Old 09-6-2016, 07:56 PM   #41
Azpb Djbread
FFR Player
 
Join Date: Jan 2016
Posts: 345
Default Re: FFR Hacked.

Question: Who is this person http://www.flashflashrevolution.com/profile/IwasHacked/
And how did he get those stats, 1 point? idk
Azpb Djbread is offline  
Old 09-6-2016, 08:24 PM   #42
Mahou
魔法少女
FFR Veteran
 
Join Date: Jan 2006
Age: 33
Posts: 2,150
Default Re: FFR Hacked.

Quote:
Originally Posted by Azpb Djbread View Post
Question: Who is this person http://www.flashflashrevolution.com/profile/IwasHacked/
And how did he get those stats, 1 point? idk
??? ??? ?? ?? ???
Mahou is offline  
Old 09-6-2016, 08:46 PM   #43
Winrar
Quasi-porn
FFR Veteran
 
Join Date: Jan 2008
Age: 31
Posts: 1,842
Default Re: FFR Hacked.

Ehh, I'm not worried. It's only on this site and I have a different complex password for everything.
__________________

Quote:
Originally Posted by Staiain View Post
I'm sorry but... *flicks hair* I don't DO 0.x rates 8)
Winrar is offline  
Old 09-6-2016, 09:13 PM   #44
Coolgamer
Old-School Player
FFR Veteran
 
Join Date: Sep 2003
Age: 36
Posts: 677
Default Re: FFR Hacked.

Well, we'll see what happens. I expect a front-page notice regarding the situation, and hopefully a forced round of password resets.

Given how long this site has been around, it's a safe bet that many people used the same password here that they used everywhere else. Probably some of the more recent accounts made the same mistake as well.

This is the reality of the digital age. It's not the first breach I've been caught in. It won't be the last. But I'll certainly be keeping an eye on how staff responds.
__________________




Quote:
Originally Posted by Synthlight View Post
St1cky only proves that he has no life and that his parents are alcoholics. They probably abused him with rubber duckies when he was a baby. Why else would you exploit scores on FFR?
Coolgamer is offline  
Old 09-7-2016, 05:54 PM   #45
Izzy
Snek
FFR Simfile Author, FFR Veteran
Join Date: Jan 2003
Location: Kansas
Age: 33
Posts: 9,192
Default Re: FFR Hacked.

Guess I'll change my password. I use a password unique to FFR, but it was a stupid password that is probably able to be cracked.
Izzy is offline  
Old 09-8-2016, 01:15 AM   #46
Coolgamer
Old-School Player
FFR Veteran
 
Join Date: Sep 2003
Age: 36
Posts: 677
Default Re: FFR Hacked.

...still no front page announcement, e-mail, or sticky.
Coolgamer is offline  
Old 09-8-2016, 01:21 PM   #47
Untimely Friction
D6 Challeneged
Retired Staff, FFR Veteran
Join Date: Aug 2012
Age: 31
Posts: 1,267
Default Re: FFR Hacked.

I've been asking who I can and I'm not getting much of an answer, I think at this time the scale of whatever happened is probably still being uncovered to its fullest, I personally suggest you send admins a private message expressing your discomfort not knowing how they have and plan to handle your data in the future, I'm doing it. Don't harass or be rude though, that won't get you anywhere but in trouble.
Untimely Friction is offline  
Old 09-8-2016, 04:50 PM   #48
aperson
FFR Hall of Fame
Retired Staff, FFR Simfile Author, FFR Veteran
Join Date: Jul 2003
Location: Houston
Posts: 3,427
Default Re: FFR Hacked.

what do you think they're going to do? pay out the ass for a security audit? there are way too many attack vectors for this given that the site runs some old fuckin version of vbulletin, some old fuckin version of wordpress, and hasn't had its core updated in like 10 years at this point. the page you're whining on right now isn't even https.

if your password or email here exposes anything amazing about your life then you should probably rethink your security strategy.

Last edited by aperson; 09-8-2016 at 04:51 PM.
aperson is offline  
Old 09-8-2016, 06:39 PM   #49
Coolgamer
Old-School Player
FFR Veteran
 
Join Date: Sep 2003
Age: 36
Posts: 677
Default Re: FFR Hacked.

Quote:
Originally Posted by aperson View Post
what do you think they're going to do? pay out the ass for a security audit? there are way too many attack vectors for this given that the site runs some old fuckin version of vbulletin, some old fuckin version of wordpress, and hasn't had its core updated in like 10 years at this point. the page you're whining on right now isn't even https.

if your password or email here exposes anything amazing about your life then you should probably rethink your security strategy.
Nobody is asking them to perform a security audit. At the very least though, there should be a news post or automated mail to registered users.

Ideally, like most other sites, passwords should be reset given that the breach is confirmed on two sites, with info that I know is valid.

Look, I joined what... 13 years ago? Back then, me and most other young people probably didn't practice the best web security. I'm willing to bet that a large number of accounts here use the same password for their registered e-mail, and who knows where else. Facebook, Twitter... it's in the best interest for FFR to be upfront and alert people to what happened.

In fact, I'd argue that it's their moral responsibility.

Last edited by Coolgamer; 09-8-2016 at 06:44 PM.
Coolgamer is offline  
Old 09-8-2016, 06:43 PM   #50
Dinglesberry
longing
FFR Veteran
 
Join Date: Dec 2007
Location: Ontario, Canada
Posts: 2,680
Default Re: FFR Hacked.

Lol admins pls respond

I guess it just being like "yo bro we got haxked pls change passerino thnx" when you log in would be ok

I mean like, I used an email to register for this in 2007 and I don't even remember what the email is anymore to be honest
Dinglesberry is offline  
Old 09-8-2016, 06:52 PM   #51
Coolgamer
Old-School Player
FFR Veteran
 
Join Date: Sep 2003
Age: 36
Posts: 677
Default Re: FFR Hacked.

Quote:
Originally Posted by Dinglesberry View Post
Lol admins pls respond

I guess it just being like "yo bro we got haxked pls change passerino thnx" when you log in would be ok

I mean like, I used an email to register for this in 2007 and I don't even remember what the email is anymore to be honest
I keep up with the latest data breaches. I remember the huge leaks. I was part of Dropbox, Adobe, Tumblr, Linkedin, Nihonomaru, FFshrine, MyDigitalLife.info, Hongfire... all notified users and forced password resets.

Granted, most of those are larger companies, but those last few are forums, some smaller than FFR, some larger. The longer it takes to address, the more risk people are at for being affected.
Coolgamer is offline  
Old 09-8-2016, 07:06 PM   #52
Dinglesberry
longing
FFR Veteran
 
Join Date: Dec 2007
Location: Ontario, Canada
Posts: 2,680
Default Re: FFR Hacked.

Nah I 100% understand your argument.

On the bright side, I wonder if emails would bring people back lol, like oh that game.. I guess I could try it again

To be fair though to the staff, #1 that post isn't gonna write itself, I know it's just a simple thing I guess but it's easier said than done, #2 the staff is working on new site as prawn said earlier (hype, I wish yall staff would talk about new stuff more, get the hype comin)

Not only that, but I completely believe they wouldn't know about it until now.. For example, Google "FFR leak" or whatnot.. Can you explain why all the news articles about it are from like, Sept 6th? Actually on inspection it looks like some of them are auto generated sites pulled from some leak data, which would explain why people only know now..

To me it's a really bold assumption to say "it's been 8 months.." I mean, it's not like it's a matter of going "oh damn I knew I should have checked the logs, would you look at that! Someone ran the download algorithm on the backend hexadecimal to get the intranet to parse" like how would you even begin to know you were breached, you'd have to know how it happened, be looking for it and stuff.. Like shit man this site's written with php, I asked my artificial intelligence prof today if we could use Web languages like php and they were like "you can use any server side language, except php"
Dinglesberry is offline  
Old 09-8-2016, 07:38 PM   #53
andy-o24
Private Messages, please.
FFR Veteran
 
Join Date: May 2006
Location: Central Indiana
Age: 30
Posts: 1,525
Default Re: FFR Hacked.

FFR emails end up in my spam folder. They probably end up in other people's spam folder. An email alert will likely not work.

-o24
__________________
Quote:
Originally Posted by hi19hi19 View Post
Best strat: enjoy the game, play what you feel like when you feel like it. Don't think about what you are doing or why, enjoy the gameplay, the artistry behind the stepfile, and enjoy the music.

When the game isn't fun for you anymore, take a break. It's not a job, nobody here is professional and getting paid to play and force themselves to constantly improve... it's a game.

Quote:
Originally Posted by Shashakiro View Post
Yeah, FFR is addicting...I don't think I'll get bored with this game unless I somehow become the best at it, which won't happen.
andy-o24 is offline  
Old 09-8-2016, 09:43 PM   #54
inDheart
Picker @ JAX2
FFR Simfile Author
 
Join Date: Aug 2011
Posts: 505
Default Re: FFR Hacked.

Quote:
Originally Posted by aperson View Post
what do you think they're going to do? pay out the ass for a security audit? there are way too many attack vectors for this given that the site runs some old fuckin version of vbulletin, some old fuckin version of wordpress, and hasn't had its core updated in like 10 years at this point. the page you're whining on right now isn't even https.

if your password or email here exposes anything amazing about your life then you should probably rethink your security strategy.
there's a difference between doing these things that are more resource/time-intensive than what coolgamer is asking for, and doing nothing. social engineering has to happen on both ends if that's what you really want. i see no version of this where you can say staff is handling this well.
inDheart is offline  
Old 09-8-2016, 10:50 PM   #55
devonin
Very Grave Indeed
Retired Staff, FFR Simfile Author, FFR Veteran
Join Date: Apr 2004
Location: Ontario, Canada
Age: 40
Posts: 10,098
Default Re: FFR Hacked.

It's been two days since this thread was made, and there have been a couple staff posts in the thread on the subject. The first we heard about this breach was this thread. Nothing in our logs indicates that it happened, given it was months and months ago. We needed to investigate it, assess what it meant and look at our options. I've got a post just waiting for some others to look at before I can put it out. So please, just a small bit more patience.
devonin is offline  
Old 09-8-2016, 11:02 PM   #56
Coolgamer
Old-School Player
FFR Veteran
 
Join Date: Sep 2003
Age: 36
Posts: 677
Default Re: FFR Hacked.

Quote:
Originally Posted by devonin View Post
It's been two days since this thread was made, and there have been a couple staff posts in the thread on the subject. The first we heard about this breach was this thread. Nothing in our logs indicates that it happened, given it was months and months ago. We needed to investigate it, assess what it meant and look at our options. I've got a post just waiting for some others to look at before I can put it out. So please, just a small bit more patience.
Thank you for keeping us up to date at least. Trust me, I wasn't trying to sound like a whiner or anything.
Coolgamer is offline  
Old 09-8-2016, 11:08 PM   #57
devonin
Very Grave Indeed
Retired Staff, FFR Simfile Author, FFR Veteran
Join Date: Apr 2004
Location: Ontario, Canada
Age: 40
Posts: 10,098
Default Re: FFR Hacked.

Hello everybody.

As some of you may have seen from the forums, the website haveibeenpwned.com is reporting that there was a breach of FFR in February of this year, resulting in the compromising of Usernames, Email Addresses and IP information, as well as Salted MD5 password hashes. Further, the Vigilante.pw twitter feed claims that as of July of this year, a large majority of those accounts had their passwords successfully cracked into plaintext.

What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away. We actually have no evidence on our side of this breach, but there's no reason to doubt multiple sources reporting it, so we need to treat it like it is fact.

What it means for FFR passwords is a little more complicated. Some levelling with you is going to happen now.

Due to various issues (Mostly the non-profit nature of the site and the absence of Synthlight) it is unlikely that we'll be able to upgrade the security architecture in any especially meaningful way. As well, while in 2008, salted MD5 hashes were fairly secure, that has become less so as time passes. We are investigating ways to store passwords more securely that are still compatible with our existing systems, but in the near-term in today's information security climate, we have to basically be frank that we lack any especially compelling ways to secure your password.

Out of the salted hashes compromised in the breach, nearly 400,000 of them remained uncracked. Those were users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked, sufficiently strong passwords are at least some deterrent to these attacks. So for FFR, like any and every other service you have with a password, your best bet is to use a password manager like KeePass to generate you very strong passwords unique to each source. If you don't want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblance to any personally identifying words or phrases, and avoiding things like simple substitution (3 for e or 1 for i etc).

While we are definitely sympathetic to anybody who had passwords compromised that are used in any other places, please do understand that the first we heard about this breach was when it was posted in the forums, and investigation on our end needed to happen to try and confirm the reports, assess what happened, and try to figure out where we actually stood with regards to our options, and that we haven't been trying to avoid, ignore or otherwise not address these issues by mostly remaining quiet up until now.

We apologise for the effort in changing passwords this is going to cause, and any alarm caused by our taking a few days to assess before saying something.

Devonin and the FFR Team
devonin is offline  
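
The announcement above says staff are looking for password storage that stays compatible with the existing salted MD5 records. One common approach is to wrap each stored hash in a slow KDF and then upgrade it at the user's next successful login. The following is an added example, not FFR's or vBulletin's code; it assumes the vBulletin 3.x-style layout md5(md5(password) + salt), PBKDF2-HMAC-SHA256 as the KDF, and hypothetical record field names.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows


def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy layout (vBulletin 3.x style): md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def _kdf(secret: bytes, salt: bytes, iters: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iters).hex()


def wrap_legacy(record: dict) -> dict:
    """Offline step over the user table: needs the stored hash, not the password."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(md5)", "legacy_salt": record["legacy_salt"],
            "kdf_salt": salt.hex(), "iters": ITERATIONS,
            "hash": _kdf(record["hash"].encode(), salt, ITERATIONS)}


def login(password: str, record: dict) -> tuple[bool, dict]:
    """Check a password; on success return the record upgraded to plain PBKDF2."""
    scheme = record["scheme"]
    if scheme == "md5":
        candidate = legacy_hash(password, record["legacy_salt"])
    elif scheme == "pbkdf2(md5)":
        inner = legacy_hash(password, record["legacy_salt"])
        candidate = _kdf(inner.encode(), bytes.fromhex(record["kdf_salt"]),
                         record["iters"])
    elif scheme == "pbkdf2":
        candidate = _kdf(password.encode(), bytes.fromhex(record["kdf_salt"]),
                         record["iters"])
    else:
        return False, record
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if scheme == "pbkdf2":
        return True, record
    # The plaintext is in hand now, so MD5 can be dropped from the chain.
    salt = os.urandom(16)
    return True, {"scheme": "pbkdf2", "kdf_salt": salt.hex(), "iters": ITERATIONS,
                  "hash": _kdf(password.encode(), salt, ITERATIONS)}


# Constructed sample row (not real data) in the assumed legacy format.
SAMPLE = {"scheme": "md5", "legacy_salt": "a1B",
          "hash": legacy_hash("correct horse battery staple", "a1B")}
```

Wrapping only strengthens the copy in the database from that point on; hashes already taken in a breach stay as weak as they were, so the advice to change reused passwords still applies.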
Old 09-8-2016, 11:47 PM   #58
inDheart
Picker @ JAX2
FFR Simfile Author
 
Join Date: Aug 2011
Posts: 505
Default Re: FFR Hacked.

it's been a long time since i poked around an ACP as well, but i feel like the forum backend has some option like "prompt password change on next login" for things like this. either that, or it can be enforced through usergroups. the more things you can stick in front of people's faces to get them to take action, the better. what worries me, though, is someone on staff probably looked for that already, and if there's seriously no ACP function to handle this then VB is some staggeringly horrible software

like, it's one thing to say "change your passwords everyone" - which has come up several times now, but only in this thread in the forums - but another to actually require it, at least as a short-term stopgap while devs are at work doing something
inDheart is offline  
Old 09-8-2016, 11:54 PM   #59
devonin
Very Grave Indeed
Retired Staff, FFR Simfile Author, FFR Veteran
Join Date: Apr 2004
Location: Ontario, Canada
Age: 40
Posts: 10,098
Default Re: FFR Hacked.

Multiple people with a far better understanding of how FFR's backend works have strenuously advocated for -not- attempting a forcible password reset for the users. I tend to want to trust their judgment.

In what I'm sure is a shockingly large number of cases, the email address tied to people's accounts is years out of date and non-functional, which would mean your password gets reset, you have no way to get back at it, and you'll have to make a new account just to ask us to reset it manually for you.

Last edited by devonin; 09-8-2016 at 11:59 PM.
devonin is offline  
Old 09-8-2016, 11:59 PM   #60
inDheart
Picker @ JAX2
FFR Simfile Author
 
Join Date: Aug 2011
Posts: 505
Default Re: FFR Hacked.

Quote:
Originally Posted by devonin View Post
Multiple people with a far better understanding of how FFR's backend works have strenuously advocated for -not- attempting a forcible password reset for the users. I tend to want to trust their judgment.
hmm, okay, i get that. it just seems really counterintuitive to me, is all. certainly counter to my intuition.
inDheart is offline  
Closed Thread


Powered by vBulletin® Version 3.8.1