Possible data breach

Announcements made here about the game and the company.

Re: Possible data breach

Postby Razbae » Wed Jan 02, 2019 12:10 pm

Why would someone want to login to a town of salem account that badly? People are weird.
User avatar
Razbae
Vigilante
Vigilante
 
Posts: 672
Joined: Tue Sep 02, 2014 8:34 am
Location: i only like men back off ladies

Re: Possible data breach

Postby Razbae » Wed Jan 02, 2019 12:23 pm

Tusillody wrote:
Razbae wrote:Why would someone want to login to a town of salem account that badly? People are weird.


The account information found in this breach will be used to hack accounts on other websites or services. The information was being sold in early December, so it's already being used.


Oh that makes sense. Thanks for that.
User avatar
Razbae
Vigilante
Vigilante
 
Posts: 672
Joined: Tue Sep 02, 2014 8:34 am
Location: i only like men back off ladies

Re: Possible data breach

Postby Chemist1422 » Wed Jan 02, 2019 12:23 pm

Tusillody wrote:The information was being sold in early December, so it's already being used.

You gonna back up that claim or?
mist ~ she/her

i guess this is goodbye?
(still here for danganronpa i guess)


stop sending reports to me i'm not a tos game moderator
User avatar
Chemist1422
FM Game Moderator
FM Game Moderator
 
Posts: 1026
Joined: Tue Mar 20, 2018 5:39 pm
Location: on the beach at dusk (CST/CDT)

Re: Possible data breach

Postby sportakus1 » Wed Jan 02, 2019 12:25 pm

Changed my pass, but leaked IP and e-mail is still concerning me.

I hope this wont affect me in any way in future, otherwise I might delete my account to save myself from this mess.
My Role Ideas:
Informator

List of roles I like:
Spoiler: -investigator
-Consigliere
-Jailor
-Retributionist


List of roles I do not like:
Spoiler: -Framer
-Medium
-Mayor
-witch
-werewolf
(Only if someone else play werewolf role.)
User avatar
sportakus1
Medium
Medium
 
Posts: 162
Joined: Mon Oct 27, 2014 4:43 am

Re: Possible data breach

Postby S0me0ne23 » Wed Jan 02, 2019 12:33 pm

Chemist1422 wrote:
Tusillody wrote:The information was being sold in early December, so it's already being used.

You gonna back up that claim or?

Maybe linking to where that data is being sold isn't the wisest idea?
User avatar
S0me0ne23
Lookout
Lookout
 
Posts: 83
Joined: Fri Dec 05, 2014 10:25 pm

Re: Possible data breach

Postby Dipsys » Wed Jan 02, 2019 12:37 pm

Is there actually no way to delete my account from the forums or am I just blind? I would very much like to delete it since I don't actually use this anyways. I know it doesn't undo what has happened in any way but I still don't feel comfortable continuing to have a profile here.

If it's not something I can do by myself I would greatly appreciate a staff member deleting if for me.
Dipsys
Newbie
Newbie
 
Posts: 1
Joined: Sun Apr 02, 2017 2:35 pm

Re: Possible data breach

Postby sportakus1 » Wed Jan 02, 2019 12:38 pm

Tusillody wrote:
sportakus1 wrote:Changed my pass, but leaked IP and e-mail is still concerning me.

I hope this wont affect me in any way in future, otherwise I might delete my account to save myself from this mess.


Deleting your account will not save you from anything. Make sure your email password is not the same as the breached password and you should be fine. In a breach like this, IP addresses are not cared for. It's the account information that can be used on other sites and services, and credit card info that is either used for return-scams or sold off.



Changed e-mail

Repeating, if this mess gets worse than in current state, either for this game or for me, I will request deleting the account. So far, I will keep watching.
My Role Ideas:
Informator

List of roles I like:
Spoiler: -investigator
-Consigliere
-Jailor
-Retributionist


List of roles I do not like:
Spoiler: -Framer
-Medium
-Mayor
-witch
-werewolf
(Only if someone else play werewolf role.)
User avatar
sportakus1
Medium
Medium
 
Posts: 162
Joined: Mon Oct 27, 2014 4:43 am

Re: Possible data breach

Postby Varanus » Wed Jan 02, 2019 12:38 pm

Clearly the people trying to make a profit off the info are a far more reputable source about what's in there than the actual devs
/s




Reminder to use a password manager so that the possible damage from these types of breaches is minimal. This isn't the first, nor will it be the last time a site you have an account on has data stolen.
You were expecting a decent signature...

