Database Breach - An Update


Dark0ne

In response to post #32176955.


EArthurKIII wrote: Thx for the update, will be changing my password ASAP just to be on the safe side.

What the heck.. Went and tried to make sure my email is updated and get sent to the nexus forums. Tried to update password and get sent also to nexus forums.

Both my username and password are not recognized by nexus forums.

@Dark0ne, seems unable to send a PM to you about my account, since it sends me to nexus forums where it does not take my current username and password.

Question: is Nexus Forums part of Nexus Mods, or do I need a new account just for the forums?

Thx


Nexus forums is part of NexusMods, and it is on the forums you change your password/e-mail.
Plenty of laws on plenty of different countries require that you inform all users with a direct e-mail message to them to inform them that their personal data has been breached. This gives them the notice to change their passwords and prevent further harm. Majority of users are stupid users and reuse their passwords elsewhere. Considering it's an old leak, the damage has already been done.

Posting a message on a board that only active people see is only going to autofallate you. Try telling it you 3.9 million people and see how they respond.

That being said. You have failed to uphold basic security stringent practice and got popped thanks to a SQL injection. In cybersec terms that's basic amateur hour. Following a basic course on SQL injection could have prevented it. Then again installing IPBoard doesn't take a brain.

I want the option to delete my account or you to remove me from the SQL tables. You have disabled the delete option for the user to have this ability from the IPBOARD software you're running. Which says enough about your coding skills.

Using humble brags that u got 4 million members, guess what, the overwhelming majority aren't active. You are basically running a honeypot and an attractive target for scriptkiddies and are even aiding them by not allowing removal.

I can tell you that I have three 0days on IPboard. One through XML injection, one through brute forcing an SQL string to retrieve user data and a reflected cross site scripting method.

As such it is a guarantee it will happen again, and you won't even notice because you're too stupid to look at server logs and put your trust in a s#*! CMS.

Peace.


In response to post #32287250.


Hecket wrote: Plenty of laws on plenty of different countries require that you inform all users with a direct e-mail message to them to inform them that their personal data has been breached. This gives them the notice to change their passwords and prevent further harm. Majority of users are stupid users and reuse their passwords elsewhere. Considering it's an old leak, the damage has already been done. Posting a message on a board that only active people see is only going to autofallate you. Try telling it you 3.9 million people and see how they respond. That being said. You have failed to uphold basic security stringent practice and got popped thanks to a SQL injection. In cybersec terms that's basic amateur hour. Following a basic course on SQL injection could have prevented it. Then again installing IPBoard doesn't take a brain. I want the option to delete my account or you to remove me from the SQL tables. You have disabled the delete option for the user to have this ability from the IPBOARD software you're running. Which says enough about your coding skills. Using humble brags that u got 4 million members, guess what, the overwhelming majority aren't active. You are basically running a honeypot and an attractive target for scriptkiddies and are even aiding them by not allowing removal. I can tell you that I have three 0days on IPboard. One through XML injection, one through brute forcing an SQL string to retrieve user data and a reflected cross site scripting method. As such it is a guarantee it will happen again, and you won't even notice because you're too stupid to look at server logs and put your trust in a s#*! CMS. Peace.


+1 internets for outstanding raginess
+1 internets for citing "laws on plenty of different countries" in a vaguely threatening manner
+1 internets for intentionally(?) misusing the term "humblebrag"

-1 internets for misspelling auto-fellate; if there's one detail you really ought to get right, it's this one


In response to post #31699195. #31709590, #31710865, #31717215, #31727420, #31727725, #31727755, #31735675, #31736475, #31737125, #31745975, #31747430, #31762590, #31770575, #31770655, #31770875, #31775185, #31778925, #31779245, #31780640, #31785130, #31785185, #31786765, #31806700, #31808850, #31811630, #31817170, #31846715, #31849190, #31856815, #31866030, #31877395, #31877985, #31881445, #31885980, #31893710, #31897225, #31899965, #31901575, #31906245, #31910235, #31914830, #31930150, #31951615, #31978895, #31980730, #31990045, #31998065, #32076080, #32098525, #32104420, #32105645, #32132805, #32291890 are all replies on the same post.


rickman wrote: If you are reading this Robin, know this: the community is supportive BECAUSE you share this stuff outright, clearly, and with incredible haste. If you treated us like Sony did in December of 2012, knowing the problem and denying it for two weeks or more, we'd probably be a lot less kind. There is also this to consider: You told us EXACTLY what, who, when, and how, as soon as you could, and in plain, simple terminology. I (and most likely about 10,000,000 others) appreciate a straightforward answer when there is an issue. But MOST IMPORTANTLY, you are kind and humble about it. If someone was mad at the employees of Nexus after your immaculate behavior, they are clearly not the kind of individual that we should be associated with as a user base. I personally love this site for a myriad of reasons, to explain it would take a ten+ page essay to enumerate all of the reasons why. To be clear though, the biggest reason, THE STAFF TREATS THE USER BASE LIKE PEOPLE. Despite there being 10,000,000 of us, we don't feel like faceless numbers. And that is because you seem to CARE. Don't stop doing that, and this awesome community will probably never devolve.

