Posted in Flash Flash Revolution on September 8th, 2016

Hello everybody.

As some of you may have seen from the forums, the website is reporting that there was a breach of FFR in February of this year, resulting in the compromise of usernames, email addresses and IP information, as well as salted MD5 password hashes. Further, the Twitter feed claims that as of July of this year, a large majority of those accounts had their passwords successfully cracked into plaintext.

What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away. We actually have no evidence on our side of this breach, but there’s no reason to doubt multiple sources reporting it, so we need to treat it like it is fact.

What it means for FFR passwords is a little more complicated. Some levelling with you is going to happen now.

Due to various issues (mostly the non-profit nature of the site and the absence of Synthlight) it is unlikely that we’ll be able to upgrade the security architecture in any especially meaningful way. Also, while salted MD5 hashes were fairly secure in 2008, they have become less so as time passes. We are investigating ways to store passwords more securely that are still compatible with our existing systems, but in the near term, in today’s information security climate, we have to be frank that we lack any especially compelling ways to secure your password.

Of the salted hashes compromised in the breach, nearly 400,000 remained uncracked. Those were users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked, sufficiently strong passwords are at least some deterrent to these attacks. So for FFR, like any and every other service you have with a password, your best bet is to use a password manager like KeePass to generate very strong passwords unique to each site. If you don’t want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblance to any personally identifying words or phrases, and avoiding things like simple substitution (3 for e or 1 for i, etc.).

While we are definitely sympathetic to anybody whose compromised password is also used in other places, please understand that the first we heard about this breach was when it was posted in the forums. Investigation on our end needed to happen to try and confirm the reports, assess what happened, and figure out where we actually stood with regard to our options. By mostly remaining quiet up until now, we have not been trying to avoid, ignore or otherwise not address these issues.

We apologise for the effort in changing passwords this is going to cause, and any alarm caused by our taking a few days to assess before saying something.

Devonin and the FFR Team
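The announcement says the team is looking for a way to store passwords more securely while staying compatible with the existing salted-MD5 records. One well-known pattern for that is to wrap the existing hash rather than replace it: every stored MD5 digest is run through a slow key-derivation function in one offline batch (no plaintext needed), and then each user is moved to a native record the next time they log in successfully. The example below is added here to illustrate that migration; it is not FFR's code, and the legacy formula md5(salt + password), the record format with `$` separators, and the PBKDF2 parameters are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo parameters, not FFR's real configuration. Tune the
# iteration count to your own hardware budget; higher is slower for you
# and for anyone who steals the table.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 100_000


def legacy_md5_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme: md5(salt || password), hex digest.
    The post only says 'salted MD5'; the concatenation order is a guess."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def _pbkdf2_hex(secret: bytes, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, secret, salt, iterations).hex()


def wrap_legacy_hash(legacy_hex: str, salt: str) -> str:
    """Step 1: batch-upgrade a stored salted-MD5 record without the plaintext.
    The old hex digest becomes the 'password' fed to PBKDF2, so every guess
    against the new table costs an MD5 plus a full PBKDF2 run."""
    dk = _pbkdf2_hex(legacy_hex.encode("ascii"), salt.encode("utf-8"), PBKDF2_ITERATIONS)
    return "pbkdf2-md5$%d$%s$%s" % (PBKDF2_ITERATIONS, salt, dk)


def native_pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Step 2: record format for passwords set or re-verified after the migration."""
    if salt is None:
        salt = os.urandom(16)
    dk = _pbkdf2_hex(password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk)


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either record format.

    Returns (ok, replacement). replacement is a fresh native PBKDF2 record
    when the user has just authenticated through a wrapped legacy hash, so
    the caller can store it and drop MD5 from that user's row entirely.
    Comparisons are constant-time to avoid leaking digest prefixes."""
    scheme, iters, salt, stored = record.split("$", 3)
    if scheme == "pbkdf2-md5":
        inner = legacy_md5_hash(password, salt)
        candidate = _pbkdf2_hex(inner.encode("ascii"), salt.encode("utf-8"), int(iters))
        if hmac.compare_digest(candidate, stored):
            return True, native_pbkdf2_hash(password)
        return False, None
    if scheme == "pbkdf2":
        candidate = _pbkdf2_hex(password.encode("utf-8"), bytes.fromhex(salt), int(iters))
        return hmac.compare_digest(candidate, stored), None
    raise ValueError("unknown record scheme: " + scheme)


if __name__ == "__main__":
    # Constructed sample row: what a legacy salted-MD5 record might look like.
    old_salt, old_hash = "s4lt", legacy_md5_hash("correct horse battery", "s4lt")
    migrated = wrap_legacy_hash(old_hash, old_salt)      # offline batch step
    ok, replacement = verify_and_upgrade("correct horse battery", migrated)
    print("login ok:", ok)
    print("row now holds:", replacement)                 # native pbkdf2$ record
    print("wrong password:", verify_and_upgrade("hunter2", migrated))
```

The batch step removes the cheap-MD5 exposure for every account at once, including the ones that never log in again, while the login step retires the MD5 layer per user so the wrapped format eventually disappears from the table.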

  6. Hey FFR team, maybe you’ll see this, maybe you won’t.

    I’m a software engineer, and I’d be happy to work with you all to add some more robustness to the security. Out of the kindness of my heart and the fact that I’ve enjoyed FFR since I was in middle school.

    Shoot me a PM if you guys would like some help, I’d hate to see the site go to shit just because you guys don’t have the manpower to deal with this.


  7. It’s honestly less of a manpower issue and more of a “The versions of everything we’re running are years out of date, and we don’t have any way to move them to newer versions” issue.

  8. For compatibility reasons? I’d definitely be happy to help, if it’s something you all want. I don’t want to see FFR die, it’s definitely been my go-to rhythm game for a decade now lol

  9. Let him help. I'd offer my help, I'm fluent in C, learning asm, wrote an mmorpg, script engine and did a wide variety of shit that i just never got finished due to drugs being more fun.

    it totally is a manpower issue if the issue is that no one feels like re-writing crap.

    i can understand that though and i can understand that these types of hackers are just scumbags who have nothing better to do. i used to find this kind of shit funny but really all it does is piss me off nowadays

    it’s like witchcraft but instead it’s niggercraft

  10. Lol man the hell does that mean fluent in C? You mean you understand memory management and pointer manipulation?

    The issue is everything is a tangled web of links and dependencies, if you ever looked at the source codes that are available, you would realize this. Like for example, the engine for the game is hard coded to the site, so if they wanted to move the site forward, they would need a complete engine rewrite.

    The scope is a lot larger than you think unfortunately, the first thing is rewriting the engine, but to do that you need to rewrite the site, but to do that you need to rewrite the engine, but to do…

  11. Sure, but switching over to better authentication, possibly 2FA and a better solution to storing passwords is something I can definitely help with. Did InfoSec at Visa for a while, and engineering at tons of other places. If it’s something I can help with, PM me, otherwise if not nbd.

  13. If you need security help I’m around. I’ve got 7 years experience in database management and security (both MSSQL and MySQL)

