Possible data breach


Re: Possible data breach

Postby bkyblyat » Wed Jan 02, 2019 10:39 am

That website claims they were made aware December 28. Besides, I don't think a simple forum post even qualifies for informing affected users.
bkyblyat
Newbie
Posts: 4
Joined: Sun Oct 28, 2018 8:25 pm

Re: Possible data breach

Postby TurdPile » Wed Jan 02, 2019 10:43 am

bkyblyat wrote:That website claims they were made aware December 28. Besides, I don't think a simple forum post even qualifies for informing affected users.


Just because they said they contacted, doesn't mean they got in contact.

I got a message at 2am saying "Just now seeing all this shit about a data breach, Anything in the trial's code that could compromise db access?" - that doesn't scream awareness about having known about the issue to you, does it?
Do not PM me about your open appeal. It will be ignored.

DISCLAIMER: I am a Moderator of the forums and the game.
I manage the clutter so the developers can do their work.
My voice and my opinions are of my own and shouldn't be taken as the
word of the developers (although I may be slightly more informed of
certain matters). Therefore, rude remarks I may occasionally make
should not impact the reputation of the developers.
Cheers.
TurdPile
Site Admin
Posts: 8038
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts

Re: Possible data breach

Postby YFYDB » Wed Jan 02, 2019 10:55 am

Dare I touch this post with a 10 metre stick, but are you roleplaying your outrage?

No idea, what you mean by roleplaying my outrage, I am writing it over.

Of course, you can't foresee everything, but you have foreseen a bit too little. No forgiveness for you all.
My avatar is a random picture found in the internet.
YFYDB
Survivor
Posts: 33
Joined: Thu Aug 03, 2017 9:08 am

Re: Possible data breach

Postby Royee » Wed Jan 02, 2019 10:56 am

the biggest problem I see with this is people who don't know about this and all of their passwords are pretty much the same.
Royee
Witch
Posts: 42
Joined: Wed Sep 30, 2015 1:11 pm

Re: Possible data breach

Postby KatiyaKramer » Wed Jan 02, 2019 10:57 am

YFYDB wrote:You were one of the safest websites I made an account on.

I would hate to know what other websites you use, because this was the farthest from being the safest site on the internet in terms of security... :BlobSweat:
Favorite roles: Jester, Witch, Consig, Veteran, Vampire Hunter, Jailor, Lookout, aannnndddd sometimes vampire.
Least favorite roles: Medium and Survivor

All hail Shelbow

TRIAL GANG GANG MEMBER
KatiyaKramer
St. Patrick's 2019 Winner
Posts: 759
Joined: Thu Apr 02, 2015 9:51 am

Re: Possible data breach

Postby goigle » Wed Jan 02, 2019 10:58 am

MD5 in 2018? Is that a joke?

Being an indie developer is no excuse, that's a negligent disregard for security.
I've also heard the forums are 5 years out of date, is that true? Newer versions of phpBB use more secure hashing algorithms.
goigle
Newbie
Posts: 1
Joined: Sun Jun 04, 2017 5:49 pm

Re: Possible data breach

Postby YFYDB » Wed Jan 02, 2019 11:05 am

KatiyaKramer wrote:
YFYDB wrote:You were one of the safest websites I made an account on.

I would hate to know what other websites you use, because this was the farthest from being the safest site on the internet in terms of security... :BlobSweat:

It used to be.
Emm... Just regular websites with anime.


Yeah.... 5 years too old? It is named procrastination...
My avatar is a random picture found in the internet.
YFYDB
Survivor
Posts: 33
Joined: Thu Aug 03, 2017 9:08 am

Re: Possible data breach

Postby bkyblyat » Wed Jan 02, 2019 11:07 am

TurdPile wrote:
bkyblyat wrote:That website claims they were made aware December 28. Besides, I don't think a simple forum post even qualifies for informing affected users.


Just because they said they contacted, doesn't mean they got in contact.

I got a message at 2am saying "Just now seeing all this shit about a data breach, Anything in the trial's code that could compromise db access?" - that doesn't scream awareness about having known about the issue to you, does it?


So you claim DeHashed is lying?

