Toribash
Originally Posted by smaux57 View Post
Sorry if i sound like a dumbass here. (Maybe im going to get infracted for this.)
But long time ago... (Srsly long. Like starting of 2015)
I saw a guy that said he "hacked" an acc. (Forgot the name) Obviously that account was old af. And dead.
I taked some screenshots.
But idk if they can help (i think they wont) and maybe this post is unless but i just wanted to make the admins know that. :u
I cant upload the screenshots rn because its 3:00 am and im posting with my phone.
Sorry if this dont have any point and cant help.
Bye.

Since it sounds like an isolated incident one year ago I think it's likely not related to this. It's also very rare that 'hacking' cases are actually anything more than users sharing account logins with each other and getting hijacked that way.
I can remember that he said how he get the password of that acc.
And he said that the password of the acc was ez, making get the password easelier (obviously.)
Ill check the screens later to confirm this.
And... I dont think an oldfag (the guy of "hacked" acc) shared a password with someone that was excited because of get a free custom belt acc.
I mean, it can happen. But it sounds wierd. Atleast for me.
Cya later!!! (Low battery on my phone :/)
ルアナ
IceBreak3R
Originally Posted by Moonshake View Post
It shouldn't be frustrating, changing your password often is a good practice, and that should extend to every account you use, regardless of website. What's frustrating is finding out someone else has gotten into your account and you're locked out.

Not even national security clearance in my country requires 7 day / 14 day password expiry, actually I think most people in security would agree that's far too aggressive. At best it's a bandaid fix, the underlying problem is lack of security on the server side.

For example, cooldown on repeated guesses is not aggressive enough allowing people to bruteforce. Or allowing people to login with far away IPs without email verification (which is weird because we used to have that feature, I used to get location verification emails). Or allowing a password change without email verification (why does this exist?!).

These are very basic security measures, and I know that there is the capacity to carry them out because either they are done already (but badly), they were done in the past (but apparently removed), and because all the information exists (email has been a required field for a few years now).

This is the very basics that I would expect from any website, let alone one that has had consistent problems and regular forced global password resets...

Originally Posted by Bodhisattva View Post
We don't want to give away anything we don't have to. That'd be silly. Trust in your administration, we are working around the clock to make everyone's account, money, art, etc. all protected. We're all making sacrifices to make that happen.

If you rely on volunteer staff with limited power to manually enforce your security that is worrying in itself!
<Faint> the rules have been stated quite clearly 3 times now from high staff
Originally Posted by War_Hero View Post
He's not a hacker.

He obviously bruteforced it with that old PW leak.

There was a password leak before? Well, shit man.
A lot of other people are probably quite vulnerable if that's the case.
i suck
Originally Posted by calumfionn View Post
There was a password leak before? Well, shit man.
A lot of other people are probably quite vulnerable if that's the case.

I asked around and apparently around 09 someone got a hold of a copy of the forum db. From that some passwords were brute forced, but if you changed password since 2010 you should be safe.
<Faint> the rules have been stated quite clearly 3 times now from high staff
you must be talking about when the forum got a rollback too,
then not only passwords got compromised but also thousands of
forum posts were erased because of that solution.
No, from what I've heard this event was different to the rollback. I believe the rollback happened 1 or 2 years later in 2010 or 2011 (I can't remember the year).

Apparently the db leak was due to improper backups, but I don't know any more than that. The two are definitely separate events.
<Faint> the rules have been stated quite clearly 3 times now from high staff
probably you are right,the rollback was around 2010,i remember
how it ruined one of the best events,nblx's light vs dark 2
Ruined my group event too, and ended up with a certain TSA taking my full void and selling it off ("whoops"), and the winner of my event was lost... I managed to get the void back, but one day I will have to make a new event to give it away lol.
<Faint> the rules have been stated quite clearly 3 times now from high staff
"And please, while I recognise that this is frustrating, let me remind everyone not to take this out on the smods or even the administration. Contrary to popular belief we have little control and say over security/servers/more complex developmental matters and additions/logs etc. We work with and deal with lots of front end forum and community matters and that's pretty much what we're limited to. :s "

So who does? I got a very short email from toribash three days ago. I've waited for more information, but I'm not seeing anything else about the breach. That's not acceptable.
:s
http://blog.eyewire.org/security-dat...on-2016-02-23/ <- this is how you handle a security breach. Not "Change your password, everywhere. We're looking into it, we promise. We hope nothing bad is happening!" Details about whether the passwords were encrypted, whether the encryption used salted hashes, what information might be compromised other than generic "privacy", etc. This isn't information that you keep to yourselves to further your "investigation," you can't keep it to yourself to catch the bad guy (if the police are requesting that you not release it, say so!) this is vital information for your user's own security. I gather passwords "may or may not" be compromised, but emails? Names? Birthdays? All of these things can be used to steal a person's identity and ruin their lives using other breached databases, and the only defense is rapid response from the individuals affected. Worst yet, game websites are often places kids congregate, kids that may not even know that something as innocuous as their birthday can be used to <i>destroy</i> them years later. Criminal negligence is a thing.

If you can pass this on to the people that have the information behind this breach, that would be appreciated. I really love your game, I think it should be on school computers for what it does to teach analytical thinking about motion, but if you don't understand how serious people's personally identifiable information is, I seriously question whether you should be collecting it.