Important Security Notice

[StriderOfTheWest]

In response to post #75815913. #75817563, #75818673, #75818978 are all replies on the same post.

PockyPunk1 wrote: Yeah, let's say I won't post any more mods on this platform.
The forced to Vortex migration (let's not talk about how Vortex works, don't get me talking on that ahahah); staff couldn't care less about mod authors; the new slow/fast download page popped and when people voice their concerns, premium fan-people are there to shame those poor souls, and security could be better. So glad I never paid anything.
Next time, don't take more than one month to tell your users (you know, people who pay your bills) about eventual stolen data and security flaws.

Eolhin wrote: I do not understand what people are complaining about, re timing. They sent out notification in the form of a message on Nexus over 4 weeks ago and forced the password change for everyone that logged out and back in at that time, and recommended that everyone make the change at that time. I know, as I still have the message in my notifications, and I posted a public service announcement about it on the mod FB group I am a moderator for. This is just a follow up to catch anyone that blithely ignored the first announcement, and give more details. So they did not wait a month, by any means.

Also, I don't use Vortex, so you can't really claim people are forced to use it. They aren't.

FastBlackCat wrote: I'm not sure what notification you are talking about. If it's this one here , there's not one word about a security breach in it. Do you have something different?

dimysama wrote: for all the flaws nexus has, vortex is not one of them, NMM was a mistake

Maybe it's better to fix the protection and make sure hackers won't access any more data before telling every last user on nexus that they too can hack nexus :D

[CabolaDK]

 

I was a Lifetime Premium Member but after resetting my password and gotten moved over to this new user database or what ever, I've lost it along with all my other settings, tracked mods etc.etc. Any chance on getting that back?

Try also using the "Contact Us" button at the bottom of the page.

 

 

 

 

In response to post #75814883.

 

 

 

Cabola wrote:

I was a Lifetime Premium Member but after resetting my password and gotten moved over to this new user database or what ever, I've lost it along with all my other settings, tracked mods etc.etc. Any chance on getting that back?

Sorry to hear about this Cabola. It isn't something that is possible with the system though.

 

It sounds like you may have signed into a different account. Please contact [email protected] with all the relevant details (usernames, etc) and we'll look into it. If possible please also include a copy of the PayPal/bank reference for your Premium purchase.

 

Thanks!

 

It was my bad, for some reason I actually had 2 account on nexus where this one was my actual account. I have no idea why I had registered 2 accounts..

 

This one has everything on it, premium, tracked mods etc.!

 

I've gone ahead and deleted the other account as nothing was on it except from 1 post on the forums, well 2 with my the post on this topic! :)

[tgstyle24]

In response to post #75806633. #75806923, #75807088, #75807518, #75809163, #75810108, #75815753, #75816753, #75817413 are all replies on the same post.

JimmyRJump wrote: 8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...

BigBizkit wrote: As our immediate response we wanted to make sure the exploit is dealt with as quickly as possible, the new user service alleviating the issue is on its way - which required us to focus on testing a lot, and, lastly, we needed to assess the situation in its entirety before making rash decisions, especially considering EU regulations.

As an EU registered company we are required by law to perform certain tasks and we had to be sure that we were doing everything correctly, in the correct sequence.

If it was the intention of the actor to take user data, which we do not know, and then attempt to use any data maliciously, which we also do not know for sure, then the process of decrypting strong passwords isn't trivial and so it's unlikely anything would happen immediately.

JimmyRJump wrote: Sure BiBizkit. I totally understand and agree. But if Nexus was a bank, you can bet your lilywhites I'd be on the phone with my lawyers. Presuming I have those.

tgstyle24 wrote: I am EU member and I know our law a little bit...
Nexus did nothing wrong in the eye of the law (as long as they reported the data security lack to the DPA within 72 hours). They are not forced to inform their users unless its absolutely clear that there is a high risk for the personal rights of the affected.

... but...

it would have been a nice move to make a quick post as information for all that sth happened... that its not clear what exactly... but that they recommend to change the passwords in any case... I always say "better save than sorry" ;)

JimmyRJump wrote: @tgstyle24: I'm from Belgium and know quite a bit about legal matters and laws, both local and international. My comment wasn't insinuating anything unlawful had happened on Nexus' part. But since when do lawyers need broken laws to sue yer arse? :P

Acacophony wrote: I understand that rationale and the importance of testing, but writing up a quick announcement and advisement for everyone to change their passwords would take a few minutes at most. I think everyone would have appreciated knowing sooner.
Hopefully this won't happen again, but if it does, I'm sure all of us would appreciate knowing earlier next time.

