Town of Salem Game Forums

[Achilles]

We are in the process of finishing a contract with a professional security firm to audit our servers and guarantee we are safe. After that has been conducted we will be making some sweeping changes to force a password reset on all accounts as well as change our hashing algorithm to be something more secure. Were hoping to do all of this in one pass to make it as convenient as possible for our users. We have also added 2FA to admin accounts on PHPBB as a temporary measure and will be looking to migrate to a newer forum technology as a long term solution.

We are also in the process of forcing everything on the website to go through https.

Addition by TurdPile: Forums have been toggled to prefer HTTPS. Users may experience weirdness trying to log into the forums if they are not using HTTPS. (https:// in the URL). This will persist until everything is done being forced to HTTPS. If you are having this issue, just add the s to "http" to the URL.

[Chemist1422]

Will people who changed their passwords after the announcement have to change it again?

[Achilles]

Will people who changed their passwords after the announcement have to change it again?

Most likely yes. The only way to be sure an account wasn't compromised will be to force a password reset through the registered email to the account. I realize some users may have used a fake email or lost their registered email to their accounts but we don't believe there is any other way to insure the integrity of accounts after the breach. Our community manager will respond to emails and help anyone he can that has proof of their account (valid receipts or Steam link proof for example). If an account has never made any kind of purchase and doesn't have a valid email registered to the account it will end up lost unfortunately but there isn't much else we can do about the scenario. Users should start making sure their account has a valid registered email. They should be able to update their email through the forums.

[Technetium]

So, the setup is, in order to perform a password reset when this happens, it will be via an email sent to the address associated with the account? Do I have that right?

[Phone0Ix]

Will people who changed their passwords after the announcement have to change it again?

Most likely yes. The only way to be sure an account wasn't compromised will be to force a password reset through the registered email to the account. I realize some users may have used a fake email or lost their registered email to their accounts but we don't believe there is any other way to insure the integrity of accounts after the breach. Our community manager will respond to emails and help anyone he can that has proof of their account (valid receipts or Steam link proof for example). If an account has never made any kind of purchase and doesn't have a valid email registered to the account it will end up lost unfortunately but there isn't much else we can do about the scenario. Users should start making sure their account has a valid registered email. They should be able to update their email through the forums.

A friend of mine wasn't able to log in to the forums because account was inactive while he got Coven and stuff. Is it possible the email ended up being non valid after being valid for a while?

[Achilles]

So, the setup is, in order to perform a password reset when this happens, it will be via an email sent to the address associated with the account? Do I have that right?

Correct. There will be a random unique string generated in the email that will be used to verify legitimate email access upon the link redirect. Very similar to how email verification works.

[Achilles]

Will people who changed their passwords after the announcement have to change it again?

Most likely yes. The only way to be sure an account wasn't compromised will be to force a password reset through the registered email to the account. I realize some users may have used a fake email or lost their registered email to their accounts but we don't believe there is any other way to insure the integrity of accounts after the breach. Our community manager will respond to emails and help anyone he can that has proof of their account (valid receipts or Steam link proof for example). If an account has never made any kind of purchase and doesn't have a valid email registered to the account it will end up lost unfortunately but there isn't much else we can do about the scenario. Users should start making sure their account has a valid registered email. They should be able to update their email through the forums.

A friend of mine wasn't able to log in to the forums because account was inactive while he got Coven and stuff. Is it possible the email ended up being non valid after being valid for a while?

Due to a bug a long time ago in the past there are some accounts that have no registered email. We are hoping to work on specialty code to handle these accounts and help them get a valid email setup. They can email us ahead of time to get help setting one up as well, but response time may take a while. As you could imagine we are getting a lot of emails requesting account deletion and other information about what happened so emails are backed up.

[Phone0Ix]

Will people who changed their passwords after the announcement have to change it again?

Most likely yes. The only way to be sure an account wasn't compromised will be to force a password reset through the registered email to the account. I realize some users may have used a fake email or lost their registered email to their accounts but we don't believe there is any other way to insure the integrity of accounts after the breach. Our community manager will respond to emails and help anyone he can that has proof of their account (valid receipts or Steam link proof for example). If an account has never made any kind of purchase and doesn't have a valid email registered to the account it will end up lost unfortunately but there isn't much else we can do about the scenario. Users should start making sure their account has a valid registered email. They should be able to update their email through the forums.

