Important Security Notice

[Yggdrasil7557]

In response to post #75816293. #75817488, #75817988 are all replies on the same post.

Teraorn wrote: So that explains how my Paypal account has been hacked, even though I'm pretty precautionous about passwords... Thanks for telling us so late.

Eolhin wrote: They sent out the first notification about this over four weeks ago. I still have it in my notifications. That is also when they forced the password change for anyone logging out, and back in again.

Thaiauxn wrote: Unless your PayPal email and password is the same as your Nexus Site email and password, which is also the same as your email password and/or the cellphone number authentication just so happens to be the phone of the hacker who hacked the Nexus...... that is very unlikely to be the same. Unless you are the hacker and authenticated the PayPal login so you could hack yourself, or, you got a notification about an attempted PayPal login and replied to accept that it was you when it wasn't you, then it could be the same incident. (Unless you have no 2nd authentication on your PayPal or email, which you absolutely should.)

Unless that's the case, I'm fairly positive that is not correlated.

nexus doesnt work with paypal any differently than it works with any other credit/debit card. no differently than any other website. if your paypal is hacked, it isnt nexus that caused it.

[jessip123]

In response to post #75815913. #75817563, #75818673, #75818978, #75819648, #75823548 are all replies on the same post.

PockyPunk1 wrote: Yeah, let's say I won't post any more mods on this platform.
The forced to Vortex migration (let's not talk about how Vortex works, don't get me talking on that ahahah); staff couldn't care less about mod authors; the new slow/fast download page popped and when people voice their concerns, premium fan-people are there to shame those poor souls, and security could be better. So glad I never paid anything.
Next time, don't take more than one month to tell your users (you know, people who pay your bills) about eventual stolen data and security flaws.

Eolhin wrote: I do not understand what people are complaining about, re timing. They sent out notification in the form of a message on Nexus over 4 weeks ago and forced the password change for everyone that logged out and back in at that time, and recommended that everyone make the change at that time. I know, as I still have the message in my notifications, and I posted a public service announcement about it on the mod FB group I am a moderator for. This is just a follow up to catch anyone that blithely ignored the first announcement, and give more details. So they did not wait a month, by any means.

Also, I don't use Vortex, so you can't really claim people are forced to use it. They aren't.

FastBlackCat wrote: I'm not sure what notification you are talking about. If it's this one here , there's not one word about a security breach in it. Do you have something different?

dimysama wrote: for all the flaws nexus has, vortex is not one of them, NMM was a mistake

StriderOfTheWest wrote: Maybe it's better to fix the protection and make sure hackers won't access any more data before telling every last user on nexus that they too can hack nexus :D

Yggdrasil7557 wrote: 1: you never pay anything but you are complaining that you should have info because you paid (flawed logic)
2: other websites you probably still use are known to have been hacked with the website knowing about it for years before they announced it; like facebook (and by extension all oauth sites), yahoo, github, and many others. it is not viable to inform until the data breach is fixed, because informing causes the issue to be worse.
3: premium users arent shaming non-premium users, they are saying "why complain about something that you get for free, with no obligation that takes others thousands of hours and costs thousands of dollars when they inform you that there are limitations that have been in place for the last 12 years for unpaid members"
4: you can use mod organizer, kortex, wrye bash, nmm, or any other. they just brand download with manager buttons with vortex because they make vortex, not because you have to use vortex.

That's is the only one I saw, and sure it was annoying to change credentials but really not too much of a bother for continued use of this great system. The way they flaunt the chokie download speed for non premium members is way more insulting. Does it really gain them that much? It doesn't seem to affect me. The mods I want to download seem to come fast enough at the slow speed but the way its presented makes me feel like a second class citizen.

[UWShocks]

In response to post #75822278. #75822623 is also a reply to the same post.

JZSquared wrote: Why am I having to find this out through a Reddit thread and not through an email? Why have you not notified people via email yet? Not everyone checks the site everyday you know? And not everyone checks the notifications either.

TheCoolest7248 wrote: I cannot agree with this statement more...

