Data Breach Update

Announcements made here about the game and the company.

Re: Data Breach Update

Post by Blood0kishin » Thu Jan 03, 2019 6:18 pm

Naru2008 wrote:
Blood0kishin wrote: Okay, so slight issue with this whole breach. I have no idea what my password was at the time of the breach (I’m fairly sure it was not anything that matched another account) so will there be a further in-depth email sent out later detailing the exact information the hackers got? At this point I can only guess and it’s been so long since I have used this account I don’t remember what information was on here or how to do a quick overview of the account in detail. Any help would be greatly appreciated!

The information has already been provided.


Perhaps I did not make myself clear; because the information has not been provided. All I received today was one of those mass emails notifying me of the breach and the suspected information that was exposed. It did not tell me what the password was that was exposed and required to be changed. In short; I want an email that says for sure “The password: xxxxxx” was exposed and needs to be changed. By default I had to reset my password to get back into this account due to my inactivity on this game.

I doubt the password used here matches anything else used online but I need to know EXACTLY what the hackers got; because I do not remember the exact password used originally which has now been exposed.
Blood0kishin
Newbie
Posts: 3
Joined: Sat Mar 19, 2016 12:17 am

Re: Data Breach Update

Post by LevinSnakesRise » Thu Jan 03, 2019 6:21 pm

Blood0kishin wrote:
Naru2008 wrote:
Blood0kishin wrote: Okay, so slight issue with this whole breach. I have no idea what my password was at the time of the breach (I’m fairly sure it was not anything that matched another account) so will there be a further in-depth email sent out later detailing the exact information the hackers got? At this point I can only guess and it’s been so long since I have used this account I don’t remember what information was on here or how to do a quick overview of the account in detail. Any help would be greatly appreciated!

The information has already been provided.


Perhaps I did not make myself clear; because the information has not been provided. All I received today was one of those mass emails notifying me of the breach and the suspected information that was exposed. It did not tell me what the password was that was exposed and required to be changed. In short; I want an email that says for sure “The password: xxxxxx” was exposed and needs to be changed. By default I had to reset my password to get back into this account due to my inactivity on this game.

I doubt the password used here matches anything else used online but I need to know EXACTLY what the hackers got; because I do not remember the exact password used originally which has now been exposed.

viewtopic.php?f=11&t=95378
viewtopic.php?f=11&t=95412

That explains what was exposed. The second one is from the beginning of this thread. The email also addressed what was accessed. You need to re-read that.
Please contact BMG with any questions regarding your account issues;
support@blankmediagames.zendesk.com

Thanks.
LevinSnakesRise
Site Admin
Posts: 16789
Joined: Thu Aug 07, 2014 9:45 pm
Location: USA

Re: Data Breach Update

Post by DarthaNyan » Thu Jan 03, 2019 6:24 pm

The change password link in the email cannot be any more suspicious even if you tried:

https://blankmediagames.us14.list-manage.com/track/click?u=xxx&id=yyy&e=zzz (sensitive info was omitted)
DarthaNyan
Investigator
Posts: 276
Joined: Wed Nov 16, 2016 6:26 am

Re: Data Breach Update

Post by DarthaNyan » Thu Jan 03, 2019 6:44 pm

Password change doesn't require confirmation by email and even no notification about it after I have changed it? Like... WTF?
DarthaNyan
Investigator
Posts: 276
Joined: Wed Nov 16, 2016 6:26 am

Re: Data Breach Update

Post by James2 » Thu Jan 03, 2019 6:49 pm

Blood0kishin wrote:
Naru2008 wrote:
Blood0kishin wrote: Okay, so slight issue with this whole breach. I have no idea what my password was at the time of the breach (I’m fairly sure it was not anything that matched another account) so will there be a further in-depth email sent out later detailing the exact information the hackers got? At this point I can only guess and it’s been so long since I have used this account I don’t remember what information was on here or how to do a quick overview of the account in detail. Any help would be greatly appreciated!

The information has already been provided.


Perhaps I did not make myself clear; because the information has not been provided. All I received today was one of those mass emails notifying me of the breach and the suspected information that was exposed. It did not tell me what the password was that was exposed and required to be changed. In short; I want an email that says for sure “The password: xxxxxx” was exposed and needs to be changed. By default I had to reset my password to get back into this account due to my inactivity on this game.

I doubt the password used here matches anything else used online but I need to know EXACTLY what the hackers got; because I do not remember the exact password used originally which has now been exposed.


BMG, like most websites, hashes its stored passwords. Basically, when you set up a password, an algorithm turns it into gibberish, and that is what is stored in the database. When you try to log in, the site runs the same algorithm on the password you provide, and checks that the gibberish created matches the gibberish in the database. While the algorithm can turn a password into gibberish, it is (by design) difficult to turn the gibberish back into the original password.

What this means, in principle, is that your original password cannot be recovered, either by BMG or by hackers.

The problem is that BMG was using a notoriously weak hashing algorithm, meaning that if your password wasn't long enough, it can be reconstructed from the gibberish by hackers. So the password is compromised, but BMG can't tell you what it was. Since the hackers made most or all of the stolen data public, you can search haveibeenpwned.com to see if your password was compromised. Note however, that if your password is relatively weak, odds are that it will have shown up in a previous hack, whether or not it was compromised here.
James2
Godfather
Posts: 1555
Joined: Tue Jun 16, 2015 9:53 am
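
An added example, not part of James2's post or BMG's code, of the store-and-verify scheme described above and of what separates a fast unsalted digest from a salted, iterated hash. MD5 as the stand-in for the legacy algorithm, PBKDF2-HMAC-SHA256, the iteration count and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor; tune to the login server's hardware
SAMPLE = "constructed-sample-password"  # constructed input, not from the breach


def fast_digest(password: str) -> str:
    """Unsalted single-pass digest, standing in for the weak legacy scheme."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash; the salt is stored next to the result."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def slow_verify(password: str, stored: str) -> bool:
    """Login check: rerun the algorithm with the stored salt, compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(slow_hash(password, bytes.fromhex(salt_hex)), stored)


def seconds_per_hash(fn, rounds: int) -> float:
    """Average wall-clock cost of one hash computation."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(SAMPLE)
    return (time.perf_counter() - start) / rounds


def compare_schemes() -> dict:
    fast_cost = seconds_per_hash(fast_digest, 2000)
    slow_cost = seconds_per_hash(slow_hash, 3)
    return {
        # Two accounts with the same password: identical rows under the fast
        # digest (one lookup serves every user), different rows when salted.
        "fast_rows_equal": fast_digest(SAMPLE) == fast_digest(SAMPLE),
        "slow_rows_equal": slow_hash(SAMPLE) == slow_hash(SAMPLE),
        "login_ok": slow_verify(SAMPLE, slow_hash(SAMPLE)),
        "login_wrong_pw": slow_verify(SAMPLE + "x", slow_hash(SAMPLE)),
        # How much more work each offline guess costs under the slow scheme.
        "cost_ratio": slow_cost / fast_cost,
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The ratio is the extra work per candidate password in an offline guessing run against a leaked table; a password that already sits in a wordlist is still found, only more slowly.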

Re: Data Breach Update

Post by TheIronZombie » Thu Jan 03, 2019 6:52 pm

I'm trying to change my password but every time I try to log in it says that I reached the maximum number of login attempts and that I have to wait for a certain number of minutes (15 the first time, 30 after I waited for the 15 minutes). I am fairly sure that I typed my username and password in right. I'm using this website to try to do it: http://www.blankmediagames.com/Store/my-account/ Anyone know what I might be doing wrong?
TheIronZombie
Newbie
Posts: 3
Joined: Tue Nov 22, 2016 7:33 pm

Re: Data Breach Update

Post by Blood0kishin » Thu Jan 03, 2019 6:56 pm

Sadly that is the issue. If memory serves me correctly I think it was already one of those number & letter chains in the suspected time of breach; however I don’t remember for sure. That’s what I was trying to determine, if they had an archive of what my password was say in the last six months or so I could say for sure if any other online accounts were exposed. At most I believe they got my email address, but without knowing for sure it’s just a guess.
Blood0kishin
Newbie
Posts: 3
Joined: Sat Mar 19, 2016 12:17 am

Re: Data Breach Update

Post by TurdPile » Thu Jan 03, 2019 6:58 pm

TheIronZombie wrote:I'm trying to change my password but every time I try to log in it says that I reached the maximum number of login attempts and that I have to wait for a certain number of minutes (15 the first time, 30 after I waited for the 15 minutes). I am fairly sure that I typed my username and password in right. I'm using this website to try to do it: http://www.blankmediagames.com/Store/my-account/ Anyone know what I might be doing wrong?


Use the forum login. Idk what is wrong with that, even I get the same error you do.
I have mostly rescinded my role as Admin.

All previous contact should instead be redirected to Flavorable.

If your inquiry doesn't directly have to do with Trial 2.0 or TrialBot, then please refrain from messaging.

Thank you.
TurdPile
Vampire
Posts: 8900
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts

Re: Data Breach Update

Post by Ypsilon » Thu Jan 03, 2019 7:23 pm

TurdPile wrote:
Ypsilon wrote: I changed my password, and now I can't log into the game. Logging into forum works fine, but game login screen says "Your username or password is invalid".


I checked and your details are identical. Please make sure you are using the right username for both.

I'm using the same username as I always have. Before changing the password I could log in without problem, but now I can't.
Ypsilon
Donor
Posts: 4
Joined: Wed Jul 02, 2014 10:34 am

Re: Data Breach Update

Post by TurdPile » Thu Jan 03, 2019 7:30 pm

Ypsilon wrote:
TurdPile wrote:
Ypsilon wrote: I changed my password, and now I can't log into the game. Logging into forum works fine, but game login screen says "Your username or password is invalid".


I checked and your details are identical. Please make sure you are using the right username for both.

I'm using the same username as I always have. Before changing the password I could log in without problem, but now I can't.


I see you've changed your password again, and again I've confirmed the credentials match. What method are you using to log into TOS? Steam, browser, mobile?
TurdPile
Vampire
Posts: 8900
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts

Re: Data Breach Update

Post by Ypsilon » Thu Jan 03, 2019 7:31 pm

TurdPile wrote:
Ypsilon wrote:
TurdPile wrote:
Ypsilon wrote: I changed my password, and now I can't log into the game. Logging into forum works fine, but game login screen says "Your username or password is invalid".


I checked and your details are identical. Please make sure you are using the right username for both.

I'm using the same username as I always have. Before changing the password I could log in without problem, but now I can't.


I see you've changed your password again, and again I've confirmed the credentials match. What method are you using to log into TOS? Steam, browser, mobile?

Browser.
Ypsilon
Donor
Posts: 4
Joined: Wed Jul 02, 2014 10:34 am

Re: Data Breach Update

Post by TurdPile » Thu Jan 03, 2019 7:32 pm

Ypsilon wrote:
TurdPile wrote:
Ypsilon wrote:
TurdPile wrote:
Ypsilon wrote: I changed my password, and now I can't log into the game. Logging into forum works fine, but game login screen says "Your username or password is invalid".


I checked and your details are identical. Please make sure you are using the right username for both.

I'm using the same username as I always have. Before changing the password I could log in without problem, but now I can't.


I see you've changed your password again, and again I've confirmed the credentials match. What method are you using to log into TOS? Steam, browser, mobile?

Browser.


Whatever you did last, just a minute ago, can you PM me on the forums? Whatever that was made the passwords different (but it should have worked the first few times when I confirmed they were the same).
TurdPile
Vampire
Posts: 8900
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts

Re: Data Breach Update

Post by Ozyrox » Thu Jan 03, 2019 7:37 pm

Can't I just not change it? I don't see what they could possibly do with my information if it isn't linked to my email password. Haven't made any payments or done anything significant. I mean sure they can use my account to play a few rounds don't see what that's gonna do to me. I just don't want to change it to a more secure password since this hacking may happen again and we'd all be back to square one with my secure passwords no longer being secure. Sorry for not quite trusting the system but this is the reason why I didn't use a good password to begin with. I know that if I use a secure password it would be harder for them to figure it out but the keyword here is harder not impossible.
Ozyrox
Serial Killer
Posts: 2431
Joined: Sun Sep 21, 2014 3:00 am
Location: With the Justice League in space

Re: Data Breach Update

Post by Technetium » Thu Jan 03, 2019 7:42 pm

If you don't use the password you used here for anything else, the only thing whoever breached the site can get at with the information they have is your ToS account. Is that the case?
In memory of those who have been deleted.
The last poster to survive Blindside Island will win a cookie. Or perhaps 1500...
Technetium#8515 on Discord
Technetium
Godfather
Posts: 1941
Joined: Fri Dec 18, 2015 8:25 am
Location: The city, she's been dead, for years now...

Re: Data Breach Update

Post by LevinSnakesRise » Thu Jan 03, 2019 7:43 pm

Ozyrox wrote: Can't I just not change it? I don't see what they could possibly do with my information if it isn't linked to my email password. Haven't made any payments or done anything significant. I mean sure they can use my account to play a few rounds don't see what that's gonna do to me. I just don't want to change it to a more secure password since this hacking may happen again and we'd all be back to square one with my secure passwords no longer being secure. Sorry for not quite trusting the system but this is the reason why I didn't use a good password to begin with. I know that if I use a secure password it would be harder for them to figure it out but the keyword here is harder not impossible.

Oh shit boi, it's Ozy. God that's a name I haven't seen in years.
LevinSnakesRise
Site Admin
Posts: 16789
Joined: Thu Aug 07, 2014 9:45 pm
Location: USA

Re: Data Breach Update

Post by Ozyrox » Thu Jan 03, 2019 7:55 pm

Technetium wrote:If you don't use the password you used here for anything else, the only thing whoever breached the site can get at with the information they have is your ToS account. Is that the case?


Pretty much. The password is simplistic enough to be suitable to the site without the risk of exposing my other more secure passwords. I mean I've probably used something similar before but I've discontinued using those sites and there isn't any information that can be taken from them. Feel free to play on my LOL account tho, I tried installing that some years ago and made an account with them but never got to play because of my soddy internet connection that said I had negative years left for the download to finish. I think I got banned immediately for abandoning the only game I got to play so :lol:
Ozyrox
Serial Killer
Posts: 2431
Joined: Sun Sep 21, 2014 3:00 am
Location: With the Justice League in space

Re: Data Breach Update

Post by Ozyrox » Thu Jan 03, 2019 7:57 pm

Naru2008 wrote:
Ozyrox wrote: Can't I just not change it? I don't see what they could possibly do with my information if it isn't linked to my email password. Haven't made any payments or done anything significant. I mean sure they can use my account to play a few rounds don't see what that's gonna do to me. I just don't want to change it to a more secure password since this hacking may happen again and we'd all be back to square one with my secure passwords no longer being secure. Sorry for not quite trusting the system but this is the reason why I didn't use a good password to begin with. I know that if I use a secure password it would be harder for them to figure it out but the keyword here is harder not impossible.

Oh shit boi, it's Ozy. God that's a name I haven't seen in years.


It's nice to see some familiar names around as well, life unfortunately consumed me for a while and I don't know how long I'll be around for. Hopefully this password thing doesn't cause any mishaps tho, the only actual problem I see with not changing my password is that someone could impersonate me without my knowledge and possibly say or do a few bad things.
Ozyrox
Serial Killer
Posts: 2431
Joined: Sun Sep 21, 2014 3:00 am
Location: With the Justice League in space

Re: Data Breach Update

Post by PantherPage » Thu Jan 03, 2019 8:08 pm

Thank you The Blank Media Games, for alerting me to this event. It is nice to see that a game company actually cares about their customer base.
Happy New Year.
PantherPage
Newbie
Posts: 1
Joined: Thu Aug 02, 2018 10:26 pm

Re: Data Breach Update

Post by Metaphorical » Thu Jan 03, 2019 9:29 pm

I've got to be honest with you, this pretty much sums up anything I'd have to say about the breach (from another user, on steam):

This
Metaphorical
Newbie
Posts: 2
Joined: Fri Nov 28, 2014 1:00 am

Re: Data Breach Update

Post by ZoruaLuhansk » Thu Jan 03, 2019 10:06 pm

mamazavulan wrote:
Password must be between 8 and 32 characters long, must contain letters in mixed case, must contain numbers and must contain symbols.

For the record, this is really obnoxious. Was not a previous requirement, nor should this be a requirement.

This.
For me, I just get a bunch of words from Random Word Generator and put that as my password. If my password is 27 characters, I feel that needing to add symbols and numbers to my password causes more harm trying to remember where I put them than the extra security it brings.
consider this account deleted
don't try to contact me unless I have you as a discord friend
ZoruaLuhansk
Spy
Posts: 138
Joined: Fri Oct 06, 2017 2:24 pm
Location: Furry Pride

Re: Data Breach Update

Post by TurdPile » Thu Jan 03, 2019 11:47 pm

ZoruaLuhansk wrote:
mamazavulan wrote:
Password must be between 8 and 32 characters long, must contain letters in mixed case, must contain numbers and must contain symbols.

For the record, this is really obnoxious. Was not a previous requirement, nor should this be a requirement.

This.
For me, I just get a bunch of words from Random Word Generator and put that as my password. If my password is 27 characters, I feel that needing to add symbols and numbers to my password causes more harm trying to remember where I put them than the extra security it brings.


I've dropped it back down to alphanumeric, since length is more important than complexity anyway. But I don't think people would appreciate if I upped the required minimum to something like 10 or more lol.
TurdPile
Vampire
Posts: 8900
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts

Re: Data Breach Update

Post by Tiny3001 » Fri Jan 04, 2019 12:50 am

And still, your forum likes linking to HTTP by default... I was about to reset my password over HTTP, even though you have HTTPS available! It's silly security decisions like this that cause breaches in the first place!
Tiny3001
Newbie
Posts: 1
Joined: Mon May 23, 2016 12:20 pm

Re: Data Breach Update

Post by GeniusWind » Fri Jan 04, 2019 12:52 am

switching to a more secure hashing algorithm is not a problem? Simply have a flag for each user that is set when the user successfully resets their password. Don't allow the user to login without resetting their password such that only inactive accounts will not have reset their passwords. eZ
Algorithm should be switched ASAP. Y u no use SHA-2?
Dislike: Passive 50 IQ low elo trash punks, eZ

Stats: Spoiler: Legacy Season: Silver ELO (hiatus after a week from season beginning; played months during prelegacy)
Season 3: ~2700 ELO [~ 52.8%]
Season 4: 3115 ELO [28.6% to 58%(max) ~ 54.5%]

----------------Subscribe to https://youtube.com/user/Vsefotonz on Youtube---Copy and paste this right now!!!
GeniusWind
Posts: 96
Joined: Wed Feb 18, 1970 1:07 pm
Location: Church

Re: Data Breach Update

Post by TurdPile » Fri Jan 04, 2019 1:31 am

GeniusWind wrote:switching to a more secure hashing algorithm is not a problem? Simply have a flag for each user that is set when the user successfully resets their password. Don't allow the user to login without resetting their password such that only inactive accounts will not have reset their passwords. eZ
Algorithm should be switched ASAP. Y u no use SHA-2?


SHA1, 2 and 3 are all as trivial as md5 at this point. Anyway, I touched on this topic here: #3054055
TurdPile
Vampire
Posts: 8900
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts
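
One way to carry out the migration discussed in the two posts above, as an added example rather than BMG's or any poster's code: legacy rows are first wrapped in a salted, iterated hash so that dormant accounts no longer sit in the table as bare digests (a step that goes beyond the thread's proposal), and the per-user flag then blocks login until a reset. MD5 as the legacy scheme, PBKDF2-HMAC-SHA256, the iteration count, the row layout and the `email_token_ok` parameter are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the login server's hardware


def md5_hex(password: str) -> str:
    """Legacy scheme (assumed): bare, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def stretch(secret: str, salt: bytes) -> str:
    """Salted, iterated hash used for every row after migration."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS).hex()


def wrap_legacy_rows(users: dict) -> None:
    """Offline pass over the table; needs no passwords, so dormant accounts are covered."""
    for row in users.values():
        if row["scheme"] == "md5":
            salt = os.urandom(16)
            row.update(scheme="pbkdf2(md5)", salt=salt,
                       hash=stretch(row["hash"], salt), reset_done=False)


def check_password(row: dict, password: str) -> bool:
    if row["scheme"] == "md5":
        return False  # unwrapped legacy rows are never accepted
    secret = md5_hex(password) if row["scheme"] == "pbkdf2(md5)" else password
    return hmac.compare_digest(stretch(secret, row["salt"]), row["hash"])


def login(users: dict, name: str, password: str) -> str:
    row = users.get(name)
    if row is None or not check_password(row, password):
        return "denied"
    # The per-user flag from the thread: no session until a reset has happened.
    return "ok" if row["reset_done"] else "reset_required"


def reset_password(users: dict, name: str, new_password: str, email_token_ok: bool) -> bool:
    """email_token_ok is a hypothetical stand-in for validating the emailed reset link."""
    row = users.get(name)
    # Refuse unknown users, unproven mailbox ownership, and reuse of the exposed password.
    if row is None or not email_token_ok or check_password(row, new_password):
        return False
    salt = os.urandom(16)
    row.update(scheme="pbkdf2", salt=salt, hash=stretch(new_password, salt), reset_done=True)
    return True


def demo() -> list:
    old, new = "old-constructed-pw", "new constructed passphrase"  # constructed samples
    users = {"alice": {"scheme": "md5", "hash": md5_hex(old)}}
    wrap_legacy_rows(users)
    return [
        users["alice"]["scheme"],                    # pbkdf2(md5)
        login(users, "alice", old),                  # reset_required
        reset_password(users, "alice", old, True),   # False: same as exposed password
        reset_password(users, "alice", new, False),  # False: reset link not validated
        reset_password(users, "alice", new, True),   # True
        login(users, "alice", old),                  # denied
        login(users, "alice", new),                  # ok
    ]


if __name__ == "__main__":
    print(demo())
```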

Re: Data Breach Update

Post by Alicitzen » Fri Jan 04, 2019 2:00 am

Naru2008 wrote:
Ozyrox wrote: Can't I just not change it? I don't see what they could possibly do with my information if it isn't linked to my email password. Haven't made any payments or done anything significant. I mean sure they can use my account to play a few rounds don't see what that's gonna do to me. I just don't want to change it to a more secure password since this hacking may happen again and we'd all be back to square one with my secure passwords no longer being secure. Sorry for not quite trusting the system but this is the reason why I didn't use a good password to begin with. I know that if I use a secure password it would be harder for them to figure it out but the keyword here is harder not impossible.

Oh shit boi, it's Ozy. God that's a name I haven't seen in years.

naarruuuu your avatar isn't appearing anymore
Discord: Alicitzen#1312
Alicitzen
Valentines 2017
Posts: 7991
Joined: Mon Mar 10, 2014 10:56 am
Location: Chaldea
