Important Security Notice


BigBizkit

What has happened?

In the very early morning of 8th November 2019 we noticed suspicious activity by a potentially malicious third party actor against our services. Using an exploit in our legacy codebase, our logs confirm that they accessed a small number of user records from the old user service.

Even though we were able to secure the endpoint as soon as we discovered the exploit, as a measure of security, we are informing all of you, as we cannot rule out that further access to other user data including email addresses, password hashes and password salts has taken place.

We immediately worked to rectify the situation and, as part of the process, brought forward our release schedule for our long-planned new user service to ensure no other potential exploits on the old user service could be used to obtain user data. This step we took is ensuring that the new passwords are not only better protected, but that any encrypted passwords that have - potentially - been obtained from the old user service are already out of date.

Further, and as is required by law, we have informed the ICO about this incident and we are in the process of fulfilling our obligations related to the matter.

What does this mean for you?

While we noticed the suspicious activity on 8th November 2019, and we have no evidence of past activity in our logs, we cannot say for certain whether the exploit had been used before, and thus cannot ascertain how many - if any - email addresses, password hashes and salts were accessed.

Recognising our obligation to all of you, however, we are strongly urging you to be vigilant of potential phishing and credential stuffing attacks.

General Recommendations

  • If you haven’t already, please log out and back in, in order to update your account and password and migrate to the new user service. If you’ve already used the new user service, then there is no need to change your password again.
  • If you were using the same password you had on our old user service on other sites, please, change your password on these other sites as soon as possible.
  • We strongly recommend using a password manager and to not reuse passwords across sites.
  • Always use unique and strong passwords of at least 12 characters for each service you use.
  • Consider using Two-Factor Authentication, especially if you are a mod author.


8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...

In response to post #75806633.


JimmyRJump wrote: 8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...


As our immediate response we wanted to make sure the exploit is dealt with as quickly as possible, the new user service alleviating the issue is on its way - which required us to focus on testing a lot, and, lastly, we needed to assess the situation in its entirety before making rash decisions, especially considering EU regulations.

As an EU registered company we are required by law to perform certain tasks and we had to be sure that we were doing everything correctly, in the correct sequence.

If it was the intention of the actor to take user data, which we do not know, and then attempt to use any data maliciously, which we also do not know for sure, then the process of decrypting strong passwords isn't trivial and so it's unlikely anything would happen immediately.

In response to post #75806628. #75806658 is also a reply to the same post.


Hoamaii wrote: Does that mean if we changed our passwords on November 20 like you recommended in your last security notice, we should be safe?
JimmyRJump wrote: Yup. As safe as you were before.


The potentially affected data is from our old user service, so if you have migrated and changed your password after 20th November when we rolled out the new user service, then you do not need to change your password again.

If you were using your old password on other sites though, we strongly recommend changing it on those other sites. It is bad practice to reuse passwords across websites.

In response to post #75806633. #75806923 is also a reply to the same post.


JimmyRJump wrote: 8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...
BigBizkit wrote: As our immediate response we wanted to make sure the exploit is dealt with as quickly as possible, the new user service alleviating the issue is on its way - which required us to focus on testing a lot, and, lastly, we needed to assess the situation in its entirety before making rash decisions, especially considering EU regulations.

As an EU registered company we are required by law to perform certain tasks and we had to be sure that we were doing everything correctly, in the correct sequence.

If it was the intention of the actor to take user data, which we do not know, and then attempt to use any data maliciously, which we also do not know for sure, then the process of decrypting strong passwords isn't trivial and so it's unlikely anything would happen immediately.


Sure BigBizkit. I totally understand and agree. But if Nexus was a bank, you can bet your lilywhites I'd be on the phone with my lawyers. Presuming I have those.

Guest deleted34304850

Can you give an indication of the number of accounts that were compromised? I know the release above says "small number". Is it possible to quantify that?


Since the DP thing, Nexus has been targeted by people to hack users (especially big or retired mod authors) to get the money.

That's why the security needs to be increased, like on PayPal, because Nexus is no longer a mere site for mods.

Guest deleted34304850

8 November? It's 19 December today. Why the delay in communicating? It's a bit late now. If ever there was malicious intent to make use of grabbed personal info then the potential damage will already have occurred in most cases...

Jimmy - and everyone else for that matter - you can use this service: https://haveibeenpwned.com/ to see if your email address has been compromised. I believe Mozilla have embedded this in their Firefox browser.
