Important Security Notice

[trawzified]

Please send an e-mail to users, instead of hiding it away in the news tab here where a lot of people that have an account will miss it. I myself found out on reddit instead of here.

[derekthedj]

Because some of us don't hang around on this site! That's why we need an email notifying us of a data breach.

[Guest deleted34304850]

What has happened?

 

In the very early morning of 8th November 2019 we noticed suspicious activity by a potentially malicious third party actor against our services. Using an exploit in our legacy codebase, our logs confirm that they accessed a small number of user records from the old user service.

 

Even though we were able to secure the endpoint as soon as we discovered the exploit, as a measure of security, we are informing all of you, as we cannot rule out that further access to other user data including email addresses, password hashes and password salts has taken place.

 

We immediately worked to rectify the situation and, as part of the process, brought forward our release schedule for our long-planned new user service to ensure no other potential exploits on the old user service could be used to obtain user data. This step we took is ensuring that the new passwords are not only better protected, but that any encrypted passwords that have - potentially - been obtained from the old user service are already out of date.

 

Further, and as is required by law, we have informed the ICO about this incident and we are in the process of fulfilling our obligations related to the matter.

 

 

What does this mean for you?

 

While we noticed the suspicious activity on 8th November 2019, and we have no evidence of past activity in our logs, we cannot say for certain whether the exploit had been used before, and thus cannot ascertain how many - if any - email addresses, password hashes and salts were accessed.

 

Recognising our obligation to all of you, however, we are strongly urging you to be vigilant of potential phishing and credential stuffing attacks.

 

 

General Recommendations

 

• If you haven’t already, please log out and back in, in order to update your account and password and migrate to the new user service. If you’ve already used the new user service, then there is no need to change your password again.
• If you were using the same password you had on our old user service on other sites, please, change your password on these other sites as soon as possible.
• We strongly recommend using a password manager and to not reuse passwords across sites.
• Always use unique and strong passwords of at least 12 characters for each service you use.
• Consider using Two-Factor Authentication, especially if you are a mod author.

 

Will the reason for the fact that it took you over a month to disclose the breach be published on the site?

 

I have read a few websites today, all reporting the breach, but also saying that there has been no further comment from Nexusmods. I get its holiday season, but still, a wall of silence isn't a good response.

 

Is the data that was exposed in the latest breach the same data that was exposed in 2013? The announcement above mentions userids, password hashes and salts, and this old news report mentions the same types of data; https://news.softpedia.com/news/nexus-mods-data-breach-confirmed-6-million-accounts-compromised-499084.shtml?utm_content=buffer30b63&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

 

It may be a complete coincidence, but I've been in IT long enough to know that coincidence like this is an indication of repeated poor practice. Is that the case here?

 

Any further insight into this is gratefully received. In the meantime I'm going to seriously contemplate future use of this site. I don't care about download speeds, I care about how the data I share with companies is managed. I'm not getting a warm & fuzzy feeling from this.

[BigBizkit]

In response to post #75829688.

1ae0bfb8 wrote:

What has happened?

In the very early morning of 8th November 2019 we noticed suspicious activity by a potentially malicious third party actor against our services. Using an exploit in our legacy codebase, our logs confirm that they accessed a small number of user records from the old user service.

Even though we were able to secure the endpoint as soon as we discovered the exploit, as a measure of security, we are informing all of you, as we cannot rule out that further access to other user data including email addresses, password hashes and password salts has taken place.

We immediately worked to rectify the situation and, as part of the process, brought forward our release schedule for our long-planned new user service to ensure no other potential exploits on the old user service could be used to obtain user data. This step we took is ensuring that the new passwords are not only better protected, but that any encrypted passwords that have - potentially - been obtained from the old user service are already out of date.

Further, and as is required by law, we have informed the ICO about this incident and we are in the process of fulfilling our obligations related to the matter.


What does this mean for you?

While we noticed the suspicious activity on 8th November 2019, and we have no evidence of past activity in our logs, we cannot say for certain whether the exploit had been used before, and thus cannot ascertain how many - if any - email addresses, password hashes and salts were accessed.

Recognising our obligation to all of you, however, we are strongly urging you to be vigilant of potential phishing and credential stuffing attacks.


General Recommendations

If you haven’t already, please log out and back in, in order to update your account and password and migrate to the new user service. If you’ve already used the new user service, then there is no need to change your password again.If you were using the same password you had on our old user service on other sites, please, change your password on these other sites as soon as possible.We strongly recommend using a password manager and to not reuse passwords across sites.Always use unique and strong passwords of at least 12 characters for each service you use.Consider using Two-Factor Authentication, especially if you are a mod author.

 

Will the reason for the fact that it took you over a month to disclose the breach be published on the site?

 

I have read a few websites today, all reporting the breach, but also saying that there has been no further comment from Nexusmods. I get its holiday season, but still, a wall of silence isn't a good response.

 

Is the data that was exposed in the latest breach the same data that was exposed in 2013? The announcement above mentions userids, password hashes and salts, and this old news report mentions the same types of data; https://news.softpedia.com/news/nexus-mods-data-breach-confirmed-6-million-accounts-compromised-499084.shtml?utm_content=buffer30b63&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

 

It may be a complete coincidence, but I've been in IT long enough to know that coincidence like this is an indication of repeated poor practice. Is that the case here?

 

Any further insight into this is gratefully received. In the meantime I'm going to seriously contemplate future use of this site. I don't care about download speeds, I care about how the data I share with companies is managed. I'm not getting a warm & fuzzy feeling from this.

