Possible data breach

Announcements made here about the game and the company.

Re: Possible data breach

Postby kruegerfreddy » Wed Jan 02, 2019 4:53 am

Was only the Forum Database breached?
Was the game account breached?

If I login though Steam is that account in danger as well?

Why was I informed about this by Firefox alarm and why didnt you guys reach out to your users?
kruegerfreddy
Newbie
Newbie
 
Posts: 1
Joined: Wed Jun 29, 2016 2:44 am

Re: Possible data breach

Postby PotheadPrincess » Wed Jan 02, 2019 4:56 am

yauaustin202 wrote:
lemonader666 wrote:
PotheadPrincess wrote:Could you perhaps update your password security? 6 characters is easy for hackers to bypass. Update it to 8 characters or more, with special characters and numbers

Symbols? Seriously? Jfc

It's the user's choice on how responsible the user wanna be on their password security, that responsibility should be held by the user not the company. The company just needs to keep the passwords secure and not have them leaked.
Some of us don't feel like making our password s5N=S7J&MrMX?JEy and that should be okay. If my password is unhackablepassword123, and i get hacked, i deserve that.

Doing these procedures makes it much more difficult for hackers to crack it. I agree it is the user's decision of course, but I also don't want users to have to ever come across this kind of situation.
I love my natural herbs
Refer to me as your "Highness"
User avatar
PotheadPrincess
Trial System Judge
Trial System Judge
 
Posts: 252
Joined: Thu Nov 03, 2016 1:16 pm

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 4:56 am

Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously
User avatar
Achilles
Developer
Developer
 
Posts: 913
Joined: Sat Feb 08, 2014 5:02 pm

Re: Possible data breach

Postby kristian818 » Wed Jan 02, 2019 4:58 am

Sting wrote:id ignore my phone over christmas too specially if it's a number i dont recognise. Might be negligence on BMG's part but that's not really important at this stage

Not the time to really point fingers and witch hunt until we know the full details in my opinion. Right now everybody associated with the game is in the same boat. Just cooperate until more news is broken then have your say. I'm sure they're all losing sleep tonight over this.



Sorry but they did pick up the call and answer on the 28th
Dehashed note another call on the 29th was not answered.
Therefore they ignored the warning of the database hack.

https://blog.dehashed.com/town-of-salem ... es-hacked/
kristian818
Jester
Jester
 
Posts: 13
Joined: Thu May 12, 2016 4:22 am

Re: Possible data breach

Postby s9yk3r » Wed Jan 02, 2019 5:01 am

So.. id' like to delete my town of salem account, how can i do?
s9yk3r
Newbie
Newbie
 
Posts: 1
Joined: Tue Jul 25, 2017 1:39 pm

Re: Possible data breach

Postby Dash2 » Wed Jan 02, 2019 5:05 am

Achilles wrote:The BMG staff is just coming back from Christmas/New years vacation and we were informed that there may have been a breach of our database. I am currently in contact with Rackspace to figure out what happened and prevent it from happening again. You should update your Town of Salem passwords to be safe.
Achilles wrote:Sorry that this happened, no game creator ever wants to be in this situation and having it happen over the holiday break when everyone was away was terrible timing.

Sorry but I can't get it off my mind that you guys literally just left the site unmonitored to take a vacation even after brute force attacks and such happening recently. Even just minimal effort could have helped get your attention a lot sooner
Image

Spoiler: Never forget, spiritofspirits
Image
User avatar
Dash2
[Forum Mafia X] Winner
[Forum Mafia X] Winner
 
Posts: 3366
Joined: Wed Oct 21, 2015 4:05 pm
Location: A discord versiom of TRASH

Re: Possible data breach

Postby SirRainbowTortoise » Wed Jan 02, 2019 5:06 am

kruegerfreddy wrote:Was only the Forum Database breached?
Was the game account breached?

If I login though Steam is that account in danger as well?