BUT IT WAS ME! DIO!
User avatar
Varanus
FM Lead Moderator
FM Lead Moderator
 
Posts: 698
Joined: Fri Mar 06, 2015 10:08 am
Location: Lurking

Re: Possible data breach

Postby Flavorable » Wed Jan 02, 2019 12:39 pm

Dipsys wrote:Is there actually no way to delete my account from the forums or am I just blind? I would very much like to delete it since I don't actually use this anyways. I know it doesn't undo what has happened in any way but I still don't feel comfortable continuing to have a profile here.

If it's not something I can do by myself I would greatly appreciate a staff member deleting if for me.


You have to e-mail the developers for that.
No reply to your support ticket after 15 business days? PM me with your ticket number.

You may PM me for clarifications on appeal verdicts, but keep in mind the verdict will not change.

Do you have 151+ games played and want to help rid the community of toxic players and gamethrowers? Join the Trial System today: https://www.blankmediagames.com/Trial/#start

Also, check out the Trial System Discord Server: https://discord.gg/K5SnyJS
User avatar
Flavorable
Global Moderator
Global Moderator
 
Posts: 9279
Joined: Thu Apr 28, 2016 3:24 am
Location: Netherlands

Re: Possible data breach

Postby ICECLIMBERS » Wed Jan 02, 2019 12:39 pm

sportakus1 wrote:Changed my pass, but leaked IP and e-mail is still concerning me.

I hope this wont affect me in any way in future, otherwise I might delete my account to save myself from this mess.

Those should be nonissues. IP is vaguer than physical address, which is public information anyway. Email might cause headaches with spam but you won’t be losing money over it compared to, say, a credit card breach.
Passwords, on the other hand....
Spoiler: Image

in the distance the shelves
rode three shadows of blue
User avatar
ICECLIMBERS
[Forum Mafia VII] Winner
[Forum Mafia VII] Winner
 
Posts: 3080
Joined: Wed Nov 19, 2014 11:50 pm
Location: Eastern Time

Re: Possible data breach

Postby ElderSivart » Wed Jan 02, 2019 12:41 pm

Dipsys wrote:Is there actually no way to delete my account from the forums or am I just blind? I would very much like to delete it since I don't actually use this anyways. I know it doesn't undo what has happened in any way but I still don't feel comfortable continuing to have a profile here.

If it's not something I can do by myself I would greatly appreciate a staff member deleting if for me.

viewtopic.php?f=38&t=38940
tl;dr email info@blankmediagames.com and request deletion

Do note that your forum account is the SAME ACCOUNT as your game account so if it gets deleted you won't be able to play the game without making a new account and paying.
ElderSivart
Vigilante
Vigilante
 
Posts: 621
Joined: Sat Apr 30, 2016 8:55 pm
Location: Alrest

Re: Possible data breach

Postby S0me0ne23 » Wed Jan 02, 2019 12:45 pm

Varanus wrote:Clearly the people trying to make a profit off the info are a far more reputable source about what's in there than the actual devs
/s




Reminder to use a password manager so that the possible damage from these types of breaches is minimal. This isn't the first, nor will it be the last time a site you have an account on has data stolen.

+1
Having a unique password for every website should be common sense nowadays, and a password manager is the most realistic approach to generating and managing secure passwords for each site.

Also, I don't have enough information to say whether recent payment information would be vulnerable, but if BMG says that they don't store that information, then they don't store that information.
User avatar
S0me0ne23
Lookout
Lookout
 
Posts: 83
Joined: Fri Dec 05, 2014 10:25 pm

Re: Possible data breach

Postby Flavorable » Wed Jan 02, 2019 12:52 pm

Tusillody wrote:
KatiyaKramer wrote:
Tusillody wrote:
sportakus1 wrote:Changed my pass, but leaked IP and e-mail is still concerning me.

I hope this wont affect me in any way in future, otherwise I might delete my account to save myself from this mess.


Deleting your account will not save you from anything. Make sure your email password is not the same as the breached password and you should be fine. In a breach like this, IP addresses are not cared for. It's the account information that can be used on other sites and services, and credit card info that is either used for return-scams or sold off.

I'm pretty sure it was clarified that no info like credit card info was touched in all this. In fact if you read the main announcement:
Achilles wrote:
Important Notes:
We don't store any credit card or payment info
All passwords were hashed and not plain text, so your emails should all be safe still if they used the same password, but you can change that as well if you are worried.

The only important data compromised would be your Username/hashed password, IP and email. Everything else is just game related data.