Hi 1ae0bfb8,

The situation addressed in this news post is very different from what you are referring to, as - in contrast to then - we know that there was no database dump. As the article you are linking is saying, the situation back then arose from "three user accounts with extremely simple passwords" - another reason why upgrading our security standard to a minimum of 12 characters, upper and lowercase, as well as at least one number, was necessary.

What we know from our logs is that there were ~10 attempts to access single users at a time, however, we do not know whether more data than that has de facto been accessed. We cannot, however, rule out that more data such as email addresses, password hashes and salts (i.e. encrypted passwords, as we don't store passwords in plain text) were accessed, which is why - as a precaution - we are informing everyone.

As our immediate response we wanted to make sure the exploit is dealt with as quickly as possible, the new user service alleviating the issue is on its way - which required us to focus on testing a lot, and, lastly, we needed to assess the situation in its entirety before making rash decisions, especially considering EU regulations.

As an EU registered company we are required by law to perform certain tasks and we had to be sure that we were doing everything correctly, in the correct sequence.

If it was the intention of the actor to take user data, which we do not know, and then attempt to use any data maliciously, which we also do not know for sure, then the process of decrypting strong passwords isn't trivial and so it's unlikely anything would happen immediately.

[Setekh79]

Why did I have to learn about this from a 3rd party website? Why is this not an announcement on THIS site? Why it is hidden away here in a section that mose of the userbase doesn't even check?

You lot need to get your heads out of your arses and start taking user security seriously or this site is going to be deserted in a god damn flash.

[Setekh79]

In response to post #75829048.

trawzified wrote: Please send an e-mail to users, instead of hiding it away in the news tab here where a lot of people that have an account will miss it. I myself found out on reddit instead of here.

It's disgusting that people are only finding ot about this because it was posted by users on third party sites. I think it's pretty telling just how Nexus staff are afraid that once again their security has been perforated and worried about the (rightly deserved) community backlash.
Wholly fking unacceptable.

[Hoamaii]

Wow, I cannot thank enough 1ae0bfb8 for mentioning haveibeenpwned.com service!..

 

Turns out I'm one of the "lucky" ones who's actually been pwned on the Nexus, except that was back in 2015, possibly 2013, and I never knew!.. Luckily, I've changed all my passwords many times since then and it would appear the harm was minor and containable. I'm one of these dinosaurs who keep a very low profile on the Internet, with no social media account whatsoever and very limited web usage, at least compared to most of my friends. The Nexus is the only online community I take part in and I apparently got hacked only months after I became a premium member!.. I'm not blaming anybody here, the mistake was mine, and that mistake was to think that my profile was low enough to be safe. Sure, I was aware enough as to use complicated passwords and change them every now and then but obviously that was not enough: I checked all my emails accounts on haveibeenpwned.com and turns out the only one which was ever compromised was the one I used on the Nexus and was indeed pwned on the Nexus!..

 

So the MOST IMPORTANT and definitely useful info I got from this whole thread came in the end from 1ae0bfb8's comment: everybody knows that breaches happen and there's no reason why the Nexus should be spared - BUT not everybody knows about that website where we can verify in real time if we're indeed safe or not. And I cannot urge enough other users to use it too if they haven't already.

 

I can only agree with other comments, BigBizKit and PickySaurus, if that's feasable, please do warn us by email next time a breach happens, and please don't wait weeks before you do, and do direct us to haveibeenpwned.com in that email. If some of us have been compromised, we need to know asap so we can take actions immediately.

 

There's a huge difference between wondering if you've been hacked like we all did in this thread and being able to actually verify if that's the case or not. When we know we've been compromised and when, we can do something about it - and that's what matters most. Changing our Nexus passwords is not enough, we may also need to change our emails' passwords, and that, we need to know as quickly as possible. Thanks.

Edited December 20, 2019 by Hoamaii

[Guest deleted34304850]

Why did I have to learn about this from a 3rd party website? Why is this not an announcement on THIS site? Why it is hidden away here in a section that mose of the userbase doesn't even check?

You lot need to get your heads out of your arses and start taking user security seriously or this site is going to be deserted in a god damn flash.

I found out about it on this site. I read the News section of the site daily. Don't be speaking for "most of", speak for yourself and tone down the abuse. It solves nothing.

[Guest deleted34304850]

Thank you for the further clarification.

I think I may not have made my initial point clearly enough. I wasn't comparing a database dump with the recent issue, I was asking more about the data involved. The article I linked, and your opening statement above mention userids, passwords, and salts, so there is a consistency that I was curious about.

Again, if you can't go too in-depth on that, I understand.

 

One final question. In your reply you state the following;

 

As an EU registered company we are required by law to perform certain tasks and we had to be sure that we were doing everything correctly, in the correct sequence.

 

Where in the sequence of events is notifying your userbase? Given that the issue occurred over a month ago, is it safe to assume this is among the last steps in the sequence?

Again, I fully understand the need to investigate, analyse, patch and test before you release a fix into your production services, but it does worry me that this happened some weeks ago and we only find out yesterday, right before the holidays when people may be busy, or not around, due to travelling etc.

 

Anyway, thanks and appreciation to everyone for the very fast turnaround and remediation - I did as requested a few weeks back, changing my password and updating the 2FA as recommended, and did so without issue and impact. Good luck to the rest of the team as you come to terms with this, and finally, happy holidays. I hope you get some good time off.

Edited December 20, 2019 by 1ae0bfb8

[damanding]

 

MrMason, on 19 Dec 2019 - 08:15 AM, said:

 

We do have around 10 saved logs for requests that look like direct attempts to access single users at a time, however, as we say in the main news post - we cannot be certain how many - if any - email addresses, password hashes and salts were actually accessed.

 

Will the individual users who were targeted at least be notified personally to be on extra guard?