+1

Edit - I just read over the November 20th site news regarding 'Important Security Update to our User Portal', which can be found here: https://www.nexusmods.com/news/14163

Skimming over it I don't see any mention of a hack, data breach. What I do see is an explanation to change your Nexus passwords, with the impression this is for site maintenance. No mention of a data breach. Yet above, you say malicious activity was noticed November 8th.

Why are we making this change?

Over the last few years, our developers have been dedicating a lot of time and resources to reducing our reliance on the Invision Board forum which was the foundation of our user service. It has now reached a point where the only way we can be confident in the security of our user data is to build a bespoke, modern user portal.

Due to its reliance on old IP Board code, we cannot vouch for the security of the current, dated user system, as vulnerabilities in old software code may or may not become exposed as time goes on. Such vulnerabilities could potentially be exploited by malicious actors, which is why our web team has spent a substantial amount of time upgrading the user system to bring it up to modern security standards.

We understand that this may cause inconveniences for some of you, but we are convinced that this is a necessary step that will ultimately benefit the vast majority of our current and future users.

In the future, please use appropriate channels (emails please, a mandatory popup explaining the data breach, etc . . . ) to notify users of such a breach. Please be more upfront with the community next time. This whole series of events was handled poorly and borders on poor professionalism. I can imagine the stress and urgency the Nexus staff had during the event, but the truth should have been made known to us back on the November 20th article (essentially making today's site news article redundant).
- A disappointed Nexus user. Edited December 20, 2019 by UWShocks

[dirvish]

This again huh. I hope everybody is using every possible means of DEFLECTION/DISPOSABLE information. Sure was a long enough notification delay though, not good. Watch your own, folks. Nobody is going to do it for you....

 

[VikMorroHun]

In response to post #75815913. #75817563, #75818673, #75818978, #75819648, #75823548, #75824603 are all replies on the same post.

PockyPunk1 wrote: Yeah, let's say I won't post any more mods on this platform.
The forced to Vortex migration (let's not talk about how Vortex works, don't get me talking on that ahahah); staff couldn't care less about mod authors; the new slow/fast download page popped and when people voice their concerns, premium fan-people are there to shame those poor souls, and security could be better. So glad I never paid anything.
Next time, don't take more than one month to tell your users (you know, people who pay your bills) about eventual stolen data and security flaws.

Eolhin wrote: I do not understand what people are complaining about, re timing. They sent out notification in the form of a message on Nexus over 4 weeks ago and forced the password change for everyone that logged out and back in at that time, and recommended that everyone make the change at that time. I know, as I still have the message in my notifications, and I posted a public service announcement about it on the mod FB group I am a moderator for. This is just a follow up to catch anyone that blithely ignored the first announcement, and give more details. So they did not wait a month, by any means.

Also, I don't use Vortex, so you can't really claim people are forced to use it. They aren't.

FastBlackCat wrote: I'm not sure what notification you are talking about. If it's this one here , there's not one word about a security breach in it. Do you have something different?

dimysama wrote: for all the flaws nexus has, vortex is not one of them, NMM was a mistake

StriderOfTheWest wrote: Maybe it's better to fix the protection and make sure hackers won't access any more data before telling every last user on nexus that they too can hack nexus :D

Yggdrasil7557 wrote: 1: you never pay anything but you are complaining that you should have info because you paid (flawed logic)
2: other websites you probably still use are known to have been hacked with the website knowing about it for years before they announced it; like facebook (and by extension all oauth sites), yahoo, github, and many others. it is not viable to inform until the data breach is fixed, because informing causes the issue to be worse.
3: premium users arent shaming non-premium users, they are saying "why complain about something that you get for free, with no obligation that takes others thousands of hours and costs thousands of dollars when they inform you that there are limitations that have been in place for the last 12 years for unpaid members"
4: you can use mod organizer, kortex, wrye bash, nmm, or any other. they just brand download with manager buttons with vortex because they make vortex, not because you have to use vortex.

jessip123 wrote: That's is the only one I saw, and sure it was annoying to change credentials but really not too much of a bother for continued use of this great system. The way they flaunt the chokie download speed for non premium members is way more insulting. Does it really gain them that much? It doesn't seem to affect me. The mods I want to download seem to come fast enough at the slow speed but the way its presented makes me feel like a second class citizen.

