Database Breach - An Update

[Zaldir]

In response to post #32176955.

  Reveal hidden contents

  Quote

EArthurKIII wrote: Thx for the update, will be changing my password ASAP just to be on the safe side.

What the heck.. Went and tried to make sure my email is updated and get sent to the nexus forums. Tried to update password and get sent also to nexus forums.

Both my username and password is not recognized by nexus forums.

@Dark0ne, seems unable to send a PM to you about my account, since it sends me to nexus forums where it does not take my current username and password.

Question is Nexus Forums part of Nexus Mods or do need a new account just for the forums?

Thx

Nexus forums is part of NexusMods, and it is on the forums you change your password/e-mail.

[slhwood]

thanks for the heads up, no news is bad news in this situ.

 

[cylers]

Thanks for the heads up, looking forward to the coming changes.

[Hecket]

Plenty of laws on plenty of different countries, require that you inform all users with a direct e-mail message to them to inform them that their personal data has been breached. This gives them the notice to change their passwords and prevent further harm. Majority of users are stupid users and reuse their passwords elsewhere. Considering it's an old leak; the damage has already been done.

 

Posting a message on a board that only active people see is only going to autofallate you. Try telling it you 3.9 million people and see how they respond.

 

That being said. You have failed to uphold basic security stringent practice and got popped thanks to a sql injection. In cybersec terms that's basic amateur hour. Following a basic course on sql injection could have prevented it. Then again installing IPBoard doesn't take a brain.

 

 

I want the option to delete my account or you to remove me from the SQL tables. You have disabled the delete option for the user to have this ability from the IPBOARD software your running. Which says enough about your coding skills.

 

 

Using humble brags that u got 4 million members, guess what, the overwhelming majority aren't active. You are basically running a honeypot and an attractive target for scriptkiddies and are even aiding them by not allowing removal.

 

 

I can tell you that i have three 0days on IPboard. One through xml injection, one through brute forcing the an sql string to retrieve user data and a reflected cross site scripting method.

 

 

As such it is a garentee it will happen again, and you won't even notice because your to stupid to look at server logs and put your trust in a s#*! CMS.

 

Peace.

 

[nortalud]

In response to post #32287250.

  Reveal hidden contents

  Quote

Hecket wrote: Plenty of laws on plenty of different countries, require that you inform all users with a direct e-mail message to them to inform them that their personal data has been breached. This gives them the notice to change their passwords and prevent further harm. Majority of users are stupid users and reuse their passwords elsewhere. Considering it's an old leak; the damage has already been done.Posting a message on a board that only active people see is only going to autofallate you. Try telling it you 3.9 million people and see how they respond.That being said. You have failed to uphold basic security stringent practice and got popped thanks to a sql injection. In cybersec terms that's basic amateur hour. Following a basic course on sql injection could have prevented it. Then again installing IPBoard doesn't take a brain.I want the option to delete my account or you to remove me from the SQL tables. You have disabled the delete option for the user to have this ability from the IPBOARD software your running. Which says enough about your coding skills. Using humble brags that u got 4 million members, guess what, the overwhelming majority aren't active. You are basically running a honeypot and an attractive target for scriptkiddies and are even aiding them by not allowing removal.I can tell you that i have three 0days on IPboard. One through xml injection, one through brute forcing the an sql string to retrieve user data and a reflected cross site scripting method.As such it is a garentee it will happen again, and you won't even notice because your to stupid to look at server logs and put your trust in a s#*! CMS.Peace.

+1 internets for outstanding raginess
+1 internets for citing "laws on plenty of different countries" in a vaguely threatening manner
+1 internets for intentionally(?) misusing the the term "humblebrag"

-1 internets for misspelling auto-fellate; if there's one detail you really ought to get right, it's this one

[nortalud]

In response to post #31699195. #31709590, #31710865, #31717215, #31727420, #31727725, #31727755, #31735675, #31736475, #31737125, #31745975, #31747430, #31762590, #31770575, #31770655, #31770875, #31775185, #31778925, #31779245, #31780640, #31785130, #31785185, #31786765, #31806700, #31808850, #31811630, #31817170, #31846715, #31849190, #31856815, #31866030, #31877395, #31877985, #31881445, #31885980, #31893710, #31897225, #31899965, #31901575, #31906245, #31910235, #31914830, #31930150, #31951615, #31978895, #31980730, #31990045, #31998065, #32076080, #32098525, #32104420, #32105645, #32132805 are all replies on the same post.

