Important Security Notice


BigBizkit


In response to post #75844648.


artos0131 wrote: Why do I have to find out about this via Reddit? You're fine with sending ads and spam my mailbox but you don't have courtesy to send an email informing your users about the breach?


Umm... what mailbox of yours are they spamming? I believe they've said before that they don't usually send emails (I haven't gotten any), and I've never gotten any mail from them here on the Nexus besides site news, which happens like 1 or 2 times a week. That being said, it does seem a little weird not to get an email about this...

Guest deleted34304850

Okay, well before you all get your panties in a twist over email notifications (way too late for some), read the details of the breach.

One of the data items that could have been compromised was - email address.

If your email address was compromised because you use the same password on your email account and your Nexusmods account - what would be the point of emailing you to tell you about the breach? If a hacker has got access to your email account, then they're changing your password so you can't get it back easily and then they're already busy wrecking your life.

And before anyone replies back saying that such a scenario is stupid - read the posts under the password change news item and ask yourself: is it, really?

I have seen some seriously dumb posts on Nexusmods over the years, but the responses in that thread take the biscuit and I have no doubt whatsoever that there are people out there who use the same email/password combo across the world because their password is (in their arrogant opinion) "safe" - go look up pentesting and brute force password for details on how that can be overcome.

If you fear for the safety around Nexusmods and their data maintenance procedures (I know I do), you'll take steps to secure your data as much as possible.

At a minimum, I would suggest the following:

1. Enable 2FA everywhere you can across all your various websites: Gmail, Amazon, Nexusmods, your bank, everywhere. If you are using a site that doesn't have 2FA as an option, then you may want to ask them to consider it. At the same time, you may want to consider not using that website until they do enable 2FA.

2. Use a password manager. Your password isn't safe. Your arrogance will defeat you. Use a password manager to create and store random passwords and/or passphrases. The longer the password, the more secure it is. The more random the password, the more secure it is.

3. Do not use your regular email account - the one that you use for your bank or online shopping - with sites like this. Make another account, secure it, use that. Create a DMZ around your online presence so that if a site you use suffers a data breach, the data they have on you is in isolation.

4. Make use of online sites like haveibeenpwned to see if your IDs have been involved in data breaches.

5. Never assume "it will never happen to me". This week Zynga were breached and 172 million customer records were breached. Breaches like this happen every. single. day. Search Twitter for #infosec and #breach and you will see if/when breaches are announced (and no, they are never announced at the time of discovery).

Trust no-one with your data, because the technology they use cannot be trusted. There is no 100% perfect security mechanism out there. Fact. Only give up what you can afford to lose.

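Item 4 in the post above points at haveibeenpwned. The following is an added example (mine, not the poster's and not the service's own code) of the k-anonymity shape such a check takes: only the first five hex characters of the password's SHA-1 go to the lookup, and the match against the returned suffix list happens locally. The URL layout and "SUFFIX:COUNT" response format are assumed from the Pwned Passwords range API's public documentation; the ranges and counts used here are constructed in-process so the code runs offline.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

PREFIX_LEN = 5  # only this much of the hash is ever disclosed to the lookup service


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password; the corpus is keyed on this."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; CRLF tolerated, blank or malformed lines skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the corpus (0 = not found).

    fetch_range(prefix) returns the response body for a 5-hex-char prefix.
    The remaining 35 characters and the password itself never leave this function.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# ---- constructed stand-in for the service; counts are made up, not breach data ----
def build_fake_ranges(seen: List[Tuple[str, int]]) -> Dict[str, str]:
    """Group (password, count) pairs into per-prefix bodies, each padded with one
    filler line so a lookup must match the exact suffix rather than 'any line'."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in seen:
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:PREFIX_LEN], []).append(f"{digest[PREFIX_LEN:]}:{count}")
    for lines in ranges.values():
        lines.append("F" * 35 + ":1")  # filler suffix, astronomically unlikely to collide
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


FAKE_RANGES = build_fake_ranges([("password", 3730471), ("qwerty", 3946737)])


def fake_fetch(prefix: str) -> str:
    """Stand-in for HTTP GET /range/<prefix>; unknown prefixes return an empty body."""
    assert len(prefix) == PREFIX_LEN, "never send more than the 5-char prefix"
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "qwerty", "7Yf!kq2#pLw9vR"):
        print(f"{candidate!r}: seen {breach_count(candidate, fake_fetch)} times")
```

Swapping `fake_fetch` for a real HTTP GET of the range URL gives the live check without changing the matching logic.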

In response to post #75844648. #75847128 is also a reply to the same post.


artos0131 wrote: Why do I have to find out about this via Reddit? You're fine with sending ads and spam my mailbox but you don't have courtesy to send an email informing your users about the breach?
BryanMichaelD3 wrote: Umm... what mailbox of yours are they spamming? I believe they've said before that they don't usually send emails (I haven't gotten any), and I've never gotten any mail from them here on the Nexus besides site news, which happens like 1 or 2 times a week. That being said, it does seem a little weird not to get an email about this...


As far as I can see they didn't even f*#@ing tweet this on their official account.

In response to post #75841508.


1ae0bfb8 wrote:

 

In response to post #75838293. #75839753 is also a reply to the same post.


bjornvaldr wrote: You don't think alerting us the moment this sort of thing happens and instead waiting an entire month to tell us is a bad idea?
RockenJenAnn wrote: I'm sure they wanted to gather as much information as possible so they could dispatch the information properly, not to mention, it cost the Nexus time and money to notify everyone, no matter who.

So RockenJenAnn, if you ever have a family bereavement and the police come to tell you about it... seven weeks after the old man's stroke and later death, you'll be ok with it, will you?
"Well Ms RocketJenAnn, several weeks ago a close relative of yours had an accident. He suffered a stroke and then fell down the stairs and was admitted to hospital with a suspected fractured skull and a bruised arm within the hour; during his stay he contracted pneumonia and died three weeks later from complications... we thought we'd wait until we had all the details before contacting you so we could be sure that he was dead!"
Gooday maaaaaaaaam!

 

That is very surreal. I don't think you can make a more disparate comparison.


Yup, well done on effectuating your 'Word for the Day'.

Bet you can't guess mine.

In response to post #75850513.



Solid advice, but I disagree with your point on not notifying people by email. Your password does not have to be the same as your e-mail account; getting your Nexus account details leaked != getting your e-mail hacked. The point is that Nexus should've taken action ASAP & been clear, so don't share you've got breached two months afterwards with a shitty tiny news item tucked away somewhere. If you even suspect password hashes have been stolen, why not immediately try to notify as many of your users? Only a matter of time before those hashes are resolved to an actual password.

What's the harm in sending an e-mail anyway? Users may or may not see it, but at least a lot more people will see it than over here.

Guest deleted34304850
In response to post #75850513. #75851898, #75852638 are all replies on the same post.


trawzified wrote: Solid advice, but I disagree with your point on not notifying people by email. Your password does not have to be the same as your e-mail account, getting your Nexus account details leaked != getting your e-mail hacked. The point is that Nexus should've taken action ASAP & be clear, so don't share you've got breached two months afterwards with a shitty tiny news item tucked away somewhere. If you even suspect password hashes have been stolen, why not immediately try to notify as many of your users? Only a matter of time before those hashes are resolved to an actual password.

What's the harm in sending an e-mail anyway? Users may or may not see it, but at least a lot more people will see it than over here.
Withwiky wrote: Don't you have something better to do with your life? So sad.


In another post, I asked, as part of the process that was followed once the breach was identified - what step is notifying the userbase?

So far, that question hasn't been answered, nor do I expect it to be. I rather think that notifying the user base is not high on the agenda for any company, and when an announcement is made, it is as detail-free as possible.

In my post above, take a look at the replies on the news article where people are asked to change their passwords, and the resistance that it met.
I mean, changing passwords is surely normal behaviour, but apparently not within the Nexusmods community. I have never seen such replies in my life, and I remarked that reading them saddened me, as it shows in all its gory detail why cyber-crime is so lucrative. Basically, people are lazy idiots.

Anyway, I've done my little bit for the community. I expect this reply to be washed away in a sea of entitled idiots cryarsing about having to click an extra button on a download. Let's hope they don't suffer anything more than that going forward.

This latest breach really has hollowed out any trust I had in Nexusmods safely managing the data I have given them. I hope they look at how they store their data, and I hope that they look at encrypting everything in their database. In 2020, there is no requirement for any piece of data to be stored in plain text any more.

In response to post #75850513. #75851898, #75852638, #75853293 are all replies on the same post.



They're not storing passwords in plain text (thank god!); according to the above news article, passwords are hashed and salted, as they should be. This stuff happens all the time, but when it happens it's best to communicate loudly and clearly. I can understand people being annoyed by that and the recent change to downloads, no excuse for being rude though.