
Important Security Notice


BigBizkit


In response to post #75810278. #75811368, #75812753 are all replies on the same post.


reptileye wrote: And people pay for premium here uh? lol
Gameslover wrote: this site is a disaster these days.....
mcbarker wrote: No one ever said that using NexusMods was mandatory, either as a free member, or as a premium member. You can always go to the Steam site and BUY your mods there... and see how that works out for you.

It's very expensive to run a website as large as this one, with as many users. I know that Nexus isn't perfect... no website is, but the guys who created and run this site work hard to maintain it... and let's not forget the mod creators who supply all of the great mods free. Please show a little appreciation and respect for them. Everything considered, I think they do a really good job with the amount of traffic they get.

As far as paying for premium membership... well, that's just my way of saying thank you for a site which I use daily.


I agree absolutely. The site hasn't offered me ANYTHING to complain about in the year and some that I've used it. They even IMPROVED things that I would have complained about. Their support service is fantastic and they do a great job with maintenance and keeping the site up. The new function of the download pages requiring further authorization is a drop in the ocean of awesome stuff provided here, especially since the site runs ONE video ad at the bottom of the page, a total of TWO on the sides (that nobody looks at anyways and sometimes don't even function), and again TWO at the top and bottom. That's THREE ads, a maximum of FIVE running this whole site if you don't count premium membership income. This site is totally rad!

In response to post #75806633. #75806923, #75807088, #75807518, #75809163, #75810108 are all replies on the same post.


JimmyRJump wrote: 8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...
BigBizkit wrote: As our immediate response we wanted to make sure the exploit is dealt with as quickly as possible, the new user service alleviating the issue is on its way - which required us to focus on testing a lot, and, lastly, we needed to assess the situation in its entirety before making rash decisions, especially considering EU regulations.

As an EU registered company we are required by law to perform certain tasks and we had to be sure that we were doing everything correctly, in the correct sequence.

If it was the intention of the actor to take user data, which we do not know, and then attempt to use any data maliciously, which we also do not know for sure, then the process of decrypting strong passwords isn't trivial and so it's unlikely anything would happen immediately.
JimmyRJump wrote: Sure BigBizkit. I totally understand and agree. But if Nexus was a bank, you can bet your lilywhites I'd be on the phone with my lawyers. Presuming I have those.
tgstyle24 wrote: I am EU member and I know our law a little bit...
Nexus did nothing wrong in the eye of the law (as long as they reported the data security lack to the DPA within 72 hours). They are not forced to inform their users unless it's absolutely clear that there is a high risk for the personal rights of the affected.

... but...

it would have been a nice move to make a quick post as information for all that something happened... that it's not clear what exactly... but that they recommend to change the passwords in any case... I always say "better safe than sorry" ;)
JimmyRJump wrote: @tgstyle24: I'm from Belgium and know quite a bit about legal matters and laws, both local and international. My comment wasn't insinuating anything unlawful had happened on Nexus' part. But since when do lawyers need broken laws to sue yer arse? :P
Acacophony wrote: I understand that rationale and the importance of testing, but writing up a quick announcement and advisement for everyone to change their passwords would take a few minutes at most. I think everyone would have appreciated knowing sooner.
Hopefully this won't happen again, but if it does, I'm sure all of us would appreciate knowing earlier next time.

Keep up the good work on this site~


@JimmyRJump: I give you that point, neighbor ;)

Yeah, let's say I won't post any more mods on this platform.

The forced migration to Vortex (let's not talk about how Vortex works, don't get me talking on that ahahah); staff couldn't care less about mod authors; the new slow/fast download page popped up and when people voice their concerns, premium fan-people are there to shame those poor souls, and security could be better. So glad I never paid anything.

Next time, don't take more than one month to tell your users (you know, people who pay your bills) about eventual stolen data and security flaws.

Edited by PockyPunk1

Guest deleted34304850

So that explains how my PayPal account has been hacked, even though I'm pretty precautious about passwords... Thanks for telling us so late.

Not that safety conscious if you use the same password across sites and don't make use of 2FA.


In response to post #75806633. #75806923, #75807088, #75807518, #75809163, #75810108, #75815753 are all replies on the same post.



Acacophony, the obvious reason is because they'd just pissed off a ton of people with the forced password changes...so they let the water settle for a month or so first.
I still say that the more data you collect on people the more data you have to be stolen/attacked for.

In response to post #75806633. #75806923, #75807088, #75807518, #75809163, #75810108, #75815753, #75816753 are all replies on the same post.



I do not understand what people are complaining about, re timing. They sent out notification in the form of a message on Nexus over 4 weeks ago and forced the password change for everyone that logged out and back in at that time, and recommended that everyone make the change at that time. I know, as I still have the message in my notifications, and I posted a public service announcement about it on the mod FB group I am a moderator for. This is just a follow up to catch anyone that blithely ignored the first announcement, and give more details. So they did not wait a month, by any means.

This topic is now closed to further replies.