Forced Password Resets


Dark0ne

In response to post #41166720. #41207065, #41223585 are all replies on the same post.


Thandal wrote:

@xanderh2404; In addition to reading all of Dark0ne's original post in this topic, see his Network News announcements about this breach here and here, from back when we became aware of it (Dec 2015). Note that it appears from the date of the latest entries that the dataset in question was actually taken over three years ago (still not sure how).

 

Yes, the passwords were salted and hashed. And yes, after this long, someone may have simply brute-forced at least the simpler ones.

MadnessEternal wrote: A question concerning the data breach 3 years ago... when Nexus removes an account due to it being banned, is the data simply deleted, or do they scrub the data with the equivalent of a digital file shredder?

I ask because, if they're persistent enough, hackers can recover even removed accounts.
wPatriot wrote: @MadnessEternal: Uhh, unless Nexus is doing some weird things with their banned accounts (which I doubt, because it would be a whole lot of effort for a whole lot of nothing), I doubt a 'hacker' would need to be persistent. Usually, banned accounts aren't deleted *at all*. They're just locked out from using any of a website's features.

Enforcing a ban would be really tricky if you delete all data related to banned accounts.


Well, I asked simply because banned accounts do still carry passwords. Passwords that others may well be using to secure their accounts.

I too would like to join the queue of people thanking the Nexus staff for their insufficient security. No, really, thanks guys.

 

On that note, I can't change my password. I can log in with it, but I get an 'incorrect password' error if I try to change it. Wat do?


In response to post #41248535.


qwertyzeldar wrote: You're fine. This is only a problem for old users from back in 2013.


I literally don't even know what my password is. xD Maybe one day a hacker will let me know. Lol

@BonzDWB wrote: I literally don't even know what my password is. xD Maybe one day a hacker will let me know. Lol

It has been my personal experience that people who forget passwords often used the same forgotten passwords for other accounts. :pinch: Meaning IF your Nexus account is ever actually hacked, the hacker gets access to any other account you used that same username and password on.

 

You can request your account be closed, then open a new account using either the same email or another email you prefer. That will prevent any slimeball hacker from taking over your Nexus account. You really should get some method to remember passwords such as a password manager program.


In response to post #41198720. #41223970 is also a reply to the same post.


bben46 wrote:

Ten years ago (some of our accounts go back much further than that) a simple password for a site like Nexus was sufficient. After all, there was no money to be had for the effort and the worst you could do was use a hijacked account to troll the site. Then, the criminal scum discovered that many of the members were dumb enough to use the same password on other accounts where they could steal real money. Not many, as the majority of the users on a game site were young enough that they didn't have credit cards. But those kiddies grew up and many still didn't change their simple, easy-to-crack passwords. But now they had jobs, money, bank accounts and credit cards. Now cracking a password on Nexus still didn't get them any money directly, but it might get them access to other accounts where they could steal some money. And access to social media accounts where they could harvest a lot of personal info that scammers and spammers will pay for.

 

I have a very close friend who posted her telephone number on an open FB post to someone. She has been swamped with spam and scam phone calls on that number. As many as 7 and 8 a day. That phone number was likely harvested by a scraper that reads thousands of FB posts every second looking for data like phone numbers, email addresses, mailing addresses and any other valid personal information. The scraper then sold her verified phone number, along with hundreds of others, for about 5 cents per number. That doesn't sound like much, but they likely sold her number in a package that included around 10,000 already verified good numbers, making them $500 from each of a dozen or so scammers, making their total haul around $6 to 7k.

 

Change your password if you haven't already - AND do not post private info on any public forum.

Gharuk wrote: > there was no money to be had for the effort

I think a significant danger is the use of hijacked mods to distribute malware (i.e. to grow botnets). If I were a Nexus coder, I'd build some kind of tripwire into the Nexus that would be set on any account that had more than N downloads a day on it and post an email to moderators to check out uploads if they came from IP addresses that the account owner had never uploaded a mod from before, or something like that.


That, or at least if an account has been inactive and then suddenly re-uploads/updates an old mod that hasn't been touched in years it should be flagged.
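One way to implement the two tripwires proposed in this exchange (a popular account uploading from a never-seen IP, and a long-dormant account suddenly updating a mod), as an added example that is not Nexus's own code. The account records, event fields, sample data and thresholds are all constructed assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample data; field names and values are assumptions, not Nexus's schema.
# Per-account upload history: IPs the account has uploaded from before, and last upload time.
UPLOAD_HISTORY = {
    "alice": {"ips": {"203.0.113.5"}, "last_upload": datetime(2016, 1, 10)},
    "bob":   {"ips": {"198.51.100.7"}, "last_upload": datetime(2012, 6, 1)},
    "carol": {"ips": {"192.0.2.9"}, "last_upload": datetime(2016, 1, 15)},
}
# Downloads per day across each account's mods (constructed).
DAILY_DOWNLOADS = {"alice": 12000, "bob": 300, "carol": 50}

# Incoming upload/update events to screen, in arrival order (constructed).
NEW_UPLOADS = [
    {"account": "alice", "ip": "203.0.113.5", "when": datetime(2016, 1, 20)},
    {"account": "alice", "ip": "192.0.2.77", "when": datetime(2016, 1, 21)},
    {"account": "bob", "ip": "198.51.100.7", "when": datetime(2016, 1, 22)},
    {"account": "carol", "ip": "192.0.2.66", "when": datetime(2016, 1, 23)},
]

POPULAR_THRESHOLD = 1000  # "more than N downloads a day"; N is a tunable assumption
DORMANT_DAYS = 365        # "hasn't been touched in years"; also an assumption


def upload_reasons(event, history, downloads,
                   popular_threshold=POPULAR_THRESHOLD, dormant_days=DORMANT_DAYS):
    """Return the list of tripwire reasons an upload event trips (empty if none)."""
    acct = history[event["account"]]
    reasons = []
    # Rule 1: widely downloaded account uploading from an IP it has never uploaded from.
    never_seen_ip = event["ip"] not in acct["ips"]
    if never_seen_ip and downloads.get(event["account"], 0) > popular_threshold:
        reasons.append("popular account uploading from never-seen IP")
    # Rule 2: long-dormant account suddenly updating an old mod.
    if event["when"] - acct["last_upload"] > timedelta(days=dormant_days):
        reasons.append("dormant account suddenly updating")
    return reasons


def flag_uploads(events, history, downloads):
    """Return only the events that tripped a rule, each with its reasons, in arrival order.
    A real system would queue these for moderator review rather than block outright,
    and add the IP to the account's known set only once a moderator clears the upload."""
    flagged = []
    for event in events:
        reasons = upload_reasons(event, history, downloads)
        if reasons:
            flagged.append({**event, "reasons": reasons})
    return flagged
```

Calling `flag_uploads(NEW_UPLOADS, UPLOAD_HISTORY, DAILY_DOWNLOADS)` on the sample data flags alice's upload from the unfamiliar IP and bob's update after years of silence, while carol's low-traffic account from a new IP passes, which shows why the download threshold matters for Rule 1.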

In response to post #41166720. #41207065, #41223585, #41312795 are all replies on the same post.

Well, now that there's been a forced password change for older accounts, if any of those were banned accounts, then they are safe because the password does not work for them any more.

In response to post #41166720. #41207065, #41223585, #41312795, #41504765 are all replies on the same post.

I think what Madness Eternal is trying to say is that if an account is banned, that person may have another account with the same password. This could also apply to people with two or more accounts that aren't banned. However, I'm not sure how the hackers could find the person's other (still active) account, especially if it was created after July 2013. After all, you can't create two accounts with the same username and/or email.

This explains why some A'hole Russian tried to hijack my EA and Ubisoft account. Wasn't hard to take it back; I'll be more careful going forward. Plenty more breaches coming up -- too many websites to have a custom setup for anyone really. :/