Important Security Notice


BigBizkit

In response to post #75844648. #75847128, #75850738 are all replies on the same post.


artos0131 wrote: Why do I have to find out about this via Reddit? You're fine with sending ads and spamming my mailbox but you don't have the courtesy to send an email informing your users about the breach?
BryanMichaelD3 wrote: Umm... what mailbox of yours are they spamming? I believe they've said before that they don't usually send emails (I haven't gotten any), and I've never gotten any mail from them here on the Nexus besides site news which happens like 1 or 2 times a week. That being said, does seem a little weird not to get an email about this...
Zombirate wrote: as far as I can see they didn't even f*#@ing tweet this on their official account


Not sure I've ever gotten an email from them, other than my registration confirmation.... If you're getting a bunch of spam in your inbox, you may want to check for another culprit, LoL.

If you're complaining about ads on the site, they have to pay their bills somehow... Google sells your information to advertisers... You didn't think anything was free did you? Someone, somewhere, is paying for everything you do...
Link to comment

I am very happy the guys here are vigilant and reported the crime, it always will be an ongoing battle to keep the bad guys out.

Some sites never take action when you report something weird and start telling you the vault is entirely at your machine.

Those sites often are already breached; often these people rely too much on the false idea that they are secure.

So in short, well done.

Link to comment

I agree that it's pretty shitty that most of us had to find out about this from Reddit, but also that you had the balls to then try to sell me a subscription service after resetting my password. Why would you think anyone would want to reward you after you f*#@ed up again?
Link to comment

At a minimum, I would suggest the following:

1. Enable 2FA everywhere you can across all your various websites, Gmail, Amazon, Nexusmods, your bank, everywhere. If you are using a site that doesn't have 2FA as an option, then you may want to ask them to consider it. At the same time, you may want to consider not using that website until they do enable 2FA.

2. Use a password manager. Your password isn't safe. Your arrogance will defeat you. Use a password manager to create and store random passwords and/or pass phrases. The longer the password, the more secure it is. The more random the password, the more secure it is.

3. Do not use your regular email account - the one that you use for your bank or online shopping - with sites like this. Make another account, secure it, use that. Create a DMZ around your online presence so that if a site you use suffers a data breach, the data they have on you is in isolation.

4. Make use of online sites like haveibeenpwned to see if your IDs have been involved in data breaches.

5. Never assume - it will never happen to me - This week Zynga were breached and 172 million customer records were breached. Breaches like this happen every. single. day. Search Twitter for #infosec and #breach and you will see if/when breaches are announced (and no, they are never announced at the time of discovery).

Trust no-one with your data, because the technology they use cannot be trusted. There is no 100% perfect security mechanism out there. Fact. Only give up what you can afford to lose.

It'd be really useful if something like this was posted somewhere prominent (if it isn't already) and on registering to the forum as part of the process. I'd probably add: If you don't want to risk being cheated or hacked at all then don't go online... ever... but your 'trust no one' says that...

Link to comment

In response to post #75863148.


ubronan wrote: I am very happy the guys here are vigilant and reported the crime, it always will be an ongoing battle to keep the bad guys out.
Some sites never take action when you report something weird and start telling you the vault is entirely at your machine.
Those sites often are already breached; often these people rely too much on the false idea that they are secure.
So in short, well done.


Totally Agree with Your Comments and Never had any Problems with Nexus..Actually wasn't Aware of any Problems until I had Difficulty in Logging In Last Week..Reset Password and all is OK..What are Password Salts ??....
Link to comment

Guest deleted34304850

a password salt is a form of encryption.

if you have a user name of 'johnsmith' and a password of 'password', salting is combining the userid and password, then encrypting it so you get a value, which looks something like this 'F4E6A2B1C988FEDC6A9000FF'. when you logon to a site using the username and password, what you provide via a logon form is taken, encrypted and the corresponding value of your userid/password is compared with the salted value in the database and if they are the same, you can logon. if they are different then one of the two values is wrong.

Link to comment
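
Added example (not part of the original thread, and not any site's actual code): in standard practice a salt is a random, non-secret value generated per user and stored next to the password hash, and the password goes through a slow one-way function rather than reversible encryption. The sketch uses PBKDF2 from Python's standard library; the function names, the work factor and the second user `janedoe` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune per deployment


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a site would store: salt, work factor, derived hash."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user, stored in the clear
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    # Constructed sample users: both picked the same weak password.
    db = {
        "johnsmith": hash_password("password"),
        "janedoe": hash_password("password"),
    }
    # Without a salt, identical passwords give identical hashes, so one
    # precomputed lookup table would crack every such account at once.
    unsalted = [hashlib.sha256(b"password").hexdigest() for _ in db]
    return {
        "unsalted_hashes_identical": unsalted[0] == unsalted[1],
        "salted_hashes_differ": db["johnsmith"]["hash"] != db["janedoe"]["hash"],
        "correct_login": verify_password("password", db["johnsmith"]),
        "wrong_login": verify_password("passw0rd", db["johnsmith"]),
    }


if __name__ == "__main__":
    print(demo())
```

The salt does not make a weak password strong; it forces an attacker holding a leaked database to attack each account separately instead of reusing one precomputed table.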

"Your password isn't secure" Then why bother having one? Why bother having all the complexities required? Why use a third-party program? It's all a colossal waste of time. Memberships are the primary cause of data breaches, because if someone doesn't smell money and spam opportunities for lulz, then they have a problem with the way the site is administered and are going to try to do bad things. In our 1st World efforts to increase security we've simply made ourselves a bigger target for those who want to take us down a peg. Linux was a mistake, apparently.
Link to comment
This topic is now closed to further replies.