do that and now the flood gates are gonna come down on them for it. It's their own fault."
Libretro is an open source, community driven, low-funded project about playing retro games, and the hack was not about leaking private data, but about crippling a github repo.

Let's be reasonable, please. They don't have to know everything about security, they have the right to be wrong, it is not a bank.

Again, use a backup, no excuse.
Miles 19 Aug, 2020
Did they protect their default (master/main) branch and require pull requests with approvals to do any merges? Admin accounts with the power to override shouldn't be used for anything beyond setting things up, I would think. Preferring NOT to use 2FA is the real surprise to me. Wow! :/ Just because you're paranoid doesn't mean they're not out to get you. Stay secure, my friends.
svartalf 4 Sep, 2020
Quoting: vipor29 "Again, use a backup, no excuse."

Indeed. The problem there is that it's presumed that the hosting service would actually take care of that as it's one of the features of most services. Couple this with git having a backup of pretty much everything there... It's more about finding out the hosting service didn't do backups (oops) and figuring out which is the cleanest clone with the good history you have to restore.

It's more a pain in the ass than anything else. Nothing QUITE like you're making it out to be.
svartalf 4 Sep, 2020
Quoting: Miles "Did they protect their default (master/main) branch and require pull requests with approvals to do any merges? Admin accounts with the power to override shouldn't be used for anything beyond setting things up, I would think. Preferring NOT to use 2FA is the real surprise to me. Wow! :/ Just because you're paranoid doesn't mean they're not out to get you. Stay secure, my friends."

This presumes that your admin/control accounts aren't hacked/compromised. Once that happens...all bets are off.

From my admittedly limited understanding...that's what happened there.