Go Back   Flash Flash Revolution: Community Forums > Announcements

View All Announcements (2) Global Announcement
07-20-2019 until 09-30-2025
Very Grave Indeed
FFR Simfile AuthorFFR Veteran
devonin's Avatar
Join Date: Apr 2004
Location: Ontario, Canada
Age: 37
Posts: 10,098
Send a message via AIM to devonin Send a message via MSN to devonin
FFR Information Breach/Security

Hello everybody.

As some of you may have seen from the forums, there is reporting that there was a breach of FFR in July of 2019, resulting in the compromising of Usernames, Email Addresses, Dates of Birth and IP information, as well as Salted MD5 password hashes. We had a similar breach in 2016, and this latest breach appears to have compromised an additional ~85,000 accounts.

What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away.

What it means for FFR passwords is a little more complicated. Some leveling with you is going to happen now.

Due to various issues (Mostly the non-profit nature of the site and the absence of Synthlight) it is unlikely that we'll ever be able to upgrade the security architecture in any especially meaningful way. As well, while in 2008, salted MD5 hashes were fairly secure, that has become less so as time passes. Our version of vBulletin is as updated as we can make it, and our version of Wordpress is one we're stuck with because none of those things can be changed without Synthlight's involvement, so in the near-term in today's information security climate, we have to basically be frank that we lack any especially compelling ways to secure your password.

Out of the salted hashes compromised in the breach, nearly 150,000 of them remained uncracked. Those were likely users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked today, sufficiently strong passwords are at least some deterrent to these attacks. So for FFR, like any and every other service you have with a password, your best bet is to use a password manager like KeePass or lastpass to generate you very strong passwords unique to each source. If you don't want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblance to any personally identifying words or phrases, and avoiding things like simple substitution (3 for e or 1 for i etc).

We are definitely sympathetic to anybody who had passwords and information compromised that are used in any other places, especially if they are newer users who joined the site after the last breach, at which time we also had to be frank about the reasons why we're unable to properly secure user data. But as much as we would love to make the changes needed to secure FFR, our hands are sadly, tied.

Devonin and the FFR Team

Update: It is believed that the particular vulnerability that led to this breach has been found and closed. It appears that whoever carried out the breach took advantage of a disabled Wordpress plugin which has since been deleted completely. As well, as a precaution, every such plugin has been completely removed. This seems the most likely source of the breach as a number of other sites have also been breached in recent months via Wordpress Plugin issues. While this does appear to be a fix that will prevent further breaches exploiting this same vulnerability, the general weakness of site security remains, so all precautions above regarding passwords and data management still apply. Thank you everybody for your patience, and willingness to hear our explanations regarding our difficulties in safeguarding your data.
devonin is offline  

Forum Jump

All times are GMT -5. The time now is 01:40 AM.

Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.
Copyright FlashFlashRevolution