Potential Database Breach

[Eradicati0n]

Do we have any idea if there were any other affected files besides the fallout 4 files? I would like to know so I can avoid downloading any of them. Specifically those that pertain to Skyrim mods.

[steelcamp]

In response to post #31620705. #31620800, #31621540, #31621625 are all replies on the same post.

kenjking wrote: I wonder if this would explain that as of this morning 12/7/15 every time I attempt to start Fallout 4, all of my mods are deactivated.

ZidanReign wrote: New PC Update dude.

That means until the mods you have are updated, their esps are auto disabled.

ZyaxScorn wrote: I feel dumb for asking, but can you elaborate on what you mean?

ZyaxScorn wrote: @ZidanReign
I feel dumb for asking, but could you elaborate?

Did you update to the FO4 beta patch? If so that disables mods for now.

[SjoertJansen]

In response to post #31618445. #31618745, #31619155, #31620605 are all replies on the same post.

Enyap wrote:

 

In response to post #31617625.

Enyap wrote:

I went to change my password as recommended in announcement and noticed that my current e-mail address shown in User CP is not one I recognize. Like unless I registered on Nexus drunk out of my mind, I'm positive it's not my e-mail. More so the shown e-mail is from yahoo mail and when trying to log in to that yahoo says that this id is not taken yet. How can this be possible? Is my account possibly not mine anymore?

So, change it? You can easily change it, you just have to re-activate the account... Seeing as you posted, you must still have the correct password to do the change.

 

Im kinda reluctant to enter my legit e-mail if I'm not sure that it's nice and safe.

SjoertJansen wrote: The email to activate the account will be send to the new email address.
But I can understand what you mean, but I wouldn't fear. I don't see how that would be a problem unless you use the same password for email and this website? You could change your password first, no emails will be sent (If you used the same for both email and nexus, change both! ) .
Unless you have a keylogger on your system, or someone listening in on your internet traffic, it should be completely safe. Safer, for sure, than having someone else's email, or as the strange email would suggest, someone else with your current password.

Joe

Eolath wrote: You shouldn't. It'll just add your email to the hackers database if there is indeed a breach. Don't change your email yet until we have confirmation that the breach is fixed.

SjoertJansen wrote: Fair point. But, what is the use of having someone's email address if you do no have the password.. It would basically mean you can't use email any-more?. Unless there is a continued breach on Nexus AND on your email client at the same time, why would it matter. Lets postulate there already is a breach, they know your current password, so they could change both email and password whenever they wish (you don't need your email for that). There would be no difference. Only if the password for your email is the same or really crappy.

Just to add. Obviously you should never have the same password/email combination on other websites. Especially after the PS network/Facebook security issues, previous Nexus breach etc etc. everyone should have at least addressed that. Comon sense really. So having your email doesn't do anything. And even if you have the same combination elsewhere, they somehow need to know where.... They have no use of a password/email combination, unless they can use it for spamming/malware spreading such as this website, or stealing financial information. For most of these they require access to your personal email. Most websites also inform you if your password was changed. Something lacking on this website though...

[meiner1er]

Sorry, but i'm maybe a little stupid, but why i cant activate the mods again, or better why it not works?
NMM shows me im not logged in but if i klick them it logs me in and the mod are not working? Whats my failure ?

 

Off topic - you are not going to get answers to that here. Instead use the NMM Beta topic - where it has been answered a dozen times.

Bben46

Edited December 7, 2015 by bben46

[jbartoli]

In response to post #31549260. #31549755, #31550235 are all replies on the same post.

Dark0ne wrote: It is with a heavy heart that I must inform you of a potential database breach at Nexus Mods. I understand that sounds horrifically ambiguous at best, but the simple truth of the matter is that we have yet to fully confirm the database breach has occurred any time recently but, in light of recent events, I cannot in good conscience not warn you of the potential for such an eventuality.

I was first tipped off to a problem late on Friday night when a link to a Reddit post was sent to me about a possible breach. The post explained that a security firm that looks after (or helps with the security for) several universities in America had contacted the IT departments who had then contacted the university network users about a database breach at Nexus Mods. The email wasn't particularly informative.

