Potential Database Breach


Dark0ne

Thanks for being forthright. I've always thought Nexus is a good steward of our information. Breaches happen; the trick is how you handle them.

 

I have one suggestion as a mod contributor. On the My Files list, show the last file update on the summary so we don't have to go to each one looking for activity. Just show the last file add/change/delete date for the mod. That would help to alert us to something being amiss.

 

Also consider an auto email to the modder when any file is changed/added/deleted.

In response to post #31554230.


Oddball_E8 wrote: Considering the fact that I've forgotten my password to the site, and none of my "common" passwords work, I'd say I'm probably pretty safe :)

Well, they could still change my mods, but I don't do that many or that popular mods anyway.


Same here, it's been so bloody long since I've had to log in I have no clue what it was.

In response to post #31559210. #31561830, #31562055 are all replies on the same post.


Kaine12 wrote:

When I tried to change my password, I got this:

http://i1377.photobucket.com/albums/ah74/Desmond_Kaine_Tay/Nexus%20Sec_zpswm1hkuxv.jpg

Should I proceed?

CreeperLava wrote: Strange, I didn't get this window when I modified mine. Did you reload the page and retry? Alternatively, Ctrl+F5 clears the cache, maybe that will fix it.
umiluv wrote: I also didn't receive this message but someone on the Reddit post did. The recommendation was to wait until the security certificate was validated.


Yup, reloaded and tried a few times, and clearing the cache didn't change it; same warning.

When I manually go to my CP instead of using the link above I get the same warning. Using the link loads my CP but clicking on save changes gives the warning. Edited by Kaine12

In response to post #31560095. #31560240, #31560385, #31561015 are all replies on the same post.


Eolath wrote: Perhaps it would be a good idea to tell us which mods had a .dll loaded into them yesterday.

As for password/email changes, I'll wait until we have more information, any attempt to do that right now would be useless if Nexus is indeed breached.
katleigh93 wrote: I agree with not changing the email, but a password change as described by Dark0ne for those who didn't use "special characters" is not a bad idea, it will slow the hackers down. It may not stop them, but it will give them a headache trying to hack them.
Eolath wrote: Of course, in that case it wouldn't be a bad idea to change the password.

In general however I'd be more worried about other websites that someone might use the same password on. Just presume they got into our accounts on the Nexus and that they have the capability to continue doing so, even after a password change.
katleigh93 wrote: That's true, Eolath, you can try and try to tell people not to use the same password for all accounts, but that doesn't always work. I have the luxury of being at home, so I keep a log of all my passwords and I change them at least once a month. But even then, if hackers get into the site's database, with the proper programs and equipment, no one is 100% safe. It's just part of being in the technical age we live in.


Listing known affected authors/mods would be good (but not for the authors).

If the site really is compromised, it is likely totally compromised. I haven't checked, but hopefully they do hashing properly where the client hashes the password before sending it to the server (so passwords are never transmitted in plaintext). Otherwise changing your password (or logging in) would give it directly to the hackers. Another great reason to not reuse passwords. Edited by ultim8f8

In response to post #31554230. #31562270 is also a reply to the same post.


Oddball_E8 wrote: Considering the fact that I've forgotten my password to the site, and none of my "common" passwords work, I'd say I'm probably pretty safe :)

Well, they could still change my mods, but I don't do that many or that popular mods anyway.
RedBackDragon wrote: Same here, it's been so bloody long since I've had to log in I have no clue what it was.


I share part of your frustration, I realized after reading Dark0ne's post that my account is still tied to one of my ancient email addresses that I last used in 2008 :D

Considering the present news that is not necessarily a bad thing.

In response to post #31561115. #31561180, #31561660, #31562180 are all replies on the same post.


mokaiba wrote: I'm not worried about anyone getting into my email since I don't even know my email password. I have it written down because it's just a bunch of randomness. e.g., SJDHF&yhfsdhgf&*^#&*$TGFg375r2hdehfbghus <- like that lol
katleigh93 wrote: Hehehehe, that's the best kind to have mokaiba :D
mokaiba wrote: I do this for all websites that I care about keeping others out. This was not one of them and had a really simple password because I didn't care if anyone gained access as they wouldn't gain anything from it. I think they gained access to my account but didn't change anything and only wrote down the email. I have noticed an increase of spam mail to my email address this past week. Just in case they try to change my password here, I went and changed it from my 'lower case eight-letter' password to an alphanumeric :)

Btw, I don't use my real name or personal information anywhere as well. Even Facebook has a fake name for me.
ultim8f8 wrote: Difficulty to remember: maximum
Bits of entropy: maximum

But there are better ways: xkcd: Password Strength


I use entire sentences when it comes to work and financial-related passwords. I treat those as on an entirely different level than everything else. e.g., ILikePinkButterFliesthatswimintheOcean1! Good luck guessing that and cracking it lol

In response to post #31554230. #31562270, #31562600 are all replies on the same post.


Oddball_E8 wrote: Considering the fact that I've forgotten my password to the site, and none of my "common" passwords work, I'd say I'm probably pretty safe :)

Well, they could still change my mods, but I don't do that many or that popular mods anyway.
RedBackDragon wrote: Same here, it's been so bloody long since I've had to log in I have no clue what it was.
Eolath wrote: I share part of your frustration, I realized after reading Dark0ne's post that my account is still tied to one of my ancient email addresses that I last used in 2008 :D

Considering the present news that is not necessarily a bad thing.


If in Chrome, go to settings, click advanced, click saved passwords. Type nexus in search, show password, enter PC password, and now you know it. :)

In response to post #31560095. #31560240, #31560385, #31561015, #31562340 are all replies on the same post.


Eolath wrote: Perhaps it would be a good idea to tell us which mods had a .dll loaded into them yesterday.

As for password/email changes, I'll wait until we have more information, any attempt to do that right now would be useless if Nexus is indeed breached.
katleigh93 wrote: I agree with not changing the email, but a password change as described by Dark0ne for those who didn't use "special characters" is not a bad idea, it will slow the hackers down. It may not stop them, but it will give them a headache trying to hack them.
Eolath wrote: Of course, in that case it wouldn't be a bad idea to change the password.

In general however I'd be more worried about other websites that someone might use the same password on. Just presume they got into our accounts on the Nexus and that they have the capability to continue doing so, even after a password change.
katleigh93 wrote: That's true, Eolath, you can try and try to tell people not to use the same password for all accounts, but that doesn't always work. I have the luxury of being at home, so I keep a log of all my passwords and I change them at least once a month. But even then, if hackers get into the site's database, with the proper programs and equipment, no one is 100% safe. It's just part of being in the technical age we live in.
ultim8f8 wrote: Listing known affected authors/mods would be good (but not for the authors).

If the site really is compromised, it is likely totally compromised. I haven't checked, but hopefully they do hashing properly where the client hashes the password before sending it to the server (so passwords are never transmitted in plaintext). Otherwise changing your password (or logging in) would give it directly to the hackers. Another great reason to not reuse passwords.


Quote from Dark0ne: "To clarify, we store all passwords in our database in a hashed and salted system (i.e. not plain text)". So yes, our passwords are hashed and salted.
This topic is now closed to further replies.