ownCloud Hacked (Discourse)

Hope that they're going to release a security update. If I heard it happened to my forum software, they would be right onto it as fast as they can.
 
Honestly, they probably should have been more vigilant when they saw a suspicious email, as it completely opened the door to the attackers, but yes, they probably should harden Discourse, especially to disable admin privs via social logins or something.

If you scroll down, Jeff Atwood does seem to have a solution which they'll be rolling, but I'm not really sure if it goes far enough. It would solve that specific case.
You really don't want to be granting admin privileges to people logging in via Github or Facebook or w/e.

All the "fix" will really do is prevent an intruder from downloading backups, but I'm not really sure that goes far enough.
 
> Hope that they're going to release a security update. If I heard it happened to my forum software, they would be right onto it as fast as they can.
No. It's not that. I'll explain in a bit.
> Honestly, they probably should have been more vigilant when they saw a suspicious email, as it completely opened the door to the attackers, but yes, they probably should harden Discourse, especially to disable admin privs via social logins or something.
It's not Discourse. This same method happened to LinkedIn [someone gained access to Mark Zuckerberg's account(s) this way]. Same method of getting the admin password. What happened was the admin user used something like Facebook Connect to gain access to his admin panel. This is very dangerous for a lot of reasons. First, some people use the same password for e-mails, Facebook, and whatever. This means whoever had the password to the e-mail address combo (which some databases do - kinda like xrumer does for spamming; they know the CAPTCHA secret input keys, etc.) used the login portal to gain access and downloaded the database that way. That means he didn't need to know the admin panel password. He just needed to know the Facebook Connect e-mail and password.

Secondly, how was the database downloaded? I'm not sure, but don't make it that easy to download databases if your service is a "forums as a service" product. (That's what it is.)

Never, ever enable social account(s) for your admin privs. NEVER.

It's just that simple, don't do it. Don't be stupid.
> All the "fix" will really do is prevent an intruder from downloading backups, but I'm not really sure that goes far enough.
It doesn't, but at least it eliminates the ease of downloading a database. Most "Forums as a Service" businesses live on users themselves, not ads. They (Discourse) compete with the likes of ProBoards, Vanilla Forums, and other smaller Cloud solutions. I've met Jeff before, he's a nice guy, but he needs to treat his business well, as in, "how does a user see my forums?"

It would have been better if the admin of the Discourse database had a stronger password for that FB connect login, and/or stronger password for the admin panel. But he was lazy. Sorry, dude, but true. And for fuck's sake, don't use the same password everywhere you login!
 
Discourse is a forum software with a market-share comparable to that of MyBB.
A software. You download it, install it, and run it. Yes, you can buy hosting straight off Discourse itself, but this isn't particularly uncommon for the paid players in the market (e.g. IPB).

Discourse is unusual however, as it somewhat tries to follow the WordPress model. Free software. Paid hosting.

And as Mr. Atwood said in that very topic discussing it, social logins are disabled when 2FA is enabled. Hence, if they're capable of doing it there, then they should be capable of doing it without for admin accounts.

An administrator is not a normal user. They should be held to higher standards, for they hold the fate of others on their shoulders.

And yes, the admin never should have linked those accounts or whatever ceremony is required to intermingle the accounts like that. But, it is a bit of a trap for the less aware.

And even if someone isn't capable of downloading the database, they don't actually need to download the database to grab everything dear to you. Discourse admins can read PMs, as well as everything you'd expect a super administrator to be capable of.

The only thing they can't grab is your hashed passwords.

But frankly, I have a certain level of caution towards self-hosted sites, and by extension, forums in general. Even if I were an infamous password re-user, which I am sadly not, I would not even consider using an important password in a place like that.

Another thing which would help is forcing 2FA for all staff. No forum owner worth his / her salt would run a sizeable site without having their administrator enable 2FA; not using it is simply irresponsible. And it's not like 2FA hasn't been marketed as the solution for all password reuse woes for years.
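The two rules this post argues for (no staff privileges over a session opened through a social provider, and staff accounts must have 2FA) can be written down as a small authorization gate. This is an added illustration in Python, not Discourse's own code; the `Account`/`Session` classes, the role names and the policy functions are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class AuthMethod(Enum):
    PASSWORD = "password"   # local credentials checked by the forum itself
    SOCIAL = "social"       # Facebook / GitHub / Google connect and similar


@dataclass
class Account:
    username: str
    role: str               # "admin", "moderator" or "user" (hypothetical role set)
    mfa_enrolled: bool = False


@dataclass
class Session:
    account: Account
    auth_method: AuthMethod
    mfa_verified: bool = False   # second factor presented during this login


STAFF_ROLES = {"admin", "moderator"}


def social_login_allowed(acct: Account) -> bool:
    """Social providers may only open sessions for non-staff accounts without 2FA.
    The 2FA half mirrors what the thread says Discourse does; the staff half is
    the stricter rule the post proposes."""
    return not (acct.mfa_enrolled or acct.role in STAFF_ROLES)


def effective_role(session: Session) -> str:
    """Privilege actually granted to a session: staff rights are downgraded to
    plain 'user' unless the login was local and a second factor was verified."""
    acct = session.account
    if acct.role not in STAFF_ROLES:
        return acct.role
    if session.auth_method is AuthMethod.SOCIAL:
        return "user"
    if not (acct.mfa_enrolled and session.mfa_verified):
        return "user"
    return acct.role


def may_download_backup(session: Session) -> bool:
    """Backup/database export is the capability the thread worries about most."""
    return effective_role(session) == "admin"


def staff_without_mfa(accounts) -> list:
    """Audit helper: staff accounts that still have no second factor enrolled."""
    return sorted(a.username for a in accounts
                  if a.role in STAFF_ROLES and not a.mfa_enrolled)
```

`staff_without_mfa` is the check a forum owner would run before turning the policy on, so no administrator locks themselves out.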