I reached out to the security firm for more information but was required to jump through hoops to access sensitive information, finally succumbing to sleep around 3am on Saturday morning, and have yet to hear back from them, likely because this has happened over a weekend and they don't work weekends.

While it seems clear cut that we've had a breach from that email, unfortunately, it's too ambiguous to draw any concrete conclusions. We indeed had a database breach several years ago when hackers gained entry to our systems by hacking our file server hosts (a horrible way to be hacked, when it's not even directly your fault), so this could potentially be a result of that previous leak, or it could be a result of recent database breaches at other major networks (like the Playstation Network, EBay or otherwise) and hackers correlating information from reused passwords, or any number of things.

Things became more suspicious yesterday when three Fallout 4 mods from three separate authors had their files changed by the author's themselves, but the file change contained a .dll file that while it isn't being reported as a virus by our Virus Total system (that scans files using 56 different virus scanners), it is still highly suspicious, and the authors have reported it wasn't them who did it. Indications suggest these author accounts were compromised. Which, once again, isn't conclusive proof of a total database breach, but is rather damning.

It was at this point I decided that the possibility of a breach had increased enough that it couldn't wait for us to fully confirm it before informing the user base. Despite the fact there's still the potential there hasn't been a recent breach, the evidence is mounting up now and I invoked Occam's Razor in writing this news post.

To clarify, we store all passwords in our database in a hashed and salted system (i.e. not plain text). This does not mean your passwords are completely safe, however. Because all encryption is a mathematical formula based around how complex it is to crack, given enough time and processing power almost all forms of encryption can be cracked eventually. The problem gets worse if your password is easily recognisable or very simple. If you've ever wondered why some sites ask you to have at least 1 number and one "special" character, this is why. It makes passwords a lot harder to crack (and yes, we'll implement these forced requirements soon, too). Because of this, it's possible this is a result of the database breach from a few years ago coming back to haunt users that haven't changed their passwords. The problem is, we're just not sure yet.

For any worried Premium Members, we do not store your credit card numbers, expiry dates or secure numbers at all. That's all handled by Pay Pal.

Because we haven't actually confirmed a recent breach it means we haven't plugged any holes related to such a breach. Unfortunately this isn't like someone breaking and entering into your home, where there are obvious signs of tampering; broken locks or windows and missing or damaged things. This is an extremely complex process where we look for the slightest of anomalies to try and work out whether anything bad has actually happened, and then try to work out how that bad thing actually happened so we can plug it. It's not easy, and we're really trying our hardest. And obviously, we'll keep you updated as and when we have any more information.

Right now, we wholeheartedly recommend changing your password here and please ensure it's not a password you use anywhere else. Just in case it's not obvious; because we haven't found a breach yet, if there is a breach, it means they could access the database again, so just updating your password now won't make it completely secure. However, if you update it now and make sure it's a complex password (minimum 8 characters in length, including special characters and numbers) then you're ensuring that anyone who does have your hash and salt would take such a considerable time trying to crack it that it would largely be a waste of time for them to even try. On top of that, if you use your Nexus password anywhere else, especially on "high profile" accounts like Steam, XBox, Playstation or the like, change it immediately to be on the safe side.

Please respect and follow safe password practises. Complex passwords of a minimum length of 8 characters that you change regularly (ideally every couple of months) really are a must on any account you care about.

On the site security front, while not related to a database breach such as this, we have been actively working to get the entirety of our network under SSL/an encrypted connection rather than just our Premium Member payment pages for some time now. Unfortunately this isn't as simple as paying for an SSL cert and slapping it on the site. There are complications with the way we serve and transmit our files, especially in regards to our CDN, that make things complex.

In a similar vein, we've had two-factor authentication on our to-do list for a while now. Considering the ever increasing popularity of the network we'll bump the priority of this functionality right up the list and hopefully we'll get something out very soon in that regard. I'd highly recommend you ensure the email address tied to your Nexus account right now is the correct email address, as it's likely any such system will make use of a proper and valid email address in order to function properly.

