Dark0ne Posted June 9, 2014

Back in March you might remember a news post written by myself titled Be Careful: Trojans masquerading as popular executables. To cut a long story short, a user was uploading a malicious file to the site that, when installed, would enable the user to find out your Nexus username and password, which was then in turn used to log in to other users' accounts with the stolen login information and continue to upload the same virus to the sites.

Today we were alerted to a malicious change to SkyUI, one of the most popular files on the Nexus network, at around about 12.30pm GMT. Within 20 minutes the file was removed and we got to work investigating how the file was added and who removed the original SkyUI file and replaced it with a malicious executable (thank you to those people who reported the file and were clever enough not to install it!). Following on from that we noticed some strange actions coming from one of the staff member accounts here and, while I have not been able to get in contact with the staff member yet, we can conclude that the staff member's account has been compromised and this was how the "hacker" was able to remove files and upload new ones in their place. As part of their job the moderation team need to be able to access and edit the file pages on the site. If an unsavoury miscreant gains access to one of those accounts they can, potentially, do quite a bit of damage. Unfortunately that was the case today. We were able to quickly identify and remove access to the account, however, a few more files were changed by the "hacker" before we could trace things.

These files, on top of SkyUI for Skyrim, were:

- ApachiiSkyHair for Skyrim
- Fallout 3 Redesigned - Formerly Project Beauty for Fallout 3
- Project Nevada for Fallout New Vegas
- Oblivion Character Overhaul version 2 for Oblivion

It's clear the "hacker" was going for some of the most popular files for each of the main games the Nexus supports to gain maximum exposure.

It's important to note that staff members do not have access to any personal details (they can't even see your email address) including any Premium Member details and we do not store any credit card information so that's not an issue at all. This was not a traditional "hacking". Our servers themselves weren't compromised (indeed, we think we've got things locked up pretty damn tight right now to the point where you need to be on a specific IP address before you can even gain access to the server terminals and think about user accounts and passwords). Unfortunately the computer of one of the staff members was compromised and this is the result.

Things have been tidied up and the threat has been removed. If you downloaded one of the compromised files listed above and ran it between the hours of 12pm and 2.30pm today then please run a full virus sweep of your system. If you did not download any of those files in that time then this breach will not have affected you.

We've contacted each of the owners of the files listed above. For them, unfortunately, because their main files were removed they will need to be reuploaded and the stats will have been reset for those specific files. It's important to note that deleting an uploaded file does not reset or clear the main file's stats. It's just unfortunate that the stats for those specifically uploaded files will be lost. I'll have a word with the main database admin to see if we can't get the majority of stats for those files restored, with a bit of loss due to having to roll back a day or two.

If you're the owner of one of those files please send me a PM so we can look into that with you.

I apologise personally for what has happened because, at the end of the day, the buck stops with me. I am highly protective of the staff here who have individually volunteered thousands of hours of their time, some of them for many years, to keep this network of sites clean and tidy. Unfortunately these things happen and I will obviously have a word with all the staff here to remind them all of best internet practices to maintain account security.

On an unrelated note I've had a few reports from German users saying that one of the ads on the rotation is sending them to a fake Java updater page. This seems to be localised to only German locations, which makes it tough for me to diagnose, but I have been in contact with the advertising supply chain to try and get to the bottom of this and hopefully the issue will be resolved shortly.
Faelrin Posted June 9, 2014

I never would have seen that coming. That's something scary, but I'm really glad that it was dealt with though.
Meihyr Posted June 9, 2014

Oh wow, that's really something. :O I hope that things go well with recovery for the admin.
Meihyr Posted June 9, 2014

In response to post #15457410.

Agreed.
billyro Posted June 9, 2014 (edited)

Yeah, I noticed that with Project Nevada and OCO v2. Glad it's been sorted out.

Edited June 9, 2014 by billyro
guReMcO Posted June 9, 2014

I figured something was not right. Good to see it has been dealt with.
zlostnypopolnik Posted June 9, 2014

Some shitty persons on this planet should be abandoned to Jupiter.
emieri00 Posted June 9, 2014

Jupiter? That's too close, they might return. Just throw them towards the sun for good measure.
pStyl3 Posted June 9, 2014

That is basically spitting on the outstanding work of those most honorable modders. Disgusting. But great it could be dealt with quickly!
DovahStud Posted June 9, 2014

Well...sh*t happens. Just glad it's fixed now...and that I didn't download any of those mods when this was going on :)