Possible data breach

Announcements made here about the game and the company.

Re: Possible data breach

Postby Haaavier » Wed Jan 02, 2019 7:19 am

Question 1, are you going to email everyone to inform them of the breach? Not everyone checks the subreddit or the forums so not everyone will be aware of it.

Question 2, what steps are you going to take to prevent this from happening again in the future?
Haaavier
Newbie
Posts: 1
Joined: Wed Jan 02, 2019 7:18 am

Re: Possible data breach

Postby Royee » Wed Jan 02, 2019 7:29 am

ChubbyMooshroom9 wrote: https://haveibeenpwned.com/

if you want to check

i am not in there, do i consider myself as safe?
Royee
Witch
Posts: 57
Joined: Wed Sep 30, 2015 1:11 pm
Location: UTC +3

Re: Possible data breach

Postby Bodhrak » Wed Jan 02, 2019 7:32 am

Royee wrote:
ChubbyMooshroom9 wrote: https://haveibeenpwned.com/

if you want to check

i am not in there, do i consider myself as safe?

It's pretty much impossible not to be on there as the whole database was leaked.
Unless you changed your e-mail recently or you want to imply that wasn't the whole database, I guess you made an error.
You can call me Bod.
No, that's not my real name. Thanks for asking.
Bodhrak
Witch
Posts: 58
Joined: Fri Nov 04, 2016 8:26 am

Re: Possible data breach

Postby Royee » Wed Jan 02, 2019 7:41 am

Bodhrak wrote:
Royee wrote:
ChubbyMooshroom9 wrote: https://haveibeenpwned.com/

if you want to check

i am not in there, do i consider myself as safe?

It's pretty much impossible not to be on there as the whole database was leaked.
Unless you changed your e-mail recently or you want to imply that wasn't the whole database, I guess you made an error.

It is updated. I am affected. Damn i moved email address because i was leaked in 3 sites.
Royee
Witch
Posts: 57
Joined: Wed Sep 30, 2015 1:11 pm
Location: UTC +3

Re: Possible data breach

Postby Chemist1422 » Wed Jan 02, 2019 7:42 am

So what should we do about it if we have been pwned?

FM: 29-35
Last: SFM64
Highest BtM placement: 2nd (twice)
Chemist1422
[Forum Mafia XVII] Winner
Posts: 827
Joined: Tue Mar 20, 2018 5:39 pm
Location: Fogbound Lake (UTC-7)

Re: Possible data breach

Postby Royee » Wed Jan 02, 2019 7:44 am

Chemist1422 wrote: So what should we do about it if we have been pwned?

I am joining the question too.
What do we do besides changing the password?
Royee
Witch
Posts: 57
Joined: Wed Sep 30, 2015 1:11 pm
Location: UTC +3

Re: Possible data breach

Postby iggyvolz » Wed Jan 02, 2019 7:46 am

Royee wrote:
Chemist1422 wrote: So what should we do about it if we have been pwned?

I am joining the question too.
What do we do besides changing the password?

If you use the password elsewhere (first off don't do that), change that too. No confirmation afaik that the breach is fixed so be ready to change it again if needed. That's pretty much it.

@Achilles - any idea if the breach has in fact been fixed?
(removed lolcard thing because I was DDoS'ing my own server because of it)
Wall of Quotes (it outgrew my signature)
iggyvolz
Werewolf
Posts: 3330
Joined: Wed Mar 26, 2014 12:21 pm
Location: /dev/null

Re: Possible data breach

Postby punjian » Wed Jan 02, 2019 8:10 am

Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote: The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Wow can we ban him for being toxic pls? Keep this community clean please.
Tucker the
punjian
Survivor
Posts: 37
Joined: Thu Nov 10, 2016 8:51 am

Re: Possible data breach

Postby ChubbyMooshroom9 » Wed Jan 02, 2019 8:15 am

Bodhrak wrote:
Royee wrote:
ChubbyMooshroom9 wrote: https://haveibeenpwned.com/

if you want to check

i am not in there, do i consider myself as safe?

It's pretty much impossible not to be on there as the whole database was leaked.
Unless you changed your e-mail recently or you want to imply that wasn't the whole database, I guess you made an error.

mfw my alts are fine but not my main

not like it matters lol the password is different

me in vldr tbh
ChubbyMooshroom9
[Forum Mafia XVII] Winner
Posts: 1479
Joined: Wed Jun 10, 2015 2:31 pm
Location: Memory Lane

Re: Possible data breach

Postby GoogleFeud » Wed Jan 02, 2019 8:30 am

Someone tried to access my account 13 hours ago from El Limón, Aragua, Venezuela, with IP 190.38.37.97, but Google stopped them :BlobTea:
GoogleFeud
Role Ideas Moderator
Posts: 455
Joined: Fri Jul 08, 2016 9:09 am
Location: AHHHHHHHHHHHHHHHHHHHHHHHH

Re: Possible data breach

Postby Chemist1422 » Wed Jan 02, 2019 8:32 am

GoogleFeud wrote: Someone tried to access my account 13 hours ago from El Limón, Aragua, Venezuela, with IP 190.38.37.97, but Google stopped them :BlobTea:

So who do we report that to
Chemist1422
[Forum Mafia XVII] Winner
Posts: 827
Joined: Tue Mar 20, 2018 5:39 pm
Location: Fogbound Lake (UTC-7)

Re: Possible data breach

Postby TurdPile » Wed Jan 02, 2019 8:32 am

The password hashing is controlled by the forum software; the forum at the moment is deeply ingrained with interactions with the game, which makes any changes to the forum software literally game-breaking. With the Unity development, the BMG devs are working on completely decoupling the game from the forum and ditching PhpBB altogether for a better forum software (Vanilla is what was being discussed).
Do not PM me about your open appeal. It will be ignored.

DISCLAIMER: I am a Moderator of the forums and the game.
I manage the clutter so the developers can do their work.
My voice and my opinions are of my own and shouldn't be taken as the
word of the developers (although I may be slightly more informed of
certain matters). Therefore, rude remarks I may occasionally make
should not impact the reputation of the developers.
Cheers.
TurdPile
Site Admin
Posts: 8310
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts

Re: Possible data breach

Postby ApolloRD » Wed Jan 02, 2019 8:48 am

Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote: The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.
ApolloRD
Newbie
Posts: 1
Joined: Sat Oct 13, 2018 3:24 pm

Re: Possible data breach

Postby BoringLorik » Wed Jan 02, 2019 8:54 am

rip
Will Smith don't gotta cuss in his raps to sell records
Well, I do, so fuck him and fuck you too!
BoringLorik
Jester
Posts: 14
Joined: Tue Mar 20, 2018 12:41 pm

Re: Possible data breach

Postby Stormbird » Wed Jan 02, 2019 9:01 am

Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote: The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


You got 7M accounts breached, and you can't even give responsibility. As for the emails falling in your "spam" folder, I call BS. You guys just sat on the breach for days.

Also, FYI, you are not GDPR-compliant. You'd better take action on this front too, or I have no doubt that you will be sued.
Stormbird
Newbie
Posts: 3
Joined: Thu Feb 19, 2015 11:08 pm

Re: Possible data breach

Postby MafiaMenace » Wed Jan 02, 2019 9:03 am

ApolloRD wrote:
Achilles wrote:
Technetium wrote:
Wikipedia article on MD5 hash wrote: The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".


So...if the hashing isn't doing its job...why is that hashing method in use?


Because we’re terrible developers obviously


Achilles I would seriously consider deleting this comment and reaching out to someone with experience in Data Security Management / Public Relations.
There are going to be a lot of people looking in on this with interest and this comment shows a concerning lack of responsibility and professionalism.

very big oopsie

Hosted FM Games:
  • VFM30 (Town Wins)
  • SFM45 (Town Wins)
  • VFM39 (Mafia Wins)
MafiaMenace
Sheriff
Posts: 591
Joined: Tue Nov 14, 2017 1:53 pm
Location: Somewhere in the deep, dark, depths of Canada. (UTC -7)

Re: Possible data breach

Postby Operaismo » Wed Jan 02, 2019 9:14 am

omg.....

are you serious??? This is really bad omg.
Operaismo
Amnesiac
Posts: 8
Joined: Fri Jun 22, 2018 5:57 pm
Location: !!!!!

Re: Possible data breach

Postby RevengeoftheRaccoon » Wed Jan 02, 2019 9:43 am

RIP
ecs dee
RevengeoftheRaccoon
Doctor
Posts: 176
Joined: Thu Jul 19, 2018 10:56 am
Location: If you care about mine, hello sociopath buddy

Re: Possible data breach

Postby miksu56 » Wed Jan 02, 2019 9:57 am

Operaismo wrote: omg.....

are you serious??? This is really bad omg.


It's not that bad. If you change your Town of Salem password and your email password if it's the same as your Town of Salem password, then you should be fine.

I doubt that anyone would bother to see if a username and password fit every single service they knew of and repeat that process for everyone they try to hack. Much easier to just see if email password is the same as the game password and from there to see how far they can go by using the same password.

Like Deagler wrote earlier:
Deagler wrote:
- Change your ToS password to something secure
- If you used the same password somewhere else, change that password
- Set up 2FA on important accounts and your e-mail


I also recommend going to Have I Been Pwned and signing up to get email notifications whenever they are informed of a data breach containing your email. Might also be a good idea to check if your email appears in any pastes and then report the pastes to Pastebin, even if the passwords were your old ones.
miksu56
Amnesiac
Posts: 7
Joined: Tue Aug 19, 2014 9:48 am

Re: Possible data breach

Postby TurdPile » Wed Jan 02, 2019 9:57 am

Stormbird wrote: As for the emails falling in your "spam" folder, I call BS. You guys just sat on the breach for days.


They are working with vendors to investigate this.

And you wonder why he gave a snarky/sarcastic response when you make a comment like that right afterwards. Bravo.

Also, I just ran a test email on both Pwn and dehashed and both sent emails to my junk folder automatically (I am using hotmail). So it checks out on my side.
TurdPile
Site Admin
Posts: 8310
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts

Re: Possible data breach

Postby YFYDB » Wed Jan 02, 2019 10:09 am

WATCH OUT IT'S A LONG ESSAY ABOUT HOW MUCH YOU DISAPPOINTED ME. DO NOT OPEN THE SPOILERS IF YOU DO NOT WANT TO READ THAT ALL.
Admins... I am a Christian, my religion forces me to respect every human being, but you lost my respect.
Spoiler: I never used to care if a website is safe or not. I was looking for anime for hours on unsafe websites with millions of trojans on them... Nothing. Once when I was playing another game I was in a very small sect. I made an account on their forum, and then I left them, when I realized they are a sect... Nothing. I used to play a game, where players have been literally screaming from the fear of hackers... Nothing.
You were one of the safest websites I made an account on. When I was making my account, I was only afraid that people will recognise my nickname, because I am YFYDB in a few places, or that I will waste the account by leaving it and never using it again, but those didn't happen.
Spoiler: I used to tolerate the haters, who are all over the ToS, because I am rude myself.
I used to tolerate the spammers, because I know from my experience that the boundary between spammers and just much talking people is small. I thought somebody is just teasing you, admins.
I forgave you the fact that people responsible for spam-attack were your entrusted people, because I understand that you may trust a wrong person.
I used to tolerate the annoying mods on the official Discord, who find me a hater and an ableist. Are you psychopaths/sociopaths or do you understand that it was humiliating when I was muted, only because troll and hater said "i have autism and YFYDB is rude to me" (when he was the rude one)? Do you find it okay that moderators believe any troll who says "i have autism"? Everybody can say "i have autism, tolerate me" and you should never make mods people who don't know it.


But that breanch (however it is typed) is the thing I CAN'T FORGIVE YOU.
I can't believe ToS, the community where I belong, where I have found people that mean anything to me, where I became for the very first time "an experienced player", was hacked.

You should have known there might be an attack. Why? I have no idea if this is caused by people who made spamming bots, but I know one thing for sure: spam-attack encouraged hackers to hack the game, because they knew you struggled with the spam-bots, so hackers thought "if they struggled with something like that, they will never deal with professional attack". That's why you should have prepared stronger defense before your vacation.
I blame you.
OMG, I should become a professional writer for real. Sorry for such a long post.
tl;dr Admins should have foreseen the attack and I don't like them anymore.


EDIT: I agree with that dude who said he has the right to complain. We must show admins that we need to be safe, because if we remain silent, they will think "users don't mind".
Last edited by YFYDB on Wed Jan 02, 2019 10:38 am, edited 1 time in total.
My avatar is a random picture found in the internet.
YFYDB
Survivor
Posts: 33
Joined: Thu Aug 03, 2017 9:08 am

Re: Possible data breach

Postby Flavorable » Wed Jan 02, 2019 10:15 am

Companies get hacked and securities get breached all the time. While it's unfortunate, to the general consumer it's not as big a deal as everyone makes it out to be. If you use proper internet security etiquette yourself, there's not much people can do with your username and an encrypted password.
Steam ToS Moderator and Bug Report buttinsky.
Flavorable
Global Moderator
Posts: 3119
Joined: Thu Apr 28, 2016 3:24 am
Location: Netherlands

Re: Possible data breach

Postby bkyblyat » Wed Jan 02, 2019 10:29 am

Sitting on a data breach like this is against GDPR. Considering EU citizens' data got hacked, BMG can be fined. Interesting how this will turn out.
bkyblyat
Newbie
Posts: 4
Joined: Sun Oct 28, 2018 8:25 pm

Re: Possible data breach

Postby TurdPile » Wed Jan 02, 2019 10:34 am

bkyblyat wrote: Sitting on a data breach like this is against GDPR. Considering EU citizens' data got hacked, BMG can be fined. Interesting how this will turn out.


GDPR is 72 hours for reporting, they made the announcement post at 3am (my time), about 4 or so hours after we were made aware of legitimacy of the breach. I was contacted about this at 2am by the devs asking if I knew any info about the breach that wasn't already made available, so really 1 hour from discovering to posting an announcement is well within GDPR regulation. The data deletion matter is a separate topic under GDPR though, but kind of outside the scope of this discussion.
TurdPile
Site Admin
Posts: 8310
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts

Re: Possible data breach

Postby AnnoymousGracey » Wed Jan 02, 2019 10:37 am

But BMG knew 4 days before it happened. That's too late.
AnnoymousGracey
Jester
Posts: 14
Joined: Tue Jul 11, 2017 4:09 am