I did read that announcement, and I also read the breach information from DeHashed, which is way more credible considering the lack of action from the developers regarding this whole situation.

"The data affected, includes but is not limited to:

Usernames, Emails, Passwords (phpass, MD5(WordPress), MD5(phpBB3)), IP Addresses, Game & Forum Activity, & Payment Information. With some of the users who paid for certain premium features having their billing information/data breached as well."

The forum here should be up in arms over the lies and lack of real announcement. The only reason we're here on this forum to discuss this is that other sources have notified us about the breach. The developers here knew a week ago.


A website that profits from security breaches and doesn't post a source of the actual data leaked, and makes claims of contact without being able to back them up with physical proof is not something I am going to believe over Developers. If you do, that's your prerogative, but personally, I'd rather go with something I know and trust. It's quite obvious that no payment info is stored, because if it had been, people would have become victims of creditcard fraud by now. Not to mention that the Developers have literally -just- been made aware of this, since they were absent for the holidays and are probably gathering more info before they send out an e-mail message about this, which is well within their rights.

There's plenty of much bigger companies out there getting security breaches with even more valuable information and even they are getting less heat than BMG is. Making a big fuss about it is just playing into the hands of the people trying to destroy this company, if we're being honest.
No reply to your support ticket after 15 business days? PM me with your ticket number.

You may PM me for clarifications on appeal verdicts, but keep in mind the verdict will not change.

Do you have 151+ games played and want to help rid the community of toxic players and gamethrowers? Join the Trial System today: https://www.blankmediagames.com/Trial/#start

Also, check out the Trial System Discord Server: https://discord.gg/K5SnyJS
User avatar
Flavorable
Global Moderator
Global Moderator
 
Posts: 9279
Joined: Thu Apr 28, 2016 3:24 am
Location: Netherlands

Re: Possible data breach

Postby FrankLeeAwful » Wed Jan 02, 2019 12:54 pm

Personally I find BMG's response well within the realm of plausibility.

This thread has somewhat predictably gotten out of hand.
User avatar
FrankLeeAwful
Doctor
Doctor
 
Posts: 198
Joined: Sun Jul 06, 2014 1:38 pm
Location: The depths of Tartarus

Re: Possible data breach

Postby shapesifter13 » Wed Jan 02, 2019 12:59 pm

We don't store any CC or payment information, so all credit card information is safe. Not sure where that site is getting their info, but that I can say is not true. The other information they claim was hacked all seems plausible.
shapesifter13
Developer
Developer
 
Posts: 4681
Joined: Fri Jan 02, 2015 4:55 pm

Re: Possible data breach

Postby PyromonkeyGG » Wed Jan 02, 2019 1:01 pm

We have identified one breach and have fixed it. We have been working with Rackspace to help identify any other potential leaks or vulnerabilities on our servers. We will be sending out a mass email announcement soon. Our #1 priority right now is to ensure that our servers are secure, then adding support in our code for forced password resets.
User avatar
PyromonkeyGG
Developer
Developer
 
Posts: 2198
Joined: Mon Feb 10, 2014 5:32 pm

Re: Possible data breach

Postby cents02 » Wed Jan 02, 2019 1:05 pm

This was said in the forums by the devs

Important Notes:

We don't store any credit card or payment info

All passwords were hashed and not plain text, so your emails should all be safe still if they used the same password, but you can change that as well if you are worried.

The only important data compromised would be your Username/hashed password, IP and email. Everything else is just game related data.

However, the source blog https://blog.dehashed.com/town-of-salem-blankmediagames-hacked/ states that credit card information has been compromised.

Usernames, Emails, Passwords (phpass, MD5(WordPress), MD5(phpBB3)), IP Addresses, Game & Forum Activity, & Payment Information. With some of the users who paid for certain premium features having their billing information/data breached as well.

Cared to explain?
cents02
Newbie
Newbie
 
Posts: 1
Joined: Sun Jun 05, 2016 2:38 pm

Re: Possible data breach

Postby S0me0ne23 » Wed Jan 02, 2019 1:06 pm

PyromonkeyGG wrote:We have identified one breach and have fixed it. We have been working with Rackspace to help identify any other potential leaks or vulnerabilities on our servers. We will be sending out a mass email announcement soon. Our #1 priority right now is to ensure that our servers are secure, then adding support in our code for forced password resets.

