
Re: Possible data breach

PostPosted: Wed Jan 02, 2019 8:32 am
by Chemist1422
GoogleFeud wrote:Someone tried to access my account 13 hours ago from El Limón, Aragua, Venezuela, with IP 190.38.37.97, but Google stopped them :BlobTea:

So who do we report that to

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 8:32 am
by TurdPile
The password hashing is controlled by the forum software; the forum at the moment is deeply ingrained with interactions with the game, which makes any changes to the forum software literally game-breaking. With the Unity development, the BMG devs are working on completely decoupling the game from the forum and ditching PhpBB altogether for a better forum software (Vanilla is what was being discussed).

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 8:48 am
by ApolloRD
Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 9:01 am
by Stormbird
Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


You got 7M accounts breached, and you can't even give responsibility. As for the emails falling in your "spam" folder, I call BS. You guys just sat on the breach for days.

Also, FYI, you are not GDPR-compliant. You'd better take action on this front too, or I have no doubt that you will be sued.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 9:03 am
by MafiaMenace
ApolloRD wrote:
Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.

very big oopsie

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 9:14 am
by Operaismo
omg.....

are you serious??? This is really bad omg.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 9:57 am
by miksu56
Operaismo wrote:omg.....

are you serious??? This is really bad omg.


It's not that bad. If you change your Town of Salem password, and your email password if it's the same as your Town of Salem password, then you should be fine.

I doubt that anyone would bother to see if a username and password fit every single service they knew of and repeat that process for everyone they try to hack. Much easier to just see if email password is the same as the game password and from there to see how far they can go by using the same password.

Like Deagler wrote earlier:
Deagler wrote:- Change your ToS password to something secure
- If you used the same password somewhere else, Change that password
- Setup 2FA on important accounts and your e-mail


I also recommend going to Have I Been Pwned and signing up to get email notifications whenever they are informed of a data breach containing your email. Might also be a good idea to check if your email appears in any pastes and then report the pastes to Pastebin, even if the passwords were your old ones.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 9:57 am
by TurdPile
Stormbird wrote:As for the emails falling in your "spam" folder, I call BS. You guys just sat on the breach for days.


They are working with vendors to investigate this.

And you wonder why he gave a snarky/sarcastic response when you make a comment like that right afterwards. Bravo.

Also, I just ran a test email on both Pwn and dehashed and both sent emails to my junk folder automatically (I am using hotmail). So it checks out on my side.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 10:09 am
by YFYDB
WATCH OUT IT'S A LONG ESSAY ABOUT HOW MUCH YOU DISAPPOINTED ME. DO NOT OPEN THE SPOILERS IF YOU DO NOT WANT TO READ IT ALL.
Admins... I am a Christian, my religion forces me to respect every human being, but you lost my respect.
Spoiler: I never used to care if a website is safe or not. I was looking for anime for hours on unsafe websites with millions of trojans on them... Nothing. Once when I was playing another game I was in a very small sect. I made an account on their forum, and then I left them, when I realized they are a sect... Nothing. I used to play a game where players have been literally screaming for fear of hackers... Nothing.
You were one of the safest websites I made an account on. When I was making my account, I was only afraid that people would recognise my nickname, because I am YFYDB in a few places, or that I would waste the account by leaving it and never using it again, but those didn't happen.
Spoiler: I used to tolerate the haters, who are all over the ToS, because I am rude myself.
I used to tolerate the spammers, because I know from my experience that the boundary between spammers and just much-talking people is small. I thought somebody was just teasing you, admins.
I forgave you the fact that the people responsible for the spam attack were your entrusted people, because I understand that you may trust a wrong person.
I used to tolerate the annoying mods on the official Discord, who find me a hater and an ableist. Are you psychopaths/sociopaths, or do you understand that it was humiliating when I was muted only because a troll and hater said "I have autism and YFYDB is rude to me" (when he was the rude one)? Do you find it okay that moderators believe any troll who says "I have autism"? Everybody can say "I have autism, tolerate me", and you should never make mods of people who don't know it.


But that breanch (however it is typed) is the thing I CAN'T FORGIVE YOU FOR.
I can't believe ToS, the community where I belong, where I have found people that mean anything to me, where I became for the very first time "an experienced player", was hacked.

You should have known there might be an attack. Why? I have no idea if this was caused by the people who made the spamming bots, but I know one thing for sure: the spam attack encouraged hackers to hack the game, because they knew you struggled with the spam bots, so hackers thought "if they struggled with something like that, they will never deal with a professional attack". That's why you should have prepared a stronger defense before your vacation.
I blame you.
OMG, I should become a professional writer for real. Sorry for such a long post.
tl;dr Admins should have foreseen the attack and I don't like them anymore.


EDIT: I agree with that dude who said he has the right to complain. We must show the admins that we need to be safe, because if we remain silent, they will think "users don't mind".

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 10:15 am
by Flavorable
Companies get hacked and securities get breached all the time. While it's unfortunate, to the general consumer it's not as big a deal as everyone makes it out to be. If you use proper internet security etiquette yourself, there's not much people can do with your username and an encrypted password.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 10:34 am
by TurdPile
bkyblyat wrote:Sitting on a data breach like this is against GDPR. Considering EU citizens data got hacked, BMG can be fined. Interesting how this will turn out


GDPR is 72 hours for reporting, they made the announcement post at 3am (my time), about 4 or so hours after we were made aware of legitimacy of the breach. I was contacted about this at 2am by the devs asking if I knew any info about the breach that wasn't already made available, so really 1 hour from discovering to posting an announcement is well within GDPR regulation. The data deletion matter is a separate topic under GDPR though, but kind of outside the scope of this discussion.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 10:37 am
by AnnoymousGracey
But BMG knew 4 days before it happened. That's too late.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 10:43 am
by TurdPile
bkyblyat wrote:That website claims they were made aware december 28. Besides, I don't think a simple forum post even qualifies for informing affected users


Just because they said they contacted, doesn't mean they got in contact.

I got a message at 2am saying "Just now seeing all this shit about a data breach, Anything in the trial's code that could compromise db access?" - that doesn't scream awareness about having known about the issue to you, does it?

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 10:55 am
by YFYDB
Dare I touch this post with a 10 metre stick, but are you roleplaying your outrage?

No idea what you mean by roleplaying my outrage, I am writing it over.

Of course you can't foresee everything, but you have foreseen a bit too little. No forgiveness for you all.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 10:56 am
by Royee
the biggest problem I see with this is people who don't know about this and all of their passwords are pretty much the same.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 10:58 am
by goigle
MD5 in 2018? Is that a joke?

Being an indie developer is no excuse, that's a negligent disregard for security.
I've also heard the forums are 5 years out of date, is that true? Newer versions of phpBB use more secure hashing algorithms.
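TurdPile's point above is that the password hashing is whatever the forum software does, and goigle's is that newer phpBB versions use stronger schemes. The example below is added here and is not code from the forum, phpBB or BMG; it assumes the old store holds unsalted MD5 of the password (the thread says MD5 is in use) and uses stdlib PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt that newer phpBB uses. It shows why unsalted MD5 is a problem (two users with the same password get the same digest, so cracking one cracks both) and the upgrade-on-login pattern that migrates records to the slow, salted scheme without a forced password reset.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # stand-in work factor; tune to your hardware


def make_legacy_users() -> dict:
    """Constructed sample user table. Assumption: the legacy forum stored
    plain md5(password) with no salt, as discussed in the thread."""
    return {
        "alice": {"scheme": "md5", "hash": hashlib.md5(b"hunter2").hexdigest()},
        "bob":   {"scheme": "md5", "hash": hashlib.md5(b"hunter2").hexdigest()},
    }


def hash_modern(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash. Stored as pbkdf2_sha256$iters$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


def verify_legacy(password: str, stored: str) -> bool:
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)


def login(users: dict, username: str, password: str) -> bool:
    """Verify against whichever scheme the record uses. A successful login
    against a legacy MD5 record re-hashes the password with the modern
    scheme, so records migrate as users log in (upgrade-on-login)."""
    rec = users.get(username)
    if rec is None:
        return False
    if rec["scheme"] == "md5":
        if not verify_legacy(password, rec["hash"]):
            return False
        rec["scheme"], rec["hash"] = "pbkdf2_sha256", hash_modern(password)
        return True
    return verify_modern(password, rec["hash"])


if __name__ == "__main__":
    users = make_legacy_users()
    print("same MD5 for same password:", users["alice"]["hash"] == users["bob"]["hash"])
    login(users, "alice", "hunter2"); login(users, "bob", "hunter2")
    print("same hash after migration:", users["alice"]["hash"] == users["bob"]["hash"])
```

Until every account has logged in once, the unmigrated MD5 records remain exposed, which is why a breach of such a table still warrants forcing resets for the rest.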

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 11:05 am
by YFYDB
KatiyaKramer wrote:
YFYDB wrote:You were one of the safest websites I made an account on.

I would hate to know what other websites you use, because this was the farthest from being the safest site on the internet in terms of security... :BlobSweat:

It used to be.
Emm... Just regular websites with anime.


Yeah.... 5 years too old? It is named procrastination...

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 11:26 am
by Flavorable
Tusillody wrote:
williewest wrote:
orangeandblack5 wrote:Now would be a great time to switch to https for the forums too, no? Unless I'm seeing things my browser keeps flashing "WEBSITE NOT SECURE" at me in bright red every time I try to log in lol

I can help with this. From what I've just tested, going into your bookmarks and editing the BMG ones to contain https:// at the beginning, and also adding it to the url of the page you're currently on in the url bar does seem to make it default to https instead of http.
Alternatively, if your browser does not do this as a function or it reverts back to http, there's a handy extension for Chrome, Firefox and Opera called Redirector by Einar Egilsson that can be used to make sure it redirects to https every time a BMG site is entered.

Edit: Better alternative- "HTTPS everywhere" (Thank kristian818 a couple posts down)



I have just logged into the town of salem website and was redirected here with an insecure link. We should not have to add the "s" to "https", these devs have left all of our data wide open for years. Now it's caught up to all of us.

"We're not a large company we are an indie company"

This excuse is bollocks. No excuse is good enough for all of the incompetence from this team. They will find the legal trouble they deserve, and soon.


I sincerely doubt there's any legal trouble over this. No one is ever obligated to use an https website.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 11:30 am
by TurnaboutTeddy
MafiaMenace wrote:
ApolloRD wrote:
Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.

very big oopsie

You should leave this one to the community manager I think

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 11:35 am
by Technetium
I don't really think yelling at BMG about how they let this happen is going to get it fixed.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 11:39 am
by ChubbyMooshroom9
TurdPile wrote:The password hashing is controlled by the forum software; the forum at the moment is deeply ingrained with interactions with the game, which makes any changes to the forum software literally game-breaking. With the Unity development, the BMG devs are working on completely decoupling the game from the forum and ditching PhpBB altogether for a better forum software (Vanilla is what was being discussed).

Will I lose prosilver?

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 11:41 am
by MafiaMenace
BonnieThePenguin wrote:
MafiaMenace wrote:
ApolloRD wrote:
Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.

very big oopsie

You should leave this one to the community manager I think

lol bro sis? this entire mess is a joke

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 11:45 am
by TurdPile
Tusillody wrote:Edit: Just saw TurdPile's comment on GDPR time limit being 72 hours. This breach happened on December 22nd according to DeHashed and December 28th according to HaveIBeenPwned. That's a little longer than 72 hours. If you (The devs) expect anyone to believe that you had no clue about the breach until today then you're dumber than you think we are.


I, (not a dev, nor employee) do not care if you believe what I state as fact. Me doing my part to give proper information is enough to let me sleep at night; whether or not you want to believe the facts I tell you is up to you. The fact is GDPR regulations state 72 hours after awareness, not after occurrence. That is all I'm saying. Nothing more, nothing less. You can easily verify that information yourself.

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 11:49 am
by ChubbyMooshroom9
TurdPile wrote:
Tusillody wrote:Edit: Just saw TurdPile's comment on GDPR time limit being 72 hours. This breach happened on December 22nd according to DeHashed and December 28th according to HaveIBeenPwned. That's a little longer than 72 hours. If you (The devs) expect anyone to believe that you had no clue about the breach until today then you're dumber than you think we are.


I, (not a dev, nor employee) do not care if you believe what I state as fact. Me doing my part to give proper information is enough to let me sleep at night; whether or not you want to believe the facts I tell you is up to you. The fact is GDPR regulations state 72 hours after awareness, not after occurrence. That is all I'm saying. Nothing more, nothing less. You can easily verify that information yourself.

Ok that's cool and all but what about prosilver the masses await

Re: Possible data breach

PostPosted: Wed Jan 02, 2019 11:57 am
by TurnaboutTeddy
MafiaMenace wrote:
BonnieThePenguin wrote:
MafiaMenace wrote:
ApolloRD wrote:
Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.

very big oopsie

You should leave this one to the community manager I think

lol bro sis? this entire mess is a joke


Smooth edit :Clapping: