Possible data breach

Announcements made here about the game and the company.

Postby Achilles » Wed Jan 02, 2019 2:01 am

Hey everyone,

The BMG staff is just coming back from Christmas/New Year's vacation and we were informed that there may have been a breach of our database. I am currently in contact with Rackspace to figure out what happened and prevent it from happening again. You should update your Town of Salem passwords to be safe.

Important Notes:
We don't store any credit card or payment info. At all.
All passwords were hashed and not plain text. This means they do not know what your password is unless they run a program to attempt to guess it against the hashed password. Any reasonably strong password will take a very long time to be guessed.
Your accounts should all be safe still if they used the same password, but you can change that as well if you are worried.

The only important data compromised would be your Username/hashed password, IP and email. Everything else is just game related data.

Sorry that this happened, no game creator ever wants to be in this situation and having it happen over the holiday break when everyone was away was terrible timing.

Update: To clarify, we do not handle money. At all. The third party payment processors are the ones that handle all of that. We never see your credit card, payment information, anything like that. We don't have access to that information.

Re: Possible data breach

Postby Technetium » Wed Jan 02, 2019 2:11 am

What does it mean for a password to be hashed, exactly?

Re: Possible data breach

Postby FrankLeeAwful » Wed Jan 02, 2019 2:13 am

Technetium wrote:What does it mean for a password to be hashed, exactly?


It means that the number of characters is visible, but not the characters themselves.

Re: Possible data breach

Postby williewest » Wed Jan 02, 2019 2:17 am

Technetium wrote:What does it mean for a password to be hashed, exactly?

https://docs.oracle.com/cd/E26180_01/Pl ... ing01.html

It turns your password into gobbledegook once created. You attempt to log in, type in your password, and it turns the attempt into gobbledegook and compares it to what it has on file to make sure it's accurate.

Re: Possible data breach

Postby 4DEATH » Wed Jan 02, 2019 2:19 am

What is your average work/life balance like? I read more about your vacations than I read about you guys working on the game.

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:29 am

4DEATH wrote:What is your average work/life balance like? I read more about your vacations than i read about you guys working on game.


Everyone on the team works more than 40-hour weeks and it is customary for every US company to give salaried employees the week after Christmas off. We rarely take time off, so that's a pretty insulting thing to imply.

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:31 am

Technetium wrote:What does it mean for a password to be hashed, exactly?


Passwords are stored as a long string of letters/numbers that can't be computed without knowing the original plain text password. If someone has your hashed password they could still log in to your ToS account if they know how to mimic our login networking message though, so you should change your ToS password to be safe.

Re: Possible data breach

Postby Shyyster » Wed Jan 02, 2019 2:35 am

So why didn't BMG hear about this data breach from an in-house source before the Reddit post was made on this topic?

Re: Possible data breach

Postby Technetium » Wed Jan 02, 2019 2:36 am

Is the breach fixed? I figure since I have a smaller number of passwords than things I use passwords for, I should wait until it is fixed before changing the password (though I'm changing other passwords that were the same as the one here).

Re: Possible data breach

Postby PotheadPrincess » Wed Jan 02, 2019 2:37 am

Could you perhaps update your password security? 6 characters is easy for hackers to bypass. Update it to 8 characters or more, with special characters and numbers.

Re: Possible data breach

Postby Nopingout » Wed Jan 02, 2019 2:38 am

PotheadPrincess wrote:Could you perhaps update your password security? 6 characters is easy for hackers to bypass. Update it to 8 characters or more, with special characters and numbers

but that is the password security rn??

Re: Possible data breach

Postby TheGarner » Wed Jan 02, 2019 2:39 am

Any way to delete an account? Haven't used this for years and only remembered it due to the news of the breach.

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:39 am

Shyyster wrote:So why didn't BMG hear about this data breach from an in-house source before the Reddit post was made on this topic?


There were some emails from dehashed in our spam folder that were missed and emails weren't actively being checked over the break. Apparently the website posted this stuff now and some people have registered for notifications from this website and then started posting on reddit.

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:41 am

Technetium wrote:Is the breach fixed? I figure since I have a smaller number of passwords than things I use passwords for, I should wait until it is fixed before changing the password (though I'm changing other passwords that were the same as the one here).


We have Rackspace looking into it and have reached out to dehashed for more info. We will let you know when we figure out what happened.

Re: Possible data breach

Postby williewest » Wed Jan 02, 2019 2:42 am

Shyyster wrote:So why didn't BMG hear about this data breach from an in-house source before the Reddit post was made on this topic?

In-house source? There's like, 7 of them. That's few enough that they all could've been off enjoying their holidays without really checking into their missed calls and emails too intently. I doubt there's a little IT gremlin named Steve who just dwells in the office basement over Holiday break and monitors the intake of contacts.

Re: Possible data breach

Postby PotheadPrincess » Wed Jan 02, 2019 2:42 am

Nopingout wrote:
PotheadPrincess wrote:Could you perhaps update your password security? 6 characters is easy for hackers to bypass. Update it to 8 characters or more, with special characters and numbers

but that is the password security rn??

Oh they changed it, nvm lmao

Re: Possible data breach

Postby Technetium » Wed Jan 02, 2019 2:43 am

actually, I figure I might go ahead and change it once now and change it a second time (to what I'll keep as the new password longer-term) when the breach is known to be dealt with.

Re: Possible data breach

Postby kristian818 » Wed Jan 02, 2019 2:46 am

How come dehashed and Have I Been Pwned state they have known about this since 28th December, yet you write about it now, 5 days later?
https://blog.dehashed.com/town-of-salem ... es-hacked/
They even state they made contact by phone and email, yet no statement just because it is vacation?
There should always be a person with focus on security available for contact during vacations in case something like this happens so customers get to know it ASAP and not 5 days after a breach...

If you thought you could just cover it up then that is even worse.

Why are you using MD5 hashing, according to dehashed and Have I Been Pwned?
MD5 can easily be cracked. Even various tech institutes consider MD5 essentially "cryptographically broken and unsuitable for further use".

It can't be true that a large company like this with 7.6M registered accounts and some paying customers can't handle security correctly and in good time when something happens.
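The login flow williewest describes (hash the attempt, compare it with what is on file) and the MD5 weakness kristian818 raises, shown together in one constructed Python example. This is not BMG's code and nothing here is the game's own login logic; the usernames, passwords and the record layout are made up, and PBKDF2-HMAC-SHA256 stands in as the salted, deliberately slow replacement for an unsalted MD5 store.

```python
import hashlib
import hmac
import os

# Constructed example, not Town of Salem / BMG code. Records live in a dict
# keyed by username; the "scheme" tag distinguishes the weak legacy md5
# record (fast, unsalted: one guess checks every account at once) from a
# salted PBKDF2 record, and lets the legacy one be upgraded at next login.

PBKDF2_ITERATIONS = 200_000  # work factor: a deliberate cost per guess


def hash_password(password: str) -> dict:
    """Return a salted PBKDF2-HMAC-SHA256 record for a new or rehashed password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "hash": digest.hex(),
            "iterations": PBKDF2_ITERATIONS}


def legacy_md5_record(password: str) -> dict:
    """Constructed stand-in for an old unsalted MD5 record (the weak scheme)."""
    return {"scheme": "md5", "hash": hashlib.md5(password.encode()).hexdigest()}


def verify_password(record: dict, attempt: str) -> bool:
    """Hash the login attempt the same way and compare in constant time."""
    if record["scheme"] == "pbkdf2":
        digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                     bytes.fromhex(record["salt"]), record["iterations"])
        return hmac.compare_digest(digest.hex(), record["hash"])
    if record["scheme"] == "md5":
        return hmac.compare_digest(hashlib.md5(attempt.encode()).hexdigest(), record["hash"])
    return False


def login(users: dict, username: str, attempt: str) -> bool:
    """Verify the attempt; on success, rehash a legacy md5 record with the new scheme."""
    record = users.get(username)
    if record is None or not verify_password(record, attempt):
        return False
    if record["scheme"] == "md5":
        users[username] = hash_password(attempt)  # plaintext is known only at login
    return True


def demo() -> dict:
    users = {"alice": hash_password("correct horse battery"),
             "bob": legacy_md5_record("hunter22")}
    out = {"alice_ok": login(users, "alice", "correct horse battery"),
           "alice_wrong": login(users, "alice", "Correct horse battery"),
           "bob_ok": login(users, "bob", "hunter22")}
    out["bob_upgraded"] = users["bob"]["scheme"] == "pbkdf2"
    # Same password hashed twice gives different records thanks to the per-user
    # salt, so shared passwords are not visible and no single table fits all.
    out["salts_differ"] = hash_password("x")["hash"] != hash_password("x")["hash"]
    return out
```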

Re: Possible data breach

Postby PotheadPrincess » Wed Jan 02, 2019 2:47 am

kristian818 wrote:How come dehashed and Have I Been Pwned state they have known about this since 28th December, yet you write about it now, 5 days later?
https://blog.dehashed.com/town-of-salem ... es-hacked/
They even state they made contact by phone and email, yet no statement just because it is vacation?
There should always be a person with focus on security available for contact during vacations in case something like this happens so customers get to know it ASAP and not 5 days after a breach...

If you thought you could just cover it up then that is even worse.

Why are you using MD5 hashing, according to dehashed and Have I Been Pwned?
MD5 can easily be cracked. Even various tech institutes consider MD5 essentially "cryptographically broken and unsuitable for further use".

It can't be true that a large company like this with 7.6M registered accounts and some paying customers can't handle security correctly and in good time when something happens.

The more security, the more money it will cost them.

Re: Possible data breach

Postby MysticMismagius » Wed Jan 02, 2019 2:50 am

kristian818 wrote:How come dehashed and Have I Been Pwned state they have known about this since 28th December, yet you write about it now, 5 days later?
https://blog.dehashed.com/town-of-salem ... es-hacked/
They even state they made contact by phone and email, yet no statement just because it is vacation?
There should always be a person with focus on security available for contact during vacations in case something like this happens so customers get to know it ASAP and not 5 days after a breach...

If you thought you could just cover it up then that is even worse.

Why are you using MD5 hashing, according to dehashed and Have I Been Pwned?
MD5 can easily be cracked. Even various tech institutes consider MD5 essentially "cryptographically broken and unsuitable for further use".

It can't be true that a large company like this with 7.6M registered accounts and some paying customers can't handle security correctly and in good time when something happens.
While this is far from an official statement, one of the several Reddit posts on the subject contains a discussion about why BMG may have kept quiet about this. PyroEagle and Turdpile suggested that if BMG were to speak up about the breach, it could entice other potential hackers to breach the system again and again, since they have been told it is vulnerable.

Source: https://www.reddit.com/r/TownofSalemgam ... reach_you/

From a user perspective I disagree with this line of logic: As TP mentioned, if a breached company says something and the system gets breached repeatedly, you have to keep changing your passwords, and your data is vulnerable until the system gets patched. But, if no one says anything about the breach, the users don’t know about their data being compromised, thus, your data is vulnerable until the system is patched anyways. Literally nothing changes as far as the security of the users’ data.

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:52 am

kristian818 wrote:large company


Our staff is myself, pyro, shapesifter (community manager), docexer and blueheatwave (Artist).

I'm sorry that this all happened and wasn't responded to quickly enough, but people were on vacation spending time with their families (and his emails went to our spam filter). We aren't a large company, we are an indie company. Yeah, we have a lot of registered users, but it was a F2P game and millions of those accounts played a few games and never came back.

Re: Possible data breach

Postby Shyyster » Wed Jan 02, 2019 2:52 am

williewest wrote:
Shyyster wrote:So why didn't BMG hear about this data breach from an in-house source before the Reddit post was made on this topic?

In-house source? There's like, 7 of them. That's few enough that they all could've been off enjoying their holidays without really checking into their missed calls and emails too intently. I doubt there's a little IT gremlin named Steve who just dwells in the office basement over Holiday break and monitors the intake of contacts.


Customers' data possibly being breached should be a top priority issue where the Devs should have a system in place for emails/calls, even if it's 10+ missed calls from X person. At some point the excuse "It's a small team" needs to stop being a defense for BMG screwing up, and this is that point.

Re: Possible data breach

Postby Sting » Wed Jan 02, 2019 2:55 am

Everything else is just game related data.


Could you please elaborate on this for clarity? On some 0-Day websites I've seen them reference this as browser data, what exactly was stored here?

Re: Possible data breach

Postby kristian818 » Wed Jan 02, 2019 2:56 am

Achilles wrote:
kristian818 wrote:large company


Our staff is myself, pyro, shapesifter (community manager), docexer and blueheatwave (Artist).

I'm sorry that this all happened and wasn't responded to quickly enough, but people were on vacation spending time with their families (and his emails went to our spam filter). We aren't a large company, we are an indie company. Yeah, we have a lot of registered users, but it was a F2P game and millions of those accounts played a few games and never came back.


Even though they are F2P accounts it is still a goldmine, since many humans reuse passwords. I meant a large company in this way, large in value, not as the team itself. Even a small team should focus on security when handling values this large.

Re: Possible data breach

Postby Achilles » Wed Jan 02, 2019 2:57 am

Sting wrote:
Everything else is just game related data.


Could you please elaborate on this for clarity? On some 0-Day websites I've seen them reference this as browser analytics data, what exactly was stored here?


It seems like they got our phpbb database, so the analytic data stored in there such as what browser you logged in on.
