Data Breach Update

Postby Achilles » Wed Jan 02, 2019 6:01 pm

We have found and removed 3 different PHP files from our webserver that allowed the hacker to have a backdoor into the server. Rackspace is also running a malware check on all of our servers. We believe we have stopped their ability to continue gathering data, but we are in the process of contacting security auditing firms and potentially discussing reinstalling all of our servers from scratch just to be 100% sure.

We are in the process of starting to email users but as you can imagine it takes some time to process and send out 8 million emails.

The community and mods have been helping us look into websites that have the data to see what is being done with it. Passwords were stored as a salted MD5 hash and not plaintext, but it appears that these hashes can still be brute-forced to get the plaintext password if it wasn't a very secure password. We have seen passwords as long as 10 characters being cracked.

If your Town of Salem password was the same on any other site you should change your passwords immediately to be safe.

No credit card/payment info or personal identifying information outside of your email/IP was stored.

As long as users who had a shared password update it on other sites they should be safe. Emails are starting to go out soon so that everyone will know about this.

We are making plans to replace phpBB with a more secure forum such as Vanilla and moving to a more secure hashing algorithm. Since we didn't store plaintext passwords we can't easily update everyone's hashes to a new algorithm, but we are investigating our options.

Re: Data Breach Update

Postby Villagerlover » Wed Jan 02, 2019 6:06 pm

Thank y'all so much for taking action when you did.

Re: Data Breach Update

Postby ChocoMousse » Wed Jan 02, 2019 7:49 pm

Hi, I just want to update you regarding the payment information statement.

From some of my sources, it appears that the payment information leaked includes:

Email, Full Names, Billing & Shipping addresses, IP Information, payment amount, and other details. No Credit Card numbers.

Re: Data Breach Update

Postby ObiWanCumnobi » Wed Jan 02, 2019 8:11 pm

ChocoMousse wrote:Hi, I just want to update you regarding the payment information statement.

From some of my sources, it appears that the payment information leaked includes:

Email, Full Names, Billing & Shipping addresses, IP Information, payment amount, and other details. No Credit Card numbers.

Phew, at least my SSN and DNA sequence are safe, for now.

Re: Data Breach Update

Postby ChocoMousse » Wed Jan 02, 2019 8:37 pm

ObiWanCumnobi wrote:
Phew, at least my SSN and DNA sequence are safe, for now.

Equifax July 2017. Cough cough.

Re: Data Breach Update

Postby NateNate60 » Wed Jan 02, 2019 9:01 pm

I don't think it takes very long to send out 8 million emails, especially if they all essentially say the same thing.

A 10 KB message multiplied by eight million is 80 GB. At 100 megabytes per second (800 megabits per second), it'll take 800 seconds to send 80 GB, in theory. If we assume they're sending at 20% of the maximum capacity because of slow-running code or something, then it'll still take only about one hour.

Also, 10 KB is a pretty large email, especially considering the usual payload of the forum emails they send.

Re: Data Breach Update

Postby panapparos » Wed Jan 02, 2019 10:27 pm

I bought the game on Steam but I haven't made any in-game purchases (Town Points, skins etc).

Is my information (Email, Full Names, Billing & Shipping addresses, IP Information, payment amount etc.) included in the hacked data?

Re: Data Breach Update

Postby MysticMismagius » Wed Jan 02, 2019 11:05 pm

NateNate60 wrote:I don't think it takes very long to send out 8 million emails, especially if they all essentially say the same thing.

A 10 KB message multiplied by eight million is 80 GB. At 100 megabytes per second (800 megabits per second), it'll take 800 seconds to send 80 GB, in theory. If we assume they're sending at 20% of the maximum capacity because of slow-running code or something, then it'll still take only about one hour.

Also, 10 KB is a pretty large email, especially considering the usual payload of the forum emails they send.
This doesn't account for the time it will take to write the email (deciding what to say and how to say it, especially since this message is kinda critical) which may add hours or more to the ETA.

Re: Data Breach Update

Postby James2 » Wed Jan 02, 2019 11:10 pm

Dehashed stated that some of the passwords were in phpass and others in MD5. Is this correct or were they all in MD5?

Re: Data Breach Update

Postby James2 » Thu Jan 03, 2019 12:17 am

Also, it's clear from reading the other thread that a lot of people don't know what they're talking about.

While it is true that the idiots running this country have, for some unfathomable reason, given a bunch of foreign countries the power to regulate US businesses, the GDPR only applies to businesses that target EU markets. Unless Turkey joins the EU (which is unlikely for a number of reasons at this point), BMG doesn't have to worry about it.

Of course BMG still needs to promptly notify everyone, but since few (if any) US states consider passwords and email addresses to be protected data, it's unlikely that BMG could face legal ramifications.

Re: Data Breach Update

Postby ylyxa » Thu Jan 03, 2019 3:45 am

Achilles wrote:we can't easily update everyone's hashes to a new algorithm

What about changing the algorithm and then forcing a password reset on every single user? Two birds with one stone right there: you'd move to a more secure algorithm and users would change their passwords, which they should after a security breach.

Re: Data Breach Update

Postby sportakus1 » Thu Jan 03, 2019 4:36 am

>We have seen passwords as long as 10 characters being cracked.

Holy smuck. That is some hard cracking they got in their minds to even get that.

Too bad mine is very long.

Re: Data Breach Update

Postby Villagerlover » Thu Jan 03, 2019 7:21 am

4DEATH wrote:
Achilles wrote:Passwords were stored as a salted MD5 hash and not plaintext, but it appears that these hashes can still be brute-forced to get the plaintext password if it wasn't a very secure password.

In just two clicks I have found some info about MD5.

Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities.

MD5 and SHA-1 are emphatically poor choices for storing passwords.

But you guys used "SALTED MD5" so I spent another click. You know, the internet is full of how MD5 can be brute-forced and such. BUT YOU GUYS USED SALTED MD5 HASH! That must be more secure than MD5, right? You guys wouldn't just plainly use insecure cryptography.

There is, in fact, no such thing as "salted MD5" or "salted SHA-1". MD5 and SHA-1 are well-defined hash functions, which take as input a sequence of bits of (almost) arbitrary length, and output a sequence of bits of fixed length (128 and 160 bits, respectively). There is no salt anywhere in the definitions of MD5 and SHA-1; no password either, for that matter.

I know nothing about coding, hacking or all of that stuff... but the fact that 4DEATH is starting to use memes against Achilles's statements is now starting to worry me. ;u;

Re: Data Breach Update

Postby YFYDB » Thu Jan 03, 2019 8:09 am

4Death, memes make no sense. For me the Pikachu's face is shocked, so when you use that meme I think you're shocked, but I don't think it's actually what you mean.

Dudes, do I have to change my password again?

Re: Data Breach Update

Postby VoidRuler » Thu Jan 03, 2019 8:19 am

I have no idea why MD5 was used, as has been pointed out by many other users. It was already known to be a bad way of storing passwords by the time the game came out. It sucks that there's been so much hurled at the game recently: first the botting thing, then this, and I saw on the other thread about this someone said there might be DDoSing too? But I don't know if there really is DDoSing or if that was just an assumption.

Also, I don't mean to victim blame since it really isn't any of the users' faults, but it's common knowledge by now that people shouldn't be using the same password on multiple accounts (and if it's hard to remember all the different ones, write them down). I recommend everyone use 2-step authentication on their email. As long as you don't have the same password on anything else and your email has 2-step authentication, you should be fine. I mean, even without the 2-step authentication, your email should be fine, but it's just another precaution you can take. Another tip I have for other users is to stay updated on this, or at least start getting in the habit of changing your password for Town of Salem frequently - in case the breachers leak data again.

I'm pretty sure someone's already said this on the last thread about this but there really should be a large warning at the top of the login screen for the game itself, if there isn't one already, for the people who don't check their email a lot.

Re: Data Breach Update

Postby Michael007800 » Thu Jan 03, 2019 9:09 am

VoidRuler wrote:I'm pretty sure someone's already said this on the last thread about this but there really should be a large warning at the top of the login screen for the game itself, if there isn't one already, for the people who don't check their email a lot.

Or never check their spam folder, like some people. ;)

Re: Data Breach Update

Postby James2 » Thu Jan 03, 2019 9:34 am

bkyblyat wrote:James that is completely false, GDPR applies to any business that stores EU citizen data, no matter where the business is residing.


According to Forbes, there needs to be some sort of attempt to target an EU market for a non-EU company (with no physical presence) to be subject to the law.

https://www.forbes.com/sites/forbestech ... 567c726ff2

In any case, BMG is already non-compliant with GDPR on a number of fronts. Hopefully, if it ever came to it, a US court would reject the theory that simply having a web presence makes one a subject of the EU.

Re: Data Breach Update

Postby MysticMismagius » Thu Jan 03, 2019 9:39 am

For those asking why, the simplest explanation I can think of for why BMG continued to use the MD5 hashing is because that’s probably the hashing system that was already in place when they made/last updated the forum, and they just never changed it for some reason. Maybe they thought “we have better shit to do” and so changing the hashing wasn’t a priority to them, maybe they were hoping there wouldn’t be a problem like this, maybe they thought MD5 was good enough, whatever. That kind of thing happens all the time.

Re: Data Breach Update

Postby Flavorable » Thu Jan 03, 2019 10:45 am

TheRetroPionner wrote:Is anybody else having problems? My forum password changed, but my in-game password is the same


Are you using the same username on the forums as you are ingame?

Re: Data Breach Update

Postby Jerme » Thu Jan 03, 2019 11:17 am

TheRetroPionner wrote:Is anybody else having problems? My forum password changed, but my in-game password is the same

This is because you aren't using your ingame account login to the forums. You haven't played a single match with the current account of yours.

Re: Data Breach Update

Postby hope64 » Thu Jan 03, 2019 12:07 pm

4DEATH wrote:But you guys used "SALTED MD5" so I spent another click. You know, the internet is full of how MD5 can be brute-forced and such. BUT YOU GUYS USED SALTED MD5 HASH! That must be more secure than MD5, right? You guys wouldn't just plainly use insecure cryptography.

There is, in fact, no such thing as "salted MD5" or "salted SHA-1". MD5 and SHA-1 are well-defined hash functions, which take as input a sequence of bits of (almost) arbitrary length, and output a sequence of bits of fixed length (128 and 160 bits, respectively). There is no salt anywhere in the definitions of MD5 and SHA-1; no password either, for that matter.

This might be the stupidest thing I’ve ever read, and the fact that you coincidentally cut off the rest of what your source said leads me to believe you said it out of malice rather than ignorance.

For anyone genuinely concerned, what I’m sure the devs mean when they said they salted your passwords is that they add a random string of characters somewhere in your password every time it’s entered and then hash that modified version.

For example, password might turn into pass7$&@-word and then be hashed. You can find MD5’s algorithm online and enter that into it to see what it turns into from there.

But this won’t save you if you have a weak password because it’s always in the same spot for everyone and it’s always the same random characters. So if whoever breached the data knows the token, your password will be cracked in the same amount of time as it would be if there was no salt.

And this doesn’t excuse using such a mediocre hashing algorithm and failing to secure the data in the first place.

Re: Data Breach Update

Postby HellnoRO » Thu Jan 03, 2019 2:06 pm

You still haven't addressed the hashing issue.
I assume you're gonna immediately switch to a different algorithm, like bcrypt, and not use the old and insecure MD5, right?

Re: Data Breach Update

Postby HellnoRO » Thu Jan 03, 2019 2:08 pm

hope64 wrote:
4DEATH wrote:But you guys used "SALTED MD5" so I spent another click. You know, the internet is full of how MD5 can be brute-forced and such. BUT YOU GUYS USED SALTED MD5 HASH! That must be more secure than MD5, right? You guys wouldn't just plainly use insecure cryptography.

There is, in fact, no such thing as "salted MD5" or "salted SHA-1". MD5 and SHA-1 are well-defined hash functions, which take as input a sequence of bits of (almost) arbitrary length, and output a sequence of bits of fixed length (128 and 160 bits, respectively). There is no salt anywhere in the definitions of MD5 and SHA-1; no password either, for that matter.

This might be the stupidest thing I’ve ever read, and the fact that you coincidentally cut off the rest of what your source said leads me to believe you said it out of malice rather than ignorance.

For anyone genuinely concerned, what I’m sure the devs mean when they said they salted your passwords is that they add a random string of characters somewhere in your password every time it’s entered and then hash that modified version.

For example, password might turn into pass7$&@-word and then be hashed. You can find MD5’s algorithm online and enter that into it to see what it turns into from there.

But this won’t save you if you have a weak password because it’s always in the same spot for everyone and it’s always the same random characters. So if whoever breached the data knows the token, your password will be cracked in the same amount of time as it would be if there was no salt.

And this doesn’t excuse using such a mediocre hashing algorithm and failing to secure the data in the first place.


Salting isn't bad, it is very useful in fact. It provides immunity towards rainbow tables and it is especially useful for secure algorithms. However, it is pretty pointless in this case since they're using a very insecure algorithm.

Re: Data Breach Update

Postby Technetium » Thu Jan 03, 2019 2:08 pm

HellnoRO wrote:You still haven't addressed the hashing issue.
I assume you're gonna immediately switch to a different algorithm, like bcrypt and not use the old and insecure md5, right?

That, I think, is one of the things they're trying to figure out how to do, since they don't have the plaintext passwords available to convert.
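The migration problem Achilles and Technetium describe (no plaintexts available to rehash) and ylyxa's forced-reset suggestion have a standard defensive answer: wrap every existing legacy hash in a strong KDF right away, then replace the wrapped record with a direct hash the next time the user logs in successfully. The block below is an added illustration written for this thread, not BMG's or phpBB's code. It assumes a legacy format of md5(site_salt + password) with a constructed site-wide salt as the thread describes, and uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the bcrypt HellnoRO mentions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption (constructed): legacy records are md5(site_salt + password) as hex, with one
# site-wide salt as the thread describes. This is not phpBB's or BMG's real format.
LEGACY_SITE_SALT = b"constructed-site-wide-salt"
# Stand-in for bcrypt so the example runs offline: PBKDF2-HMAC-SHA256 from the stdlib.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

def legacy_md5(password: str) -> str:
    """Recompute the old salted-MD5 record; used only to verify wrapped records."""
    return hashlib.md5(LEGACY_SITE_SALT + password.encode()).hexdigest()

def _kdf(secret: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS).hex()

def wrap_legacy(md5_hex: str) -> str:
    """Step 1, run offline over the whole table: KDF(old hash) with a fresh per-user salt.
    Needs no plaintext, and the fast-to-guess MD5 digest no longer sits in the DB."""
    salt = os.urandom(SALT_BYTES)
    return "wrapped$" + salt.hex() + "$" + _kdf(md5_hex.encode(), salt)

def hash_password(password: str) -> str:
    """Target format for new passwords and for upgrades after a successful login."""
    salt = os.urandom(SALT_BYTES)
    return "pbkdf2$" + salt.hex() + "$" + _kdf(password.encode(), salt)

def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check either record type. Returns (ok, replacement); replacement is a fresh
    'pbkdf2$' record when a 'wrapped$' record verified, so no reset email is needed."""
    scheme, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "wrapped":
        secret = legacy_md5(password).encode()  # inner MD5 first, outer KDF below
    elif scheme == "pbkdf2":
        secret = password.encode()
    else:
        return False, None
    ok = hmac.compare_digest(_kdf(secret, salt), digest_hex)
    if ok and scheme == "wrapped":
        return True, hash_password(password)
    return ok, None

def login(users: Dict[str, str], name: str, password: str) -> bool:
    """Login path: verify, then persist the upgraded record when one comes back."""
    ok, upgraded = verify(password, users.get(name, "none$00$00"))
    if ok and upgraded is not None:
        users[name] = upgraded
    return ok

if __name__ == "__main__":
    users = {"alice": legacy_md5("hunter2")}               # constructed legacy table
    users = {u: wrap_legacy(h) for u, h in users.items()}  # step 1: offline wrap
    print(login(users, "alice", "hunter2"), users["alice"].split("$")[0])
```

Because the wrap draws a fresh random salt per user, two accounts with the same password no longer share a record, which the single site-wide salt described in the thread did not give.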

Re: Data Breach Update

Postby Tanafras » Thu Jan 03, 2019 2:19 pm

Kudos for you for emailing the user base immediately and ethically reporting the attack!
It would be a good idea to include a password change function in the front end gaming client.
