Potential ResetEra Data Breach (Appears to be False, See Threadmark)

B-Dubs · Mar 6, 2020

Official Staff Communication

Let's clear this up: Our tech team investigated claims of a data breach and found no evidence of such on our end. We have no reason to believe our database has been compromised. What appears to have happened is that a determined troll gained access to a small number of accounts through known-leaked passwords (from breaches on other sites) and/or brute forcing weak passwords. One of the IPs used by the troll in question, not to mention the writing style, matches those used by a banned member who has long been engaged in alt right harassment against our community.

With all of that in mind we declined to engage the troll. What we did do is force the affected accounts to reset their passwords, and each of those individuals was contacted to inform them of what happened. We also updated our General Guide with recommendations on personal and account security.

Again, we have no reason to believe there has been a data breach, but both here and everywhere all members should take care to use strong passwords that are unique to each site.

Kyra · Mar 6, 2020

saenima said:
Lol that youtube channel.

Holy shit lol

Deleted member 43084 · Mar 6, 2020

RolandOfGilead said:
Are you able to confirm that passwords are stored encrypted and not in plain text?

Kyuuji said:
xenForo (the forum software) should have baseline encryption and salting if installed and implemented correctly.
Users should be using 2FA regardless if concerned about their account.

Quick Googling shows XenForo 2 uses bcrypt, which is sufficient protection.

ColdSun · Mar 6, 2020

Mzril said:
You guys store passwords as salted hashes right?

Yes the passwords are hashed. The system utilizes 10 iterations of bcrypt as well.

It is absolutely untrue that the passwords were stored in plaintext.

krae_man · Mar 6, 2020

Recently I logged into a local used media stores site where you can set up a wish list and be emailed when said movie/game becomes in stock and google gave me a pop up that said "This email/password combo is in known data breaches".

That was a cool popup. Hackers can have my wish list if they somehow care.

Kyuuji · Mar 6, 2020

minimaxir said:
Quick Googling shows XenForo 2 uses bcrypt, which is sufficient protection.

ColdSun said:
Yes the passwords are hashed. The system utilizes 10 iterations of bcrypt.

👌

mugurumakensei · Mar 6, 2020

ColdSun said:
Yes the passwords are hashed. The system utilizes 10 iterations of bcrypt.

Hmm should probably not have mentioned that, but I guess if someone wants to waste the money you can just up the iterations if you notice activity.

SinCityAssassin · Mar 6, 2020

I mean in the hypothetical that there actually was a data breach wouldn't that mean gaf would have the same exact breach since they use the same forum system. Too bad this person Isn't making that public, could be saving hundreds of hundreds. ;)

TheDestructiveSquirrel · Mar 6, 2020

Are we able to change our e-mail to free ones? Or would I have to change it to an ISP one?

TheDutchSlayer · Mar 6, 2020

Thanks for the fast update and looking out for us!

I use unique passwords on every website but still.

Deleted member 43084 · Mar 6, 2020

mugurumakensei said:
Hmm should probably not have mentioned that, but I guess if someone wants to waste the money you can just up the iterations if you notice activity.

Stating the number of rounds of bcrypt won't make the passwords any easier to crack; it just hints that it's infeasible to even try.

Chessguy1 · Mar 6, 2020

This Sophia person seems very confident that this leak is true.

For their sake as a journalist, it better be true, otherwise they may have just ruined their credibility going forward, which IMO is everything.

Megasoum · Mar 6, 2020

Even if the thing is a giant troll, perfect opportunity to remind people that EVERYBODY should be using a password manager and 2 factor for every website you go to.

There's really no excuses in 2020... It's free and super easy to use.

Also it's weirdly satisfying to sign up to websites using a ridiculously complex 30 characters password haha.

mugurumakensei · Mar 6, 2020

minimaxir said:
Stating the number of rounds of bcrypt won't make the passwords any easier to crack; it just hints that it's infeasible to even try.

well it can tell you how much computing power you should buy to try to brute force now 10 rounds will take an absurd amount of computing power and 2FA is likely enabled by most users so shouldn't be an issue

Josh378 · Mar 6, 2020

...so did they find out if ResetERA gold membership exist?

Brass Body Dave · Mar 6, 2020

ColdSun said:
Yes the passwords are hashed. The system utilizes 10 iterations of bcrypt as well.

It is absolutely untrue that the passwords were stored in plaintext.

Are the email addresses also encrypted?

DownUnderCoder · Mar 6, 2020

krae_man said:
Recently I logged into a local used media stores site where you can set up a wish list and be emailed when said movie/game becomes in stock and google gave me a pop up that said "This email/password combo is in known data breaches".

This site now does a similar compromised password check. It is actually part of the NIST password standards to check for compromised passwords when changing them.

DoubleTake · Mar 6, 2020

Look guys we're actually important enough for trolls to fake a password breach for our site!

Back pats all around lol

Hecht · Mar 6, 2020

Chessguy1 said:
This Sophia person seems very confident that this leak is true.

For their sake as a journalist, it better be true, otherwise they may have just ruined their credibility going forward, which IMO is everything.

Don't think there's any worry about ruining what you don't have.

Komo · Mar 6, 2020

Also I should mentioned Xenforo literally doesn't store passwords lol? It's almost always been using bcrypt, and or allowing custom solutionjs.

Van Bur3n · Mar 6, 2020

Updated some stuff regardless, as I needed to do it anyway.

Stop It · Mar 6, 2020

Chessguy1 said:
This Sophia person seems very confident that this leak is true.

For their sake as a journalist, it better be true, otherwise they may have just ruined their credibility going forward, which IMO is everything.

They work for Russia Today.

Using the word journalist in regards to them is an insult to the term.

The Adder · Mar 6, 2020

Chessguy1 said:
This Sophia person seems very confident that this leak is true.