Keep up the good work on this site~

tgstyle24 wrote: @JimmyRJump: I give you that point, neighbor ;)

Saggaris wrote: Acacophony, the obvious reason is because they'd just pissed off a ton of people with the forced password changes...so they let the water settle for a month or so first.
I still say that the more data you collect on people the more data you have to be stolen/attacked for.

Eolhin wrote: I do not understand what people are complaining about, re timing. They sent out notification in the form of a message on Nexus over 4 weeks ago and forced the password change for everyone that logged out and back in at that time, and recommended that everyone make the change at that time. I know, as I still have the message in my notifications, and I posted a public service announcement about it on the mod FB group I am a moderator for. This is just a follow up to catch anyone that blithely ignored the first announcement, and give more details. So they did not wait a month, by any means.

@ Eolhin:
I think the outrage about the delay for this information has the main reason in the possible attack with possible stolen user data at the 8th of Nov. which nobody mentioned in the post from 20th Nov.

Lemme show you what I mean:

original text post 20thNov:
"Due to its reliance on old IP Board code, we cannot vouch for the security of the current, dated user system, as vulnerabilities in old software code may or may not become exposed as time goes on. Such vulnerabilities could potentially be exploited by malicious actors, which is why our web team has spent a substantial amount of time upgrading the user system to bring it up to modern security standards."

Its just about "may or may not" and "could" ... not about "we probably got attacked and they probably have stolen user data"
The information WHY they improved their system is something everyone who has an account in the world wide web should be aware of... nobody is really safe in the internet.
I am sure everybody apprechiate that they set their protection priorities higher and worked like hell on those improvements... well I do at least.
I just think people are a bit disappointed on how this information situation got handled... it has sth to do with trust imo.

But well, s#*! happens... we all are not free of mistakes... but humankind is able to learn from them... ;)

[JZSquared]

Why am I having to find this out through a Reddit thread and not through an email? Why have you not notified people via email yet? Not everyone checks the site everyday you know? And not everyone checks the notifications either.

[TheCoolest7248]

In response to post #75822278.

JZSquared wrote: Why am I having to find this out through a Reddit thread and not through an email? Why have you not notified people via email yet? Not everyone checks the site everyday you know? And not everyone checks the notifications either.

I cannot agree with this statement more...

[Vlad254]

So I just now logged out of Nexus and when I clicked the "Log in" link I was asked if it was ok for Nexus to access my account, I said yes and clicked the log in and was immediately logged in. My question is; is that how it works?

[Yggdrasil7557]

In response to post #75815913. #75817563, #75818673, #75818978, #75819648 are all replies on the same post.

PockyPunk1 wrote: Yeah, let's say I won't post any more mods on this platform.
The forced to Vortex migration (let's not talk about how Vortex works, don't get me talking on that ahahah); staff couldn't care less about mod authors; the new slow/fast download page popped and when people voice their concerns, premium fan-people are there to shame those poor souls, and security could be better. So glad I never paid anything.
Next time, don't take more than one month to tell your users (you know, people who pay your bills) about eventual stolen data and security flaws.

Eolhin wrote: I do not understand what people are complaining about, re timing. They sent out notification in the form of a message on Nexus over 4 weeks ago and forced the password change for everyone that logged out and back in at that time, and recommended that everyone make the change at that time. I know, as I still have the message in my notifications, and I posted a public service announcement about it on the mod FB group I am a moderator for. This is just a follow up to catch anyone that blithely ignored the first announcement, and give more details. So they did not wait a month, by any means.

Also, I don't use Vortex, so you can't really claim people are forced to use it. They aren't.

