Re: Possible data breach

Posted: Wed Jan 02, 2019 3:19 am
by kristian818
williewest wrote:There's a handy extension for Chrome, Firefox and Opera called Redirector by Einar Egilsson that can be used to make sure it redirects to https every time a BMG site is entered.


Personally I would recommend HTTPS Everywhere as an extension instead. It is open source and supported by EFF and Tor.

Re: Possible data breach

Posted: Wed Jan 02, 2019 3:20 am
by yauaustin202
Shouldn't this be pinned to the announcements of every forum? Not everyone checks announcements. Say forum games and FM users.
Would probably bring more awareness to the situation.

Re: Possible data breach

Posted: Wed Jan 02, 2019 3:21 am
by williewest
kristian818 wrote:
williewest wrote:There's a handy extension for Chrome, Firefox and Opera called Redirector by Einar Egilsson that can be used to make sure it redirects to https every time a BMG site is entered.


Personally I would recommend HTTPS Everywhere as an extension instead. It is open source and supported by EFF and Tor.

I like this guy. Go with him instead.

Re: Possible data breach

Posted: Wed Jan 02, 2019 3:24 am
by Technetium
yauaustin202 wrote:Shouldn't this be pinned to the announcements of every forum? Not everyone checks announcements. Say forum games and FM users.
Would probably bring more awareness to the situation.

Really, should go further than that in getting people to know of this.

Re: Possible data breach

Posted: Wed Jan 02, 2019 3:45 am
by Michael007800
Technetium wrote:
yauaustin202 wrote:Shouldn't this be pinned to the announcements of every forum? Not everyone checks announcements. Say forum games and FM users.
Would probably bring more awareness to the situation.

Really, should go further than that in getting people to know of this.

I've just heard of this for the first time via the HaveIBeenPwned email alert. More info on the hack can be found on this website which alerted the breach.
https://blog.dehashed.com/town-of-salem ... es-hacked/

EDIT: Service name is HaveIBeenPwned, not You'veBeenPwned. I do recommend an account with them, it's useful for tracking hacks on 99% of online websites.
https://haveibeenpwned.com/

Hope that things get patched up quickly, I have enjoyed a good game of ToS since the Kickstarters!

Re: Possible data breach

Posted: Wed Jan 02, 2019 3:47 am
by Deagler
Dash2 wrote:Reading the OP again, did you guys seriously just all go on vacation with no monitoring of the site at all???


Relax, they did monitor. Dehashed's emails were going to spam. How often do you check your spam emails?

Also it's like a 5-person indie company, chill out -- they were on holiday... Indie devs of all people deserve a break every now and then...

Re: Possible data breach

Posted: Wed Jan 02, 2019 4:09 am
by kristian818
Deagler wrote:
Dash2 wrote:Reading the OP again, did you guys seriously just all go on vacation with no monitoring of the site at all???


Relax, they did monitor. Dehashed's emails were going to spam. How often do you check your spam emails?

Also it's like a 5-person indie company, chill out -- they were on holiday... Indie devs of all people deserve a break every now and then...



They said they made a successful call: Friday, 12/28/2018 – 12:33 PM PST – Called BlankMediaGames

Sooooo

Re: Possible data breach

Posted: Wed Jan 02, 2019 4:13 am
by Sting
I'd ignore my phone over Christmas too, especially if it's a number I don't recognise. Might be negligence on BMG's part but that's not really important at this stage.

Not the time to really point fingers and witch hunt until we know the full details in my opinion. Right now everybody associated with the game is in the same boat. Just cooperate until more news is broken then have your say. I'm sure they're all losing sleep tonight over this.

Re: Possible data breach

Posted: Wed Jan 02, 2019 4:36 am
by lemonader666
PotheadPrincess wrote:Could you perhaps update your password security? 6 characters is easy for hackers to bypass. Update it to 8 characters or more, with special characters and numbers

Symbols? Seriously? Jfc

Re: Possible data breach

Posted: Wed Jan 02, 2019 4:45 am
by yauaustin202
lemonader666 wrote:
PotheadPrincess wrote:Could you perhaps update your password security? 6 characters is easy for hackers to bypass. Update it to 8 characters or more, with special characters and numbers

Symbols? Seriously? Jfc

It's the user's choice how responsible the user wants to be about their password security; that responsibility should be held by the user, not the company. The company just needs to keep the passwords secure and not have them leaked.
Some of us don't feel like making our password s5N=S7J&MrMX?JEy and that should be okay. If my password is unhackablepassword123, and I get hacked, I deserve that.

Re: Possible data breach

Posted: Wed Jan 02, 2019 4:45 am
by Achilles
We’re seeing some reports that weak passwords can be cracked through the md5 hash. If your ToS password is shared with any other accounts you should change those passwords to be safe.

Re: Possible data breach

Posted: Wed Jan 02, 2019 4:49 am
by Technetium
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?

Re: Possible data breach

Posted: Wed Jan 02, 2019 4:53 am
by kruegerfreddy
Was only the Forum Database breached?
Was the game account breached?

If I log in through Steam is that account in danger as well?

Why was I informed about this by Firefox alarm and why didn't you guys reach out to your users?

Re: Possible data breach

Posted: Wed Jan 02, 2019 4:56 am
by Achilles
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously

Re: Possible data breach

Posted: Wed Jan 02, 2019 4:58 am
by kristian818
Sting wrote:I'd ignore my phone over Christmas too, especially if it's a number I don't recognise. Might be negligence on BMG's part but that's not really important at this stage.

Not the time to really point fingers and witch hunt until we know the full details in my opinion. Right now everybody associated with the game is in the same boat. Just cooperate until more news is broken then have your say. I'm sure they're all losing sleep tonight over this.



Sorry, but they did pick up the call and answer on the 28th.
Dehashed notes another call on the 29th was not answered.
Therefore they ignored the warning of the database hack.

https://blog.dehashed.com/town-of-salem ... es-hacked/

Re: Possible data breach

Posted: Wed Jan 02, 2019 5:06 am
by SirRainbowTortoise
kruegerfreddy wrote:Was only the Forum Database breached?
Was the game account breached?

If I log in through Steam is that account in danger as well?

Why was I informed about this by Firefox alarm and why didn't you guys reach out to your users?



Your Steam data is technically safe, unless there is any link between your ToS password and other services such as email, Steam, etc. If you don't reuse passwords you're fine, basically, just change the ToS password.

That said, BMG, just because you weren't storing passwords in plaintext is hardly a reason to celebrate. Hashes can be cracked and the people who use easily crackable passwords will likely reuse them elsewhere. You need to have a warning displayed on entering the game and the forums to change your passwords, don't ignore this. A way to change the password in-game would also be pretty nice.

Re: Possible data breach

Posted: Wed Jan 02, 2019 5:14 am
by UnSpotibleShadow
nu.nl wrote:De wachtwoorden zijn versleuteld volgens het MD5-algoritme, dat in de regel al jaren geldt als een zeer kwetsbare manier om wachtwoorden op te slaan.

Which roughly translates to:

The passwords are encrypted using the MD5-Algorithm, which has shown in the past to be a vulnerable way to store passwords

Achilles wrote:The BMG staff is just coming back from Christmas/New years vacation and we were informed that there may have been a breach of our database. I am currently in contact with Rackspace to figure out what happened and prevent it from happening again. You should update your Town of Salem passwords to be safe.


I surely agree you all should be free during the Christmas and New Year's period, however why is there NO ONE on call for security breaches? Sure, nobody has to be in the office, but there should at least be someone available to be reached when a security breach like this is happening and to fix it ASAP. BMG gave the hackers a couple of days to look around the database and steal close to 8m users' information.

Also, why is this not mailed to every registered user in the DB?! I had to find out thanks to the news site nu.nl that there was a breach, and yet no mail has been sent from BMG! Shame!

Re: Possible data breach

Posted: Wed Jan 02, 2019 5:32 am
by williewest
Dash2 wrote:Also that last part implies you somehow didn't expect an attack just because it was the holidays so ??????

At this point, you're not really contributing anything. Yes this just happened, yes it was partly due to negligence, yes they should hire more people and probably seek help that isn't just in-house from their base of operations, and they definitely should consult a professional on this matter.
Seeing as this is all clear, known, stated, stamped, message sent and received, why are you still ranting like a broken record?

Be useful, or be quiet. Losing our heads satisfies the person(s) who did this.

Re: Possible data breach

Posted: Wed Jan 02, 2019 5:34 am
by lemonader666
Can you mega-sticky the thread?

Re: Possible data breach

Posted: Wed Jan 02, 2019 5:40 am
by williewest
Dash2 wrote:Fuck off. My info got leaked and the devs' choices made matters worse. I have a right to complain.

You also have the right to remain silent.
You've left behind actual helpful comments and resorted to stating how you "cannot get over" that this happened. I got bad news for ya: No one who will respond can help you with your mental constipation. We cannot use that information. Go put it in a Steam review or something.
This happened, that bit is over, and repeating that you cannot believe this happened and just going "you're negligent" doesn't revert that.

Re: Possible data breach

Posted: Wed Jan 02, 2019 5:43 am
by MafiaMenace
lol the shitshow that is this thread

Re: Possible data breach

Posted: Wed Jan 02, 2019 5:44 am
by Multiuniverse
So why don't you guys change to use a better hashing software?

Re: Possible data breach

Posted: Wed Jan 02, 2019 5:45 am
by yauaustin202
lemonader666 wrote:Can you mega-sticky the thread?

This. Please.

Also jord, just go change your login info man. Ranting here won't get the issues resolved any faster and won't make your account safer. You should be double checking all your passwords right now.

Re: Possible data breach

Posted: Wed Jan 02, 2019 5:46 am
by Technetium
Multiuniverse wrote:So why don't you guys change to use a better hashing software?


Whether or not there were reasons for not changing other than inertia, is this going to be one of the things that is changed with fixing the site security?
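
Added example, not part of the original thread and not BMG's code: one way a site can move off MD5 password hashes, as asked in the posts above, by wrapping every existing hash in a salted slow KDF straight away and re-hashing from the real password at the next successful login. The record formats, `ITERATIONS`, the function names and the sample row are assumptions made for illustration; the legacy format is assumed to be a bare unsalted MD5 hex digest.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor
# Constructed sample row: unsalted MD5 of a made-up password.
LEGACY_ROW = "md5$" + hashlib.md5(b"Summer2018").hexdigest()

def _kdf(secret: bytes, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations).hex()

def _md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def _record(scheme: str, secret: bytes) -> str:
    salt = os.urandom(16)  # fresh random salt for every record
    return f"{scheme}${ITERATIONS}${salt.hex()}${_kdf(secret, salt, ITERATIONS)}"

def wrap_legacy(md5_hex: str) -> str:
    """Step 1, offline: protect an existing MD5 without knowing the password."""
    return _record("pbkdf2-md5", md5_hex.encode())

def hash_new(password: str) -> str:
    """Target format: the KDF applied directly to the password."""
    return _record("pbkdf2", password.encode())

def verify(password: str, stored: str):
    """Return (ok, record_to_store); the record is upgraded on a good login."""
    parts = stored.split("$")
    scheme = parts[0]
    if scheme == "md5" and len(parts) == 2:
        ok, current = hmac.compare_digest(_md5_hex(password), parts[1]), False
    elif scheme in ("pbkdf2-md5", "pbkdf2") and len(parts) == 4:
        iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
        secret = _md5_hex(password) if scheme == "pbkdf2-md5" else password
        ok = hmac.compare_digest(_kdf(secret.encode(), salt, iterations), parts[3])
        current = scheme == "pbkdf2" and iterations >= ITERATIONS
    else:
        return False, stored  # unknown or malformed record: reject
    # Step 2: only a successful login reveals the password, so re-hash then.
    return (ok, hash_new(password)) if ok and not current else (ok, stored)
```

Running `wrap_legacy` over every row leaves no bare MD5 at rest in the live database; it does nothing for hashes already copied in a breach, which is why the password change requested in the thread is still needed.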

Re: Possible data breach

Posted: Wed Jan 02, 2019 5:47 am
by Moltac
Sad, but thanks for letting us know!