
Potential Database Breach


Dark0ne


In response to post #31627115.


bben46 wrote:

DO NOT remove the system32 file - If you do your entire Windows is borked and will have to be reinstalled - Just don't do that. Not even to test.


So, to be absolutely, 100% clear, I should NOT remove the dsound.dll from the system32 folder?

In response to post #31549260. #31549755, #31550235, #31623575 are all replies on the same post.


Dark0ne wrote: It is with a heavy heart that I must inform you of a potential database breach at Nexus Mods. I understand that sounds horrifically ambiguous at best, but the simple truth of the matter is that we have yet to fully confirm the database breach has occurred any time recently but, in light of recent events, I cannot in good conscience not warn you of the potential for such an eventuality.

I was first tipped off to a problem late on Friday night when a link to a Reddit post was sent to me about a possible breach. The post explained that a security firm that looks after (or helps with the security for) several universities in America had contacted the IT departments who had then contacted the university network users about a database breach at Nexus Mods. The email wasn't particularly informative.

I reached out to the security firm for more information but was required to jump through hoops to access sensitive information, finally succumbing to sleep around 3am on Saturday morning, and have yet to hear back from them, likely because this has happened over a weekend and they don't work weekends.

While it seems clear cut that we've had a breach from that email, unfortunately, it's too ambiguous to draw any concrete conclusions. We indeed had a database breach several years ago when hackers gained entry to our systems by hacking our file server hosts (a horrible way to be hacked, when it's not even directly your fault), so this could potentially be a result of that previous leak, or it could be a result of recent database breaches at other major networks (like the Playstation Network, EBay or otherwise) and hackers correlating information from reused passwords, or any number of things.

Things became more suspicious yesterday when three Fallout 4 mods from three separate authors had their files changed by the authors themselves, but the file change contained a .dll file that while it isn't being reported as a virus by our Virus Total system (that scans files using 56 different virus scanners), it is still highly suspicious, and the authors have reported it wasn't them who did it. Indications suggest these author accounts were compromised. Which, once again, isn't conclusive proof of a total database breach, but is rather damning.

It was at this point I decided that the possibility of a breach had increased enough that it couldn't wait for us to fully confirm it before informing the user base. Despite the fact there's still the potential there hasn't been a recent breach, the evidence is mounting up now and I invoked Occam's Razor in writing this news post.

To clarify, we store all passwords in our database in a hashed and salted system (i.e. not plain text). This does not mean your passwords are completely safe, however. Because all encryption is a mathematical formula based around how complex it is to crack, given enough time and processing power almost all forms of encryption can be cracked eventually. The problem gets worse if your password is easily recognisable or very simple. If you've ever wondered why some sites ask you to have at least 1 number and one "special" character, this is why. It makes passwords a lot harder to crack (and yes, we'll implement these forced requirements soon, too). Because of this, it's possible this is a result of the database breach from a few years ago coming back to haunt users that haven't changed their passwords. The problem is, we're just not sure yet.

For any worried Premium Members, we do not store your credit card numbers, expiry dates or secure numbers at all. That's all handled by PayPal.

Because we haven't actually confirmed a recent breach it means we haven't plugged any holes related to such a breach. Unfortunately this isn't like someone breaking and entering into your home, where there are obvious signs of tampering; broken locks or windows and missing or damaged things. This is an extremely complex process where we look for the slightest of anomalies to try and work out whether anything bad has actually happened, and then try to work out how that bad thing actually happened so we can plug it. It's not easy, and we're really trying our hardest. And obviously, we'll keep you updated as and when we have any more information.

Right now, we wholeheartedly recommend changing your password here and please ensure it's not a password you use anywhere else. Just in case it's not obvious; because we haven't found a breach yet, if there is a breach, it means they could access the database again, so just updating your password now won't make it completely secure. However, if you update it now and make sure it's a complex password (minimum 8 characters in length, including special characters and numbers) then you're ensuring that anyone who does have your hash and salt would take such a considerable time trying to crack it that it would largely be a waste of time for them to even try. On top of that, if you use your Nexus password anywhere else, especially on "high profile" accounts like Steam, XBox, Playstation or the like, change it immediately to be on the safe side.

Please respect and follow safe password practices. Complex passwords of a minimum length of 8 characters that you change regularly (ideally every couple of months) really are a must on any account you care about.

On the site security front, while not related to a database breach such as this, we have been actively working to get the entirety of our network under SSL/an encrypted connection rather than just our Premium Member payment pages for some time now. Unfortunately this isn't as simple as paying for an SSL cert and slapping it on the site. There are complications with the way we serve and transmit our files, especially in regards to our CDN, that make things complex.

In a similar vein, we've had two-factor authentication on our to-do list for a while now. Considering the ever increasing popularity of the network we'll bump the priority of this functionality right up the list and hopefully we'll get something out very soon in that regard. I'd highly recommend you ensure the email address tied to your Nexus account right now is the correct email address, as it's likely any such system will make use of a proper and valid email address in order to function properly.

While breaches often suggest the contrary, we take security extremely seriously and try our utmost hardest to ensure it. On a personal level, it's horrific for me to find out about these things. You guys trust me with your data and trust that I'll keep it secure, and sometimes I fail in that despite my best attempts. I'm very sorry about this. It leads to many sleepless nights and a toilet pan that utterly resents me. We spend about £40,000 ($60,000 USD) a year on professional mitigation and prevention systems trying to directly prevent malicious people from accessing or altogether destroying these sites. We prevent hundreds of malicious attacks on our network every day, sometimes even thousands. Often these come from automated bots constantly prodding away at our servers looking for weaknesses, sometimes from dedicated malicious individuals who want to gain access. We've prevented hundreds of thousands of attempted intrusions, but it only takes one to get through, despite our best efforts, for the failure to be complete.

I'm sorry for (potentially, at this point) breaking your trust in us. We'll continue working away at this to get a conclusive answer and, when we do, you'll be the first to know.

Update: Many people have asked about the three Fallout 4 files that were mentioned in this post. The three files affected were:

- Higher Settlement Budget (downloads from 5th December)
- Rename Dogmeat (downloads from 4th December)
- BetterBuild (downloads from 29th November)

The suspect file contained in the archives was called "dsound.dll".
Coryus wrote: Dam.

I hope they catch the bastards.

I have been using this site for many years now, with much enjoyment.
Not holding you personally responsible in any way. With a site that has a user base of this magnitude, sooner or later this is bound to happen.

Good luck.

MONSTERaider wrote: I'm so sorry to hear this, I hope the site will be safe again.
Thanks for the hard work.
jbartoli wrote: Transparency is much appreciated. You are doing a great job, no one can stop 100% of the hackers that are out there. We appreciate the great support we get from your site. Hope I can get my mods back up and working again soon, but I have other things to do in the meantime.


Incidentally Dark,
Getting hacked at some point is almost a certainty for any major site. It's virtually impossible to cover the multitude of seriously sneaky ass ways hackers manage to find to sidestep security. That doesn't mean I don't want you to take the best possible security measures you can, and protect whatever information you have on me in the best way you can.

It just means I don't blame you, nor do I feel like it's a betrayal of trust that you didn't manage to personally come up with a quantum encryption that was impenetrable. That being said, keep on it, keep us in the loop, and I think you will have covered all your bases.

Cheers and merry xmas mate.

In response to post #31627115. #31627410 is also a reply to the same post.


bben46 wrote:

DO NOT remove the system32 file - If you do your entire Windows is borked and will have to be reinstalled - Just don't do that. Not even to test.

GrnGbln wrote: So, to be absolutely, 100% clear, I should NOT remove the dsound.dll from the system32 folder?


Generally a bad idea to start randomly deleting files out of the Sys32 folder. I'm not saying you can't, I'm just saying it's a really bad idea, and you shouldn't.

In response to post #31627115. #31627410, #31627650 are all replies on the same post.


bben46 wrote:

DO NOT remove the system32 file - If you do your entire Windows is borked and will have to be reinstalled - Just don't do that. Not even to test.

GrnGbln wrote: So, to be absolutely, 100% clear, I should NOT remove the dsound.dll from the system32 folder?
Doxxy wrote: Generally a bad idea to start randomly deleting files out of the Sys32 folder. I'm not saying you can't, I'm just saying it's a really bad idea, and you shouldn't.


I know this, but the file has the same name as the one we have just been warned about.

I wanted to know if it would be a good idea to uninstall the mods I have been using for Fallout 4 until the security breach has been dealt with. They are the only mods I have installed (and I have been grateful for them), but if it is too risky to use them atm, I need to know. Thanks.

In response to post #31628210.


AmyrlynBlue wrote: I wanted to know if it would be a good idea to uninstall the mods I have been using for Fallout 4 until the security breach has been dealt with. They are the only mods I have installed (and I have been grateful for them), but if it is too risky to use them atm, I need to know. Thanks.


I think that the "unsafe" mods are the ones listed below. If you don't use any of these, you might be able to use your mods without any security issues.

In response to post #31626905.


GrnGbln wrote: At the risk of coming across as a dunce, I did a system search for dsound.dll and found one instance in my System32 subfolder. Is this normal or should I remove it (no, I won't delete the System32 file so don't even try it)?


NO, do not remove. Your system needs dsound.dll to run properly.
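
The thread keeps returning to one question: which dsound.dll is the suspect one. The sketch below is an added example, not part of the thread or of anything Nexus Mods published: it reports copies of that file name found outside the Windows system directories and inside downloaded zip archives, leaving the System32 copy alone. The directory layout and sample files are constructed, only zip archives are opened, and a name match is a lead for review, not a verdict.

```python
import os
import tempfile
import zipfile

SUSPECT_NAME = "dsound.dll"  # file name given in the announcement
SYSTEM_DIRS = {"system32", "syswow64", "winsxs"}  # Windows' own copies live here

def is_system_path(path):
    """True when any component of the path is a Windows system directory."""
    return any(p in SYSTEM_DIRS for p in path.replace("\\", "/").lower().split("/"))

def archive_hits(path):
    """Members of a zip archive whose base name is dsound.dll (any case)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [m for m in zf.namelist()
                    if m.replace("\\", "/").lower().split("/")[-1] == SUSPECT_NAME]
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable or damaged archive: nothing to report here

def scan(root):
    """Sorted findings under root: loose copies outside the system
    directories, and zip archives that carry the file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == SUSPECT_NAME:
                if not is_system_path(full):
                    findings.append(("loose", full))
            elif zipfile.is_zipfile(full):
                findings.extend(("archive", full + "!" + m) for m in archive_hits(full))
    return sorted(findings)

def build_demo_tree(root):
    """Constructed sample layout (hypothetical paths, placeholder bytes)."""
    for rel in ("Windows/System32", "Games/Fallout 4", "Downloads"):
        os.makedirs(os.path.join(root, *rel.split("/")))
    for rel in ("Windows/System32/dsound.dll", "Games/Fallout 4/dsound.dll"):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"placeholder")
    for name, member in (("clean_mod.zip", "Data/mod.esp"), ("changed_mod.zip", "DSound.dll")):
        with zipfile.ZipFile(os.path.join(root, "Downloads", name), "w") as zf:
            zf.writestr(member, b"placeholder")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for kind, where in scan(tmp):
            print(kind, where)
```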