Data Breach Update

Announcements made here about the game and the company.

Re: Data Breach Update

Postby PredictedCyborg » Thu Jan 03, 2019 2:22 pm

Technetium wrote:
HellnoRO wrote:You still haven't addressed the hashing issue.
I assume you're gonna immediately switch to a different algorithm, like bcrypt and not use the old and insecure md5, right?

That, I think, is one of the things they're trying to figure out how to do, since they don't have the plaintext passwords available to convert.


Yeah, that they were going to find a new method of coding the passwords was something stated in the original post. Like right there at the end...

Achilles wrote:We are making plans to replace phpbb with a more secure forum such as vanilla and moving to a more secure hashing algorithm. Since we didn't store plaintext passwords we can't easily update everyone's hashes to a new algorithm but we are investigating our options.


(Bolding is mine to draw attention to important parts.)
Sucks that this happened, but hackers are relentless and will try to crack everything - even more secure stuff.

Should the hashing algorithm have been one so easily cracked? No. That's a fail on BMG's part.
I respect the fact that they've kept the community fairly updated from the moment they noticed what was happening. Some companies don't do that and some don't even tell their users about breaches.

I echo the sentiment that the login screen needs a notice posted to it, and also that every account needs to have their passwords set to be redone at next login.
Do my best to make games a nicer place!
PredictedCyborg
Jester
Posts: 10
Joined: Thu Jan 12, 2017 5:33 pm

Re: Data Breach Update

Postby Iamien » Thu Jan 03, 2019 2:26 pm

viewtopic.php?f=14&t=90494

How about forcing https so when we login to forums the password is not in plain text for anyone in wifi range to read? Is there any concern at all for user security at this studio? Forcing https will take all of 10 minutes to do.
Last edited by Iamien on Thu Jan 03, 2019 2:30 pm, edited 1 time in total.
Iamien
Amnesiac
Posts: 6
Joined: Sat Feb 21, 2015 6:17 pm

Re: Data Breach Update

Postby mamazavulan » Thu Jan 03, 2019 2:28 pm

Password must be between 8 and 32 characters long, must contain letters in mixed case, must contain numbers and must contain symbols.

For the record, this is really obnoxious. Was not a previous requirement, nor should this be a requirement.
mamazavulan
Newbie
Posts: 1
Joined: Wed Jul 20, 2016 12:27 pm

Re: Data Breach Update

Postby PaxEtRomana » Thu Jan 03, 2019 2:30 pm

panapparos wrote:I bought the game on Steam but I haven't made any in-game purchases (Town Points, skins etc).

Is my information (Email, Full Names, Billing & Shipping addresses, IP Information, payment amount etc.) included in the hacked data?


Sorry, is anyone gonna take a stab at answering this or just nerd out about what kind of security algorithms should have been used? I bought this game like four years ago on Steam and played it once. I don't remember it even having a login system; I thought it just used Steam IDs? Apparently I have an account on this phpBB which I don't remember making. Is there a relationship between the forum accounts and the game accounts? Do I have to re-download and attempt to login to the game to figure out if I had an account?

This is probably obvious stuff to people who still play the game, but to me this is a bizarre situation and I feel like I've already waded through too much shitposting looking for these deets. I'm certainly not gonna be the last person frustrated by this.
PaxEtRomana
Newbie
Posts: 1
Joined: Fri Aug 21, 2015 1:34 am

Re: Data Breach Update

Postby PredictedCyborg » Thu Jan 03, 2019 2:39 pm

PaxEtRomana wrote:
panapparos wrote:I bought the game on Steam but I haven't made any in-game purchases (Town Points, skins etc).

Is my information (Email, Full Names, Billing & Shipping addresses, IP Information, payment amount etc.) included in the hacked data?


Sorry, is anyone gonna take a stab at answering this or just nerd out about what kind of security algorithms should have been used? I bought this game like four years ago on Steam and played it once. I don't remember it even having a login system; I thought it just used Steam IDs? Apparently I have an account on this phpBB which I don't remember making. Is there a relationship between the forum accounts and the game accounts? Do I have to re-download and attempt to login to the game to figure out if I had an account?

This is probably obvious stuff to people who still play the game, but to me this is a bizarre situation and I feel like I've already waded through too much shitposting looking for these deets. I'm certainly not gonna be the last person frustrated by this.
I have the game on Steam and my details are apparently in the list taken.
Mind you, I did originally play in browser and made the account there so maybe my situation isn't the exact same as yours.

But suppose that you might have had yours taken to be on the safe side.
Change passwords. Take no chances.
Do my best to make games a nicer place!
PredictedCyborg
Jester
Posts: 10
Joined: Thu Jan 12, 2017 5:33 pm

Re: Data Breach Update

Postby xXWeaponPrimeXx » Thu Jan 03, 2019 2:44 pm

Maybe I'm just horrifically incompetent but I can't find where to change my password. Can someone tell me where to click/look?
xXWeaponPrimeXx
Benefactor
Posts: 2
Joined: Mon Oct 20, 2014 4:02 pm

Re: Data Breach Update

Postby S0me0ne23 » Thu Jan 03, 2019 2:48 pm

mamazavulan wrote:
Password must be between 8 and 32 characters long, must contain letters in mixed case, must contain numbers and must contain symbols.

For the record, this is really obnoxious. Was not a previous requirement, nor should this be a requirement.

It's not that hard to keep your password under 32 characters, 8 characters is rather low for a minimum, and your password should contain mixed case, numbers, and symbols anyways. If you can't remember a password that fits those criteria, use a password manager.
S0me0ne23
Lookout
Posts: 83
Joined: Fri Dec 05, 2014 10:25 pm

Re: Data Breach Update

Postby ElderSivart » Thu Jan 03, 2019 3:49 pm

binbash3r wrote:The more important question for me is:

Is there a way to remove my forum account, and if so, how do I start that process? I do not plan on using the forums at any point apart from making this post. As far as I can tell, I've not used it before. I would rather remove my account entirely if there's a data breach on a forum that I never use, so that it does not happen again. I value my personal information and see this as a good reason to go ahead and cut ties, regardless if that data has already been breached or not. There are things that I can do to keep this from happening, like using fake emails or removing the account entirely - the second being the most optimal option in my case.

The forum account is the same account as your game account, with everything connected.
So no, you cannot delete just the forum-side without being unable to play the game.
ElderSivart
Vigilante
Posts: 621
Joined: Sat Apr 30, 2016 8:55 pm
Location: Alrest

Re: Data Breach Update

Postby 99Pineapples » Thu Jan 03, 2019 3:54 pm

xXWeaponPrimeXx wrote:Maybe I'm just horrifically incompetent but I can't find where to change my password. Can someone tell me where to click/look?
Someone please help! I've looked for probably 20-25 minutes and can't find anywhere to change my password from the string of numbers and letters the e-mail password reset gave me.
99Pineapples
Newbie
Posts: 1
Joined: Mon Nov 27, 2017 5:13 pm

Re: Data Breach Update

Postby HellnoRO » Thu Jan 03, 2019 3:55 pm

Technetium wrote:
HellnoRO wrote:You still haven't addressed the hashing issue.
I assume you're gonna immediately switch to a different algorithm, like bcrypt and not use the old and insecure md5, right?

That, I think, is one of the things they're trying to figure out how to do, since they don't have the plaintext passwords available to convert.


How is it hard to convert? There're multiple approaches as well.
First would be to simply rehash it and replace it when the user logs in. It wouldn't protect the users who don't login, but there's another approach that I personally find good.
Switch to the new algorithm and don't allow anyone to login until they have changed their password. This should pretty much be the best solution.
HellnoRO
Jester
Posts: 17
Joined: Wed Apr 27, 2016 3:51 am

Re: Data Breach Update

Postby PredictedCyborg » Thu Jan 03, 2019 4:18 pm

HellnoRO wrote:
Technetium wrote:
HellnoRO wrote:You still haven't addressed the hashing issue.
I assume you're gonna immediately switch to a different algorithm, like bcrypt and not use the old and insecure md5, right?

That, I think, is one of the things they're trying to figure out how to do, since they don't have the plaintext passwords available to convert.


How is it hard to convert? There're multiple approaches as well.
First would be to simply rehash it and replace it when the user logs in. It wouldn't protect the users who don't login, but there's another approach that I personally find good.
Switch to the new algorithm and don't allow anyone to login until they have changed their password. This should pretty much be the best solution.


I think they're weighing up options right now, pros and cons.
As you say, the rehashing and replace would be a good method - but for the accounts that are abandoned and not logged into, it's not gonna work. As a F2P game there's probably many, many abandoned accounts that could then be occupied by malicious forces and cause an even bigger headache down the road.

They will probably go with this method but I'd like to think they might be trying to find out if there is another solution that would nip in the bud the potential down-the-line issue of necro'd accounts going rogue. >.<;
Do my best to make games a nicer place!
PredictedCyborg
Jester
Posts: 10
Joined: Thu Jan 12, 2017 5:33 pm

Re: Data Breach Update

Postby shapesifter13 » Thu Jan 03, 2019 5:12 pm

Going to try to shotgun answer a few things I saw asked.

Steam and Facebook users did have their GAME INFORMATION compromised. Your Steam and Facebook information is safe, but you should change your Town of Salem password, and any password that is the same.

If you use this link it will send your username and a password reset with it. If you remember your password just don't activate the new password and it won't change: https://www.blankmediagames.com/phpbb/u ... ndpassword

Your username will be in the greeting line of the email.

If you want to change your password you can follow the instructions in this link: https://www.blankmediagames.com/phpbb/v ... 38&t=13987

If one of these links does not work because your account is not activated, then you can request another confirmation/activation email via this form: https://www.blankmediagames.com/phpbb/u ... resend_act

We are discussing how best to change the hashing algorithm currently. We are also discussing what security firm to hire to audit our code and make sure there are no backdoors left. We are also working to resolve a DDOS attack that recently took place.

Hopefully I answered everything, if not ask it again, and I will try to get back to you. We are doing everything we can to make sure things are secured, we improve what security measures can be improved, and we make sure that everyone is as safe as they can be.
shapesifter13
Developer
Posts: 4681
Joined: Fri Jan 02, 2015 4:55 pm

Re: Data Breach Update

Postby Chemist1422 » Thu Jan 03, 2019 5:13 pm

Also the game isn’t really shutting down, that’s a hoax
mist ~ she/her

i guess this is goodbye?
(still here for danganronpa i guess)


stop sending reports to me i'm not a tos game moderator
Chemist1422
FM Game Moderator
Posts: 1026
Joined: Tue Mar 20, 2018 5:39 pm
Location: on the beach at dusk (CST/CDT)

Re: Data Breach Update

Postby TurdPile » Thu Jan 03, 2019 5:14 pm

Stu34666 wrote:see my post above viewtopic.php?f=11&t=95412&start=25#p3053855

It's easy to quickly upgrade the password hashes. What's difficult is making the forum and game aware of how to deal with the new hash/algo.

But, you don't want to keep any of the current passwords anyway - assume they are now known/compromised


It isn't hard. But it definitely isn't "quick". You have 8 million users under a DB column that came with the forum software to support md5. Looking at my local copy of this version of phpbb, it supports 40 characters. This means before you can even rehash, you have to redefine the table schema to make that column large enough to support the new hash in the first place. This means on the back-end (IO subsystem), the database would need to move, re-organize, add new leaves, etc. to accomplish this. And that is a very, very expensive operation in terms of IO when there's this much existing data. The downtime for forum AND game during this would be many, many hours.

But of course as a DBA, I have to make a disclaimer to say it would be much quicker to create an empty table with the new schema and import into that one the current user data and flip the table names when it's done. But that introduces its own set of problems.

Hence options are being discussed.
I have mostly rescinded my role as Admin.

All previous contact should instead be redirected to Flavorable.

If your inquiry doesn't directly have to do with Trial 2.0 or TrialBot, then please refrain from messaging.

Thank you.
TurdPile
Vampire
Posts: 8900
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts
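HellnoRO's two migration options (rehash on a successful login, or refuse legacy hashes until the password is reset) and TurdPile's point that a modern hash no longer fits the 40-character phpBB column, as an added example that is not code from this thread, from phpBB or from BMG. It assumes a constructed in-memory user table, uses the standard library's scrypt in place of bcrypt, and the names `login`, `reset_password`, `unmigrated_accounts` and `fits_legacy_column` are my own.

```python
import hashlib
import hmac
import os

# Constructed sample records (not the real table): phpBB-era rows hold a bare
# 32-hex-character md5 digest, which is why a 40-character column sufficed.
USERS = {
    "alice": {"hash": hashlib.md5(b"correct horse").hexdigest(), "scheme": "md5"},
    "bob": {"hash": hashlib.md5(b"hunter2").hexdigest(), "scheme": "md5"},
}
LEGACY_COLUMN_WIDTH = 40  # the width TurdPile reports for this phpBB version


def new_hash(password: str, salt: bytes = b"") -> str:
    """scrypt (stdlib) stands in for bcrypt; salt and parameters travel with the hash."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"$scrypt$16384$8$1${salt.hex()}${key.hex()}"


def verify_new(password: str, stored: str) -> bool:
    _, _, n, r, p, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


def verify_legacy(password: str, stored: str) -> bool:
    # Unsalted md5 is what the breached rows used; still compare in constant time.
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)


def login(username: str, password: str, force_reset: bool = False) -> str:
    """Returns 'ok', 'upgraded', 'reset_required' or 'denied'."""
    rec = USERS.get(username)
    if rec is None:
        return "denied"
    if rec["scheme"] == "md5":
        if force_reset:  # option 2: nobody logs in on a legacy hash
            return "reset_required"
        if not verify_legacy(password, rec["hash"]):
            return "denied"
        rec["hash"], rec["scheme"] = new_hash(password), "scrypt"  # option 1
        return "upgraded"
    return "ok" if verify_new(password, rec["hash"]) else "denied"


def reset_password(username: str, new_password: str) -> None:
    """Called after an out-of-band reset (e-mail token); only the new scheme is stored."""
    USERS[username] = {"hash": new_hash(new_password), "scheme": "scrypt"}


def unmigrated_accounts() -> list:
    """Legacy rows option 1 leaves behind: the abandoned accounts the thread worries about."""
    return sorted(u for u, r in USERS.items() if r["scheme"] == "md5")


def fits_legacy_column(stored: str) -> bool:
    """False for every scrypt string, which is why the schema must change first."""
    return len(stored) <= LEGACY_COLUMN_WIDTH
```

Running `login` with `force_reset=True` for every account is the second option; leaving it `False` migrates accounts one login at a time and `unmigrated_accounts()` lists whatever never came back.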

Re: Data Breach Update

Postby Bodhrak » Thu Jan 03, 2019 5:14 pm

99Pineapples wrote:
xXWeaponPrimeXx wrote:Maybe I'm just horrifically incompetent but I can't find where to change my password. Can someone tell me where to click/look?
Someone please help! I've looked for probably 20-25 minutes and can't find anywhere to change my password from the string of numbers and letters the e-mail password reset gave me.

To the top left of every page there's the User Control Panel; from there go to Profile and finally Edit account settings,
or https://www.blankmediagames.com/phpbb/ucp.php?i=profile&mode=reg_details
You can call me Bod.
No, that's not my real name. Thanks for asking.
Bodhrak
Witch
Posts: 58
Joined: Fri Nov 04, 2016 8:26 am

Re: Data Breach Update

Postby TurdPile » Thu Jan 03, 2019 5:15 pm

SukhKnight wrote:How do I request for my data to be completely wiped under GDPR regulations?


Refer to viewtopic.php?f=38&t=38940 and be sure to mention your EU citizenship / GDPR purview.
I have mostly rescinded my role as Admin.

All previous contact should instead be redirected to Flavorable.

If your inquiry doesn't directly have to do with Trial 2.0 or TrialBot, then please refrain from messaging.

Thank you.
TurdPile
Vampire
Posts: 8900
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts

Re: Data Breach Update

Postby shapesifter13 » Thu Jan 03, 2019 5:21 pm

And be aware there is a large influx of emails, so we are doing what we can to process them, but it will still take time. I will be working through the weekend to make sure that I can get as many done as possible.
shapesifter13
Developer
Posts: 4681
Joined: Fri Jan 02, 2015 4:55 pm

Re: Data Breach Update

Postby Bodhrak » Thu Jan 03, 2019 5:22 pm

InfantaIsabel wrote:The "DDOS" attack was the result of sending out millions of emails to millions of users. You DDOS'ed yourselves.

No, the DDoS was yesterday, before any emails were sent. This was the last record of the forum:
Most users ever online was 9984 on Wed Jan 02, 2019 9:39 pm

After that the server went offline. Then DDoS protection from Cloudflare kicked in.
You can call me Bod.
No, that's not my real name. Thanks for asking.
Bodhrak
Witch
Posts: 58
Joined: Fri Nov 04, 2016 8:26 am

Re: Data Breach Update

Postby Varanus » Thu Jan 03, 2019 5:23 pm

shapesifter13 wrote:And be aware there is a large influx of emails, so we are doing what we can to process them, but it will still take time. I will be working through the weekend to make sure that I can get as many done as possible.

Best of luck to you

Now would probably be a good time to consider finding a way to allow users to delete their own accounts without you having to manually do it
You were expecting a decent signature...

BUT IT WAS ME! DIO!
Varanus
FM Lead Moderator
Posts: 698
Joined: Fri Mar 06, 2015 10:08 am
Location: Lurking

Re: Data Breach Update

Postby DalekRaptor » Thu Jan 03, 2019 5:50 pm

Hey, I haven't been on this game for like the longest time but like, thanks for the email though.
DalekRaptor
Jester
Posts: 19
Joined: Wed Mar 04, 2015 9:55 am

Re: Data Breach Update

Postby Blood0kishin » Thu Jan 03, 2019 5:58 pm

Okay, so slight issue with this whole breach. I have no idea what my password was at the time of the breach (I’m fairly sure it was not anything that matched another account) so will there be a further in depth email sent out later detailing the exact information the hackers got? At this point I can only guess and it's been so long since I have used this account I don’t remember what information was on here or how to do a quick overview of the account in detail. Any help would be greatly appreciated!
Blood0kishin
Newbie
Posts: 3
Joined: Sat Mar 19, 2016 12:17 am

Re: Data Breach Update

Postby LevinSnakesRise » Thu Jan 03, 2019 6:01 pm

Blood0kishin wrote:Okay, so slight issue with this whole breach. I have no idea what my password was at the time of the breach (I’m fairly sure it was not anything that matched another account) so will there be a further in depth email sent out later detailing the exact information the hackers got? At this point I can only guess and it's been so long since I have used this account I don’t remember what information was on here or how to do a quick overview of the account in detail. Any help would be greatly appreciated!

The information has already been provided.
Please contact BMG with any questions regarding your account issues;
support@blankmediagames.zendesk.com

Thanks.
LevinSnakesRise
Site Admin
Posts: 16789
Joined: Thu Aug 07, 2014 9:45 pm
Location: USA

Re: Data Breach Update

Postby TheLoneWolfNZL » Thu Jan 03, 2019 6:06 pm

On the topic of Security you might want to fix your forums so it defaults to HTTPS instead of HTTP...
TheLoneWolfNZL
Newbie
Posts: 1
Joined: Tue May 24, 2016 12:08 am

Re: Data Breach Update

Postby Ypsilon » Thu Jan 03, 2019 6:13 pm

I changed my password, and now I can't log into the game. Logging into the forum works fine, but the game login screen says "Your username or password is invalid".
Ypsilon
Donor
Posts: 4
Joined: Wed Jul 02, 2014 10:34 am

Re: Data Breach Update

Postby TurdPile » Thu Jan 03, 2019 6:18 pm

Ypsilon wrote:I changed my password, and now I can't log into the game. Logging into the forum works fine, but the game login screen says "Your username or password is invalid".


I checked and your details are identical. Please make sure you are using the right username for both.
I have mostly rescinded my role as Admin.

All previous contact should instead be redirected to Flavorable.

If your inquiry doesn't directly have to do with Trial 2.0 or TrialBot, then please refrain from messaging.

Thank you.
TurdPile
Vampire
Posts: 8900
Joined: Tue Feb 11, 2014 10:25 am
Location: Massachusetts
