Database Breach - An Update


Dark0ne

In response to post #31666000. #31672105 is also a reply to the same post.


Moksha8088 wrote: Should those users who joined Nexus before 7/22/2013 refrain from any further downloads from Nexus till you give the all-clear signal?
jeffwareham wrote: No just change your password.


Whether you joined before or after makes no difference to you downloading or not. Go change your password though, especially if you are uploading mods and have good rep.

Being able to log in with your account will allow the other party to upload bad mods under your name. That is the issue here. Though, like the article mentions, they would first have to actually figure out what your password is from the hashed data. If you did not know, the passwords are encoded into something that resembles random alphanumeric characters so it is not like the guys who got access can just see your password.

So, since you're taking control of the member database and login security, is there any chance you'll be adding a way to change our usernames?

 

I know this is pretty unrelated, but I figured it might be a nice feature to implement now you're working on the handling of login details anyway.

Edited by Revolvist

In response to post #31667815.


TheTurtleOfDoom wrote: lol rip i registered 18th of july 2013. Does this mean someone has my password now and I need to change it asap?


Yes it does. If you're using the same password on other sites, change it there as well.
 
The more difficult your password is, meaning, the less likely you are to find it in a dictionary (and things like m0nkey count as well), the greater the chance that they haven't taken the time to crack it.

Reading this though, it seems that even 10-character-long random passwords could've been cracked within a week if the attacker used some serious hardware. That is, if Nexus used standard SHA-512 hashes (whatever that means). If Nexus used PBKDF2 and the attacker a regular PC, it might take decades to crack a password, according to these guys.
Edited by Revolvist
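
The difference between a single SHA-512 hash and PBKDF2 raised in the post above, as an added example that is not part of the original thread and not Nexus code: it stores a password with salted PBKDF2-HMAC-SHA512 and measures how much more work one guess costs than one plain SHA-512 call. The iteration count, salt size and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor, not a value from the thread
SALT_BYTES = 16       # assumed salt size


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, iterations, derived_key) for storage next to the account."""
    salt = salt or os.urandom(SALT_BYTES)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return salt, iterations, key


def verify_password(password, salt, iterations, expected_key):
    """Re-derive the key from the login attempt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return hmac.compare_digest(key, expected_key)


def seconds_per_call(fn, rounds):
    """Average wall-clock time of one call to fn over `rounds` calls."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def cost_ratio(password="m0nkey"):
    """How many times slower one PBKDF2 guess is than one salted SHA-512 guess."""
    salt = os.urandom(SALT_BYTES)
    pw = password.encode()
    fast = seconds_per_call(lambda: hashlib.sha512(salt + pw).digest(), 20_000)
    slow = seconds_per_call(
        lambda: hashlib.pbkdf2_hmac("sha512", pw, salt, ITERATIONS), 3)
    return slow / fast


if __name__ == "__main__":
    salt, iterations, key = hash_password("m0nkey")
    print("correct password verifies:", verify_password("m0nkey", salt, iterations, key))
    print("wrong password verifies:  ", verify_password("monkey", salt, iterations, key))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f}x one SHA-512 guess")
```

The ratio applies to every guess against every account, and the per-account salt means work spent on one stored hash cannot be reused against another.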

In response to post #31660700. #31662030, #31663985, #31667970 are all replies on the same post.


JaschMedia wrote: May I recommend contacting https://haveibeenpwned.com/ about adding the emails from the dump to the list?
It is a service that allows you to see if your email has been in any data breach they know of.
Lokie7 wrote: Maybe a dumb question, but I presume any of us, "I", could go there and check it out?
If so, Great info.

Edit; I went to the site, as recommended, did a check and so far, I'm good. Thanks for the tip.
BTW, I got my answer, ;)
Telmaron wrote: You don't make yourself more secure by sending your info to even more people. Do you know anything about the people that even run that site or how they secure data?
JaschMedia wrote: Troy Hunt, the guy running the site, is not an unknown person in the information security scene.
https://mvp.microsoft.com/en-us/PublicProfile/4031649?fullName=troy%20hunt


The site only asks for email/username, which is silly to worry about 'giving' out. Emails get scraped like nothin.

In response to post #31660700. #31662030, #31663985, #31667970, #31673015 are all replies on the same post.


JaschMedia wrote: May I recommend contacting https://haveibeenpwned.com/ about adding the emails from the dump to the list?
It is a service that allows you to see if your email has been in any data breach they know of.
Lokie7 wrote: Maybe a dumb question, but I presume any of us, "I", could go there and check it out?
If so, Great info.

Edit; I went to the site, as recommended, did a check and so far, I'm good. Thanks for the tip.
BTW, I got my answer, ;)
Telmaron wrote: You don't make yourself more secure by sending your info to even more people. Do you know anything about the people that even run that site or how they secure data?
JaschMedia wrote: Troy Hunt, the guy running the site, is not an unknown person in the information security scene.
https://mvp.microsoft.com/en-us/PublicProfile/4031649?fullName=troy%20hunt
LuciferIAm wrote: The site only asks for email/username, which is silly to worry about 'giving' out. Emails get scraped like nothin.


You make a good point, Telmaron, but that particular site and its operator are known, trusted quantities. Troy Hunt is definitely in the good guy column.