Friday, 12/28/2018 – 11:33 AM PST – Emailed BlankMediaGames
Friday, 12/28/2018 – 12:33 PM PST – Called BlankMediaGames
Saturday, 12/29/2018 – 15:01 PM PST – Emailed BlankMediaGames
Saturday, 12/29/2018 – 15:12 PM PST – Called BlankMediaGames (No Answer)
Sunday, 12/30/2018 – 09:12 AM PST – Emailed BlankMediaGames

They have received our emails per our original voice conversation, but are yet to respond or even acknowledge either the breach or the emails.
bkyblyat
Newbie
Posts: 4
Joined: Sun Oct 28, 2018 8:25 pm

Re: Possible data breach

Postby RetroAddict » Wed Jan 02, 2019 11:20 am

How do I change my password? I can't find any link to change it.
RetroAddict
Newbie
Posts: 1
Joined: Fri Jul 13, 2018 5:38 pm

Re: Possible data breach

Postby Tusillody » Wed Jan 02, 2019 11:23 am

williewest wrote:
orangeandblack5 wrote:Now would be a great time to switch to https for the forums too, no? Unless I'm seeing things my browser keeps flashing "WEBSITE NOT SECURE" at me in bright red every time I try to log in lol

I can help with this. From what I've just tested, going into your bookmarks and editing the BMG ones to contain https:// at the beginning, and also adding it to the url of the page you're currently on in the url bar does seem to make it default to https instead of http.
Alternatively, if your browser does not do this as a function or it reverts back to http, there's a handy extension for Chrome, Firefox and Opera called Redirector by Einar Egilsson that can be used to make sure it redirects to https every time a BMG site is entered.

Edit: Better alternative- "HTTPS everywhere" (Thank kristian818 a couple posts down)



I have just logged into the town of salem website and was redirected here with an insecure link. We should not have to add the "s" to "https", these devs have left all of our data wide open for years. Now it's caught up to all of us.

"We're not a large company we are an indie company"

This excuse is bollocks. No excuse is good enough for all of the incompetence from this team. They will find the legal trouble they deserve, and soon.
Tusillody
Jester
Posts: 15
Joined: Wed Aug 05, 2015 4:07 am

Re: Possible data breach

Postby Flavorable » Wed Jan 02, 2019 11:26 am

Tusillody wrote:
williewest wrote:
orangeandblack5 wrote:Now would be a great time to switch to https for the forums too, no? Unless I'm seeing things my browser keeps flashing "WEBSITE NOT SECURE" at me in bright red every time I try to log in lol

I can help with this. From what I've just tested, going into your bookmarks and editing the BMG ones to contain https:// at the beginning, and also adding it to the url of the page you're currently on in the url bar does seem to make it default to https instead of http.
Alternatively, if your browser does not do this as a function or it reverts back to http, there's a handy extension for Chrome, Firefox and Opera called Redirector by Einar Egilsson that can be used to make sure it redirects to https every time a BMG site is entered.

Edit: Better alternative- "HTTPS everywhere" (Thank kristian818 a couple posts down)



I have just logged into the town of salem website and was redirected here with an insecure link. We should not have to add the "s" to "https", these devs have left all of our data wide open for years. Now it's caught up to all of us.

"We're not a large company we are an indie company"

This excuse is bollocks. No excuse is good enough for all of the incompetence from this team. They will find the legal trouble they deserve, and soon.


I sincerely doubt there's any legal trouble over this. No one is ever obligated to use an https website.
Steam ToS Moderator and Bug Report buttinsky.
Flavorable
Global Moderator
Posts: 2836
Joined: Thu Apr 28, 2016 3:24 am
Location: Netherlands

Re: Possible data breach

Postby BonnieThePenguin » Wed Jan 02, 2019 11:30 am

MafiaMenace wrote:
ApolloRD wrote:
Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.

very big oopsie

You should leave this one to the community manager I think
CaO :3

Favorite roles: Coven Leader, Coven Leader, Witch, Coven Leader, Coven Leader, and also Coven Leader!
Least favorite roles: All that other stuff. But screw Amnesiac in particular.
BonnieThePenguin
Witch
Posts: 41
Joined: Sat Mar 14, 2015 9:54 pm

Re: Possible data breach

Postby Tusillody » Wed Jan 02, 2019 11:31 am

Flavorable wrote:
Tusillody wrote:
williewest wrote:
orangeandblack5 wrote:Now would be a great time to switch to https for the forums too, no? Unless I'm seeing things my browser keeps flashing "WEBSITE NOT SECURE" at me in bright red every time I try to log in lol

I can help with this. From what I've just tested, going into your bookmarks and editing the BMG ones to contain https:// at the beginning, and also adding it to the url of the page you're currently on in the url bar does seem to make it default to https instead of http.
Alternatively, if your browser does not do this as a function or it reverts back to http, there's a handy extension for Chrome, Firefox and Opera called Redirector by Einar Egilsson that can be used to make sure it redirects to https every time a BMG site is entered.

