Modrinth Servers Security Incident

Pyro

We have posted our transparency report detailing the incident and our response. The post below remains for historical purposes.

What happened?

On January 20, 2025, a malicious threat actor gained unauthorized access to Pyro’s infrastructure platform via a compromised GitHub Personal Access Token. During the breach, the actor had access to the database containing Modrinth Servers customer data. Modrinth user data (hosted by Modrinth) and Modrinth Servers data (hosted by Pyro) are separate from each other, and no part of Modrinth, such as user data, billing information, or content, was compromised.

The threat actor had access to server names, server IDs, server IPs and ports, server subdomains, general server metadata (mod loader, installed modpacks, Minecraft version), backup metadata, and SFTP credentials, which have been reset for all Modrinth Servers. Three customer servers were directly accessed by updating the owner to a Modrinth account controlled by the threat actor. We have proactively contacted the customers affected and have already secured their servers.

As of today, January 25, we have fully resolved this security incident. We are no longer experiencing, nor do we expect to experience, any operational disruption to Modrinth Servers. We have no evidence that there is any malware or continued unauthorized activity within the platform. Outside of database access and certain dangerous APIs which were disabled immediately in response, the threat actor’s access was limited at every step of the incident. As a result, the vast majority of customers’ data was not accessed by the threat actor. Pyro will be releasing a transparency report, including a full timeline of events, root cause, and a detailed log of our security response, within the week.

All Modrinth Servers customers will have their service extended by two weeks at our expense as a result of this incident. Please contact support if you have any further concerns and our team will get back to you right away.