Possible data breach


Re: Possible data breach

Postby Dash2 » Wed Jan 02, 2019 6:11 am

EvanManManMan wrote: [image]

sAmE

Re: Possible data breach

Postby kristian818 » Wed Jan 02, 2019 6:22 am

Jackparrot wrote:
Do you plan on, or are you looking into, who did this? I would really like to know who did this so that you can bring them to court. An attack this big is probably carried out by some very vengeful people, therefore I suspect that the botters could be behind this.


Not to ruin your dreams of an evil mastermind targeting BMG only for some absurd reason (like botters), but usually hackers scan for vulnerable websites with a large userbase through various search engines and programs. Then they compromise said servers to steal information (especially billing information or email+password). This login data can then be used on other sites that hold sensitive data, either for phishing (sextortion, as an example) or for directly stealing data from other sites with a valid login. It is a lot easier to target a small site than a large site, and since people reuse passwords quite often, chances are the hackers can hit a jackpot by hacking a small site.

Also, this attack is not that big if you believe what is written by dehashed. An RFI or LFI attack does not demand a lot to actually be successful with, and it is quick to run away from, since the server itself is doing the compromising by handing files to users it shouldn't give them to.
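The "server handing files to users it shouldn't" failure that kristian818 describes is what a hardened file resolver is meant to prevent. The following is an added example written for this thread, not code from BMG, phpBB, dehashed, or anyone posting here; the `/srv/forum/public` directory is a hypothetical placeholder. It accepts an untrusted relative path, resolves it to the file the OS would actually open, and refuses anything that lands outside the public directory (the LFI case) or that is a URL rather than a file name (the RFI case).

```python
import re
from pathlib import Path

# Hypothetical web root for the demo; a real deployment points this at the one
# directory the application is allowed to serve from.
PUBLIC_ROOT = Path("/srv/forum/public").resolve()

# Anything that begins with a URL scheme ("http:", "ftp:", ...) is a remote
# reference, never a local file name. Refusing it up front closes the RFI case.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


class PathRejected(ValueError):
    """Raised when an untrusted path must not be served."""


def resolve_public_path(user_path: str, root: Path = PUBLIC_ROOT) -> Path:
    """Map an untrusted, user-supplied path onto a file inside `root`.

    The containment check runs on the *resolved* absolute path, after `..`
    segments and symlinks have been collapsed, so the decision is made on the
    file the OS would open rather than on the string the user sent.
    """
    if not user_path or "\x00" in user_path:
        raise PathRejected("empty path or embedded NUL byte")
    if _SCHEME_RE.match(user_path):
        raise PathRejected("remote references are not served")
    # Every request is relative to root, even one that starts with a slash.
    candidate = (root / user_path.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathRejected("path escapes the public directory") from None
    return candidate


def is_allowed(user_path: str, root: Path = PUBLIC_ROOT) -> bool:
    """True if the request would be served, False if the resolver rejects it."""
    try:
        resolve_public_path(user_path, root)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Constructed sample requests: ordinary file names mixed with the kinds of
    # values an include/download handler should refuse.
    samples = [
        "images/avatar.png",            # plain file inside root
        "images/../style.css",          # normalises to root/style.css, still inside
        "/images/avatar.png",           # leading slash is stripped, stays relative
        "../../private/notes.txt",      # climbs out of root -> rejected
        "http://example.invalid/x.txt", # remote reference -> rejected
        "a\x00b",                       # NUL byte -> rejected
    ]
    for req in samples:
        print(f"{req!r:34} -> {'serve' if is_allowed(req) else 'reject'}")
```

The essential design choice is that the check is made on the resolved path and not on the raw string: string filters that look for `..` miss encodings and symlink tricks, whereas `resolve()` followed by `relative_to(root)` answers the only question that matters, namely whether the file that would be opened lives under the public directory.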

Re: Possible data breach

Postby Deagler » Wed Jan 02, 2019 6:23 am

Just let BMG handle it in peace. No one knows if BMG even has control of the hashing of the passwords... It could easily have been a phpBB vulnerability, since those have existed in the past... It's amazing how everyone in the ToS community is suddenly an experienced Software Engineer and is so ready to put BMG to shame.

Yeah, it happened. Yeah, it sucks. Yeah, they could have told us sooner. But so what, they were on a 5 day holiday when most software companies take 10 days during this time of the year. Give them a break and stop crying about it. Crying about it doesn't help the situation or speed up any process.

Data breaches are a reality in this day and age. Equifax actively tried to cover up their data breach for almost 3 months. BMG was on holiday for 5 days and didn't see a couple of emails, relax guys... It's no big conspiracy.

For now, since everyone is so worried:
- Change your ToS password to something secure
- If you used the same password somewhere else, change that password
- Set up 2FA on important accounts and your e-mail

Re: Possible data breach

Postby Knuffeldraak » Wed Jan 02, 2019 6:30 am

It's always best, regardless, to change your password with any kind of data breach. Always play the safe card.

Re: Possible data breach

Postby azapf2277 » Wed Jan 02, 2019 6:31 am

So much crying going on here. Don't worry, nobody is gonna steal your bad credit.

Re: Possible data breach

Postby S0me0ne23 » Wed Jan 02, 2019 6:33 am

Technetium wrote:This is probably a stupid idea, but what would prevent them from, say, using a new hash algorithm on top of the old one, re-hash all the existing passwords, and have login run the two hashes in sequence?

So currently it uses what we'll call Hash A.
When a password is input on login, it goes plaintext>Hash A and is checked against the stored password, already converted plaintext>Hash A before storing.

What I'm thinking, is, they convert all the stored passwords with another hash, we'll call it B, and have the login setup hash the passwords twice to match, so it goes plaintext>Hash A>Hash B.

Now, I figure there's very likely some reason why this wouldn't work, so if there is, could someone explain what that reason is?

tl;dr is that doing a hash twice doesn't necessarily make it more secure than doing a hash once.
It's more complicated than that, like it would sort of make brute forcing a password harder, but you'd still be relying on MD5.
Like the problem isn't necessarily that somebody gets your password. The problem could very well be that somebody gets a seemingly random string of characters that just so happens to hash to the same value as your password.

I would recommend waiting until BMG fixes the issue to change your password on this site, as your new password could still be compromised until BMG fixes the vulnerability.
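The layered scheme Technetium asks about (plaintext > Hash A > Hash B) is a real migration pattern, and S0me0ne23's objection is also real: the outer hash only ever sees the MD5 digest. The block below is an added example, not code from the thread, BMG, or phpBB. It models "Hash A" as unsalted hex MD5 and "Hash B" as salted PBKDF2-HMAC-SHA256 (chosen only because it ships with Python's standard library; the iteration count is a demo value), wraps existing MD5 records without needing the password, verifies against either layout, and replaces the wrapped record with a direct one the first time the user logs in so the MD5 layer retires.

```python
import hashlib
import hmac
import os

# "Hash A" in the thread: the legacy store kept an unsalted hex MD5 of the password.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# "Hash B": a slow, salted password hash. Demo iteration count; tune for real use.
ITERATIONS = 100_000

def _slow_hash(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)

def wrap_legacy(md5_hex: str) -> dict:
    """Upgrade a stored MD5 digest without knowing the password: B(A(pw)).

    This can run as a one-off batch over the whole table, which is the appeal
    of the layered approach. Note that B never sees the password, only A(pw).
    """
    salt = os.urandom(16)
    return {"scheme": "slow(md5)", "salt": salt,
            "hash": _slow_hash(md5_hex.encode("ascii"), salt)}

def hash_direct(password: str) -> dict:
    """Target scheme once the user has logged in: B(pw), no MD5 in the chain."""
    salt = os.urandom(16)
    return {"scheme": "slow", "salt": salt,
            "hash": _slow_hash(password.encode("utf-8"), salt)}

def verify(password: str, record: dict) -> bool:
    """Check a password against either record layout in constant time."""
    if record["scheme"] == "slow(md5)":
        # For wrapped records the outcome depends only on md5(password): any
        # input with the same MD5 digest verifies, which is S0me0ne23's point.
        material = legacy_md5(password).encode("ascii")
    elif record["scheme"] == "slow":
        material = password.encode("utf-8")
    else:
        raise ValueError(f"unknown scheme {record['scheme']!r}")
    return hmac.compare_digest(_slow_hash(material, record["salt"]), record["hash"])

def login(password: str, record: dict):
    """Verify and, on success, re-hash directly so the wrapped record is replaced.

    Returns (ok, record_to_store). The caller persists the returned record.
    """
    if not verify(password, record):
        return False, record
    if record["scheme"] == "slow(md5)":
        record = hash_direct(password)
    return True, record

if __name__ == "__main__":
    # Constructed legacy row: what an MD5-only table would have stored.
    stored = legacy_md5("correct horse battery")
    row = wrap_legacy(stored)            # batch migration, password unknown
    ok, row = login("correct horse battery", row)
    print(ok, row["scheme"])             # True, "slow" after the first login
```

Two caveats follow directly from the code. First, for a `slow(md5)` record the verifier is a function of the MD5 digest alone, so the wrapping buys slower offline guessing but leaves every other property of MD5 in place until the user logs in and the record is rewritten. Second, wrapping does nothing for copies of the table that have already left the building: an MD5 digest cracked from the leaked dump yields the plaintext, which still verifies against the wrapped record, so a forced password reset is still needed for the affected accounts.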

Re: Possible data breach

Postby kristian818 » Wed Jan 02, 2019 6:36 am

Deagler wrote:Just let BMG handle it in peace. No one knows if BMG even has control of the hashing of the passwords... It could easily have been a phpBB vulnerability, since those have existed in the past... It's amazing how everyone in the ToS community is suddenly an experienced Software Engineer and is so ready to put BMG to shame.

Yeah, it happened. Yeah, it sucks. Yeah, they could have told us sooner. But so what, they were on a 5 day holiday when most software companies take 10 days during this time of the year. Give them a break and stop crying about it. Crying about it doesn't help the situation or speed up any process.

Data breaches are a reality in this day and age. Equifax actively tried to cover up their data breach for almost 3 months. BMG was on holiday for 5 days and didn't see a couple of emails, relax guys... It's no big conspiracy.

For now, since everyone is so worried:
- Change your ToS password to something secure
- If you used the same password somewhere else, change that password
- Set up 2FA on important accounts and your e-mail


Deagler, perhaps it would help if you read the article by dehashed (https://blog.dehashed.com/town-of-salem ... es-hacked/). They clearly state having called and received an answer on December 28th. Their hashing algorithm is old and outdated, declared unsafe by various people in tech. All these things are not complicated, and if you have the slightest interest in security as a hobby then you can understand it with a bit of reading. Mostly, people are unhappy with how the breach is handled, at least that is what I am, because breaches happen and sometimes in the weirdest ways. I bet if this really was an LFI or RFI attack then it was some weird form or file upload that accepted the attack. Easily forgettable and totally understandable, especially for a team of their size. However, when they don't react to calls from a security site then it is a problem. No matter the vacation, someone should always keep a little tab on logs and so on. Swap the duty around each day or something, but just keep an eye out.

Re: Possible data breach

Postby Deagler » Wed Jan 02, 2019 7:00 am

kristian818 wrote:
Deagler wrote:Just let BMG handle it in peace. No one knows if BMG even has control of the hashing of the passwords... It could easily have been a phpBB vulnerability, since those have existed in the past... It's amazing how everyone in the ToS community is suddenly an experienced Software Engineer and is so ready to put BMG to shame.

Yeah, it happened. Yeah, it sucks. Yeah, they could have told us sooner. But so what, they were on a 5 day holiday when most software companies take 10 days during this time of the year. Give them a break and stop crying about it. Crying about it doesn't help the situation or speed up any process.

Data breaches are a reality in this day and age. Equifax actively tried to cover up their data breach for almost 3 months. BMG was on holiday for 5 days and didn't see a couple of emails, relax guys... It's no big conspiracy.

For now, since everyone is so worried:
- Change your ToS password to something secure
- If you used the same password somewhere else, change that password
- Set up 2FA on important accounts and your e-mail


Deagler, perhaps it would help if you read the article by dehashed (https://blog.dehashed.com/town-of-salem ... es-hacked/). They clearly state having called and received an answer on December 28th. Their hashing algorithm is old and outdated, declared unsafe by various people in tech. All these things are not complicated, and if you have the slightest interest in security as a hobby then you can understand it with a bit of reading. Mostly, people are unhappy with how the breach is handled, at least that is what I am, because breaches happen and sometimes in the weirdest ways. I bet if this really was an LFI or RFI attack then it was some weird form or file upload that accepted the attack. Easily forgettable and totally understandable, especially for a team of their size. However, when they don't react to calls from a security site then it is a problem. No matter the vacation, someone should always keep a little tab on logs and so on. Swap the duty around each day or something, but just keep an eye out.


I've read the article and I actually have a professional interest in security (I work as a solutions architect & dev), so I do fully understand the implications of the breach. I don't really know why there is a mix of phpass (phpBB's newer, stronger hashing algorithm) and MD5 (phpBB3 fallback) hashes, but regardless, the hashes found would imply that BMG didn't make a conscious decision to choose a weaker, unsafe hashing algorithm and that it's controlled by phpBB. I'm sure they are well aware of the downfalls of MD5 themselves; I don't know why everyone is doubting them. Also, in regards to the LFI/RFI attack, we don't even know if it's BMG's direct fault. It could just as easily be a phpBB vulnerability or a third-party plugin...

Also, yeah, they made contact, and that's why I said they could have told us sooner in my previous reply. But everyone is ignoring that the first thing they did do was reach out to Rackspace to try and ensure they could fix the problem ASAP. As far as I'm concerned, BMG is doing their jobs and I'm sure they've already learnt a couple of lessons from this.

Everyone just has to chill and let them handle it. No one is really helping by crying about them...

Re: Possible data breach

Postby ICECLIMBERS » Wed Jan 02, 2019 7:01 am

TheGarner wrote:Anyway to delete an account? Haven’t used this for years and only remembered it due to the news of the breach.

viewtopic.php?f=38&t=38940

literally the second post in the faq subforum :roll:

Re: Possible data breach

Postby ChubbyMooshroom9 » Wed Jan 02, 2019 7:08 am

https://haveibeenpwned.com/

if you want to check

Re: Possible data breach

Postby Haaavier » Wed Jan 02, 2019 7:19 am

Question 1, are you going to email everyone to inform them of the breach? Not everyone checks the subreddit or the forums so not everyone will be aware of it.

Question 2, what steps are you going to take to prevent this from happening again in the future?

Re: Possible data breach

Postby Royee » Wed Jan 02, 2019 7:29 am

ChubbyMooshroom9 wrote:https://haveibeenpwned.com/

if you want to check

I am not in there; do I consider myself safe?

Re: Possible data breach

Postby Bodhrak » Wed Jan 02, 2019 7:32 am

Royee wrote:
ChubbyMooshroom9 wrote:https://haveibeenpwned.com/

if you want to check

I am not in there; do I consider myself safe?

It's pretty much impossible not to be on there, as the whole database was leaked.
Unless you changed your e-mail recently or you want to imply that wasn't the whole database, I guess you made an error.

Re: Possible data breach

Postby Royee » Wed Jan 02, 2019 7:41 am

Bodhrak wrote:
Royee wrote:
ChubbyMooshroom9 wrote:https://haveibeenpwned.com/

if you want to check

I am not in there; do I consider myself safe?

It's pretty much impossible not to be on there, as the whole database was leaked.
Unless you changed your e-mail recently or you want to imply that wasn't the whole database, I guess you made an error.

It is updated. I am affected. Damn, I moved email address because I was leaked on 3 sites.

Re: Possible data breach

Postby Chemist1422 » Wed Jan 02, 2019 7:42 am

So what should we do about it if we have been pwned?

Re: Possible data breach

Postby Royee » Wed Jan 02, 2019 7:44 am

Chemist1422 wrote:So what should we do about it if we have been pwned?

I am joining the question too.
What do we do besides changing the password?

Re: Possible data breach

Postby iggyvolz » Wed Jan 02, 2019 7:46 am

Royee wrote:
Chemist1422 wrote:So what should we do about it if we have been pwned?

I am joining the question too.
What do we do besides changing the password?

If you use the password elsewhere (first off, don't do that), change that too. No confirmation AFAIK that the breach is fixed, so be ready to change it again if needed. That's pretty much it.

@Achilles - any idea if the breach has in fact been fixed?

Re: Possible data breach

Postby punjian » Wed Jan 02, 2019 8:10 am

Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Wow can we ban him for being toxic pls? Keep this community clean please.

Re: Possible data breach

Postby ChubbyMooshroom9 » Wed Jan 02, 2019 8:15 am

Bodhrak wrote:
Royee wrote:
ChubbyMooshroom9 wrote:https://haveibeenpwned.com/

if you want to check

I am not in there; do I consider myself safe?

It's pretty much impossible not to be on there, as the whole database was leaked.
Unless you changed your e-mail recently or you want to imply that wasn't the whole database, I guess you made an error.

mfw my alts are fine but not my main

not like it matters lol the password is different

Re: Possible data breach

Postby GoogleFeud » Wed Jan 02, 2019 8:30 am

Someone tried to access my account 13 hours ago from El Limón, Aragua, Venezuela, with IP 190.38.37.97, but Google stopped them :BlobTea:

Re: Possible data breach

Postby Chemist1422 » Wed Jan 02, 2019 8:32 am

GoogleFeud wrote:Someone tried to access my account 13 hours ago from El Limón, Aragua, Venezuela, with IP 190.38.37.97, but Google stopped them :BlobTea:

So who do we report that to?

Re: Possible data breach

Postby TurdPile » Wed Jan 02, 2019 8:32 am

The password hashing is controlled by the forum software; the forum at the moment is deeply ingrained with interactions with the game, which makes any changes to the forum software literally game-breaking. With the Unity development, the BMG devs are working on completely decoupling the game from the forum and ditching phpBB altogether for a better forum software (Vanilla is what was being discussed).
TurdPile
Site Admin

Re: Possible data breach

Postby ApolloRD » Wed Jan 02, 2019 8:48 am

Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.

Re: Possible data breach

Postby BoringLorik » Wed Jan 02, 2019 8:54 am

rip

Re: Possible data breach

Postby Stormbird » Wed Jan 02, 2019 9:01 am

Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


You got 7M accounts breached, and you can't even give responsibility. As for the emails falling in your "spam" folder, I call BS. You guys just sat on the breach for days.

Also, FYI, you are not GDPR-compliant. You'd better take action on this front too, or I have no doubt that you will be sued.
