• Home
  • Download FFR
  • Play in-browser
  • --- Info ---
  • New Player FAQ
  • Song List
  • Daily Stats
  • Credit Shop
  • Tokens
  • Wiki
• Leaderboards
• Community
  • Forums
  • Profile Search
  • Random Thoughts
  • Latest Photos
  • --- Contact Us ---
  • FFR Staff
  • Suggestions
  • Report a Bug
• Sign Up!

FFR Data Breach / Account Security Announcement

Hello everybody.

As some of you may have seen from the forums, there is reporting that there was a breach of FFR in July of 2019, resulting in the compromising of Usernames, Email Addresses, Dates of Birth and IP information, as well as Salted MD5 password hashes. We had a similar breach in 2016, and this latest breach appears to have compromised an additional ~85,000 accounts.

What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away.

What it means for FFR passwords is a little more complicated. Some leveling with you is going to happen now.

Due to various issues (Mostly the non-profit nature of the site and the absence of Synthlight) it is unlikely that we’ll ever be able to upgrade the security architecture in any especially meaningful way. As well, while in 2008, salted MD5 hashes were fairly secure, that has become less so as time passes. Our version of vBulletin is as updated as we can make it, and our version of WordPress is one we’re stuck with because none of those things can be changed without Synthlight’s involvement, so in the near-term in today’s information security climate, we have to basically be frank that we lack any especially compelling ways to secure your password.

Out of the salted hashes compromised in the breach, nearly 150,000 of them remained uncracked. Those were likely users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked today, sufficiently strong passwords are at least some deterrent to these attacks. So for FFR, like any and every other service you have with a password, your best bet is to use a password manager like KeePass or lastpass to generate you very strong passwords unique to each source. If you don’t want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblance to any personally identifying words or phrases, and avoiding things like simple substitution (3 for e or 1 for i etc).

We are definitely sympathetic to anybody who had passwords and information compromised that are used in any other places, especially if they are newer users who joined the site after the last breach, at which time we also had to be frank about the reasons why we’re unable to properly secure user data. But as much as we would love to make the changes needed to secure FFR, our hands are sadly, tied.

Devonin and the FFR Team

Update: It is believed that the particular vulnerability that led to this breach has been found and closed. It appears that whoever carried out the breach took advantage of a disabled WordPress plugin which has since been deleted completely. As well, as a precaution, every such plugin has been completely removed. This seems the most likely source of the breach as a number of other sites have also been breached in recent months via WordPress Plugin issues. While this does appear to be a fix that will prevent further breaches exploiting this same vulnerability, the general weakness of site security remains, so all precautions above regarding passwords and data management still apply. Thank you everybody for your patience, and willingness to hear our explanations regarding our difficulties in safeguarding your data.

This entry was posted on Sunday, July 21st, 2019 at 5:32 pm and is filed under Flash Flash Revolution. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

11 Responses to “FFR Data Breach / Account Security Announcement”

1. 1: MrPoptart
   Posted at 5:39pm on July 21st, 2019

   thanks ffr team for putting up with the site to keep it alive for all of us for so long. <3
2. 2: Antori
   Posted at 5:51pm on July 21st, 2019

   hang in there FFR
3. 3: Gravity Kitten
   Posted at 8:32pm on July 21st, 2019

   thanks ffr
4. 4: MikeShinoda12345
   Posted at 8:57pm on July 21st, 2019

   Thanks for the post~
5. 5: Frank Munoz
   Posted at 9:35pm on July 21st, 2019

   Good work! Very hasty too
6. 6: -cookiezi-
   Posted at 10:25pm on July 21st, 2019

   its a good thing i legit didnt change my password since last breach lol
7. 7: Chubisque
   Posted at 8:02am on July 22nd, 2019

   Can someone tell me a good password for my account?
8. 8: SK8R43
   Posted at 10:06am on July 22nd, 2019

   Ive never gotten an email or notification about a breach, does that mean it doesnt apply to me? lol
9. 9: ULTIMEGA
   Posted at 11:24am on July 22nd, 2019

   Shout out to the staff for getting on this in a timely fashion.
10. 10: V-Ormix
    Posted at 12:11pm on July 22nd, 2019

    oo00oo00oo00 buttermuffinsss n_n
11. 11: Travis_Flesher
    Posted at 9:56am on July 23rd, 2019

    OH TEH N0ES!!11!

Leave a Reply

You must be logged in or registered to post a comment.