Possible data breach

Announcements made here about the game and the company.

Postby Achilles » Wed Jan 02, 2019 2:01 am

Hey everyone,

The BMG staff is just coming back from Christmas/New Year's vacation and we were informed that there may have been a breach of our database. I am currently in contact with Rackspace to figure out what happened and prevent it from happening again. You should update your Town of Salem passwords to be safe.

Important Notes:
We don't store any credit card or payment info. At all.
All passwords were hashed and not plain text. This means they do not know what your password is unless they run a program to attempt to guess it against the hashed password. Any reasonably strong password will take a very long time to be guessed.
Your accounts should all be safe still if they used the same password, but you can change that as well if you are worried.

The only important data compromised would be your Username/hashed password, IP and email. Everything else is just game related data.

Sorry that this happened; no game creator ever wants to be in this situation, and having it happen over the holiday break when everyone was away was terrible timing.

Update: To clarify, we do not handle money. At all. The third party payment processors are the ones that handle all of that. We never see your credit card, payment information, anything like that. We don't have access to that information.
Achilles
Developer
Posts: 1038
Joined: Sat Feb 08, 2014 5:02 pm

Re: Possible data breach

Postby Technetium » Wed Jan 02, 2019 2:11 am

What does it mean for a password to be hashed, exactly?

In memory of those who have been deleted.
The last poster to survive Blindside Island will win a cookie. Or perhaps 1500...
Technetium#8515 on Discord
Technetium
Godfather
Posts: 1941
Joined: Fri Dec 18, 2015 8:25 am
Location: The city, she's been dead, for years now...

Re: Possible data breach

Postby FrankLeeAwful » Wed Jan 02, 2019 2:13 am

Technetium wrote: What does it mean for a password to be hashed, exactly?


It means that the number of characters is visible, but not the characters themselves.
FrankLeeAwful
Doctor
Posts: 198
Joined: Sun Jul 06, 2014 1:38 pm
Location: The depths of Tartarus

Re: Possible data breach

Postby williewest » Wed Jan 02, 2019 2:17 am

Technetium wrote: What does it mean for a password to be hashed, exactly?

https://docs.oracle.com/cd/E26180_01/Pl ... ing01.html

It turns your password into gobbledegook once created. You attempt to log in, type in your password, and it turns the attempt into gobbledegook and compares it to what it has on file to make sure it's accurate.
Everything in my signature is a clickable link
Discord: William#2527
williewest
Transporter
Posts: 121
Joined: Fri Nov 13, 2015 7:32 pm
Location: Pensacola, Florida

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:29 am

4DEATH wrote: What is your average work/life balance like? I read more about your vacations than I read about you guys working on the game.


Everyone on the team works more than 40-hour weeks, and it is customary for every US company to give salaried employees the week after Christmas off. We rarely take time off, so that's a pretty insulting thing to imply.
Achilles
Developer
Posts: 1038
Joined: Sat Feb 08, 2014 5:02 pm

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:31 am

Technetium wrote: What does it mean for a password to be hashed, exactly?


Passwords are stored as a long string of letters/numbers that can't be computed without knowing the original plain-text password. If someone has your hashed password they could still log in to your ToS account if they know how to mimic our login networking message, though, so you should change your ToS password to be safe.
Achilles
Developer
Posts: 1038
Joined: Sat Feb 08, 2014 5:02 pm

Re: Possible data breach

Postby Shyyster » Wed Jan 02, 2019 2:35 am

So why didn't BMG hear about this data breach from an in-house source before the Reddit post was made on this topic?
TRIAL GANG GANG MEMBER
Shyyster
Easter 2020 Winner
Posts: 229
Joined: Mon Jul 24, 2017 2:23 am

Re: Possible data breach

Postby Technetium » Wed Jan 02, 2019 2:36 am

Is the breach fixed? I figure since I have a smaller number of passwords than things I use passwords for, I should wait until it is fixed before changing the password (though I'm changing other passwords that were the same as the one here).

In memory of those who have been deleted.
The last poster to survive Blindside Island will win a cookie. Or perhaps 1500...
Technetium#8515 on Discord
Technetium
Godfather
Posts: 1941
Joined: Fri Dec 18, 2015 8:25 am
Location: The city, she's been dead, for years now...

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:39 am

Shyyster wrote: So why didn't BMG hear about this data breach from an in-house source before the Reddit post was made on this topic?


There were some emails from dehashed in our spam folder that were missed and emails weren't actively being checked over the break. Apparently the website posted this stuff now and some people have registered for notifications from this website and then started posting on reddit.
Achilles
Developer
Posts: 1038
Joined: Sat Feb 08, 2014 5:02 pm

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:41 am

Technetium wrote: Is the breach fixed? I figure since I have a smaller number of passwords than things I use passwords for, I should wait until it is fixed before changing the password (though I'm changing other passwords that were the same as the one here).


We have Rackspace looking into it and have reached out to dehashed for more info. We will let you know when we figure out what happened.
Achilles
Developer
Posts: 1038
Joined: Sat Feb 08, 2014 5:02 pm

Re: Possible data breach

Postby williewest » Wed Jan 02, 2019 2:42 am

Shyyster wrote: So why didn't BMG hear about this data breach from an in-house source before the Reddit post was made on this topic?

In-house source? There's like, 7 of them. That's few enough that they all could've been off enjoying their holidays without really checking into their missed calls and emails too intently. I doubt there's a little IT gremlin named Steve who just dwells in the office basement over Holiday break and monitors the intake of contacts.
Everything in my signature is a clickable link
Discord: William#2527
williewest
Transporter
Posts: 121
Joined: Fri Nov 13, 2015 7:32 pm
Location: Pensacola, Florida

Re: Possible data breach

Postby Technetium » Wed Jan 02, 2019 2:43 am

Actually, I figure I might go ahead and change it once now and change it a second time (to what I'll keep as the new password longer-term) when the breach is known to be dealt with.

In memory of those who have been deleted.
The last poster to survive Blindside Island will win a cookie. Or perhaps 1500...
Technetium#8515 on Discord
Technetium
Godfather
Posts: 1941
Joined: Fri Dec 18, 2015 8:25 am
Location: The city, she's been dead, for years now...

Re: Possible data breach

Postby kristian818 » Wed Jan 02, 2019 2:46 am

How come DeHashed and Have I Been Pwned state they have known about this since 28 December, yet you write about it only now, 5 days later?
https://blog.dehashed.com/town-of-salem ... es-hacked/
They even state they made contact by phone and email, yet there was no statement just because it is vacation?
There should always be a person with a focus on security available for contact during vacations in case something like this happens, so customers get to know about it ASAP and not 5 days after a breach...

If you thought you could just cover it up then that is even worse.

Why are you using MD5 hashing, according to DeHashed and Have I Been Pwned?
MD5 can easily be cracked. Various tech institutes even consider MD5 essentially "cryptographically broken and unsuitable for further use".

It can't be true that a large company like this with 7.6M registered accounts and some paying customers can't handle security correctly and in good time when something happens.
kristian818
Jester
Posts: 13
Joined: Thu May 12, 2016 4:22 am
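The two technical points raised above, what a stored password hash is (williewest's and Achilles's replies) and why unsalted MD5 is a weak choice for it (kristian818's post), are illustrated by the following added Python example. It is not code from any post or from BMG; the account records, the record format and the iteration count are this example's own constructed choices. It stores the same two constructed passwords once with unsalted MD5 and once with a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256), and shows the login check as described in the thread: hash the attempt, compare it with what is on file.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts (not real data): two users who chose the same password.
USERS = {"alice": "Salem2018!", "bob": "Salem2018!"}


def md5_store(password: str) -> str:
    """Unsalted MD5, the scheme the thread says was in use: fast, and the same
    input always gives the same 32-hex-character output, for every user and site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(password: str, stored: str) -> bool:
    """The login check described in the thread: hash the attempt, compare to file."""
    return hmac.compare_digest(md5_store(password), stored)


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 310_000) -> str:
    """Hardened alternative: random per-user salt plus a deliberately slow KDF.
    The record format 'iterations$salt_hex$digest_hex' and the iteration count
    are this example's own choices, not the forum software's."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the salt and iteration count read from the stored record,
    then compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_password_visible(store) -> bool:
    """True if a dump of records produced by `store` reveals that alice and bob
    share a password. Unsalted MD5 yields identical rows; salted PBKDF2 does not,
    and a precomputed table of common MD5 values is useless against the salted rows."""
    rows = {user: store(pw) for user, pw in USERS.items()}
    return rows["alice"] == rows["bob"]


if __name__ == "__main__":
    for name, store in (("MD5", md5_store), ("PBKDF2", pbkdf2_store)):
        print(f"{name}: shared password visible in dump = {shared_password_visible(store)}")
```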

Re: Possible data breach

Postby MysticMismagius » Wed Jan 02, 2019 2:50 am

kristian818 wrote: How come DeHashed and Have I Been Pwned state they have known about this since 28 December, yet you write about it only now, 5 days later?
https://blog.dehashed.com/town-of-salem ... es-hacked/
They even state they made contact by phone and email, yet there was no statement just because it is vacation?
There should always be a person with a focus on security available for contact during vacations in case something like this happens, so customers get to know about it ASAP and not 5 days after a breach...

If you thought you could just cover it up then that is even worse.

Why are you using MD5 hashing, according to DeHashed and Have I Been Pwned?
MD5 can easily be cracked. Various tech institutes even consider MD5 essentially "cryptographically broken and unsuitable for further use".

It can't be true that a large company like this with 7.6M registered accounts and some paying customers can't handle security correctly and in good time when something happens.
While this is far from an official statement, one of the several Reddit posts on the subject contains a discussion about why BMG may have kept quiet about this. PyroEagle and Turdpile suggested that if BMG were to speak up about the breach, it could entice other potential hackers to breach the system again and again, since they have been told it is vulnerable.

Source: https://www.reddit.com/r/TownofSalemgam ... reach_you/

From a user perspective I disagree with this line of logic: As TP mentioned, if a breached company says something and the system gets breached repeatedly, you have to keep changing your passwords, and your data is vulnerable until the system gets patched. But, if no one says anything about the breach, the users don’t know about their data being compromised, thus, your data is vulnerable until the system is patched anyways. Literally nothing changes as far as the security of the users’ data.
Last edited by MysticMismagius on Wed Jan 02, 2019 2:52 am, edited 1 time in total.
MysticMismagius
Consigliere
Posts: 1271
Joined: Sun Apr 30, 2017 4:46 pm
Location: The 12th Astral Plane of Zamboni

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:52 am

kristian818 wrote: large company


Our staff is myself, pyro, shapesifter (community manager), docexer and blueheatwave (Artist).

I'm sorry that this all happened and wasn't responded to quickly enough, but people were on vacation spending time with their families (and his emails went to our spam filter). We aren't a large company, we are an indie company. Yeah, we have a lot of registered users, but it was a F2P game and millions of those accounts played a few games and never came back.
Achilles
Developer
Posts: 1038
Joined: Sat Feb 08, 2014 5:02 pm

Re: Possible data breach

Postby Shyyster » Wed Jan 02, 2019 2:52 am

williewest wrote:
Shyyster wrote: So why didn't BMG hear about this data breach from an in-house source before the Reddit post was made on this topic?

In-house source? There's like, 7 of them. That's few enough that they all could've been off enjoying their holidays without really checking into their missed calls and emails too intently. I doubt there's a little IT gremlin named Steve who just dwells in the office basement over Holiday break and monitors the intake of contacts.


Customers' data possibly being breached should be a top-priority issue where the Devs should have a system in place for emails/calls, even if it's 10+ missed calls from X person. At some point the excuse "It's a small team" needs to stop being a defense for BMG screwing up; this is that point.
TRIAL GANG GANG MEMBER
Shyyster
Easter 2020 Winner
Posts: 229
Joined: Mon Jul 24, 2017 2:23 am

Re: Possible data breach

Postby Sting » Wed Jan 02, 2019 2:55 am

Achilles wrote: Everything else is just game related data.


Could you please elaborate on this for clarity? On some 0-Day websites I've seen them reference this as browser data, what exactly was stored here?
Sting
Medium
Posts: 162
Joined: Tue Aug 05, 2014 2:38 am
Location: Eire

Re: Possible data breach

Postby kristian818 » Wed Jan 02, 2019 2:56 am

Achilles wrote:
kristian818 wrote: large company


Our staff is myself, pyro, shapesifter (community manager), docexer and blueheatwave (Artist).

I'm sorry that this all happened and wasn't responded to quickly enough, but people were on vacation spending time with their families (and his emails went to our spam filter). We aren't a large company, we are an indie company. Yeah, we have a lot of registered users, but it was a F2P game and millions of those accounts played a few games and never came back.


Even though they are F2P accounts, it is still a goldmine since many humans reuse passwords. I meant a large company in this sense: large in value, not the team itself. Even a small team should focus on security when handling values this large.
kristian818
Jester
Posts: 13
Joined: Thu May 12, 2016 4:22 am

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:57 am

Sting wrote:
Achilles wrote: Everything else is just game related data.


Could you please elaborate on this for clarity? On some 0-Day websites I've seen them reference this as browser analytics data, what exactly was stored here?


It seems like they got our phpBB database, so the analytics data stored in there, such as what browser you logged in on.
Achilles
Developer
Posts: 1038
Joined: Sat Feb 08, 2014 5:02 pm

Re: Possible data breach

Postby williewest » Wed Jan 02, 2019 3:03 am

Shyyster wrote:
williewest wrote:
Shyyster wrote: So why didn't BMG hear about this data breach from an in-house source before the Reddit post was made on this topic?

In-house source? There's like, 7 of them. That's few enough that they all could've been off enjoying their holidays without really checking into their missed calls and emails too intently. I doubt there's a little IT gremlin named Steve who just dwells in the office basement over Holiday break and monitors the intake of contacts.


Customers' data possibly being breached should be a top-priority issue where the Devs should have a system in place for emails/calls, even if it's 10+ missed calls from X person. At some point the excuse "It's a small team" needs to stop being a defense for BMG screwing up; this is that point.

Defense? It's not an excuse, more like "relevant and part of the fault in why these things happen." I'm not defending them and I don't intend to, I'm stating a fact: They have a small team, and this contributes towards the cons rather than the pros when issues arise.
My apologies for the lack of clarity.
Everything in my signature is a clickable link
Discord: William#2527
williewest
Transporter
Posts: 121
Joined: Fri Nov 13, 2015 7:32 pm
Location: Pensacola, Florida

Re: Possible data breach

Postby orangeandblack5 » Wed Jan 02, 2019 3:06 am

Now would be a great time to switch to https for the forums too, no? Unless I'm seeing things my browser keeps flashing "WEBSITE NOT SECURE" at me in bright red every time I try to log in lol
SwampRabbit wrote: your idea is that no town should ever be able to confirm themselves as town.

that is the dumbest idea I think I have heard.

ElderSivart wrote: I'm confused as to why BMG made a UI for Pirate and not Hypnotist.

Sarah Thorpe wrote: Role Ideas is great for masochists.
orangeandblack5
Halloween 2017 Winner
Posts: 5767
Joined: Tue Mar 17, 2015 9:24 pm
Location: University of Michigan

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 3:07 am

orangeandblack5 wrote: Now would be a great time to switch to https for the forums too, no? Unless I'm seeing things my browser keeps flashing "WEBSITE NOT SECURE" at me in bright red every time I try to log in lol


I'm on https right now
Achilles
Developer
Posts: 1038
Joined: Sat Feb 08, 2014 5:02 pm

Re: Possible data breach

Postby Technetium » Wed Jan 02, 2019 3:09 am

I'm on https and it says something about "website not fully secure, attackers can see and modify images" in a notice in the taskbar (Chrome browser)

In memory of those who have been deleted.
The last poster to survive Blindside Island will win a cookie. Or perhaps 1500...
Technetium#8515 on Discord
Technetium
Godfather
Posts: 1941
Joined: Fri Dec 18, 2015 8:25 am
Location: The city, she's been dead, for years now...

Re: Possible data breach

Postby kristian818 » Wed Jan 02, 2019 3:12 am

orangeandblack5 wrote: Now would be a great time to switch to https for the forums too, no? Unless I'm seeing things my browser keeps flashing "WEBSITE NOT SECURE" at me in bright red every time I try to log in lol


The forums currently allow both http and https connections. I don't know why they don't just redirect http to https.
kristian818
Jester
Posts: 13
Joined: Thu May 12, 2016 4:22 am

Re: Possible data breach

Postby williewest » Wed Jan 02, 2019 3:15 am

orangeandblack5 wrote: Now would be a great time to switch to https for the forums too, no? Unless I'm seeing things my browser keeps flashing "WEBSITE NOT SECURE" at me in bright red every time I try to log in lol

I can help with this. From what I've just tested, going into your bookmarks and editing the BMG ones to start with https://, and also adding it to the URL of the page you're currently on in the URL bar, does seem to make it default to https instead of http.
Alternatively, if your browser does not do this or it reverts back to http, there's a handy extension for Chrome, Firefox and Opera called Redirector by Einar Egilsson that can be used to make sure it redirects to https every time a BMG site is entered.

Edit: Better alternative: "HTTPS Everywhere" (thanks to kristian818 a couple of posts down)
Last edited by williewest on Wed Jan 02, 2019 3:22 am, edited 1 time in total.
Everything in my signature is a clickable link
Discord: William#2527
williewest
Transporter
Posts: 121
Joined: Fri Nov 13, 2015 7:32 pm
Location: Pensacola, Florida
