Jump to content

Important Security Notice


BigBizkit

Recommended Posts

In response to post #75806628. #75806658, #75807068 are all replies on the same post.


Hoamaii wrote: Does that mean if we changed our passwords on November 20 like you recommended in your last security notice, we should be safe?
JimmyRJump wrote: Yup. As safe as you were before.
BigBizkit wrote: The potentially affected data is from our old user service, so if you have migrated and changed your password after 20th November when we rolled out the new user service, then you do not need to change your password again.

If you were using your old password on other sites though, we strongly recommend changing it on those other sites. It is bad practice to reuse passwords across websites.


Thanks BigBiKit. I don't use passwords accross sites but I'd hate my email to be compromised as I use it for work too - I haven't noticed any suspicious activity but then I was not paying that much attention to spams either.
Link to comment
Share on other sites

  • Replies 287
  • Created
  • Last Reply

Top Posters In This Topic

In response to post #75806633. #75806923, #75807088 are all replies on the same post.


JimmyRJump wrote: 8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...
BigBizkit wrote: As our immediate response we wanted to make sure the exploit is dealt with as quickly as possible, the new user service alleviating the issue is on its way - which required us to focus on testing a lot, and, lastly, we needed to assess the situation in its entirety before making rash decisions, especially considering EU regulations.

As an EU registered company we are required by law to perform certain tasks and we had to be sure that we were doing everything correctly, in the correct sequence.

If it was the intention of the actor to take user data, which we do not know, and then attempt to use any data maliciously, which we also do not know for sure, then the process of decrypting strong passwords isn't trivial and so it's unlikely anything would happen immediately.
JimmyRJump wrote: Sure BiBizkit. I totally understand and agree. But if Nexus was a bank, you can bet your lilywhites I'd be on the phone with my lawyers. Presuming I have those.


I am EU member and I know our law a little bit...
Nexus did nothing wrong in the eye of the law (as long as they reported the data security lack to the DPA within 72 hours). They are not forced to inform their users unless its absolutely clear that there is a high risk for the personal rights of the affected.

... but...

it would have been a nice move to make a quick post as information for all that sth happened... that its not clear what exactly... but that they recommend to change the passwords in any case... I always say "better save than sorry" ;)
Link to comment
Share on other sites

In response to post #75807248.


1ae0bfb8 wrote:

Can you give an indication of the number of accounts that were compromised? I know the release above says "small number". Is it possible to quantify that?


I'm afraid it's not possible to quantify it exactly, we serve over 6,000 database queries per second, so it's impossible to log everything.

We do have around 10 saved logs for requests that look like direct attempts to access single users at a time, however, as we say in the main news post - we cannot be certain how many - if any - email addresses, password hashes and salts were actually accessed.
Link to comment
Share on other sites

In response to post #75807248. #75807713 is also a reply to the same post.


1ae0bfb8 wrote:

Can you give an indication of the number of accounts that were compromised? I know the release above says "small number". Is it possible to quantify that?

MrMason wrote: I'm afraid it's not possible to quantify it exactly, we serve over 6,000 database queries per second, so it's impossible to log everything.

We do have around 10 saved logs for requests that look like direct attempts to access single users at a time, however, as we say in the main news post - we cannot be certain how many - if any - email addresses, password hashes and salts were actually accessed.


that sounds like a single person rather than a bot or a team - which possibly means it was an inside job. Blame Dark0ne, it's his fault this stuff happens anyways.
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...