Edit: Better alternative- "HTTPS everywhere" (Thank kristian818 a couple posts down)



I have just logged into the town of salem website and was redirected here with an insecure link. We should not have to add the "s" to "https", these devs have left all of our data wide open for years. Now it's caught up to all of us.

"We're not a large company we are an indie company"

This excuse is bollocks. No excuse is good enough for all of the incompetence from this team. They will find the legal trouble they deserve, and soon.


I sincerely doubt there's any legal trouble over this. No one is ever obligated to use an https website.


I hope you are playing dumb, I do not mean they will find legal trouble over their https problem, but the data breach of almost 7 million accounts. No mass email to warn people, no way to request what info they store, they are in SERIOUS violation of GDPR and I'm excited to see what happens next.

Edit: Just saw TurdPile's comment on GDPR time limit being 72 hours. This breach happened on December 22nd according to DeHashed and December 28th according to HaveIBeenPwned. That's a little longer than 72 hours. If you (The devs) expect anyone to believe that you had no clue about the breach until today then you're dumber than you think we are.

Further edit: Data from this breach was being sold on December 10th. Good luck with the GDPR.
Last edited by Tusillody on Wed Jan 02, 2019 11:44 am, edited 2 times in total.
Tusillody
Jester
Posts: 15
Joined: Wed Aug 05, 2015 4:07 am

Re: Possible data breach

Postby Technetium » Wed Jan 02, 2019 11:35 am

I don't really think yelling at BMG about how they let this happen is going to get it fixed.
Technetium
Serial Killer
Posts: 2078
Joined: Fri Dec 18, 2015 8:25 am
Location: Swatting time flies

Re: Possible data breach

Postby ChubbyMooshroom9 » Wed Jan 02, 2019 11:39 am

TurdPile wrote:The password hashing is controlled by the forum software; the forum at the moment is deeply ingrained with interactions with the game, which makes any changes to the forum software literally game-breaking. With the Unity development, the BMG devs are working on completely decoupling the game from the forum and ditching PhpBB altogether for a better forum software (Vanilla is what was being discussed).

Will I lose prosilver?
ChubbyMooshroom9
[Forum Mafia XVII] Winner
Posts: 1469
Joined: Wed Jun 10, 2015 2:31 pm
Location: Memory Lane

Re: Possible data breach

Postby MafiaMenace » Wed Jan 02, 2019 11:41 am

BonnieThePenguin wrote:
MafiaMenace wrote:
ApolloRD wrote:
Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.

very big oopsie

You should leave this one to the community manager I think

lol bro sis? this entire mess is a joke
Last edited by MafiaMenace on Wed Jan 02, 2019 11:48 am, edited 1 time in total.


Hosted FM Games:
  • VFM30 (Town Wins)
  • SFM45 (Town Wins)
  • VFM39 (Mafia Wins)
MafiaMenace
Sheriff
Posts: 591
Joined: Tue Nov 14, 2017 1:53 pm
Location: Somewhere in the deep, dark, depths of Canada. (UTC -7)

Re: Possible data breach

Postby TurdPile » Wed Jan 02, 2019 11:45 am

Tusillody wrote:Edit: Just saw TurdPile's comment on GDPR time limit being 72 hours. This breach happened on December 22nd according to DeHashed and December 28th according to HaveIBeenPwned. That's a little longer than 72 hours. If you (The devs) expect anyone to believe that you had no clue about the breach until today then you're dumber than you think we are.


I, (not a dev, nor employee) do not care if you believe what I state as fact. Me doing my part to give proper information is enough to let me sleep at night; whether or not you want to believe the facts I tell you is up to you. The fact is GDPR regulations state 72 hours after awareness, not after occurrence. That is all I'm saying. Nothing more, nothing less. You can easily verify that information yourself.
Do not PM me about your open appeal. It will be ignored.

DISCLAIMER: I am a Moderator of the forums and the game.
I manage the clutter so the developers can do their work.
My voice and my opinions are of my own and shouldn't be taken as the
word of the developers (although I may be slightly more informed of
certain matters). Therefore, rude remarks I may occasionally make
should not impact the reputation of the developers.
Cheers.
TurdPile
Site Admin
Posts: 8038
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts

Re: Possible data breach

Postby ChubbyMooshroom9 » Wed Jan 02, 2019 11:49 am

TurdPile wrote:
Tusillody wrote:Edit: Just saw TurdPile's comment on GDPR time limit being 72 hours. This breach happened on December 22nd according to DeHashed and December 28th according to HaveIBeenPwned. That's a little longer than 72 hours. If you (The devs) expect anyone to believe that you had no clue about the breach until today then you're dumber than you think we are.


