Town of Salem Game Forums

[InsidiousRex]

Dear Blank Media Games,

I'm contacting you regarding a breach on my account between the hours of 10 pm EST on January 1st, 2020 and 2 pm EST on January 2nd, 2020. It has been brought to my attention that my account was compromised in the December 28th, 2018 breach that was reported last year. However, I have records of a password change that I requested and completed in June, 2019.

The result of this breach dropped me from approximately 3032 to 632 ELO, or roughly 2400 ELO, by queueing and immediately leaving games. Using your punitive system, to drain my account of 15 ELO per match, it would require 160 consecutive abandoned matches to reach that number, for which it would require 8 hours if the attacker queued every 3 minutes. I believe it was the intent of the bad actor to sabotage my account or to sabotage random accounts still accessible from the 2018 breach, but I cannot determine how either is possible without additional metadata on who tried to access my account, from where, and how many failed attempts were made to do so.

Whether this was a brute force attack, a new breach, or something else entirely remains to be seen, but I sincerely hope we can discuss this matter as well as changes that could prevent further sabotage in the future.

Sincerely,
Rex

(Edit: I replaced this post with the email I sent to the developers after the fact. Hopefully it is more productive than my initial reaction.)

[ColbyBryant]

People who changed their passwords have gotten hit. BMG at it again with tight security on user information.

[InsidiousRex]

People who changed their passwords have gotten hit. BMG at it again with tight security on user information.

This appears to be the case. I assumed my account password differed from my forum password because I had no other explanation for why my account was still vulnerable.

In light of my recent password change, I can affirm that the passwords are shared and that my account was compromised despite my password being changed. This means one of two things is possible:

1) BMG failed to stop a bot from cracking my updated password from June
2) BMG has been breached a second time and hasn't discovered or admitted it yet

[ColbyBryant]

That sucks OP.

Don't worry I hear they are making plans to replace phpbb with a more secure forum such as vanilla and moving to a more secure hashing algorithm. Since we didn't store plaintext passwords we can't easily update everyones hashes to a new algorithm but we are investigating our options.

It doesn't take over a year to do that. BMG still will not secure their user information and Trial judges wont ban accounts reported as breached.

[ColbyBryant]

That sucks OP.

Don't worry I hear they are making plans to replace phpbb with a more secure forum such as vanilla and moving to a more secure hashing algorithm. Since we didn't store plaintext passwords we can't easily update everyones hashes to a new algorithm but we are investigating our options.

It doesn't take over a year to do that. BMG still will not secure their user information and Trial judges wont ban accounts reported as breached.

Did I really need the /s colby?

what is /s

[ColbyBryant]

That sucks OP.

Don't worry I hear they are making plans to replace phpbb with a more secure forum such as vanilla and moving to a more secure hashing algorithm. Since we didn't store plaintext passwords we can't easily update everyones hashes to a new algorithm but we are investigating our options.

It doesn't take over a year to do that. BMG still will not secure their user information and Trial judges wont ban accounts reported as breached.

Did I really need the /s colby?

what is /s

salami

please support my most recent thread

[GeniusWind]

I am shocked at how those evil hackers with their gang tattoo of black panther were able to hack OP's account even though Rex had changed his password back in June 2019 :O

[LevinSnakesRise]

I just want to point out, not to discredit Rex at all because this does suck and this shouldn't have ever happened, but there's no note of a password change on the account for June (or at any point since the breach) as claimed.

From a bystander's point of view, with what I'm given and can see, it just looks like the password was never changed.

I've inquired about this and asked for a Developer to at least make a comment on this thread, but again, this is just from what I can see. Dunno when they'll comment, if they do, but hopefully they can shed some sort of light on this, in additon to the email you sent in Rex.

Cheers.

[InsidiousRex]

I just want to point out, not to discredit Rex at all because this does suck and this shouldn't have ever happened, but there's no note of a password change on the account for June (or at any point since the breach) as claimed.

From a bystander's point of view, with what I'm given and can see, it just looks like the password was never changed.

I've inquired about this and asked for a Developer to at least make a comment on this thread, but again, this is just from what I can see. Dunno when they'll comment, if they do, but hopefully they can shed some sort of light on this, in additon to the email you sent in Rex.

Cheers.

To be clear, are you saying you don't have confirmation of my password change, or I never requested one?

I have a pretty good idea of what I changed my password from and what I changed it to. Insinuating I did not change my password, as Katiya did in trials chat at least six times today, is not funny. Blend even confirmed he told me to change my password in June.

