Jump to content

Important Security Notice

BigBizkit

By BigBizkit
in Site Updates

 Share

Recommended Posts

JimmyRJump Grand Master

JimmyRJump

Posted
Posted (edited)
In response to post #75806633. #75806923, #75807088, #75807518 are all replies on the same post.


JimmyRJump wrote: 8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...
BigBizkit wrote: As our immediate response we wanted to make sure the exploit is dealt with as quickly as possible, the new user service alleviating the issue is on its way - which required us to focus on testing a lot, and, lastly, we needed to assess the situation in its entirety before making rash decisions, especially considering EU regulations.

As an EU registered company we are required by law to perform certain tasks and we had to be sure that we were doing everything correctly, in the correct sequence.

If it was the intention of the actor to take user data, which we do not know, and then attempt to use any data maliciously, which we also do not know for sure, then the process of decrypting strong passwords isn't trivial and so it's unlikely anything would happen immediately.
JimmyRJump wrote: Sure BiBizkit. I totally understand and agree. But if Nexus was a bank, you can bet your lilywhites I'd be on the phone with my lawyers. Presuming I have those.
tgstyle24 wrote: I am EU member and I know our law a little bit...
Nexus did nothing wrong in the eye of the law (as long as they reported the data security lack to the DPA within 72 hours). They are not forced to inform their users unless its absolutely clear that there is a high risk for the personal rights of the affected.

... but...

it would have been a nice move to make a quick post as information for all that sth happened... that its not clear what exactly... but that they recommend to change the passwords in any case... I always say "better save than sorry" ;)


@tgstyle24: I'm from Belgium and know quite a bit about legal matters and laws, both local and international. My comment wasn't insinuating anything unlawful had happened on Nexus' part. But since when do lawyers need broken laws to sue yer arse? :P Edited by JimmyRJump
Link to comment
Share on other sites
  • Replies 287
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

CrEaToXx Collaborator

CrEaToXx

Posted
Posted

So that what all the recent fuzz was about? I figured the whole website was acting completely weird, the last copple of weeks. It would continously send me back to my profile section, whenever I log back in. 2fa is used from the day you've enabled it.

 

I guess that's just the side effect, if you want your website to grow. Just make sure this is not happening even more frequent, because that's the actual feeling I get. Insecuritys seem to happen more and more often.

 

You're still my favourite website. Just make sure you grant the security us users deserve...:)

Link to comment
Share on other sites
Acacophony Apprentice

Acacophony

Posted
Posted
In response to post #75806633. #75806923, #75807088, #75807518, #75809163 are all replies on the same post.


JimmyRJump wrote: 8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...
BigBizkit wrote: As our immediate response we wanted to make sure the exploit is dealt with as quickly as possible, the new user service alleviating the issue is on its way - which required us to focus on testing a lot, and, lastly, we needed to assess the situation in its entirety before making rash decisions, especially considering EU regulations.

As an EU registered company we are required by law to perform certain tasks and we had to be sure that we were doing everything correctly, in the correct sequence.

If it was the intention of the actor to take user data, which we do not know, and then attempt to use any data maliciously, which we also do not know for sure, then the process of decrypting strong passwords isn't trivial and so it's unlikely anything would happen immediately.
JimmyRJump wrote: Sure BiBizkit. I totally understand and agree. But if Nexus was a bank, you can bet your lilywhites I'd be on the phone with my lawyers. Presuming I have those.
tgstyle24 wrote: I am EU member and I know our law a little bit...
Nexus did nothing wrong in the eye of the law (as long as they reported the data security lack to the DPA within 72 hours). They are not forced to inform their users unless its absolutely clear that there is a high risk for the personal rights of the affected.

... but...

it would have been a nice move to make a quick post as information for all that sth happened... that its not clear what exactly... but that they recommend to change the passwords in any case... I always say "better save than sorry" ;)
JimmyRJump wrote: @tgstyle24: I'm from Belgium and know quite a bit about legal matters and laws, both local and international. My comment wasn't insinuating anything unlawful had happened on Nexus' part. But since when do lawyers need broken laws to sue yer arse? :P


I understand that rationale and the importance of testing, but writing up a quick announcement and advisement for everyone to change their passwords would take a few minutes at most. I think everyone would have appreciated knowing sooner.
Hopefully this won't happen again, but if it does, I'm sure all of us would appreciate knowing earlier next time.

Keep up the good work on this site~
Link to comment
Share on other sites
Tasaar Apprentice

Tasaar

Posted
Posted
In response to post #75808388. #75810073 is also a reply to the same post.


fredlaus wrote: According to https://haveibeenpwned.com/ I have not been pawned.
I reckon solid measures have been taken.
DRAGONJOE69 wrote: I wasn't so lucky, my email has been hit twice, once on this site in Dec 2015?? and again in 2017 on some exposed spam site. thank god I don't have any critical info stored here.


You can sign up for notifications on Firefox Monitor. That way, if your email is added to haveibeenpwned.com, you're emailed about it.
Link to comment
Share on other sites
Thaiauxn Rising Star

Thaiauxn

Posted
Posted (edited)

The fact that we're aware of it is the solution. It's the stuff we're unaware of that's dangerous. Whoever it is wants to target specific users and is probably a banned user who was a mod thief (or troll) who has beef with those users which reported them.

 

No one is really to blame here. Malicious intents are hard to predict in a site this massive with so many users.

Edited by Thaiauxn
Link to comment
Share on other sites
EvilTwinz Apprentice

EvilTwinz

Posted
Posted

Thank You for alerting me and others to the issue that you stated.

I appreciate that in spite what others here have posted.

I can only imagine the mega task that you all have trying to monitor and secure your site.

I have already updated my account password 30 days ago but, I added the Authy app to my iPhone and the 2FA today.

Thank you ,again Nexus for alerting me and others! :- )

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...