Important Security Notice


  • This topic is locked
287 replies to this topic

#1
BigBizkit

    Community Manager

  • Admin
  • 5,661 posts
What has happened?

In the very early morning of 8th November 2019 we noticed suspicious activity by a potentially malicious third party actor against our services. Our logs confirm that, using an exploit in our legacy codebase, they accessed a small number of user records from the old user service.

Even though we were able to secure the endpoint as soon as we discovered the exploit, as a measure of security, we are informing all of you, as we cannot rule out that further access to other user data including email addresses, password hashes and password salts has taken place.

We immediately worked to rectify the situation and, as part of the process, brought forward our release schedule for our long-planned new user service to ensure no other potential exploits on the old user service could be used to obtain user data. This step ensures that the new passwords are not only better protected, but also that any encrypted passwords that have - potentially - been obtained from the old user service are already out of date.

Further, and as is required by law, we have informed the ICO about this incident and we are in the process of fulfilling our obligations related to the matter.


What does this mean for you?

While we noticed the suspicious activity on 8th November 2019, and we have no evidence of past activity in our logs, we cannot say for certain whether the exploit had been used before, and thus cannot ascertain how many - if any - email addresses, password hashes and salts were accessed.

Recognising our obligation to all of you, however, we are strongly urging you to be vigilant of potential phishing and credential stuffing attacks.


General Recommendations

  • If you haven't already, please log out and back in, in order to update your account and password and migrate to the new user service. If you've already used the new user service, then there is no need to change your password again.
  • If you were using the same password you had on our old user service on other sites, please, change your password on these other sites as soon as possible.
  • We strongly recommend using a password manager and to not reuse passwords across sites.
  • Always use unique and strong passwords of at least 12 characters for each service you use.
  • Consider using Two-Factor Authentication, especially if you are a mod author.


#2
Hoamaii

    Resident poster

  • Premium Member
  • 3,156 posts
Does that mean if we changed our passwords on November 20 like you recommended in your last security notice, we should be safe?

#3
JimmyRJump

    MoralMinority

  • Premium Member
  • 10,810 posts
8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...

#4
JimmyRJump

    MoralMinority

  • Premium Member
  • 10,810 posts
In response to post #75806628.

Yup. As safe as you were before.

#5
BigBizkit

    Community Manager

  • Admin
  • 5,661 posts
In response to post #75806633.

As our immediate response, we wanted to make sure the exploit was dealt with as quickly as possible; the new user service alleviating the issue was on its way, which required us to focus heavily on testing; and, lastly, we needed to assess the situation in its entirety before making rash decisions, especially considering EU regulations.

As an EU registered company we are required by law to perform certain tasks and we had to be sure that we were doing everything correctly, in the correct sequence.

If it was the intention of the actor to take user data, which we do not know, and then attempt to use any data maliciously, which we also do not know for sure, then the process of decrypting strong passwords isn't trivial and so it's unlikely anything would happen immediately.

#6
BigBizkit

    Community Manager

  • Admin
  • 5,661 posts
In response to post #75806628. #75806658 is also a reply to the same post.

The potentially affected data is from our old user service, so if you have migrated and changed your password after 20th November when we rolled out the new user service, then you do not need to change your password again.

If you were using your old password on other sites though, we strongly recommend changing it on those other sites. It is bad practice to reuse passwords across websites.

#7
JimmyRJump

    MoralMinority

  • Premium Member
  • 10,810 posts
In response to post #75806633. #75806923 is also a reply to the same post.

Sure BigBizkit. I totally understand and agree. But if Nexus was a bank, you can bet your lilywhites I'd be on the phone with my lawyers. Presuming I have those.

#8
1ae0bfb8

    I don't suffer fools

  • Supporter
  • 2,687 posts

Can you give an indication of the number of accounts that were compromised? I know the release above says "small number". Is it possible to quantify that?
#9
docteure

    Docco

  • Premium Member
  • 3,205 posts
Since the DP thing, Nexus has been targeted by people who hack users (especially big or retired mod authors) to get the money.
That's why the security needs to be increased, like at PayPal, because Nexus is no longer a mere site for mods.

#10
1ae0bfb8

    I don't suffer fools

  • Supporter
  • 2,687 posts

8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...

Jimmy - and everyone else for that matter - you can use this service: https://haveibeenpwned.com/ to see if your email address has been compromised. - I believe Mozilla have embedded this in their Firefox browser.