Edit: I also changed my password today, prior to your post. I assume you've omitted that as irrelevant. Regardless, feel free to message me about this on discord.

[lalasex]

you know Naru is really something else when hes trying to have nice talk with Church member

[InsidiousRex]

He didn't insinuate anything. He said they don't have any record of you changing it. Further, the screenshot you have posted only shows proof that you requested to change your password and is not indicative of you actually changing your password.

That either means:
A) You didn't follow through on the link in your screenshot;
B) There was a technical issue that either prevented your password from actually changing; or,
C) There was a technical issue that prevented the password change from being registered in their back-end.

I just want to point out, not to discredit Rex at all because this does suck and this shouldn't have ever happened, but there's no note of a password change on the account for June (or at any point since the breach) as claimed.

I added the bold emphasis. Now I'm going to quote my response out of order to spell it out for you, Hagg1s, since you enjoy interjecting where you don't belong.

Edit: I also changed my password today, prior to your post. I assume you've omitted that as irrelevant. Regardless, feel free to message me about this on discord.

See Naru's quote. If he says there's no note of a password change at all, then his notes are not accurate. I literally changed my password yesterday, just after seeking TurdPile in Trials, hours before his reply, and before this post ever made it to the forums.

To be clear, are you saying you don't have confirmation of my password change, or I never requested one?

I'm way ahead of you on all of your points, pal. Hence, I asked if there was no record at all (for which I clearly have a record), or if there's some note of a request but not a completion.



And now I'm going to be very clear. Stop harassing me for your own amusement. It's tiresome.

[GeniusWind]

I just want to point out, not to discredit Rex at all because this does suck and this shouldn't have ever happened, but there's no note of a password change on the account for June (or at any point since the breach) as claimed.

From a bystander's point of view, with what I'm given and can see, it just looks like the password was never changed.

I've inquired about this and asked for a Developer to at least make a comment on this thread, but again, this is just from what I can see. Dunno when they'll comment, if they do, but hopefully they can shed some sort of light on this, in additon to the email you sent in Rex.

Cheers.

To be clear, are you saying you don't have confirmation of my password change, or I never requested one?

(deleted link)

I have a pretty good idea of what I changed my password from and what I changed it to. Insinuating I did not change my password, as Katiya did in trials chat at least six times today, is not funny. Blend even confirmed he told me to change my password in June.

Edit: I also changed my password today, prior to your post. I assume you've omitted that as irrelevant. Regardless, feel free to message me about this on discord.

He didn't insinuate anything. He said they don't have any record of you changing it. Further, the screenshot you have posted only shows proof that you requested to change your password and is not indicative of you actually changing your password.

That either means:
A) You didn't follow through on the link in your screenshot;
B) There was a technical issue that either prevented your password from actually changing; or,
C) There was a technical issue that prevented the password change from being registered in their back-end.

Stop trolling the good man Rex. I've seen you kept trolling him in trial server. The mods of their server let you troll him for hours. You kept making fun of him for losing his ELO. Typical attitude of looking down on HIGH ELO players there, implying implicit support of bullying poor Rex. :feelsbadman: Click on the link Rex posted of him showing he changed his password back in June 2019. Pathetic troll

[InsidiousRex]

I've inquired about this and asked for a Developer to at least make a comment on this thread, but again, this is just from what I can see. Dunno when they'll comment, if they do, but hopefully they can shed some sort of light on this, in additon to the email you sent in Rex.

Cheers.

I assume you had something to do with today's announcement. Thank you for that.

Not only have accounts been made more secure, but ranked lobbies will no longer feature countless bots auto-leaving, and Town of Salem is better off for it.

[InsidiousRex]

I added the bold emphasis. Now I'm going to quote my response out of order to spell it out for you, Hagg1s, since you enjoy interjecting where you don't belong.

TIL I don't belong on a public forum or in a public discord.

Private messages exist my man. Don't want attention? Use them.

If you want attention, find a girlfriend. Otherwise, stop trying to sound important on a post where I'm trying to raise awareness of these hacks to the developers. This isn't something you have the ability to disagree with, since the only input you have on my post is questioning whether or not I have changed my password, which you have no way of knowing.

Naru can find out. And that's why I'm talking to Naru. Let the adults speak.

[LevinSnakesRise]

My intent wasn't to downplay or make anyone look like a liar, or make them out to be one, nor was I intending on insinuating anything. I was making a statement based off the facts that I can see. I can see your Board Warning from Turdpile on December 23rd. There's no other logs (including password changes) on your account. Now yes Mod Logs were cleared in January by the few accounts who gained Admin privileges, but if you changed it in June, it would have been logged, as we weren't having log issues around that time (that I recall). I also don't see the one for today, to put that out there. Did you just use the first part to generate the random one, or did you also change it to your own personal one? I know that BMG had to fix an issue with the random passwords generated causing issues for login, etc. They fixed it shortly after.

