Midoryu Posted December 6, 2015

@Dark0ne The transparency you provided in a timely manner as well as how you shared your own concerns with your userbase is in itself commendable, thus, even in case of a confirmed breach, the way you handle this topic only reinforces my trust and confidence in the people that run this site. Thank you for allowing us to take proper actions to protect our accounts. Also for recognizing that we are sitting in the same boat here, as opposed to how other even bigger companies have misinterpreted similar situations in the past.

Keep up the good work,
Midoryu
Hydraclone Posted December 6, 2015

If we look at this mathematically, you fend off several thousand attacks every year, and within recent history, only 2 have got through, one which as you said wasn't your fault, and therefore there was nothing you could have done. 2 breaches, out of all the attacks. Even if it was just 1000 attacks, that's less than 1% that get through. Obviously you have stopped way more than that, so your efficiency is even better than saying less than 1%, as it's likely less than 0.01%. Which is pretty damn good. I do not feel as if you have let me, or anybody else on this site down at all. You guys do a damn good job.
guReMcO Posted December 6, 2015

Thank you for informing us about the potential breach, there are plenty of sites that would keep this quiet until the very end. Keep up the good work!
ruddy88 Posted December 6, 2015

In response to post #31552690. dominic2005 wrote:

Seriously, who would hack a gaming mod site? Not doing this place down, far from it, it's one of the best gaming mod sites I've ever seen, but what would someone have to gain from it other than simply being a pain in the arse! Too many spotty teenagers with uber-rich parents who don't care that their child sits in their room on their PC all day and night. Re the heads up: Thanks. Some of the big organisations could learn a thing or two from you guys.

There's 10 million people registered to this site. If only 1% of them re-use the password on nexus for other things, such as emails (the gateway to many more things) then that's 100,000 passwords gained. Also, as the post says, there are reports of files from mod authors being changed. This means that they could potentially store malicious software in the files that get downloaded by the thousands. And since Nexus is a site that *MUST* allow the downloading of zipped files (which can contain virtually any kind of other files or executables in it) it would actually make it quite a high target. It's a very efficient way of getting your viruses on to other computers (which is one of the hardest parts of hackers, no point having malicious scripts if no one's going to end up running them). Add to that, the nature of modding sites, being that they change default files, means that a lot of people are quite lax with security, I'd assume there is a great deal of people that would disregard a virus warning on files they've downloaded from a site like this. Not so much simple mods, like retextures and such, but for utility programs like nifskope, tesvsnip, BAE, etc, that could return false positives from virus scanners.
tabranham68 Posted December 6, 2015

"A toilet pan that utterly resents me"... Talk about prostration. Seriously, thank you for your completely limpid handling of this manner. It seems the rest of the world is in great need of such practices.
FaRihr Posted December 6, 2015

Then a tip of mine: Do not only salt the password hashes but also pepper the passwords: https://en.wikipedia.org/wiki/Pepper_%28cryptography%29 Like this, the attackers also have to find the pepper, and iirc there is a way to save it so the attackers would need to hack your host and not only the site itself. And if you pepper it, theoretically a simple "a" would generate a satisfyingly secure hash, so there still would be no need for such complex passwords, as long as your host has no breach. And then again it's not your fault.
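Added example (not from the thread and not Nexus Mods' code): the salt-plus-pepper idea from the post above, with the pepper applied as an HMAC key before a salted PBKDF2 hash. The function names, the iteration count and the way the pepper is generated are assumptions for illustration; a real deployment would load the pepper from host-side configuration or a secret store, never from the user database.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def _stretch(password: str, salt: bytes, pepper: bytes, iterations: int) -> bytes:
    # Pepper step: HMAC keyed with a secret that is NOT stored in the database.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt step: slow, per-user salted hash of the peppered value.
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)


def hash_password(password: str, pepper: bytes) -> dict:
    """Build the record that would be stored in the user table."""
    salt = secrets.token_bytes(16)  # unique per user, stored next to the hash
    digest = _stretch(password, salt, pepper, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    digest = _stretch(password, bytes.fromhex(record["salt"]), pepper, record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> dict:
    pepper = secrets.token_bytes(32)  # constructed sample; stands in for a host-side secret
    record = hash_password("correct horse", pepper)
    return {
        "right_password": verify_password("correct horse", record, pepper),
        "wrong_password": verify_password("wrong", record, pepper),
        # Database-only view: the record is known, the pepper is not.
        "right_password_without_pepper": verify_password("correct horse", record, b"\x00" * 32),
        "pepper_stored_in_record": pepper.hex() in "".join(str(v) for v in record.values()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With only the stored record, even the correct password fails verification, because the HMAC key lives outside the database.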
OddballE8 Posted December 6, 2015

Considering the fact that I've forgotten my password to the site, and none of my "common" passwords work, I'd say I'm probably pretty safe :) Well, they could still change my mods, but I don't do that many or that popular mods anyway.
95f890be Posted December 6, 2015

Did my email address leak or not? Also, the link you provide is NOT HTTPS. Correct one: https://forums.nexusmods.com/index.php?app=core&module=usercp&tab=core&area=email

Edited December 6, 2015 by 95f890be
JLander Posted December 6, 2015

I would like to know the mods in question that were changed against the authors' knowledge... especially these that contain the drivers in their directories. I have scanned my mod and data directory and cannot find any "out-of-sorts" files... so I am hoping I by-passed these mods. In the meantime, password changed - again. Also, thanks for the transparency and for including all us users in the what's what. Much appreciated, and no matter the potentiality of any sort of breach... I will forever remain loyal to Nexus... I mean... like I have a choice, is there anywhere else quite like this place? Best of luck!
djehmli Posted December 6, 2015

Your transparency is greatly appreciated. There are sites out there (not necessarily gaming) who would not speak a word of such a situation until the users, due to nasty circumstances resulting from such a breach, bring the issue to attention. Heck, government sites have been in the news lately regarding hacking, and you are trying to keep us safer than they are.