Forced Password Resets


Dark0ne

As you may be aware, we discovered a database breach in November 2015. The “good” news was that the data was very old, with the last registration date in the database being July 22nd 2013. This means anyone who registered on Nexus Mods after that date was not included in the database breach, and anyone before that date was included in the breach. The breach included email addresses, usernames and encrypted passwords.

 

As time has gone by, we’ve placed a number of warnings on the site alerting everyone of this breach, urging everyone to change their passwords.

 

We’ve recently received multiple confirmations that a fully decrypted version of this data is now being sold and shared on the black market so we’ve taken the only action left to us - we’ve forced a password change on any account that was created before August 2013 and that hasn’t logged on to the site in the whole of 2016.

 

Anyone who has logged in to the site since December 2015 will have seen a notification on the site telling them to change their password. You should have changed your password at that time. If you STILL haven't changed your password then you really, really, REALLY should now as we know for a fact that the passwords in the database leak have now been completely cracked. If you haven't changed your password yet, despite all these warnings, then you only have yourself to blame at this point.

 

We have been forced to automatically change users' passwords without warning to ensure that users' accounts remain safe, to prevent unauthorised logins and also to prevent "hackers" from gaining access to inactive mod author accounts and defacing or deleting mods from our database (or worse).

 

If you have had your password changed you will need to use the password reset form on the login page to request a new password. This is the only way you can regain access to your account. All passwords were changed to a random very long string of characters that we have not saved on our end in any sort of plain-text, so even we cannot tell you what your password is. 

 

I once again want to apologise for this database leak and the inconvenience it has caused to all of us.
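
An illustration of the forced reset described in the post above, added here and not part of the original post or of Nexus Mods' code: accounts created before August 2013 with no login in 2016 have their stored hash overwritten with the hash of a random secret that is discarded at once, so only the password reset form restores access. The `accounts` schema, the function names and the PBKDF2 hashing are assumptions; the post does not describe the site's storage.

```python
import hashlib
import hmac
import secrets
import sqlite3

def hash_password(password, salt):
    # PBKDF2 is a stand-in; the post does not say which scheme the site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(conn, username, password):
    row = conn.execute("SELECT salt, pw_hash FROM accounts WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and hmac.compare_digest(
        hash_password(password, row[0]), row[1])

def force_reset(conn, created_before, no_login_since):
    """Replace the credential of every stale account; return affected usernames."""
    stale = [u for (u,) in conn.execute(
        "SELECT username FROM accounts WHERE created < ? "
        "AND (last_login IS NULL OR last_login < ?) ORDER BY username",
        (created_before, no_login_since))]
    for username in stale:
        salt = secrets.token_bytes(16)
        throwaway = secrets.token_urlsafe(64)  # random, never stored or logged
        conn.execute("UPDATE accounts SET salt = ?, pw_hash = ? WHERE username = ?",
                     (salt, hash_password(throwaway, salt), username))
    conn.commit()
    return stale

def build_demo_db():
    """Constructed sample accounts (hypothetical schema, ISO-8601 date strings)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, created TEXT, "
                 "last_login TEXT, salt BLOB, pw_hash BLOB)")
    sample = [("old_inactive", "2012-03-01", "2015-11-20"),
              ("old_active", "2012-03-01", "2016-06-02"),
              ("new_inactive", "2014-01-15", "2015-02-01")]
    for username, created, last_login in sample:
        salt = secrets.token_bytes(16)
        conn.execute("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)",
                     (username, created, last_login, salt,
                      hash_password("leaked-password", salt)))
    return conn

if __name__ == "__main__":
    db = build_demo_db()
    print("reset:", force_reset(db, "2013-08-01", "2016-01-01"))
    print("old password still valid:", verify(db, "old_inactive", "leaked-password"))
```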

In response to post #41053635.



Thanks for the prompt action on this. If anybody has any doubt, I'll vouch that I've seen a couple compromised mods altered. Kudos to staff for getting it sorted quickly and the damage mitigated as much as possible.

Thanks to your robust, up front warnings I have made sure I am covered on this site and on the odd site where I duplicated the password. Thank you Robin for being so helpful and communicative on this since it first happened!
This topic is now closed to further replies.