Important Security Notice

BigBizkit

Guest deleted34304850

"Your password isn't secure" Then why bother having one? Why bother having all the complexities required? Why use a third-party program? It's all a colossal waste of time. Memberships are the primary cause of data breaches, because if someone doesn't smell money and spam opportunities for lulz, then they have a problem with the way the site is administered and are going to try to do bad things. In our 1st World efforts to increase security we've simply made ourselves a bigger target for those who want to take us down a peg. Linux was a mistake, apparently.

That is quite utterly stupid and appalling.

Replies: 287

In response to post #75879178.


XarisD wrote: "Your password isn't secure" Then why bother having one? Why bother having all the complexities required? Why use a third-party program? It's all a colossal waste of time. Memberships are the primary cause of data breaches, because if someone doesn't smell money and spam opportunities for lulz, then they have a problem with the way the site is administered and are going to try to do bad things. In our 1st World efforts to increase security we've simply made ourselves a bigger target for those who want to take us down a peg. Linux was a mistake, apparently.


Did you seriously type this BS? "Oh, let's have no passwords so that anyone at all can access our personal accounts at any time! That'll make things more secure!" Either your brain isn't working, or someone else accessed your account and typed this while pretending to be you. If the first, get off the internet because you're too naive to live in this jungle. If the second, well, there's your proof that you need to password your accounts to cut off access for thieves and scammers.

A couple of questions:

1) Why did you guys only post about this over a month later, AFTER a reddit post, made by someone else, notified the userbase?

2) Should I ask the data breachers for my old account? Since your "support" never wanted to bother to help me recover my old account through alternate means, all in the name of "security", then I have to ask...

3) What security? This isn't this site's first breach. It makes me very reluctant to buy a premium membership when support staff is unsupportive and your security sucks.


In response to post #75850513. #75851898, #75852638, #75853293, #75853933 are all replies on the same post.


1ae0bfb8 wrote:

Okay, well before you all get your panties in a twist over email notifications (way too late for some), read the details of the breach.

One of the data items that could have been compromised was - email address.

If your email address was compromised because you use the same password on your email account and your Nexusmods account - what would be the point of emailing you to tell you about the breach? If a hacker has got access to your email account, then they're changing your password so you can't get it back easily and then they're already busy wrecking your life.

And before anyone replies back saying that such a scenario is stupid - read the posts under the password change news item and ask yourself is it, really?

I have seen some seriously dumb posts on Nexusmods over the years, but the responses in that thread take the biscuit and I have no doubt whatsoever that there are people out there who use the same email/password combo across the world because their password is (in their arrogant opinion) "safe" - Go look up pentesting and brute force password for details on how that can be overcome.

If you fear about the safety around Nexusmods and their data maintenance procedures (I know I do), you'll take steps to secure your data as much as possible.

At a minimum, I would suggest the following;

1. Enable 2FA everywhere you can across all your various websites, Gmail, Amazon, Nexusmods, your bank, everywhere. If you are using a site that doesn't have 2FA as an option, then you may want to ask them to consider it. At the same time, you may want to consider not using that website until they do enable 2FA.

2. Use a password manager. Your password isn't safe. Your arrogance will defeat you. Use a password manager to create and store random passwords and/or pass phrases. The longer the password, the more secure it is. The more random the password, the more secure it is.

3. Do not use your regular email account - the one that you use for your bank or online shopping - with sites like this. Make another account, secure it, use that. Create a DMZ around your online presence so that if a site you use suffers a data breach, the data they have on you is in isolation.

4. Make use of online sites like haveibeenpwned to see if your IDs have been involved in data breaches.

5. Never assume "it will never happen to me". This week Zynga were breached and 172 million customer records were breached. Breaches like this happen every. single. day. Search Twitter for #infosec and #breach and you will see if/when breaches are announced (and no, they are never announced at the time of discovery).