A friend of mine wasn't able to log in to the forums because account was inactive while he got Coven and stuff. Is it possible the email ended up being non valid after being valid for a while?

Due to a bug a long time ago in the past there are some accounts that have no registered email. We are hoping to work on specialty code to handle these accounts and help them get a valid email setup. They can email us ahead of time to get help setting one up as well, but response time may take a while. As you could imagine we are getting a lot of emails requesting account deletion and other information about what happened so emails are backed up.

Ok, but while it be handled before the password clearings?

[YFYDB]

I am so glad that we will be safe ^^
Okey so. I have normal not fake e-mail so i will survive it.
EDIT: Btw, Achilles check ur forum dms.

[williewest]

Any possibility in the future of setting up a secure security questions system so people will be able to prove ownership of an account they might have lost access to or has outdated email, lost password, etc.?

[Achilles]

Any possibility in the future of setting up a secure security questions system so people will be able to prove ownership of an account they might have lost access to or has outdated email, lost password, etc.?

Yeah this would be a great add in the future.

[TurdPile]

Any possibility in the future of setting up a secure security questions system so people will be able to prove ownership of an account they might have lost access to or has outdated email, lost password, etc.?

Yeah this would be a great add in the future.

I'm willing to bet Vanilla has this built-in already

[Flavorable]

Any possibility in the future of setting up a secure security questions system so people will be able to prove ownership of an account they might have lost access to or has outdated email, lost password, etc.?

Yeah this would be a great add in the future.

Tiny thing, Josh. If I log in and click on "Return to index page" it logs me back out.
Not sure if it was just bad timing on my part, or if there's some kind of relay issue.

[TurdPile]

Any possibility in the future of setting up a secure security questions system so people will be able to prove ownership of an account they might have lost access to or has outdated email, lost password, etc.?

Yeah this would be a great add in the future.

Tiny thing, Josh. If I log in and click on "Return to index page" it logs me back out.
Not sure if it was just bad timing on my part, or if there's some kind of relay issue.

Read the first post, I made a mention of this

[Flavorable]

Any possibility in the future of setting up a secure security questions system so people will be able to prove ownership of an account they might have lost access to or has outdated email, lost password, etc.?

Yeah this would be a great add in the future.

Tiny thing, Josh. If I log in and click on "Return to index page" it logs me back out.
Not sure if it was just bad timing on my part, or if there's some kind of relay issue.

Read the first post, I made a mention of this

Awesome. That wasn't there yet when I posted. Thanks.

[FrankLeeAwful]

Force-logged on another tab, I would assume this is the reason.

Good to see that steps are being taken.

[FrankLeeAwful]

TrialBot still defaults to http; is this something that is planned to change?

[ICECLIMBERS]

will be looking to migrate to a newer forum technology as a long term solution.

does this mean a NEW forum or will this be transferred over

either way you're going to make people unhappy ¯\_(ツ)_/¯

[Chemist1422]

Oh yeah

If the forums move to a new software will the threads from the old one be kept?

[NekroG]

so i cant login via steam anymore how do I reconnect the account to steam?

[Technetium]

Was the password reset forcing just done?

[TurdPile]

so i cant login via steam anymore how do I reconnect the account to steam?

If you are getting the disconnected message, you need to hit the clear password button below the steam login button.

[Technetium]

I had tried to view the forums on phone, and after logging in and it saying "logged in successfully" it took me right back to the login screen as if I wasn't. So I changed the password through the link in an email I had received...which must have been the original mass email.

[Malfoydragon]

Has the malware, the hackers, and all traces of the hackers been removed?

[ChubbyMooshroom9]

Will people who changed their passwords after the announcement have to change it again?

Most likely yes. The only way to be sure an account wasn't compromised will be to force a password reset through the registered email to the account. I realize some users may have used a fake email or lost their registered email to their accounts but we don't believe there is any other way to insure the integrity of accounts after the breach. Our community manager will respond to emails and help anyone he can that has proof of their account (valid receipts or Steam link proof for example). If an account has never made any kind of purchase and doesn't have a valid email registered to the account it will end up lost unfortunately but there isn't much else we can do about the scenario. Users should start making sure their account has a valid registered email. They should be able to update their email through the forums.

Given game went to P2P and some people don’t pay for anything this is probably a bad idea.