Thank you for being the best you can be.
Richard.
JZSquared wrote: ^This sums up my feelings exactly. I couldn't have said it better myself.
Lokie7 wrote: I second this, entirely. Well said.
Netsplite wrote: ^ +1
ZedLeppelin wrote: A wee bit verbose, (and I know verbose!), but rather well said and pretty damn accurate. The Nexus staff treats people like people, not numbers.
Inboundwhisper wrote: +1
Inboundwhisper wrote: +1
Aricole wrote: +1
lordmanticore wrote: +1
btgbullseye wrote: +1
xenonblade wrote: +1
AlexZander40 wrote: Well said. May the modding goodness continue.
DFX2K9 wrote: Agreed. No matter who you are, and how much money you've got, you're going to get a breach at some point. At least you salted the passwords, and use a hashing algorithm..

More than I can say for my local Library's system. A breach in THAT database would be catastrophic (note, it sends you your old password via email, that should give you an idea of how terrible it is)
Legion563 wrote: +1.
ExtremeMod911 wrote: Absolutely :)
Domifax wrote: +1
Bernt wrote: Totally agree :)
Dragodian777 wrote: "Ditto"...well said.
Saltamontes1980 wrote: +1
I concur, thank you Dark0ne.
dagstar132 wrote: good point well made. transparency in operation and intention is paramount.

Thanks for sharing.

Dag
JD777 wrote: +(1 X infinity) :)
JD777 wrote: Sorry double post but no delete button. :(
MTZGG wrote: Ad Victoriam.
Mycu wrote: 100% agreed.
Mindprobe24 wrote: +1, nice words dude ;)
Jn_Panower wrote: +1 !
Stargazer2893 wrote: +1
Erez747 wrote: +1 Couldn't have said it better myself. :)
Slimysumocow wrote: Definitely +1 for the wonderful Dark0ne and the rest of the Nexus team! Thank you guys!
EWM333 wrote: well said Richard, this is a great community. Thanks Robin for giving modders and gamers a way to play games on a higher level
MooseUpNorth wrote: Very well said. +1
Bram1970 wrote: +1
grimgagorim wrote: +1 well said, well said
Terafir wrote: I only signed up for this site about 3 weeks ago. So it made me a bit wary on what was going on. But, as everything was extremely clearly said and given, I have no concerns whatsoever about the security of the site.

It's not often that things are spoken so clearly and honestly from any company.

+1
Arksum007 wrote: While I have not been a member before this year I have found that this site is great the constant updates are amazing and like everyone else is saying that being treated like a real person is a great benefit for me and makes me want to continue using this site for finding all my mods. thanks for the update and keep up the good work!
padawanjedi wrote: +1
shinru2004 wrote: +1 ^
kev999 wrote: I second rickman. Well done, Team Nexus.
zidders wrote: Well said.
LogikBomb wrote: Hear, hear
ijc1927 wrote: Excellently put. +1
conjior wrote: +1 as well! Treat people like people.
Thanks again to the Nexus community and the Nexus team!
I love this place! :)
rimshot47 wrote: nice recap of a potentially ugly situation.. Not sure what provokes hackers to do this...
Blake81 wrote: The Lulz.

The ones doing this kind of stuff are usually Script Kiddies looking for a scrap of fame, or just for the wicked accomplishment of looking at these news and cackling while they wish they had a dastardly whiplash they could twirl.
qqq122 wrote: +1
thank you robin for all the information
Mileniumman wrote: The same for me, my feelings exactly.

Mileniumman
seba1337 wrote: Damn right! +10
Toft wrote: +1 and very well said

Simon (Toft)
BlueGunk wrote: Well said.
LaMuerte wrote: +1
stalphyr wrote: +10,000,000

I agree SUMS it to the Max how I feel. If I were a Suspicious person I would think Rickman had Invaded my mind and took the words from my WEWEEEE Little Brain. But since he did post it 1st I will .......HEY Wait a Minute If he HAD Access to my WEWEEEE Brain he could have stopped me from Posting those EXACT Words .... Requires thinking ......Will get back to you Later I think........

Anyways Great Job All
WightMage wrote: Keep this post bumped to the top, mates! Says everything that needs to be said, and more!

THANKS ROBIN! :D

bdasd5 wrote: Exactly! Keep up the good work.
nortalud wrote: +1
I'm not what I'd call an active "member" of the Nexus community, but I am a very active user of the Nexus sites, and therefore greatly appreciate transparency like this.


This topic is now closed to further replies.