Trust no-one with your data, because the technology they use cannot be trusted. There is no 100% perfect security mechanism out there. Fact. Only give up what you can afford to lose.

trawzified wrote: Solid advice, but I disagree with your point on not notifying people by email. Your password does not have to be the same as your e-mail account, getting your Nexus account details leaked != getting your e-mail hacked. The point is that Nexus should've taken action ASAP & be clear, so don't share you've got breached two months afterwards with a shitty tiny news item tucked away somewhere. If you even suspect password hashes have been stolen, why not immediately try to notify as many of your users? Only a matter of time before those hashes are resolved to an actual password.

What's the harm in sending an e-mail anyway? Users may or may not see it, but at least a lot more people will see it than over here.
Withwiky wrote: Don't you have something better to do with your life? So sad.
1ae0bfb8 wrote: In another post, I asked, as part of the process that was followed once the breach was identified - what step is notifying the userbase?

So far, that question hasn't been answered, nor do I expect it to be. I rather think that notifying the user base is not high on the agenda for any company, and when an announcement is made, it is as detail-free as possible.

In my post above, take a look at the replies on the news article where people are asked to change their passwords, and the resistance that met.
I mean, changing passwords is surely normal behaviour, but apparently not within the Nexusmods community. I have never seen such replies in my life, and I remarked that reading them saddened me as it shows in all its gory detail why cyber-crime is so lucrative. Basically people are lazy idiots.

Anyway, I've done my little bit for the community. I expect this reply to be washed away in a sea of entitled idiots cryarsing about having to click an extra button on a download. Let's hope they don't suffer anything more than that going forward.

This latest breach really has hollowed out any trust I had in Nexusmods safely managing the data I have given them. I hope they look at how they store their data, and I hope that they look at encrypting everything in their database. In 2020, there is no requirement for any piece of data to be stored in plain text any more.
trawzified wrote: They're not storing passwords in plain text (thank god!); according to the above news article, passwords are hashed and salted, as they should be. This stuff happens all the time, but when it happens it's best to communicate loud and clearly. I can understand people being annoyed by that and the recent change to downloads, no excuse for being rude though.


Sincerely... I'd rather be hacked than do all you said... even if it was certain that I would be hacked xD Well... alright, that's an exaggeration, but the point is... I don't think it won't happen to me, I know it can happen to me... but if I found logic in doing so many steps to protect myself on the internet, I should wear armor when I go to the street. The thing is... bad people will do bad things; I prefer to pay the consequences after someone bad does me bad, than paying the consequences just to avoid it. Life's too short to be so worried about it.

Aaaaand statistically it is not so common to be hacked. I'm more worried about the flu and car accidents and cancer (since I smoke). (Oh, and I think my data is leaked, since I am one of those that use the same password across everywhere... not because I think it is safe, but because I don't care... and recently someone changed the password on that e-mail account, so maybe it's Nexus's fault that... I don't even know if they have access to pay anything with that account... should I find any weird payout I will worry and go to the police and do what is needed.) Even if it has already happened to me it doesn't change my mind; I'd rather live "insecure" than live obsessed with security. Edited by Nassens

Seriously, all the people complaining about the fact that Nexus's security must be really bad for this to happen need to get a grip on reality. There is NO SUCH THING as a fully secure site. When you realise that even the world's greatest nations' top government and military computers get hacked on a daily basis, you might come to understand that hackers will always find a way in. It's just a game to these people and they play to win.

If you don't want personal info to be abused then don't put it online in the first place. I have been playing online games for years and have been a member of hundreds of sites since I got my first computer almost 20 years ago and I will tell you here and now that NOBODY knows my real name or where I live because it does not exist online. Create a fake online personality with its own email and use that for everything and you will never have to worry.


In response to post #75862498.


HadToRegister wrote:

First I heard about any of this was a thread someone started, asking why the site is insisting they make a new password.
That was around December 8 - 14


The lack of notification - or indication whatsoever - is what actually started this whole mess in the comment section. Trust me, you're not the only one who got it late.
This topic is now closed to further replies.