Data Breach Update

Announcements made here about the game and the company.

Data Breach Update

Postby Achilles » Wed Jan 02, 2019 6:01 pm

We have found and removed 3 different php files from our webserver that allowed the hacker to have a backdoor into the server. Rackspace is also running a malware check on all of our servers. We believe we have stopped their ability to continue gathering data but we are in the process of contacting security auditing firms and potentially discussing reinstalling all of our servers from scratch just to be 100% sure.

We are in the process of starting to email users but as you can imagine it takes some time to process and send out 8 million emails.

The community and mods have been helping us look into websites that have the data to see what is being done with it. Passwords were stored as a salted MD5 hash and not plaintext, but it appears that these hashes can still be brute forced to get the plain text password if it wasn't a very secure password. We have seen passwords as long as 10 characters being cracked.

If your Town of Salem password was the same on any other site you should change your passwords immediately to be safe.

No credit card/payment info or personal identifying information outside of your email/IP was stored.

As long as users who had a shared password update it on other sites they should be safe. Emails are starting to go out soon so that everyone will know about this.

We are making plans to replace phpBB with a more secure forum such as Vanilla and moving to a more secure hashing algorithm. Since we didn't store plaintext passwords we can't easily update everyone's hashes to a new algorithm but we are investigating our options.
Achilles
Developer
Posts: 868
Joined: Sat Feb 08, 2014 5:02 pm

Re: Data Breach Update

Postby Villagerlover » Wed Jan 02, 2019 6:06 pm

Thank y'all so much for taking action when you did.
I like doing custom ToS skins. Wanna tell me somethin'? Just send a PM! ^U^
Villagerlover
Blackmailer
Posts: 1145
Joined: Wed Jun 03, 2015 3:59 pm
Location: Hang on I need to ask Google Maps

Re: Data Breach Update

Postby ChocoMousse » Wed Jan 02, 2019 7:49 pm

Hi, I just want to update you regarding the payment information statement.

From some of my sources, it appears that the payment information leaked includes:

Email, Full Names, Billing & Shipping addresses, IP Information, payment amount, and other details. No Credit Card numbers.
ChocoMousse
Newbie
Posts: 2
Joined: Tue Sep 06, 2016 3:39 pm

Re: Data Breach Update

Postby ObiWanCumnobi » Wed Jan 02, 2019 8:11 pm

ChocoMousse wrote: Hi, I just want to update you regarding the payment information statement.

From some of my sources, it appears that the payment information leaked includes:

Email, Full Names, Billing & Shipping addresses, IP Information, payment amount, and other details. No Credit Card numbers.

Phew, at least my SSN and DNA sequence are safe, for now.
I'm Psyduck.
ObiWanCumnobi
Lookout
Posts: 91
Joined: Sun Aug 21, 2016 11:48 pm
Location: San Diego

Re: Data Breach Update

Postby ChocoMousse » Wed Jan 02, 2019 8:37 pm

ObiWanCumnobi wrote:
Phew, at least my ssn and dna sequence are safe, for now.

Equifax July 2017. Cough cough.
ChocoMousse
Newbie
Posts: 2
Joined: Tue Sep 06, 2016 3:39 pm

Re: Data Breach Update

Postby NateNate60 » Wed Jan 02, 2019 9:01 pm

I don't think it takes very long to send out 8 million emails, especially if they all essentially say the same thing.

A 10 KB message multiplied by eight million is 80 GB. At 100 megabytes per second (800 megabits per second), it'll take 800 seconds to send 80 GB, in theory. If we assume they're sending at 20% of the maximum capacity because of slow-running code or something, then it'll still take only about one hour.

Also, 10 KB is a pretty large email, especially considering the usual payload of the forum emails they send.
Rolled Jailer Exe Mayor
NateNate60
Executioner
Posts: 25
Joined: Thu Apr 13, 2017 5:16 pm

Re: Data Breach Update

Postby TheRetroPionner » Wed Jan 02, 2019 9:25 pm

There should be an official announcement in the game or something, if there isn't one already.
TheRetroPionner
Executioner
Posts: 21
Joined: Sun Dec 13, 2015 8:31 pm
Location: USA

Re: Data Breach Update

Postby behindsight » Wed Jan 02, 2019 9:40 pm

Love the game, but MD5 hashes, salted or not, have been a meme of a solution for at least a decade now. I hope there will be a statement on choosing a better algorithm than something so laughably easy to crack. A ton of those hashes have been already converted to plaintext.
behindsight
Newbie
Posts: 1
Joined: Tue Dec 25, 2018 11:52 pm

Re: Data Breach Update

Postby panapparos » Wed Jan 02, 2019 10:27 pm

I bought the game on Steam but I haven't made any in-game purchases (Town Points, skins etc).

Is my information (Email, Full Names, Billing & Shipping addresses, IP Information, payment amount etc.) included in the hacked data?
panapparos
Jester
Posts: 14
Joined: Fri Dec 14, 2018 2:49 am

Re: Data Breach Update

Postby MysticMismagius » Wed Jan 02, 2019 11:05 pm

NateNate60 wrote: I don't think it takes very long to send out 8 million emails, especially if they all essentially say the same thing.

A 10 KB message multiplied by eight million is 80 GB. At 100 megabytes per second (800 megabits per second), it'll take 800 seconds to send 80 GB, in theory. If we assume they're sending at 20% of the maximum capacity because of slow-running code or something, then it'll still take only about one hour.

Also, 10 KB is a pretty large email, especially considering the usual payload of the forum emails they send.
This doesn't account for the time it will take to write the email (deciding what to say and how to say it, especially since this message is kinda critical) which may add hours or more to the ETA.
MysticMismagius
Transporter
Posts: 123
Joined: Sun Apr 30, 2017 4:46 pm

Re: Data Breach Update

Postby James2 » Wed Jan 02, 2019 11:10 pm

Dehashed stated that some of the passwords were in phpass and others in MD5. Is this correct or were they all in MD5?
James2
Blackmailer
Posts: 1187
Joined: Tue Jun 16, 2015 9:53 am

Re: Data Breach Update

Postby James2 » Thu Jan 03, 2019 12:17 am

Also, it's clear from reading the other thread that a lot of people don't know what they're talking about.

While it is true that the idiots running this country have, for some unfathomable reason, given a bunch of foreign countries the power to regulate US businesses, the GDPR only applies to businesses that target EU markets. Unless Turkey joins the EU (which is unlikely for a number of reasons at this point), BMG doesn't have to worry about it.

Of course BMG still needs to promptly notify everyone, but since few (if any) US states consider passwords and email addresses to be protected data, it's unlikely that BMG could face legal ramifications.
James2
Blackmailer
Posts: 1187
Joined: Tue Jun 16, 2015 9:53 am

Re: Data Breach Update

Postby bkyblyat » Thu Jan 03, 2019 3:11 am

James, that is completely false; GDPR applies to any business that stores EU citizen data, no matter where the business is residing.
bkyblyat
Newbie
Posts: 4
Joined: Sun Oct 28, 2018 8:25 pm

Re: Data Breach Update

Postby ylyxa » Thu Jan 03, 2019 3:45 am

Achilles wrote: we can't easily update everyone's hashes to a new algorithm

What about changing the algorithm and then forcing a password reset on every single user? Two birds with one stone right there: you'd move to a more secure algorithm and users would change their passwords, which they should after a security breach.
ylyxa
Newbie
Posts: 4
Joined: Tue Aug 21, 2018 4:03 am
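Achilles' concern above (no plaintext, so the hashes can't simply be recomputed) and ylyxa's suggestion (switch algorithm, then make users rotate) can be combined without waiting for every user to log in: wrap each stored MD5 digest in a slow hash offline, then rehash from the plaintext on the next successful login. This is an added example in Python, not BMG's or phpBB's code; it assumes the legacy layout was hex(md5(salt || password)) and picks 600,000 PBKDF2 iterations, both assumptions.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 iteration count; 600,000 follows OWASP's 2023 guidance (assumption here).
ITERATIONS = 600_000


def legacy_md5(salt: bytes, password: str) -> str:
    # Assumed legacy layout: hex(md5(salt || password)). The thread only says "salted MD5";
    # the salt defeats precomputed tables but does not slow down per-guess cracking.
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def wrap_legacy(row: dict) -> dict:
    """Offline migration step: run once over every row, no plaintext needed.
    The stored MD5 hex digest becomes the PBKDF2 input, so anyone who steals the
    new table pays ITERATIONS rounds of SHA-256 per guess instead of one MD5."""
    new_salt = os.urandom(16)
    return {
        "scheme": "pbkdf2(md5)",
        "legacy_salt": row["salt"],
        "salt": new_salt,
        "hash": slow_hash(row["hash"].encode(), new_salt),
    }


def fresh_row(password: str) -> dict:
    """Native scheme for new passwords and for upgraded logins."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "hash": slow_hash(password.encode(), salt)}


def verify_and_upgrade(row: dict, password: str) -> tuple:
    """Login path. Returns (ok, row_to_store). A successful login under the wrapped
    scheme rehashes the plaintext directly, so MD5 disappears from that row."""
    wrapped = row["scheme"] == "pbkdf2(md5)"
    inner = legacy_md5(row["legacy_salt"], password).encode() if wrapped else password.encode()
    ok = hmac.compare_digest(slow_hash(inner, row["salt"]), row["hash"])
    if ok and wrapped:
        return True, fresh_row(password)
    return ok, row


# Constructed sample row, not data from the breach: salt "s4lt", password "hunter2".
SAMPLE_LEGACY = {"salt": b"s4lt", "hash": legacy_md5(b"s4lt", "hunter2")}
```

Rows still marked "pbkdf2(md5)" after a grace period are the ones a forced reset, as ylyxa proposes, should target.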

Re: Data Breach Update

Postby sportakus1 » Thu Jan 03, 2019 4:36 am

> We have seen passwords as long as 10 characters being cracked.

Holy smuck. That is some hard cracking they got in their minds to even get that.

Too bad mine is very long.
My Role Ideas:
Informator

List of roles I like:
- Investigator
- Consigliere
- Jailor
- Retributionist

List of roles I do not like:
- Framer
- Medium
- Mayor
- Witch
- Werewolf (only if someone else plays the Werewolf role.)
sportakus1
Medium
Posts: 168
Joined: Mon Oct 27, 2014 4:43 am

Re: Data Breach Update

Postby 4DEATH » Thu Jan 03, 2019 6:28 am

Achilles wrote: Passwords were stored as a salted MD5 hash and not plaintext, but it appears that these hashes can still be brute forced to get the plain text password if it wasn't a very secure password.

Just in two clicks I have found some info about MD5.

Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities.

MD5 and SHA-1 are emphatically poor choices for storing passwords.

But you guys used "SALTED MD5" so I spent another click. You know, the internet is full of how MD5 can be brute forced and such. BUT YOU GUYS USED SALTED MD5 HASH! That must be more secure than MD5, right, you guys wouldn't just plainly use insecure cryptography.

There is, in fact, no such thing as "salted MD5" or "salted SHA-1". MD5 and SHA-1 are well-defined hash functions, which take as input a sequence of bits of (almost) arbitrary length, and output a sequence of bits of fixed length (128 and 160 bits, respectively). There is no salt anywhere in the definitions of MD5 and SHA-1; no password either, for that matter.

Legacy Season, 2610 elo
Season 1, 2008 elo (bug abusers, only played 39 games)
Season 2, no games
Season 3, 2063 elo (few games but I don't have the count)
Season 4, 2170 elo
4DEATH
Trial System Judge
Posts: 128
Joined: Thu Apr 21, 2016 8:14 pm
Location: Turkey

Re: Data Breach Update

Postby Villagerlover » Thu Jan 03, 2019 7:21 am

4DEATH wrote:
Achilles wrote: Passwords were stored as a salted MD5 hash and not plaintext, but it appears that these hashes can still be brute forced to get the plain text password if it wasn't a very secure password.

Just in two clicks I have found some info about MD5.

Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities.

MD5 and SHA-1 are emphatically poor choices for storing passwords.

But you guys used "SALTED MD5" so I spent another click. You know, the internet is full of how MD5 can be brute forced and such. BUT YOU GUYS USED SALTED MD5 HASH! That must be more secure than MD5, right, you guys wouldn't just plainly use insecure cryptography.

There is, in fact, no such thing as "salted MD5" or "salted SHA-1". MD5 and SHA-1 are well-defined hash functions, which take as input a sequence of bits of (almost) arbitrary length, and output a sequence of bits of fixed length (128 and 160 bits, respectively). There is no salt anywhere in the definitions of MD5 and SHA-1; no password either, for that matter.

I know nothing about coding, hacking or all of that stuff... but the fact that 4DEATH is starting to use memes against Achilles's statements is now starting to worry me. ;u;
I like doing custom ToS skins. Wanna tell me somethin'? Just send a PM! ^U^
Villagerlover
Blackmailer
Posts: 1145
Joined: Wed Jun 03, 2015 3:59 pm
Location: Hang on I need to ask Google Maps

Re: Data Breach Update

Postby YFYDB » Thu Jan 03, 2019 8:09 am

4Death, memes make no sense. For me, the Pikachu's face is shocked, so when you use that meme I think you're shocked, but I don't think that's actually what you mean.

Dudes, do I have to change my password again?
My avatar is a random picture found in the internet.
YFYDB
Survivor
Posts: 31
Joined: Thu Aug 03, 2017 9:08 am

Re: Data Breach Update

Postby TheRetroPionner » Thu Jan 03, 2019 8:17 am

Is anybody else having problems? My forum password changed, but my in-game password is the same
TheRetroPionner
Executioner
Posts: 21
Joined: Sun Dec 13, 2015 8:31 pm
Location: USA

Re: Data Breach Update

Postby VoidRuler » Thu Jan 03, 2019 8:19 am

I have no idea why MD5 was used, as has been pointed out by many other users. It was already known to be a bad way of storing passwords by the time the game came out. It sucks that there's been so much hurled at the game recently, first the botting thing, then this, and I saw on the other thread about this someone said there might be DDoSing too? But I don't know if there really is DDoSing or if that was just an assumption.

Also, I don't mean to victim blame since it really isn't any of the users' faults, but it's common knowledge by now that people shouldn't be using the same password on multiple accounts (and if it's hard to remember all the different ones, write them down). I recommend everyone use 2-step authentication on their email. As long as you don't have the same password on anything else and your email has 2-step authentication, you should be fine. I mean, even without the 2-step authentication, your email should be fine, but it's just another precaution you can take. Another tip I have for other users is to stay updated on this, or at least start getting in the habit of changing your password for Town of Salem frequently - in case the breachers leak data again.

I'm pretty sure someone's already said this on the last thread about this but there really should be a large warning at the top of the login screen for the game itself, if there isn't one already, for the people who don't check their email a lot.
My favorite roles: Jailor, Janitor, Hypnotist, Potion Master

profile picture credit: homriette on tumblr

VoidRuler
Godfather
Posts: 1555
Joined: Wed Jul 23, 2014 5:59 pm
Location: EST (GMT-5, UTC-4)

Re: Data Breach Update

Postby Michael007800 » Thu Jan 03, 2019 9:09 am

VoidRuler wrote: I'm pretty sure someone's already said this on the last thread about this but there really should be a large warning at the top of the login screen for the game itself, if there isn't one already, for the people who don't check their email a lot.

Or never check their spam folder, like some people. ;)
Better Mobile Forums? Support this!
viewtopic.php?f=14&t=9966


Don't click me!
Michael007800
Sponsor
Posts: 100
Joined: Fri Apr 25, 2014 11:56 pm
Location: England

Re: Data Breach Update

Postby James2 » Thu Jan 03, 2019 9:34 am

bkyblyat wrote: James, that is completely false; GDPR applies to any business that stores EU citizen data, no matter where the business is residing.


According to Forbes, there needs to be some sort of attempt to target an EU market for a non-EU company (with no physical presence) to be subject to the law.

https://www.forbes.com/sites/forbestech ... 567c726ff2

In any case, BMG is already non-compliant with GDPR on a number of fronts. Hopefully, if it ever came to it, a US court would reject the theory that simply having a web presence makes one a subject of the EU.
James2
Blackmailer
Posts: 1187
Joined: Tue Jun 16, 2015 9:53 am

Re: Data Breach Update

Postby MysticMismagius » Thu Jan 03, 2019 9:39 am

For those asking why, the simplest explanation I can think of for why BMG continued to use the MD5 hashing is because that’s probably the hashing system that was already in place when they made/last updated the forum, and they just never changed it for some reason. Maybe they thought “we have better shit to do” and so changing the hashing wasn’t a priority to them, maybe they were hoping there wouldn’t be a problem like this, maybe they thought MD5 was good enough, whatever. That kind of thing happens all the time.
MysticMismagius
Transporter
Posts: 123
Joined: Sun Apr 30, 2017 4:46 pm

Re: Data Breach Update

Postby Flavorable » Thu Jan 03, 2019 10:45 am

TheRetroPionner wrote: Is anybody else having problems? My forum password changed, but my in-game password is the same.


Are you using the same username on the forums as you are ingame?
Steam ToS Moderator and Bug Report buttinsky.
Flavorable
Global Moderator
Posts: 1734
Joined: Thu Apr 28, 2016 3:24 am
Location: Netherlands

Re: Data Breach Update

Postby Jerme » Thu Jan 03, 2019 11:17 am

TheRetroPionner wrote: Is anybody else having problems? My forum password changed, but my in-game password is the same.

This is because you aren't using your ingame account login to the forums. You haven't played a single match with the current account of yours.
Visit my role suggestions and give me feedback: http://www.blankmediagames.com/phpbb/viewtopic.php?f=27&t=28949

I tend to write small stories into my will and dislike Forgers and Janitors for removing them.

If you see a Grim Reaper called 'Zoroark', know that you might have encountered me.

Occupation: A developer's pain and joy (QA-fox), currently "hired" by Ralozey
Jerme
Global Moderator
Posts: 16796
Joined: Thu Apr 30, 2015 2:09 pm