While breaches often suggest the contrary, we take security extremely seriously and try our utmost hardest to ensure it. On a personal level, it's horrific for me to find out about these things. You guys trust me with your data and trust that I'll keep it secure, and sometimes I fail in that despite my best attempts. I'm very sorry about this. It leads to many sleepless nights and a toilet pan that utterly resents me. We spend about £40,000 ($60,000 USD) a year on professional mitigation and prevention systems trying to directly prevent malicious people from accessing or altogether destroying these sites. We prevent hundreds of malicious attacks on our network every day, sometimes even thousands. Often these come from automated bots constantly prodding away at our servers looking for weaknesses, sometimes from dedicated malicious individuals who want to gain access. We've prevented hundreds of thousands of attempted intrusions, but it only takes one to get through, despite our best efforts, for the failure to be complete.

I'm sorry for (potentially, at this point) breaking your trust in us. We'll continue working away at this to get a conclusive answer and, when we do, you'll be the first to know.

Update: Many people have asked about the three Fallout 4 files that were mentioned in this post. The three files affected were:

- Higher Settlement Budget (downloads from 5th December)
- Rename Dogmeat (downloads from 4th December)
- BetterBuild (downloads from 29th November)

The suspect file contained in the archives was called "dsound.dll".

Coryus wrote: Dam.

I hope they catch the bastards.

I have been using this site for many years now, with much enjoyment.
Not holding you personally responsible in Anyway. With a site that has a user base of this magnitude sooner or later this is bound to happen.

Good luck.

MONSTERaider wrote: I'm so sorry to hear this, I hope the site will be safe again.
Thanks for the hard work.

Transparency is much appreciated. You are doing a great job, no one can stop 100% of the hackers that are out there. We appreciate the great support we get from your site. Hope I can get my mods back up and working again soon, but I have other things to do in the mean time.

[czod]

Bravo! You deserve the highest praise for having the balls to publicly acknowledge the possibility of a security breach. One of the biggest contributing factors to our failure as a civilization to secure our communications is the unwillingness of targets to admit they've had a breach. If only the wider business community were more forthcoming. Your willingness to promptly notify your users of potential issues only strengthens my trust in your organization. Please continue to keep us updated.

 

As for the wannabe skanks who attacked your site: with all the bloated, greedy, rapacious, corrupt, blood-soaked mega-corps in the world who leave their user lists lying around their web sites in plain text, you stoop so low as to attack a volunteer web-site? Shame on you. I'd sooner lick the bottom of my shoe than soil my tongue with your name.

 

Yours,

Czod

[gsb444]

Your quick notification of the user base after being made aware of the issue is greatly appreciated, thanks. Unfortunately, this kind of stuff does happen. If I might make one suggestion, it would be for NMM to throw up a warning if a mod's zip contains a DLL or other obvious executable. This way the user could be warned to double check the mod description information to verify that this is a mod that is supposed to contain executable content -- there typically aren't many of them, so this shouldn't be too great an annoyance.

[Antroz59]

In response to post #31623115. #31625170, #31625325 are all replies on the same post.

meiner1er wrote: Sorry, but i'm maybe a little stupid, but why i cant activate the mods again, or better why it not works?
NMM shows me im not logged in but if i klick them it logs me in and the mod are not working? Whats my failure ?

WhoFace wrote: Can't use any of my mods either atm (sadly) so my settlement has a lot of floating objects because the foundations (rocks) where from a mod :). Guess I'll have to sit tight and wait this one out.

gl hope it is indeed sortedsoon

oxdeception wrote: Fallout 4 was updated today, and seems to have made it so the enablefileselection option no longer works.

Same problem here, probably due to the latest issues with security. Hope it doesn't mess up your game if you had important mods.

EDIT:
Forget about that. It is because of the new PC update, .esps are outdated as of yet. Just wait and the original creators will update it :)

Edited December 7, 2015 by Antroz59

[bben46]

Please stick to the possible data breach in this topic - We do have other forums for other topics. Use them instead of hijacking this one.

 

Removing off topic posts.

[GrnGbln]

At the risk of coming across as a dunce, I did a system search for dsound.dll and found one instance in my System32 subfolder. Is this normal or should I remove it (no, I won't delete the System32 file so don't even try it)?