  Reveal hidden contents

  Quote

rickman wrote: If you are reading this Robin, know this: the community is supportive BECAUSE you share this stuff outright, clearly, and with incredible haste. If you treated us like Sony did in December of 2012, knowing the problem and denying it for two weeks or more, we'd probably be a lot less kind. There is also this to consider: You told us EXACTLY what, who, when, and how, as soon as you could, and in plain, simple terminology. I (and most likely about 10,000,000 others) appreciate a straightforward answer when there is an issue. But MOST IMPORTANTLY, you are kind and humble about it. If someone was mad at the employees of Nexus after your immaculate behavior, They are clearly not the kind of individual that we should be associated with as a user base. I personally love this site for a myriad of reasons, to explain it would take a ten+ page essay to enumerate all of the reasons why. To be clear though, the biggest reason, THE STAFF TREATS THE USER BASE LIKE PEOPLE. Despite there being 10,000,000 of us, we don't feel like faceless numbers. And that is because you seem to CARE. Don't stop doing that, and this awesome community will probably never devolve.

Thank you for being the best you can be.
Richard.

  Quote

JZSquared wrote: ^This sums up my feelings exactly. I couldn't have said it better myself.

  Quote

Lokie7 wrote: I second this, entirely. Well said.

  Quote

Netsplite wrote: ^ +1

  Quote

ZedLeppelin wrote: A wee bit verbose, (and I know verbose!), but rather well said and pretty damn accurate. The Nexus staff treats people like people, not numbers.

  Quote

Inboundwhisper wrote: +1

  Quote

Inboundwhisper wrote: +1

  Quote

Aricole wrote: +1

  Quote

lordmanticore wrote: +1

  Quote

btgbullseye wrote: +1

  Quote

xenonblade wrote: +1

  Quote

AlexZander40 wrote: Well said. May the modding goodness continue.

  Quote

DFX2K9 wrote: Agreed. no matter who you are, and how much money you've got, you're going to get a breach at some point. At least you salted the passwords, and use a hashing algorithm..

More then I can say for my local Library's system. A breach in THAT database would be catastrophic (note, it sends you your old password via email, that should give you an idea of how terrible it is)

  Quote

Legion563 wrote: +1.

  Quote

ExtremeMod911 wrote: Absolutely :)

  Quote

Domifax wrote: +1

  Quote

Bernt wrote: Totally agree :)

  Quote

Dragodian777 wrote: "Ditto"...well said.

  Quote

Saltamontes1980 wrote: +1
I concur, thank you Dark0ne.

  Quote

dagstar132 wrote: good point well made. transparency in operation and intention is paramount.

Thanks for sharing.

Dag

  Quote

JD777 wrote: +(1 X infinity) :)

  Quote

JD777 wrote: Sorry double post but no delete button. :(

  Quote

MTZGG wrote: Ad Victoriam.

  Quote

Mycu wrote: 100% agreed.

  Quote

Mindprobe24 wrote: +1, nice words dude ;)

  Quote

Jn_Panower wrote: +1 !

  Quote

Stargazer2893 wrote: +1

  Quote

Erez747 wrote: +1 Couldn't have said it better myself. :)

  Quote

Slimysumocow wrote: Definitely +1 for the wonderful Dark0ne and the rest of the Nexus team! Thank you guys!

  Quote

EWM333 wrote: well said Richard, this is a great community. Thanks Robin for giving modders and gamers a way to play games on a higher level

  Quote

MooseUpNorth wrote: Very well said. +1

  Quote

Bram1970 wrote: +1

  Quote

grimgagorim wrote: +1 well said, well said

  Quote

Terafir wrote: I only signed up for this site about 3 weeks ago. So it made me a bit wary on what was going on. But, as everything was extremely clearly said and given, I have no concerns whatsoever about the security of the site.

It's not often that things are spoken so clearly and honestly from any company.

+1

  Quote

Arksum007 wrote: While I have not been a member before this year I have found that this site is great the constant updates are amazing and like everyone else is saying that being treated like a real person is a great benefit for me and makes me want to continue using this site for finding all my mods. thanks for the update and keep up the good work!

  Quote

padawanjedi wrote: +1

  Quote

shinru2004 wrote: +1 ^

  Quote

kev999 wrote: I second rickman. Well done, Team Nexus.

  Quote

zidders wrote: Well said.