I didn't receive any notification _why_ I had to change my password.

[VikMorroHun]

In response to post #75822968.

Vlad254 wrote: So I just now logged out of Nexus and when I clicked the "Log in" link I was asked if it was ok for Nexus to access my account, I said yes and clicked the log in and was immediately logged in. My question is; is that how it works?

It was better than mine. I've changed my password, logged out, tried to log in, typed in my new password, proved that I'm not a robot, and received an error message that my username/password is invalid. The second iteration went better so I didn't lock myself out from my account.

[alpharomeo1]

In response to post #75822968. #75827368 is also a reply to the same post.

Vlad254 wrote: So I just now logged out of Nexus and when I clicked the "Log in" link I was asked if it was ok for Nexus to access my account, I said yes and clicked the log in and was immediately logged in. My question is; is that how it works?

Luke2135 wrote: It was better than mine. I've changed my password, logged out, tried to log in, typed in my new password, proved that I'm not a robot, and received an error message that my username/password is invalid. The second iteration went better so I didn't lock myself out from my account.

I had to use 'recover password' bcs It did not fixed it the same as in your case,was able to login after 24hrs past from "recovery".

[2Good4Yoe]

In response to post #75822278. #75822623, #75825248 are all replies on the same post.

JZSquared wrote: Why am I having to find this out through a Reddit thread and not through an email? Why have you not notified people via email yet? Not everyone checks the site everyday you know? And not everyone checks the notifications either.

TheCoolest7248 wrote: I cannot agree with this statement more...

UWShocks wrote: +1

Edit - I just read over the November 20th site news regarding 'Important Security Update to our User Portal', which can be found here: https://www.nexusmods.com/news/14163

Skimming over it I don't see any mention of a hack, data breach. What I do see is an explanation to change your Nexus passwords, with the impression this is for site maintenance. No mention of a data breach. Yet above, you say malicious activity was noticed November 8th.

Why are we making this change?

Over the last few years, our developers have been dedicating a lot of time and resources to reducing our reliance on the Invision Board forum which was the foundation of our user service. It has now reached a point where the only way we can be confident in the security of our user data is to build a bespoke, modern user portal.

Due to its reliance on old IP Board code, we cannot vouch for the security of the current, dated user system, as vulnerabilities in old software code may or may not become exposed as time goes on. Such vulnerabilities could potentially be exploited by malicious actors, which is why our web team has spent a substantial amount of time upgrading the user system to bring it up to modern security standards.

We understand that this may cause inconveniences for some of you, but we are convinced that this is a necessary step that will ultimately benefit the vast majority of our current and future users.

In the future, please use appropriate channels (emails please, a mandatory popup explaining the data breach, etc . . . ) to notify users of such a breach. Please be more upfront with the community next time. This whole series of events was handled poorly and borders on poor professionalism. I can imagine the stress and urgency the Nexus staff had during the event, but the truth should have been made known to us back on the November 20th article (essentially making today's site news article redundant).
- A disappointed Nexus user.

Same dude, ridiculous....

[Vlad254]

Oh I have not tried to log out again because when I went to settings to reset my password it would not recognize my password so after 2 tries I stopped.

[Vlad254]

In response to post #75822968. #75827368, #75827573, #75828433 are all replies on the same post.

Vlad254 wrote: So I just now logged out of Nexus and when I clicked the "Log in" link I was asked if it was ok for Nexus to access my account, I said yes and clicked the log in and was immediately logged in. My question is; is that how it works?

Luke2135 wrote: It was better than mine. I've changed my password, logged out, tried to log in, typed in my new password, proved that I'm not a robot, and received an error message that my username/password is invalid. The second iteration went better so I didn't lock myself out from my account.

alpharomeo1 wrote: I had to use 'recover password' bcs It did not fixed it the same as in your case,was able to login after 24hrs past from "recovery".

Vlad254 wrote: Oh I have not tried to log out again because when I went to settings to reset my password it would not recognize my password so after 2 tries I stopped.

So is anyone from Nexus going to advise by replying here on this matter/post? Edited December 21, 2019 by Vlad254