Our recent security breach...

apophis775
Host
Posts: 6985
Joined: 22 Aug 2014, 18:05
Location: Ice Colony
Byond: Apophis775

Our recent security breach...

Post by apophis775 » 03 Mar 2016, 23:38

So, as many-to-all of you know, earlier today our security on CM forums was compromised. We are still not 100% sure of what was taken, but we are going on the premise that our entire forum database was nabbed. The full events of "how" they got in will be forever a mystery unless "he who must not be named" decides to reveal himself and explain the exact procedures. Suffice it to say, from the information I can gather it appears that the breach happened earlier today when someone (believed to be a script-kiddy) was trying to break reddit passwords and managed to nab the account of my co-host. My co-host made the unfortunate mistake of using the same password for reddit as he used for the forums, which was also not a "secure" password.

The result was that the "cracker" was able to access our forum. While it is not clear what he was able to take, he DID have the potential ability to take our forum database, including hashes of all the players' passwords.

I do NOT believe his original intention of breaking our server was "to be malicious" or "planned", nor do I think that we were some sort of specific target, beyond him seeing an opportunity. Reason being, we could have ended up MUCH WORSE than we did if he had either planned this, or truly knew the scope of the access he got. Regardless, we have reset passwords and refocused on security to prevent a future breach.

I would like to assure you, however, that our source-code, server, and server-logs were NOT compromised. However, there is a good chance that he has the hashes of all the passwords used on the server, and possibly everyone's emails and IPs. As a result, we'd like to alert everyone with an account on our forums to change your passwords. We will be sending a similar announcement to this to all email addresses we have registered with the server, and placing a copy of this announcement on Reddit.

Feel free to ask any questions here, and I will answer them.

Seehund
Donor
Posts: 497
Joined: 11 Aug 2015, 12:28
Location: Unter dem Meer.

Re: Our recent security breach...

Post by Seehund » 04 Mar 2016, 10:23

So, gonna ask a few technically unsavvy questions for the rest of us smerds.

First off, how strong is the hashing on the passwords?
That is to say, how likely is it this guy could just bruteforce or, God forbid, look them up on a rainbow table?

And of course, what are your suggestions regarding coming up with a secure password?
When the voice from the shadows calls you
When the wind whips past your ears
Will you stand when the weight is upon you
Or will you go to your knees in fear?

MadSnailDisease
Registered user
Posts: 267
Joined: 20 Dec 2014, 22:05

Re: Our recent security breach...

Post by MadSnailDisease » 04 Mar 2016, 11:19

Jackserious wrote:So, gonna ask a few technically unsavvy questions for the rest of us smerds.

First off, how strong is the hashing on the passwords?
That is to say, how likely is it this guy could just bruteforce or, God forbid, look them up on a rainbow table?

And of course, what are your suggestions regarding coming up with a secure password?
use "correct horse battery staple"

apophis775

Re: Our recent security breach...

Post by apophis775 » 04 Mar 2016, 14:53

Our passwords are "slightly salted", making them slightly annoying to crack, but not impossible. So far as I know, he only released my password hash.

For admins and mods, you should use a "secure" password like:

SECure12#$

2-3 caps
2-3 lowercase
at least 2 numbers
at least 2 special characters

I know that can be asking a LOT for a forum board, but if you're a staff member and have higher level function access, it's a must.

As far as regular members, I recommend using a password not associated with reddit or anything else that you can use as a throw-away.
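The two pieces of advice above (the "correct horse battery staple" passphrase and the staff composition rule) can be compared on the same scale, bits of entropy. The following is an added example written for this thread, not code from the forum or its software. It checks a password against the composition rule as posted (the "2-3" caps/lowercase are read as a minimum of 2, which is an assumption), and estimates how many bits a random password or passphrase carries; the 95-character printable-ASCII alphabet, the 7776-word list size and the guess rate of 10^10 per second are all assumed figures for illustration, not numbers from the thread.

```python
import math
import re
import secrets
from typing import List

# Composition rule from the post above, read as minimums (assumption):
# at least 2 uppercase, 2 lowercase, 2 digits and 2 special characters.
def meets_staff_rule(password: str) -> bool:
    upper = len(re.findall(r"[A-Z]", password))
    lower = len(re.findall(r"[a-z]", password))
    digits = len(re.findall(r"[0-9]", password))
    special = len(re.findall(r"[^A-Za-z0-9]", password))
    return upper >= 2 and lower >= 2 and digits >= 2 and special >= 2

def random_chars_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet.
    This is an upper bound: a human-chosen string like SECure12#$ is far
    from uniform, so its real entropy is lower."""
    return length * math.log2(alphabet_size)

def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of `words` words drawn uniformly from a word list.
    7776 is the size of a Diceware-style list (assumed here)."""
    return words * math.log2(wordlist_size)

def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at a given offline guess rate.
    The rate is an assumption; it only matters that salted, slow hashes
    push it down by orders of magnitude."""
    return 2 ** bits / guesses_per_second

def make_passphrase(wordlist: List[str], words: int = 4) -> str:
    """Pick words with a CSPRNG; entropy is governed by len(wordlist)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

if __name__ == "__main__":
    # Constructed tiny word list, only to show the generator; a real list is
    # thousands of words, which is what gives the passphrase its strength.
    toy_words = ["correct", "horse", "battery", "staple", "colony", "marine"]
    print("SECure12#$ meets staff rule:", meets_staff_rule("SECure12#$"))
    print("10 random printable chars: %.1f bits" % random_chars_bits(10))
    print("4 words from 7776:        %.1f bits" % passphrase_bits(4))
    print("6 words from 7776:        %.1f bits" % passphrase_bits(6))
    print("40-bit password exhausted in %.0f s at 1e10/s" % seconds_to_exhaust(40))
    print("sample passphrase:", make_passphrase(toy_words))
```

The takeaway a defender wants from the numbers: a 10-character string that merely satisfies the composition rule caps out near 66 bits only if every character is random, which a memorable one is not, while four random dictionary words give about 52 bits and six give about 78 without any symbols to remember.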

quarantinetimer
Registered user
Posts: 30
Joined: 08 Nov 2015, 04:23
Byond: Quarantinetimer

Re: Our recent security breach...

Post by quarantinetimer » 04 Mar 2016, 18:09

One more weird question: Is it possible that social engineering was involved? (i.e. RahIzel was tricked into giving away the password somehow.)

UnknownMurder
Registered user
Posts: 2243
Joined: 15 Dec 2014, 08:03
Location: Ascension

Re: Our recent security breach...

Post by UnknownMurder » 05 Mar 2016, 15:37

Is the Colonial Marines the only target of the "script kiddie", or have other forums noticed a security breach?

Also: I, too, am not savvy... How was it noticed that there was a security breach?

apophis775

Re: Our recent security breach...

Post by apophis775 » 05 Mar 2016, 15:56

quarantinetimer wrote:One more weird question: Is it possible that social engineering was involved? (i.e. RahIzel was tricked into giving away the password somehow.)

No, Reddit was the source of the password breaches.


UnknownMurder wrote:Is the Colonial Marines the only target by the "script kiddie" or has other forum noticed security breach?

Also: I, too am not a savvy... How was it noticed that there was a Security Breach?
Only our forum has been "hit", but other forums have locked-down.


The guy had no real idea what he managed to do, so he posted all over reddit that he "hacked" us.

Kryfrac
Registered user
Posts: 18
Joined: 31 Jan 2016, 00:42
Location: Xenomorph Prime

Re: Our recent security breach...

Post by Kryfrac » 06 Mar 2016, 03:02

So, a script kiddie managed to break into my favorite forum and take the password hashes of everyone including myself?
My question is, if you use the same password on two sites, would the hash be the same or different?
And also, could he dehash the passwords and get mine?

Potentially problematic for me as I stupidly use the same password for almost everything..
My Avatar is GlItChY.
Thequeenis so damn cute.
So is theHivelord
The Hivelord likes to rest with me.

Help, I'm addicted to Xenos.
Once a hivelord, Always a hivelord, Unless I'm queen, As I am above, But even then, I still rest with hivelords.

FOR THE HIVE!

Also known as Charlotte "Midnight" Onyx


Allan1234
Donor
Posts: 583
Joined: 15 Oct 2014, 20:16
Location: Canada, BC, Vernon

Re: Our recent security breach...

Post by Allan1234 » 06 Mar 2016, 03:46

Kryfrac wrote:So, A script kiddie managed to break into my favorite forum and take the password hashes of everyone including myself?
My question is, If you use the same password on two sites, Would the hash be the same or different?
And also, Could he dehash the passwords and get mine?

Potentially problematic for me as I stupidly use the same password for almost everything..
The "hash" would not be the same, as a hash is a type of encryption if I remember correctly, but they can still get your password from the hash, so it is highly recommended to change any passwords that are the same as your CM one.
M.O.T.H.E.R. Status Update


Warning.

Continued actions may result in loyalty chip activation, as well as the implementation of Politically Correct subsystems. We don't want that, now do we?


ADMIN LOG: Apophis775/(Erin Kowalski) has created a M.O.T.H.E.R. report




http://www.moddb.com/mods/dwu-battlestar-galactica-mod
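Kryfrac's question (same password on two sites: same hash or not?) and the "slightly salted" answer earlier in the thread come down to whether the site salts and how slow its hash is. The following is an added example, not code from this forum or its software, and it does not reflect what CM actually ran. It contrasts a fast unsalted digest, which is identical on every site that uses it and so can be looked up in a precomputed table, with a per-user random salt and a slow key derivation, which makes the same password produce different stored values on two sites and defeats table lookups. PBKDF2-HMAC-SHA256 at 200,000 iterations is an assumed choice for illustration; the three "common" passwords in the lookup table are constructed from examples named later in this thread.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: one user reusing the same password on two sites.
REUSED_PASSWORD = "correct horse battery staple"
ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for your hardware

def unsalted_hash(password: str) -> str:
    """Fast, unsalted digest. Same input gives the same output everywhere,
    which is exactly why precomputed (rainbow) tables work against it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """What a site should store: a random per-user salt plus a slow KDF.
    A hash is one-way, not encryption; there is no key that 'dehashes' it,
    only guessing, and the salt forces that guessing to restart per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}

def verify(record: Dict[str, object], candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))

# Constructed three-entry stand-in for a precomputed table of unsalted digests.
PRECOMPUTED: Dict[str, str] = {unsalted_hash(p): p for p in ["12345", "apple", "password"]}

def lookup_unsalted(digest: str) -> Optional[str]:
    """Table lookup: succeeds only against unsalted, fast hashes."""
    return PRECOMPUTED.get(digest)

if __name__ == "__main__":
    site_a = make_record(REUSED_PASSWORD)
    site_b = make_record(REUSED_PASSWORD)
    print("unsalted, site A == site B:", unsalted_hash(REUSED_PASSWORD) == unsalted_hash(REUSED_PASSWORD))
    print("salted,   site A == site B:", site_a["hash"] == site_b["hash"])
    print("table hit on unsalted 'apple':", lookup_unsalted(unsalted_hash("apple")))
    print("table hit on salted record:   ", lookup_unsalted(str(site_a["hash"])))
    print("login with right password:", verify(site_a, REUSED_PASSWORD))
    print("login with wrong password:", verify(site_a, "wrong"))
```

Note what the salt does and does not buy: two sites storing salted records of the same password hold different values, so one leak cannot be matched against the other by comparing hashes, but an attacker who gets one site's record can still guess that single user's password offline and then try it on the other site, which is the reuse problem the thread is warning about.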

Kryfrac

Re: Our recent security breach...

Post by Kryfrac » 06 Mar 2016, 03:57

Allan1234 wrote: The "Hash" would not be the same as a hash is a type of encryption if I remember correctly but they can still get your password from the hash so it is highly recommended to change any passwords that are the same as your CM one.
Change.. Every.. Password...
That's going to be really hard and strenuous.
It's the password for over 100+ things.
Gaaah.

apophis775

Re: Our recent security breach...

Post by apophis775 » 07 Mar 2016, 16:38

Kryfrac wrote: Change.. Every.. Password...
That's going to be really hard and strenuous.
Its the password for over 100+ things.
Gaaah.
I had to do the same thing, including make adjustments to my school passwords (remember, I'm a teacher).

Ordukai
Registered user
Posts: 671
Joined: 12 May 2015, 02:12
Location: California, USA
Byond: Ordukai

Re: Our recent security breach...

Post by Ordukai » 07 Mar 2016, 16:56

http://passwordsgenerator.net/

Word document with all the stupid passwords you have for forums and skype and shit. Maybe even print it out. Even if you have to re-log in, you'll still have a silly strong password available on the document or piece of paper. Stick it in your drawer or something.

Done?
TLDR: Go back and read it. I spent time writing that, ya know.

qsleepy
Registered user
Posts: 159
Joined: 13 Jan 2016, 23:02

Re: Our recent security breach...

Post by qsleepy » 07 Mar 2016, 22:07

Yes, but consider a skin-walker takes over your body in a quest to murder someone else in your family who one day will lead the war against the machines. Do you really want your CM password just sitting on the wall? Makes almost zero sense when you look at it directly like that.

Ordukai

Re: Our recent security breach...

Post by Ordukai » 08 Mar 2016, 01:02

That's why you put it in the drawer, not frame it next to your bed.

freemysoul
Registered user
Posts: 523
Joined: 01 Sep 2015, 10:43
Location: New Kerbin
Byond: freemysoul

Re: Our recent security breach...

Post by freemysoul » 28 Mar 2016, 05:52

For those admins/mods/players, a guide to getting a good strong password.

1. Use letters (uppercase and lowercase), numbers and symbols.
2. Don't use common words and passwords: 12345, apple, your fucking username (yes, I've seen people with their username as their password).
3. Don't USE banking details as your password. While they may be hard to crack, if they get it, they now have not just your account but your bank details.
4. Use something personal and secret only to you.
5. And for the love of god, make sure you don't use the same password twice.
6. Specifically for mods/admins: check your email account regularly. A tactic used by many attackers is to try and reset your password. If you see that you've received a password reset code that you didn't request, inform the system administration; they may be able to freeze your account for a while.