Why was I informed about this by Firefox alarm and why didnt you guys reach out to your users?



Your Steam data is technically safe, unless there is any link between your ToS password and other services such as email, Steam, etc. If you don't reuse passwords you're fine, basically, just change the ToS password.

That said, BMG, just because you weren't storing passwords in plaintext is hardly a reason to celebrate. Hashes can be cracked and the people who use easily crackable passwords will likely reuse them elsewhere. You need to have a warning displayed on entering the game and the forums to change your passwords, don't ignore this. A way to change the password ingame would also be pretty nice.
SirRainbowTortoise
Newbie
Newbie
 
Posts: 2
Joined: Tue Apr 28, 2015 12:49 pm

Re: Possible data breach

Postby Dash2 » Wed Jan 02, 2019 5:06 am

Also that last part implies you somehow didn't expect an attack just because it was the holidays so ??????
Image

Spoiler: Never forget, spiritofspirits
Image
User avatar
Dash2
[Forum Mafia X] Winner
[Forum Mafia X] Winner
 
Posts: 3366
Joined: Wed Oct 21, 2015 4:05 pm
Location: A discord versiom of TRASH

Re: Possible data breach

Postby UnSpotibleShadow » Wed Jan 02, 2019 5:14 am

nu.nl wrote:De wachtwoorden zijn versleuteld volgens het MD5-algoritme, dat in de regel al jaren geldt als een zeer kwetsbare manier om wachtwoorden op te slaan.

Which roughly translates to:

The passwords are encrypted using the MD5-Algorithm, which has shown in the past to be a vulnerable way to store passwords

Achilles wrote:The BMG staff is just coming back from Christmas/New years vacation and we were informed that there may have been a breach of our database. I am currently in contact with Rackspace to figure out what happened and prevent it from happening again. You should update your Town of Salem passwords to be safe.


I surely agree you all should be free during the Christmas and New Years period, however why is there NOONE on call for security breaches? Sure nobody has to be in the office but there should atleast be someone available to be reached when a security breach like this happening and to fix it ASAP. BMG gave the hackers a couple of days to look around the database and steal close to 8m users their information.

Also, why is this not mailed to every registered user in the DB?! I had to find out thanks to the News site nu.nl that there was a breach, and yet no mail has been send from BMG! Shame!
Last edited by UnSpotibleShadow on Wed Jan 02, 2019 8:12 am, edited 1 time in total.
UnSpotibleShadow
Newbie
Newbie
 
Posts: 1
Joined: Thu Feb 12, 2015 2:10 am

Re: Possible data breach

Postby williewest » Wed Jan 02, 2019 5:32 am

Dash2 wrote:Also that last part implies you somehow didn't expect an attack just because it was the holidays so ??????

At this point, you're not really contributing anything. Yes this just happened, yes it was partly due to negligence, yes they should hire more people and probably seek help that isn't just in-house from their base of operations, and they definitely should consult a professional on this matter.
Seeing as this is all clear, known, stated, stamped, message sent and received, why are you still ranting like a broken record?

Be useful, or be quiet. Losing our heads satisfies the person(s) who did this.
Image

Discord: William#2527

"Gems and humans, I mean... You put enough pressure on coal, it becomes a diamond. You put enough pressure on a human, he kills himself. So you see, they have a lot in common, just not that." -Chilled Chaos
"The world can't tell you who you are. You've just got to figure out who you are and be there, for better or worse." -Dave Chappelle
User avatar
williewest
Escort
Escort
 
Posts: 70
Joined: Fri Nov 13, 2015 7:32 pm
Location: Pensacola, Florida

Re: Possible data breach

Postby lemonader666 » Wed Jan 02, 2019 5:34 am

Can you mega-sticky the thread?
User avatar
lemonader666
[Forum Mafia XVI] Winner
[Forum Mafia XVI] Winner
 
Posts: 1509
Joined: Tue Nov 08, 2016 9:24 pm
Location: there was something here

Re: Possible data breach

Postby Dash2 » Wed Jan 02, 2019 5:35 am

Fuck off. My info got leaked and the devs' choices made matters worse. I have a right to complain.
Image

Spoiler: Never forget, spiritofspirits
Image
User avatar
Dash2
[Forum Mafia X] Winner
[Forum Mafia X] Winner
 
Posts: 3366
Joined: Wed Oct 21, 2015 4:05 pm
Location: A discord versiom of TRASH

Re: Possible data breach

Postby williewest » Wed Jan 02, 2019 5:40 am

Dash2 wrote:Fuck off. My info got leaked and the devs' choices made matters worse. I have a right to complain.

You also have the right to remain silent.
You've left behind actual helpful comments and resorted to stating how you "cannot get over" that this happened. I got bad news for ya: No one who will respond can help you with your mental constipation. We cannot use that information. Go put it in a Steam review or something.
This happened, that bit is over, and repeating that you cannot believe this happened and just going "you're negligent" doesn't revert that.
Image

Discord: William#2527

"Gems and humans, I mean... You put enough pressure on coal, it becomes a diamond. You put enough pressure on a human, he kills himself. So you see, they have a lot in common, just not that." -Chilled Chaos
"The world can't tell you who you are. You've just got to figure out who you are and be there, for better or worse." -Dave Chappelle
User avatar
williewest
Escort
Escort
 
Posts: 70
Joined: Fri Nov 13, 2015 7:32 pm
Location: Pensacola, Florida

Re: Possible data breach

Postby MafiaMenace » Wed Jan 02, 2019 5:43 am

lol the shitshow that is this thread
Image


Hosted FM Games:
  • VFM30 (Town Wins)
  • SFM45 (Town Wins)
  • VFM39 (Mafia Wins)
User avatar
MafiaMenace
Sheriff
Sheriff
 
Posts: 591
Joined: Tue Nov 14, 2017 1:53 pm
Location: Somewhere in the deep, dark, depths of Canada. (UTC -7)

Re: Possible data breach

Postby Multiuniverse » Wed Jan 02, 2019 5:44 am

So why don't you guys change to use a better hashing software?

Thanks parker for the gif and SuperDuper for suggesting rotational sig
User avatar
Multiuniverse
[Forum Mafia XVII] Winner
[Forum Mafia XVII] Winner
 
Posts: 484
Joined: Mon Dec 05, 2016 2:15 am
Location: If you know where nowhere is, look right into it. You'll spot me there.

Re: Possible data breach

Postby yauaustin202 » Wed Jan 02, 2019 5:45 am

lemonader666 wrote:Can you mega-sticky the thread?

This. Please.

Also jord, just go change your login info man. Ranting here won't get the issues resolved any faster and won't make your account safer. You should be double checking all your passwords right now.
Spoiler:
User avatar
yauaustin202
Christmas 2016 Winner
Christmas 2016 Winner
 
Posts: 194
Joined: Sun Apr 19, 2015 8:29 am
Location: A calm, blissful tunnel in the middle of hell (GMT+7)

Re: Possible data breach

Postby Technetium » Wed Jan 02, 2019 5:46 am

Multiuniverse wrote:So why don't you guys change to use a better hashing software?


Whether or not there were reasons for not changing other than inertia, is this going to be one of the things that is changed with fixing the site security?
User avatar
Technetium
Serial Killer
Serial Killer
 
Posts: 2078
Joined: Fri Dec 18, 2015 8:25 am
Location: Swatting time flies

Re: Possible data breach

Postby Moltac » Wed Jan 02, 2019 5:47 am

Sad, but thanks for letting us know!
German Adele in Ranked

Image

TP ON ME IM FAMOUS

Legacy Season Elo: Master

Ranked Season 1 Elo: Master

Ranked Season 2 Elo: Master

Ranked Season 3 Elo: Master

Ranked Season 4 Elo: Master

#Q U A K I N G
User avatar
Moltac
Executioner
Executioner
 
Posts: 28
Joined: Mon Apr 07, 2014 3:09 am

Re: Possible data breach

Postby S0me0ne23 » Wed Jan 02, 2019 5:51 am

Multiuniverse wrote:So why don't you guys change to use a better hashing software?

Switching to a different hash algorithm retroactively is hard because BMG shouldn't and hopefully don't have access to the unencrypted passwords. Maybe new passwords.
User avatar
S0me0ne23
Escort
Escort
 
Posts: 71
Joined: Fri Dec 05, 2014 10:25 pm

Re: Possible data breach

Postby Multiuniverse » Wed Jan 02, 2019 5:53 am

Oh, can't they just get a different hash algorithm and require users to put new passwords/the same password and confirm this is their account via email?

Thanks parker for the gif and SuperDuper for suggesting rotational sig
User avatar
Multiuniverse
[Forum Mafia XVII] Winner
[Forum Mafia XVII] Winner
 
Posts: 484
Joined: Mon Dec 05, 2016 2:15 am
Location: If you know where nowhere is, look right into it. You'll spot me there.

Re: Possible data breach

Postby Michael007800 » Wed Jan 02, 2019 5:54 am

Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote:The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously

I'm sorry, but that is quite possibly the worst reply any dev could have possibly said at that moment.

I get it that the office may be stressed out over this issue and the community, aren't quite on your side, but the last thing anyone working for BMG should do is make a comment like that.
Better Mobile Forums? Support this!
viewtopic.php?f=14&t=9966


Don't click me!

Image
User avatar
Michael007800
Sponsor
Sponsor
 
Posts: 105
Joined: Fri Apr 25, 2014 11:56 pm
Location: England

Re: Possible data breach

Postby SnarkySneaks » Wed Jan 02, 2019 5:56 am

The IP and Email part are still pretty concerning..
SnarkySneaks
Newbie
Newbie
 
Posts: 1
Joined: Sun Jan 14, 2018 6:10 am

Re: Possible data breach

Postby Technetium » Wed Jan 02, 2019 5:59 am

This is probably a stupid idea, but what would prevent them from, say, using a new hash algorithm on top of the old one, re-hash all the existing passwords, and have login run the two hashes in sequence?

So currently it uses what we'll call Hash A.
When a password is input on login, it goes plaintext>Hash A and is checked against the stored password, already converted plaintext>Hash A before storing.

What I'm thinking, is, they convert all the stored passwords with another hash, we'll call it B, and have the login setup hash the passwords twice to match, so it goes plaintext>Hash A>Hash B.

Now, I figure there's very likely some reason why this wouldn't work, so if there is, could someone explain what that reason is?
User avatar
Technetium
Serial Killer
Serial Killer
 
Posts: 2078
Joined: Fri Dec 18, 2015 8:25 am
Location: Swatting time flies

Re: Possible data breach

Postby EvanManManMan » Wed Jan 02, 2019 6:10 am

Image
User avatar
EvanManManMan
FM Awards: Town
FM Awards: Town
 
Posts: 208
Joined: Wed Oct 18, 2017 5:40 pm

Re: Possible data breach

Postby Jackparrot » Wed Jan 02, 2019 6:11 am

Thank you for letting us know BMG. However I feel that you should increase the security of the game in general, as we recently had the bot attacks, and now we have this. I’d really suggest upgrading security for the entire game.

Do you plan on, or are looking into who did this? I would really like to know who did this so that you can bring them to court. An attack this big is probably carried out by some very vengeful people, therefore I suspect that the botters could be behind this.
Jackparrot
Sheriff
Sheriff
 
Posts: 569
Joined: Thu Mar 30, 2017 10:16 am
Location: Canada

PreviousNext

Return to Announcements

Who is online

Users browsing this forum: No registered users and 2 guests