I, (not a dev, nor employee) do not care if you believe what I state as fact. Me doing my part to give proper information is enough to let me sleep at night; whether or not you want to believe the facts I tell you is up to you. The fact is GDPR regulations state 72 hours after awareness, not after occurrence. That is all I'm saying. Nothing more, nothing less. You can easily verify that information yourself.

Ok that's cool and all but what about prosilver the masses await
ChubbyMooshroom9
[Forum Mafia XVII] Winner
Posts: 1469
Joined: Wed Jun 10, 2015 2:31 pm
Location: Memory Lane

Re: Possible data breach

Postby Tusillody » Wed Jan 02, 2019 11:52 am

TurdPile wrote:
Tusillody wrote:Edit: Just saw TurdPile's comment on GDPR time limit being 72 hours. This breach happened on December 22nd according to DeHashed and December 28th according to HaveIBeenPwned. That's a little longer than 72 hours. If you (The devs) expect anyone to believe that you had no clue about the breach until today then you're dumber than you think we are.


I, (not a dev, nor employee) do not care if you believe what I state as fact. Me doing my part to give proper information is enough to let me sleep at night; whether or not you want to believe the facts I tell you is up to you. The fact is GDPR regulations state 72 hours after awareness, not after occurrence. That is all I'm saying. Nothing more, nothing less. You can easily verify that information yourself.


The team was aware days ago due to Dehashed calling and emailing before going public. They verified that emails had been read. Dehashed will be the bane of these excuses.
Tusillody
Jester
Posts: 15
Joined: Wed Aug 05, 2015 4:07 am

Re: Possible data breach

Postby BonnieThePenguin » Wed Jan 02, 2019 11:57 am

MafiaMenace wrote:
BonnieThePenguin wrote:
MafiaMenace wrote:
ApolloRD wrote:
Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.

very big oopsie

You should leave this one to the community manager I think

lol bro sis? this entire mess is a joke


Smooth edit :Clapping:
CaO :3

Favorite roles: Coven Leader, Coven Leader, Witch, Coven Leader, Coven Leader, and also Coven Leader!
Least favorite roles: All that other stuff. But screw Amnesiac in particular.
BonnieThePenguin
Witch
Posts: 41
Joined: Sat Mar 14, 2015 9:54 pm

Re: Possible data breach

Postby Tusillody » Wed Jan 02, 2019 12:00 pm

Achilles wrote:
Sting wrote:
Everything else is just game related data.


Could you please elaborate on this for clarity? On some 0-Day websites I've seen them reference this as browser analytics data, what exactly was stored here?


It seems like they got our phpbb database, so the analytic data stored in there such as what browser you logged in on.


"Usernames, Emails, Passwords (phpass, MD5(WordPress), MD5(phpBB3)), IP Addresses, Game & Forum Activity, & Payment Information. With some of the users who paid for certain premium features having their billing information/data breached as well."

Hmm.
Tusillody
Jester
Posts: 15
Joined: Wed Aug 05, 2015 4:07 am

Re: Possible data breach

Postby Tusillody » Wed Jan 02, 2019 12:09 pm

Dash2 wrote:Hey Tusil, I'm about as upset as you are but you're just reaching for a reason at this point lmao


Reaching? Take your spam elsewhere, adults are trying to talk here. Spend the time you're making these useless comments and go look at how hard this dev team has fucked you.
Tusillody
Jester
Posts: 15
Joined: Wed Aug 05, 2015 4:07 am

Re: Possible data breach

Postby Razbae » Wed Jan 02, 2019 12:10 pm

Why would someone want to login to a town of salem account that badly? People are weird.
Razbae
Vigilante
Posts: 679
Joined: Tue Sep 02, 2014 8:34 am
Location: NC

Re: Possible data breach

Postby Tusillody » Wed Jan 02, 2019 12:13 pm

Razbae wrote:Why would someone want to login to a town of salem account that badly? People are weird.


The account information found in this breach will be used to hack accounts on other websites or services. The information was being sold in early December, so it's already being used.
Tusillody
Jester
Posts: 15
Joined: Wed Aug 05, 2015 4:07 am

Re: Possible data breach

Postby Razbae » Wed Jan 02, 2019 12:23 pm

Tusillody wrote:
Razbae wrote:Why would someone want to login to a town of salem account that badly? People are weird.


The account information found in this breach will be used to hack accounts on other websites or services. The information was being sold in early December, so it's already being used.


Oh that makes sense. Thanks for that.
Razbae
Vigilante
Posts: 679
Joined: Tue Sep 02, 2014 8:34 am
Location: NC