  Quote

LogikBomb wrote: Hear, hear

  Quote

ijc1927 wrote: Excellently put. +1

  Quote

conjior wrote: +1 as well! Treat people like people.
Thanks again to the Nexus community and the Nexus team!
I love this place! :)

  Quote

rimshot47 wrote: nice recap of a potentially ugly situation.. Not sure what provokes hackers to do this...

  Quote

Blake81 wrote: The Lulz.

The ones doing this kind of stuff are usually Script Kiddies looking for a scrap of fame, or just for the wicked accomplishment of looking at these news and cackling while they wish they had a dastardly whiplash they could twirl.

  Quote

qqq122 wrote: +1
thank you robin for all the information

  Quote

Mileniumman wrote: The same for me, my feelings exactly.

Mileniumman

  Quote

seba1337 wrote: Damn right! +10

  Quote

Toft wrote: +1 and very well said

Simon (Toft)

  Quote

BlueGunk wrote: Well said.

  Quote

LaMuerte wrote: +1

  Quote

stalphyr wrote: +10,000,000

I agree SUMS it to the Max how I feel. If i where a Suspicious person I would think Rickman had Invaded my mind and took the words form my WEWEEEE Little Brain. But since he did post it 1st I will .......HEY Wait a Minute If he HAD Access to my WEWEEEE Brain he could have stopped me from Posting those EXACT Words .... Requires thinking ......Willl get back to you Later I think........


Anywasy Great Job ALl

  Quote

WightMage wrote: Keep this post bumped to the top, mates! Says everything that needs to be said, and more!

THANKS ROBIN! :D

  Quote

bdasd5 wrote: Exactly! Keep up the good work.

+1
I'm not what I'd call an active "member" of the Nexus communicate, but I am a very active user of the Nexus sites, and therefore greatly appreciate transparency like this.

[margaretcurtains]

Many thanks for your hard word. This is a great idea. keeping up. and look forward to see more update.

[Deleted23213994User]

In response to post #31699195. #31709590, #31710865, #31717215, #31727420, #31727725, #31727755, #31735675, #31736475, #31737125, #31745975, #31747430, #31762590, #31770575, #31770655, #31770875, #31775185, #31778925, #31779245, #31780640, #31785130, #31785185, #31786765, #31806700, #31808850, #31811630, #31817170, #31846715, #31849190, #31856815, #31866030, #31877395, #31877985, #31881445, #31885980, #31893710, #31897225, #31899965, #31901575, #31906245, #31910235, #31914830, #31930150, #31951615, #31978895, #31980730, #31990045, #31998065, #32076080, #32098525, #32104420, #32105645, #32132805, #32291890 are all replies on the same post.

  Reveal hidden contents

  Quote

rickman wrote: If you are reading this Robin, know this: the community is supportive BECAUSE you share this stuff outright, clearly, and with incredible haste. If you treated us like Sony did in December of 2012, knowing the problem and denying it for two weeks or more, we'd probably be a lot less kind. There is also this to consider: You told us EXACTLY what, who, when, and how, as soon as you could, and in plain, simple terminology. I (and most likely about 10,000,000 others) appreciate a straightforward answer when there is an issue. But MOST IMPORTANTLY, you are kind and humble about it. If someone was mad at the employees of Nexus after your immaculate behavior, They are clearly not the kind of individual that we should be associated with as a user base. I personally love this site for a myriad of reasons, to explain it would take a ten+ page essay to enumerate all of the reasons why. To be clear though, the biggest reason, THE STAFF TREATS THE USER BASE LIKE PEOPLE. Despite there being 10,000,000 of us, we don't feel like faceless numbers. And that is because you seem to CARE. Don't stop doing that, and this awesome community will probably never devolve.

Thank you for being the best you can be.
Richard.

  Quote

JZSquared wrote: ^This sums up my feelings exactly. I couldn't have said it better myself.

  Quote

Lokie7 wrote: I second this, entirely. Well said.

  Quote

Netsplite wrote: ^ +1

  Quote

ZedLeppelin wrote: A wee bit verbose, (and I know verbose!), but rather well said and pretty damn accurate. The Nexus staff treats people like people, not numbers.

  Quote

Inboundwhisper wrote: +1

  Quote

Inboundwhisper wrote: +1

  Quote

Aricole wrote: +1

  Quote

lordmanticore wrote: +1

  Quote

btgbullseye wrote: +1

  Quote

xenonblade wrote: +1

  Quote

AlexZander40 wrote: Well said. May the modding goodness continue.

  Quote

DFX2K9 wrote: Agreed. no matter who you are, and how much money you've got, you're going to get a breach at some point. At least you salted the passwords, and use a hashing algorithm..