FastBlackCat wrote: I'm not sure what notification you are talking about. If it's this one here , there's not one word about a security breach in it. Do you have something different?

dimysama wrote: for all the flaws nexus has, vortex is not one of them, NMM was a mistake

StriderOfTheWest wrote: Maybe it's better to fix the protection and make sure hackers won't access any more data before telling every last user on nexus that they too can hack nexus :D

1: you never pay anything but you are complaining that you should have info because you paid (flawed logic)
2: other websites you probably still use are known to have been hacked with the website knowing about it for years before they announced it; like facebook (and by extension all oauth sites), yahoo, github, and many others. it is not viable to inform until the data breach is fixed, because informing causes the issue to be worse.
3: premium users arent shaming non-premium users, they are saying "why complain about something that you get for free, with no obligation that takes others thousands of hours and costs thousands of dollars when they inform you that there are limitations that have been in place for the last 12 years for unpaid members"
4: you can use mod organizer, kortex, wrye bash, nmm, or any other. they just brand download with manager buttons with vortex because they make vortex, not because you have to use vortex. Edited December 20, 2019 by Yggdrasil7557

[SnowFox35]

 

 

I was a Lifetime Premium Member but after resetting my password and gotten moved over to this new user database or what ever, I've lost it along with all my other settings, tracked mods etc.etc. Any chance on getting that back?

Try also using the "Contact Us" button at the bottom of the page.

 

 

 

 

In response to post #75814883.

 

 

 

Cabola wrote:

I was a Lifetime Premium Member but after resetting my password and gotten moved over to this new user database or what ever, I've lost it along with all my other settings, tracked mods etc.etc. Any chance on getting that back?

Sorry to hear about this Cabola. It isn't something that is possible with the system though.

 

It sounds like you may have signed into a different account. Please contact [email protected] with all the relevant details (usernames, etc) and we'll look into it. If possible please also include a copy of the PayPal/bank reference for your Premium purchase.

 

Thanks!

 

It was my bad, for some reason I actually had 2 account on nexus where this one was my actual account. I have no idea why I had registered 2 accounts..

 

This one has everything on it, premium, tracked mods etc.!

 

I've gone ahead and deleted the other account as nothing was on it except from 1 post on the forums, well 2 with my the post on this topic! :smile:

 

Good to hear! Glad you got it fixed.

[Yggdrasil7557]

In response to post #75810278. #75811368, #75812753, #75815603, #75819453, #75819583 are all replies on the same post.

reptileye wrote: And people pay for premium here uh? lol

Gameslover wrote: this site is a disaster these days.....

mcbarker wrote: No one ever said that using NexusMods was mandatory, either as a free member, or as a premium member. You can always go to the Steam site and BUY your mods there... and see how that works out for you.

It's very expensive to run a website as large as this one, with as many users. I know that Nexus isn't perfect... no website is, but the guys who created and run this site work hard to maintain it... and let's not forget the mod creators who supply all of the great mods free. Please show a little appreciation and respect for them. Everything considered, I think they do a really good job with the amount of traffic they get.

As far as paying for premium membership... well, that's just my way of saying thank you for a site which I use daily.

Hallier wrote: I agree absolutely. The site hasn't offered me ANYTHING to complain about in the year and some that I've used it. They even IMPROVED things that I would have complained about. Their support service is fantastic and they do a great job with maintenance and keeping the site up. The new function of the download pages requiring further authorization is a drop in the ocean of awesome stuff provided here, especially since the site runs ONE video ad at the bottom of the page, a total of TWO on the sides (that nobody looks at anyways and sometimes don't even function), and again TWO at the top and bottom . That's THREE ads, a maximum of FIVE running this whole site if you don't count premium membership income. This site is totally rad!

TheBottomhoodofSteel wrote: As if security breaches aren't a common thing that can happen anywhere and are more prone to happen to places where people might have stuff to lose...

GGs for your asinine post though.

zachtan1234 wrote: Congratulations to Reptileye for proving time and time again that he is nothing but an absolute macaco, and has offered nothing to the modding community that is worthwhile.

1: yes
2: this site costs money, without people paying for premium, it wouldnt exist anymore by now.
3: facebook's oauth has been hacked, but you can be sure people still use facebook. facebook didnt even tell people in the same year they knew about it being hacked.

[Yggdrasil7557]

In response to post #75818953.

AngryKarakuri wrote: NexusMods,
never gonna give you up,
never gonna let you down,
never gonna run around and desert you,
never gonna make you cry,
never gonna say goodbye.

Now I see why you wanted us to change our passwords and stuff. Thanks.
I'll keep sticking around. :psyduck:

thank you for being understanding and realizing that the password change request was the initial warning before nexus told the world to look for a way to hack into the site. you are clearly one of the good ones.