Do you plan on switching to a salted hash algorithm with SHA256 or another modern hash function?
User avatar
S0me0ne23
Lookout
Lookout
 
Posts: 83
Joined: Fri Dec 05, 2014 10:25 pm

Re: Possible data breach

Postby FrankLeeAwful » Wed Jan 02, 2019 1:10 pm

It's a good start. Meanwhile I'm praying for Unity to fix any other issues.
User avatar
FrankLeeAwful
Doctor
Doctor
 
Posts: 198
Joined: Sun Jul 06, 2014 1:38 pm
Location: The depths of Tartarus

Re: Possible data breach

Postby Varanus » Wed Jan 02, 2019 1:12 pm

FrankLeeAwful wrote:It's a good start. Meanwhile I'm praying for Unity to fix any other issues.

Image
You were expecting a decent signature...

BUT IT WAS ME! DIO!
User avatar
Varanus
FM Lead Moderator
FM Lead Moderator
 
Posts: 698
Joined: Fri Mar 06, 2015 10:08 am
Location: Lurking

Re: Possible data breach

Postby PyromonkeyGG » Wed Jan 02, 2019 1:12 pm

cents02 wrote:This was said in the forums by the devs

Important Notes:

We don't store any credit card or payment info

All passwords were hashed and not plain text, so your emails should all be safe still if they used the same password, but you can change that as well if you are worried.

The only important data compromised would be your Username/hashed password, IP and email. Everything else is just game related data.

However, the source blog https://blog.dehashed.com/town-of-salem-blankmediagames-hacked/ states that credit card information has been compromised.

Usernames, Emails, Passwords (phpass, MD5(WordPress), MD5(phpBB3)), IP Addresses, Game & Forum Activity, & Payment Information. With some of the users who paid for certain premium features having their billing information/data breached as well.

Cared to explain?


We already said we don't store any credit card or payment information. Not sure what more I can explain.
User avatar
PyromonkeyGG
Developer
Developer
 
Posts: 2198
Joined: Mon Feb 10, 2014 5:32 pm

Re: Possible data breach

Postby PyromonkeyGG » Wed Jan 02, 2019 1:14 pm

S0me0ne23 wrote:
PyromonkeyGG wrote:We have identified one breach and have fixed it. We have been working with Rackspace to help identify any other potential leaks or vulnerabilities on our servers. We will be sending out a mass email announcement soon. Our #1 priority right now is to ensure that our servers are secure, then adding support in our code for forced password resets.

Do you plan on switching to a salted hash algorithm with SHA256 or another modern hash function?


Ours is already salted.
User avatar
PyromonkeyGG
Developer
Developer
 
Posts: 2198
Joined: Mon Feb 10, 2014 5:32 pm

Re: Possible data breach

Postby ReversePolarity » Wed Jan 02, 2019 1:18 pm

Achilles wrote:
kristian818 wrote:large company


Our staff is myself, pyro, shapesifter (community manager), docexer and blueheatwave (Artist).

I'm sorry that this all happened and wasn't responded to quickly enough but people were on vacation spending time with their families (and his emails went to our spam filter). We aren't a large company we are an indie company. Yeah we have a lot of registered users but it was a F2P game and millions of those accounts played a few games and never came back.


I guess the 2 phone calls that dehashed sent, including one that according to them you answered also just went to your emails spam?
ReversePolarity
Newbie
Newbie
 
Posts: 4
Joined: Sun Apr 17, 2016 12:02 pm

Re: Possible data breach

Postby SereninSparks » Wed Jan 02, 2019 1:18 pm

PyromonkeyGG wrote:
S0me0ne23 wrote:
PyromonkeyGG wrote:We have identified one breach and have fixed it. We have been working with Rackspace to help identify any other potential leaks or vulnerabilities on our servers. We will be sending out a mass email announcement soon. Our #1 priority right now is to ensure that our servers are secure, then adding support in our code for forced password resets.

Do you plan on switching to a salted hash algorithm with SHA256 or another modern hash function?


Ours is already salted.


But what algorithm though?
SereninSparks
Newbie
Newbie
 
Posts: 1
Joined: Tue Jun 21, 2016 1:33 pm

Re: Possible data breach

Postby Royee » Wed Jan 02, 2019 1:20 pm

why do I am getting attacked by unknown website every time I refresh the site?
Recent Town game - 21A
Recent Mafia game - VFM73
Recent Neutral game - 17B
User avatar
Royee
Easter 2020 Winner
Easter 2020 Winner
 
Posts: 333
Joined: Wed Sep 30, 2015 1:11 pm
Location: UTC +3

PreviousNext

Return to Announcements

Who is online

Users browsing this forum: No registered users and 3 guests