09-6-2016, 07:56 PM | #41 |
FFR Player
Join Date: Jan 2016
Posts: 345
|
Re: FFR Hacked.
Question: Who is this person http://www.flashflashrevolution.com/profile/IwasHacked/
And how did he get those stats, 1 point? idk |
09-6-2016, 08:24 PM | #42 | |
魔法少女
Join Date: Jan 2006
Age: 33
Posts: 2,151
|
Re: FFR Hacked.
Quote:
|
|
09-6-2016, 08:46 PM | #43 |
Quasi-porn
|
Re: FFR Hacked.
Ehh, I'm not worried. It's only on this site and I have a different complex password for everything.
|
09-6-2016, 09:13 PM | #44 |
Old-School Player
|
Re: FFR Hacked.
Well, we'll see what happens. I expect a front-page notice regarding the situation, and hopefully a forced round of password resets.
Given how long this site has been around, it's a safe bet that many people used the same password here that they used everywhere else. Probably some of the more recent accounts made the same mistake as well. This is the reality of the digital age. It's not the first breach I've been caught in. It won't be the last. But I'll certainly be keeping an eye on how staff responds. |
09-7-2016, 05:54 PM | #45 |
Snek
Join Date: Jan 2003
Location: Kansas
Age: 34
Posts: 9,192
|
Re: FFR Hacked.
Guess I'll change my password. I use a password unique to FFR, but it was a stupid password that is probably able to be cracked.
|
09-8-2016, 01:15 AM | #46 |
Old-School Player
|
Re: FFR Hacked.
...still no front page announcement, e-mail, or sticky.
|
09-8-2016, 01:21 PM | #47 |
D6 Challeneged
Join Date: Aug 2012
Age: 31
Posts: 1,267
|
Re: FFR Hacked.
I've been asking who I can and I'm not getting much of an answer, I think at this time the scale of whatever happened is probably still being uncovered to its fullest, I personally suggest you send admins a private message expressing your discomfort not knowing how they have and plan to handle your data in the future, I'm doing it. Don't harass or be rude though, that won't get you anywhere but in trouble.
|
09-8-2016, 04:50 PM | #48 |
FFR Hall of Fame
|
Re: FFR Hacked.
what do you think they're going to do? pay out the ass for a security audit? there are way too many attack vectors for this given that the site runs some old fuckin version of vbulletin, some old fuckin version of wordpress, and hasn't had its core updated in like 10 years at this point. the page you're whining on right now isn't even https.
if your password or email here exposes anything amazing about your life then you should probably rethink your security strategy.
__________________
Last edited by aperson; 09-8-2016 at 04:51 PM.. |
09-8-2016, 06:39 PM | #49 | |
Old-School Player
|
Re: FFR Hacked.
Quote:
Ideally, like most other sites, passwords should be reset given that the breach is confirmed on two sites, with info that I know is valid. Look, I joined what... 13 years ago? Back then, me and most other young people probably didn't practice the best web security. I'm willing to bet that a large number of accounts here use the same password for their registered e-mail, and who knows where else. Facebook, Twitter... it's in the best interest for FFR to be upfront and alert people to what happened. In fact, I'd argue that it's their moral responsibility.
Last edited by Coolgamer; 09-8-2016 at 06:44 PM.. |
|
09-8-2016, 06:43 PM | #50 |
longing
Join Date: Dec 2007
Location: Ontario, Canada
Posts: 2,680
|
Re: FFR Hacked.
Lol admins pls respond
I guess it just being like "yo bro we got haxked pls change passerino thnx" when you log in would be ok I mean like, I used an email to register for this in 2007 and I don't even remember what the email is anymore to be honest |
09-8-2016, 06:52 PM | #51 | |
Old-School Player
|
Re: FFR Hacked.
Quote:
Granted, most of those are larger companies, but those last few are forums, some smaller than FFR, some larger. The longer it takes to address, the more risk people are at for being affected. |
|
09-8-2016, 07:06 PM | #52 |
longing
Join Date: Dec 2007
Location: Ontario, Canada
Posts: 2,680
|
Re: FFR Hacked.
Nah I 100% understand your argument.
On the bright side, I wonder if emails would bring people back lol, like oh that game.. I guess I could try it again
To be fair though to the staff, #1 that post isn't gonna write itself, I know it's just a simple thing I guess but it's easier said than done, #2 the staff is working on new site as prawn said earlier (hype, I wish yall staff would talk about new stuff more, get the hype comin)
Not only that, but I completely believe they wouldn't know about it until now.. For example, Google "FFR leak" or whatnot.. Can you explain why all the news articles about it are from like, Sept 6th? Actually on inspection it looks like some of them are auto generated sites pulled from some leak data, which would explain why people only know now..
To me it's a really bold assumption to say "it's been 8 months.." I mean, it's not like it's a matter of going "oh damn I knew I should have checked the logs, would you look at that! Someone ran the download algorithm on the backend hexadecimal to get the intranet to parse" like how would you even begin to know you were breached, you'd have to know how it happened, be looking for it and stuff..
Like shit man this site's written with php, I asked my artificial intelligence prof today if we could use Web languages like php and they were like "you can use any server side language, except php" |
09-8-2016, 07:38 PM | #53 | |
Private Messages, please.
|
Re: FFR Hacked.
FFR emails end up in my spam folder. They probably end up in other people's spam folder. An email alert will likely not work.
-o24
__________________
Quote:
|
|
09-8-2016, 09:43 PM | #54 | |
Picker @ JAX2
Join Date: Aug 2011
Posts: 505
|
Re: FFR Hacked.
Quote:
|
|
09-8-2016, 10:50 PM | #55 |
Very Grave Indeed
|
Re: FFR Hacked.
It's been two days since this thread was made, and there have been a couple staff posts in the thread on the subject. The first we heard about this breach was this thread. Nothing in our logs indicates that it happened, given it was months and months ago. We needed to investigate it, assess what it meant and look at our options. I've got a post just waiting for some others to look at before I can put it out. So please, just a small bit more patience.
|
09-8-2016, 11:02 PM | #56 | |
Old-School Player
|
Re: FFR Hacked.
Quote:
|
|
09-8-2016, 11:08 PM | #57 |
Very Grave Indeed
|
Re: FFR Hacked.
Hello everybody.
As some of you may have seen from the forums, the website haveibeenpwned.com is reporting that there was a breach of FFR in February of this year, resulting in the compromising of Usernames, Email Addresses and IP information, as well as Salted MD5 password hashes. Further, the Vigilante.pw twitter feed claims that as of July of this year, a large majority of those accounts had their passwords successfully cracked into plaintext.

What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away. We actually have no evidence on our side of this breach, but there's no reason to doubt multiple sources reporting it, so we need to treat it like it is fact.

What it means for FFR passwords is a little more complicated. Some levelling with you is going to happen now. Due to various issues (Mostly the non-profit nature of the site and the absence of Synthlight) it is unlikely that we'll be able to upgrade the security architecture in any especially meaningful way. As well, while in 2008, salted MD5 hashes were fairly secure, that has become less so as time passes. We are investigating ways to store passwords more securely that are still compatible with our existing systems, but in the near-term in today's information security climate, we have to basically be frank that we lack any especially compelling ways to secure your password.

Out of the salted hashes compromised in the breach, nearly 400,000 of them remained uncracked. Those were users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked, sufficiently strong passwords are at least some deterrent to these attacks. So for FFR, like any and every other service you have with a password, your best bet is to use a password manager like KeePass to generate you very strong passwords unique to each source.

If you don't want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblance to any personally identifying words or phrases, and avoiding things like simple substitution (3 for e or 1 for i etc).

While we are definitely sympathetic to anybody who had passwords compromised that are used in any other places, please do understand that the first we heard about this breach was when it was posted in the forums, and investigation on our end needed to happen to try and confirm the reports, assess what happened, and try to figure out where we actually stood with regards to our options, and that we haven't been trying to avoid, ignore or otherwise not address these issues by mostly remaining quiet up until now. We apologise for the effort in changing passwords this is going to cause, and any alarm caused by our taking a few days to assess before saying something.

Devonin and the FFR Team |
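One way to store the existing salted MD5 hashes more securely while staying compatible with them, as the announcement above mentions, is to wrap each stored hash in a slow key-derivation function; this needs no password reset and no working email address. This is an added example, not FFR's or vBulletin's code: the md5(md5(password) + salt) layout, the field names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: tune upward for the server's hardware


def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy layout: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def stretch(legacy_hex: str, wrap_salt: bytes, iterations: int) -> str:
    """Slow KDF applied on top of the stored legacy hash."""
    return hashlib.pbkdf2_hmac(
        "sha256", legacy_hex.encode(), wrap_salt, iterations
    ).hex()


def migrate_row(row: dict) -> dict:
    """Offline step: needs only the stored hash, never the password."""
    wrap_salt = os.urandom(16)
    return {
        "user": row["user"],
        "salt": row["salt"],  # legacy salt is still needed at login
        "wrap_salt": wrap_salt.hex(),
        "iterations": ITERATIONS,
        "hash": stretch(row["md5"], wrap_salt, ITERATIONS),
    }  # the bare MD5 column is dropped


def verify(row: dict, password: str) -> bool:
    """Login check against a migrated row, compared in constant time."""
    candidate = stretch(
        legacy_hash(password, row["salt"]),
        bytes.fromhex(row["wrap_salt"]),
        row["iterations"],
    )
    return hmac.compare_digest(candidate, row["hash"])


# Constructed sample row, standing in for one line of a legacy user table.
SAMPLE = {"user": "demo", "salt": "a1B", "md5": legacy_hash("correct horse", "a1B")}
MIGRATED = migrate_row(SAMPLE)
```

Wrapping only protects the table going forward; passwords whose hashes were already in the leaked data still have to be changed.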
09-8-2016, 11:47 PM | #58 |
Picker @ JAX2
Join Date: Aug 2011
Posts: 505
|
Re: FFR Hacked.
it's been a long time since i poked around an ACP as well, but i feel like the forum backend has some option like "prompt password change on next login" for things like this. either that, or it can be enforced through usergroups. the more things you can stick in front of people's faces to get them to take action, the better. what worries me, though, is someone on staff probably looked for that already, and if there's seriously no ACP function to handle this then VB is some staggeringly horrible software
like, it's one thing to say "change your passwords everyone" - which has come up several times now, but only in this thread in the forums - but another to actually require it, at least as a short-term stopgap while devs are at work doing something |
09-8-2016, 11:54 PM | #59 |
Very Grave Indeed
|
Re: FFR Hacked.
Multiple people with a far better understanding of how FFR's backend works have strenuously advocated for -not- attempting a forcible password reset for the users. I tend to want to trust their judgment.
In what I'm sure is a shockingly large number of cases, the email address tied to people's accounts is years out of date and non-functional, which would mean your password gets reset, you have no way to get back at it, and you'll have to make a new account just to ask us to reset it manually for you.
Last edited by devonin; 09-8-2016 at 11:59 PM.. |
09-8-2016, 11:59 PM | #60 |
Picker @ JAX2
Join Date: Aug 2011
Posts: 505
|
Re: FFR Hacked.
hmm, okay, i get that. it just seems really counterintuitive to me, is all. certainly counter to my intuition.
|