If you say you changed your password, I believe you. However what I can see says you haven't, and I simply wanted to convey that.

None of this condones the handling of this issue of a year now, however, and this should have been settled when it first occurred.

Also may I suggest deleting the screenshot link now that you've provided it? It includes your email and would rather you not get some random emails.

[InsidiousRex]

My intent wasn't to downplay or make anyone look like a liar, or make them out to be one, nor was I intending on insinuating anything. I was making a statement based off the facts that I can see. I can see your Board Warning from Turdpile on December 23rd. There's no other logs (including password changes) on your account. Now yes Mod Logs were cleared in January by the few accounts who gained Admin privileges, but if you changed it in June, it would have been logged, as we weren't having log issues around that time (that I recall). I also don't see the one for today, to put that out there. Did you just use the first part to generate the random one, or did you also change it to your own personal one? I know that BMG had to fix an issue with the random passwords generated causing issues for login, etc. They fixed it shortly after.

If you say you changed your password, I believe you. However what I can see says you haven't, and I simply wanted to convey that.

None of this condones the handling of this issue of a year now, however, and this should have been settled when it first occurred.

I know that wasn't your intent, but it was the intent of several members of the trials discord when I broached this subject there. I know you're being truthful when you say you don't have notes of these password changes, but my most recent password change also confirms that your notes are inaccurate.

In June, I believe I used the "recover account" system at blankmediagames.com sign-in page and changed my password following the confirmation email. It was a password of my choosing.

My most recent password change used a link provided to me in the trials discord, which I can confirm resulted in the same confirmation email, and was changed successfully.

Also may I suggest deleting the screenshot link now that you've provided it? It includes your email and would rather you not get some random emails.

Done. Though I don't have access to delete the link quoted by others. You or another mod will have to do that.

[Daemon213]

Done. Though I don't have access to delete the link quoted by others. You or another mod will have to do that.

You didn't change it, it's right here.

In Rex's defense, numerous people's password change wasn't being recorded (similar appeals).

Latest one : december 2019 - viewtopic.php?f=40&t=105148

Phpbb isn't actually the most secure forum my dudes

[LevinSnakesRise]

Done. Though I don't have access to delete the link quoted by others. You or another mod will have to do that.

You didn't change it, it's right here.

In Rex's defense, numerous people's password change wasn't being recorded (similar appeals).

Latest one : december 2019 - viewtopic.php?f=40&t=105148

Phpbb isn't actually the most accurate software my dudes

That doesn't even relate to the quote you quoted.

He was referring to removing the link to the screenshot that shows his emails. We already discussed the password change.

[Daemon213]

What?

The quote was about password log not being shown.

The appeal was turdpile confirming some logs aren't shown.

Not sure why you are to rolling your eyes at it.

[LevinSnakesRise]

What?

Read my edit. It was related to the link that shows a screenshot that reveals his email, not the password issue. We already discussed that.

EDIT: Because that isn't what the quote was related to at all, my dude.

[Daemon213]

Oh I misunderstood. My bad.

Just saw some logs not being recorded wasn't mentioned so wanted to bring that up.

[InsidiousRex]

Done. Though I don't have access to delete the link quoted by others. You or another mod will have to do that.

You didn't change it, it's right here.

You're right. What I deleted was itself from a quote. I went through that a little too quickly.

[InsidiousRex]

If somebody doesn’t stop this guy from trolling, this forum is going to get a whole lot less pleasant.

There’s absolutely no need for you to keep insinuating I forgot to change my password. I spent yesterday with my girlfriend. I did this in passing. Just shut the fuck up already and mind your own business.

[Transcender]

If somebody doesn’t stop this guy from trolling, this forum is going to get a whole lot less pleasant.

There’s absolutely no need for you to keep insinuating I forgot to change my password. I spent yesterday with my girlfriend. I did this in passing. Just shut the fuck up already and mind your own business.

Is that a threat and what does that have to do with anything what

[Superalex11]

Hagg1s was just trying to help the old man, but he’s a grumpy old man it seems
Dont step on his lawn or he might throw a tantrum

Actually it's exactly this type of language I think Rex is referring to when he says the forums will get less pleasant. And while it seems Hagg1s' reminder was indeed helpful, the passive-aggressiveness in his posts is off-putting at best.