More then I can say for my local Library's system. A breach in THAT database would be catastrophic (note, it sends you your old password via email, that should give you an idea of how terrible it is)

  Quote

Legion563 wrote: +1.

  Quote

ExtremeMod911 wrote: Absolutely :)

  Quote

Domifax wrote: +1

  Quote

Bernt wrote: Totally agree :)

  Quote

Dragodian777 wrote: "Ditto"...well said.

  Quote

Saltamontes1980 wrote: +1
I concur, thank you Dark0ne.

  Quote

dagstar132 wrote: good point well made. transparency in operation and intention is paramount.

Thanks for sharing.

Dag

  Quote

JD777 wrote: +(1 X infinity) :)

  Quote

JD777 wrote: Sorry double post but no delete button. :(

  Quote

MTZGG wrote: Ad Victoriam.

  Quote

Mycu wrote: 100% agreed.

  Quote

Mindprobe24 wrote: +1, nice words dude ;)

  Quote

Jn_Panower wrote: +1 !

  Quote

Stargazer2893 wrote: +1

  Quote

Erez747 wrote: +1 Couldn't have said it better myself. :)

  Quote

Slimysumocow wrote: Definitely +1 for the wonderful Dark0ne and the rest of the Nexus team! Thank you guys!

  Quote

EWM333 wrote: well said Richard, this is a great community. Thanks Robin for giving modders and gamers a way to play games on a higher level

  Quote

MooseUpNorth wrote: Very well said. +1

  Quote

Bram1970 wrote: +1

  Quote

grimgagorim wrote: +1 well said, well said

  Quote

Terafir wrote: I only signed up for this site about 3 weeks ago. So it made me a bit wary on what was going on. But, as everything was extremely clearly said and given, I have no concerns whatsoever about the security of the site.

It's not often that things are spoken so clearly and honestly from any company.

+1

  Quote

Arksum007 wrote: While I have not been a member before this year I have found that this site is great the constant updates are amazing and like everyone else is saying that being treated like a real person is a great benefit for me and makes me want to continue using this site for finding all my mods. thanks for the update and keep up the good work!

  Quote

padawanjedi wrote: +1

  Quote

shinru2004 wrote: +1 ^

  Quote

kev999 wrote: I second rickman. Well done, Team Nexus.

  Quote

zidders wrote: Well said.

  Quote

LogikBomb wrote: Hear, hear

  Quote

ijc1927 wrote: Excellently put. +1

  Quote

conjior wrote: +1 as well! Treat people like people.
Thanks again to the Nexus community and the Nexus team!
I love this place! :)

  Quote

rimshot47 wrote: nice recap of a potentially ugly situation.. Not sure what provokes hackers to do this...

  Quote

Blake81 wrote: The Lulz.

The ones doing this kind of stuff are usually Script Kiddies looking for a scrap of fame, or just for the wicked accomplishment of looking at these news and cackling while they wish they had a dastardly whiplash they could twirl.

  Quote

qqq122 wrote: +1
thank you robin for all the information

  Quote

Mileniumman wrote: The same for me, my feelings exactly.

Mileniumman

  Quote

seba1337 wrote: Damn right! +10

  Quote

Toft wrote: +1 and very well said

Simon (Toft)

  Quote

BlueGunk wrote: Well said.

  Quote

LaMuerte wrote: +1

  Quote

stalphyr wrote: +10,000,000

I agree SUMS it to the Max how I feel. If i where a Suspicious person I would think Rickman had Invaded my mind and took the words form my WEWEEEE Little Brain. But since he did post it 1st I will .......HEY Wait a Minute If he HAD Access to my WEWEEEE Brain he could have stopped me from Posting those EXACT Words .... Requires thinking ......Willl get back to you Later I think........


Anywasy Great Job ALl

  Quote

WightMage wrote: Keep this post bumped to the top, mates! Says everything that needs to be said, and more!

THANKS ROBIN! :D

  Quote

bdasd5 wrote: Exactly! Keep up the good work.

  Quote

nortalud wrote: +1
I'm not what I'd call an active "member" of the Nexus communicate, but I am a very active user of the Nexus sites, and therefore greatly appreciate transparency like this.

- Edited December 22, 2015 by Guest

[SubNova91]

Hey Guys,

 

I was wondering if there is an update on the .dll file and if it's a virus or not? Haven't heard anything about it.

Edited December 23, 2015 by SubNova91

[XanatosVonFiction]

Hibby Squibby