Security Disclosures

Transparency reports on security incidents affecting Opal.

Security Notice — March 2026

Status: Resolved

What happened

Between March 2 and March 3, 2026, a third party gained unauthorized access to rows of our primary users table via a backend vulnerability. The individual subsequently attempted to extort Opal for $50 USD in exchange for not publishing the data. We declined.

The exposed data appears to be limited to the users table only — no other tables (payments, keys, configurations, etc.) are believed to have been accessed. That said, we do not know with certainty whether all user accounts were affected. All users should assume their data was included and take the recommended actions below.

Origin of the vulnerability

Following the extortion attempt, we conducted a full audit of the codebase. Multiple vulnerabilities were identified — some in code from the original authors of the platform, and some in code written by the current maintainer. All identified vulnerabilities were patched within hours of discovery, and additional hardening measures were applied across the platform. A security test suite was also developed to continuously verify these protections going forward.

Data potentially exposed

Based on our investigation, the following fields were present in the compromised data:

Field | Description | Risk
id | Internal user identifier (e.g. user_trq) | Low — internal only, not secret
name | Username / display name | Low — already public
email | Account email address | Medium — could be used for phishing or spam
password | Argon2id hash (not plaintext). Passwords are hashed with Argon2id, the current industry standard. | Medium — cracking is computationally expensive, but weak passwords could still be at risk
role | User role (e.g. user, developer) | Low
emailVerified | Whether the email was verified | Low
twoFactorSecret | TOTP secret used for 2FA | High — could be used to generate valid 2FA codes. All 2FA secrets were reset as part of remediation.
twoFactorBackupCodes | One-time backup codes for 2FA recovery | High — could bypass 2FA. All backup codes were invalidated.
twoFactorEnabled | Whether 2FA was enabled | Low
isReseller | Reseller status flag | Low
createdAt | Account creation date | Low
coins | In-platform currency balance | Low — informational only, cannot be spent externally

Actions we took

  1. Identified and patched multiple backend vulnerabilities within hours of the initial report.
  2. Refused the extortion demand.
  3. Force-reset every user password — all users are required to set a new password on next login.
  4. Invalidated all 2FA secrets and backup codes platform-wide.
  5. Terminated every active session across all accounts.
  6. Conducted a full audit of the existing backend codebase.
  7. Developed an automated security test suite to continuously verify protections.
  8. Deployed new user-facing features (email change and account deletion) to give users more control over their data.

What you need to do

  1. Reset your password — you will be prompted on your next login. If you forgot your old password, you can use the “Forgot Password” flow instead.
  2. Re-enable 2FA — if you previously had it enabled, set it up again in Settings → Security.
  3. Update reused passwords — if you used your Opal password anywhere else, change it there too. Your password was stored as an Argon2id hash (not plaintext), but weak or commonly reused passwords may still be vulnerable to offline cracking. See the “Understanding Password Hashing” section below.
  4. Watch for phishing — your email address may have been exposed. Be cautious of unsolicited messages claiming to be from Opal. We will never ask for your password.

Security best practices

  • Use unique passwords everywhere — and use a password manager (e.g. 1Password, Bitwarden) to keep track of them.
  • Use email masking — services like SimpleLogin or Apple’s Hide My Email let you create unique addresses per site. If one leaks, you can identify the source and shut it down.
  • Always enable two-factor authentication (TOTP) — this adds a second layer of protection even if your password is compromised.

Understanding password hashing

We’ve seen some confusion around what it means that your “password was leaked.” Here’s what actually happened:

How hashing works: MyPassword123 → Hash Function → $argon2id$v=19$m=19456...

Your password is transformed into a fixed-length string of random-looking characters. This process is one-way — you cannot reverse the hash to get the original password.

Encryption (reversible)

password → encrypted → password

Anyone with the key can reverse it. We do NOT use encryption for passwords.

Hashing (one-way)

password → hashed → ???

No key exists to reverse it. This is what Opal uses (Argon2id).

So what does this mean for you?

  • No one can read your original password from the leaked data.
  • Attackers can try to “guess and check” common passwords against the hash, but Argon2id is specifically designed to make this extremely slow and expensive.
  • If you used a strong, unique password, the risk of it being cracked is very low.
  • If you used a weak or reused password, change it everywhere you used it — not just on Opal.

New features added in response

As a direct result of this incident, we built and deployed the following features to give users more control:

  • Email change — you can now change the email address associated with your account from Settings. Requires password confirmation and 2FA if enabled.
  • Account deletion — you can disable your account from Settings. Disabled accounts are scheduled for permanent deletion after 30 days. You can reactivate within that window by logging in.

Bug bounty & responsible disclosure

We welcome responsible security research. If you discover a vulnerability in Opal, we ask that you:

  1. Report it privately via our Discord server or email.
  2. Provide a clear description with reproduction steps.
  3. Allow reasonable time for us to investigate and patch before any public disclosure.

We are happy to pay bounties for valid, responsibly disclosed vulnerabilities. Extortion, threats, or public disclosure without prior notice do not qualify.

Timeline

Date | Event
March 2, 2026 | Unauthorized access identified
March 2, 2026 | Extortion attempt received and refused
March 3, 2026 | All identified vulnerabilities patched; remediation began
March 3, 2026 | Platform-wide credential reset, 2FA invalidation, and session termination completed
March 3–5, 2026 | Full codebase security audit and automated test suite development (125+ security tests)
March 5, 2026 | Public disclosure published; email change and account deletion features deployed

We take platform security seriously and are committed to full transparency with our users. This page will be updated if new information becomes available. If you have questions or concerns, please reach out via our Discord server.