For their sake as a journalist, it better be true, otherwise they may have just ruined their credibility going forward, which IMO is everything.

They aren't a journalist and neither their audience nor employer cares about integrity or credibility.

Deleted member 30544 · Mar 6, 2020

The alt-right really hates this site.

That means we are doing something great...carry on chaps.

Kyuuji · Mar 6, 2020

Van Bur3n said:
Updated some stuff regardless, as I needed to do it anyway.

No one would want to hack a Dredgen, you can relax Van.

FantasticMrFoxdie · Mar 6, 2020

Didn't realize we had Two-Step options here now.

Activated!

Bless you ERAteam for your great work

Komo · Mar 6, 2020

krae_man said:
Recently I logged into a local used media stores site where you can set up a wish list and be emailed when said movie/game becomes in stock and google gave me a pop up that said "This email/password combo is in known data breaches".

That was a cool popup. Hackers can have my wish list if they somehow care.

This was something new they added actually both Firefox and Mozilla will alert you if you account info for any login matches hashes for public and private leaks.

Google launches leaked-password checker, will bake it into Chrome in December

The company plans to add a hacked-password alert system into its browser by the end of year; Firefox aims to do much the same thing this month.

www.computerworld.com

Perfect Chaos · Mar 6, 2020

Chessguy1 said:
This Sophia person seems very confident that this leak is true.

For their sake as a journalist, it better be true, otherwise they may have just ruined their credibility going forward, which IMO is everything.

lol

Mgs2master2 · Mar 6, 2020

Chessguy1 said:
This Sophia person seems very confident that this leak is true.

For their sake as a journalist, it better be true, otherwise they may have just ruined their credibility going forward, which IMO is everything.

She doesn't care. Look who she writes for and the content she creates. This is exactly what she wants and does.

Van Bur3n · Mar 6, 2020

Kyuuji said:
No one would want to hack a Dredgen, you can relax Van.

Bruv, just because I got the title doesn't mean I wear that amateur shit. I identify as the smasher of eggs, the flipper of omelets, a Cursebreaker.

Stop It · Mar 6, 2020

FantasticMrFoxdie said:
Didn't realize we had Two-Step options here now.

Activated!

Bless you ERAteam for your great work

If this gets people to use 2FA more, all the better.

Don't use the same password everywhere and use 2FA.

Kyuuji · Mar 6, 2020

Van Bur3n said:
Bruv, just because I got the title doesn't mean I wear that amateur shit. I identify as the smasher of eggs, the flipper of omelets, a Cursebreaker.

Some stains can't be washed out 💔

B-Dubs · Mar 6, 2020

FantasticMrFoxdie said:
Didn't realize we had Two-Step options here now.

Activated!

Bless you ERAteam for your great work

We've had it since the start of the site. If you're not using it you should be.

Deleted member 43084 · Mar 6, 2020

mugurumakensei said:
well it can tell you how much computing power you should buy to try to brute force now 10 rounds will take an absurd amount of computing power and 2FA is likely enabled by most users so shouldn't be an issue

You strongly underestimate how much computing power you'd need to crack a bcrypted password. It's not something you "buy."

Hecht · Mar 6, 2020

B-Dubs said:
We've had it since the start of the site. If you're not using it you should be.

Yeah, regardless it behooves everyone to use strong passwords and 2FA.

Fuzzy · Mar 6, 2020

B-Dubs said:
We've had it since the start of the site. If you're not using it you should be.

Yeah, I turned that shit on right after I joined.

Kasey · Mar 6, 2020

Gemüsepizza said:
Not going to link to this crap, but if you want to know who this person is, this is what she published recently on Russia Today:

Oh shit Era is a Jewish conspiracy!!!

Brass Body Dave · Mar 6, 2020

Hecht said:
Don't think there's any worry about ruining what you don't have.

Maybe you can answer this. Are email addresses encrypted the same as passwords, or are they not?

FantasticMrFoxdie · Mar 6, 2020

B-Dubs said:
We've had it since the start of the site. If you're not using it you should be.

Damn. I've been slackin.

I'm sure i'm not the only that missed that, so hopefully people take note.

Everyone get on that 2FA.

signal · Mar 6, 2020

Can we puhleeease change our emails to gmail or something free once registered with a non-free one 🙏

SuperHans · Mar 6, 2020

Komo said:
This was something new they added actually both Firefox and Mozilla will alert you if you account info for any login matches hashes for public and private leaks.

Google launches leaked-password checker, will bake it into Chrome in December

The company plans to add a hacked-password alert system into its browser by the end of year; Firefox aims to do much the same thing this month.

www.computerworld.com

This is really useful. I've a lot of work ahead of me. I've the same email address for nearly 20 years.

PSOreo · Mar 6, 2020

Didn't realise two-step was an option; appreciate the header reminder.

Sign My Guestbook! · Mar 6, 2020

signal said:
Can we puhleeease change our emails to gmail or something free once registered with a non-free one 🙏

Yeah. That would've been nice.

Instro · Mar 6, 2020

Not sure who is the bigger loser. The person wasting time trying to gain access to accounts on a gaming forum, or the person "reporting" on it.

Fuzzy · Mar 6, 2020

Guess I should just PM someone instead.

cognizant · Mar 6, 2020

signal said:
Can we puhleeease change our emails to gmail or something free once registered with a non-free one 🙏

Yeah, if you don't have access to the email you originally signed up with, that means 2FA is not an option for you, I guess? I asked a mod about this predicament ages ago but they couldn't help.

Stop It · Mar 6, 2020

Fuzzy said:
Guess I should just PM someone instead.

They don't deserve the platform.

It's already nonsense, no need to let the troll have a voice.

excelsiorlef · Mar 6, 2020

Chessguy1 said:
This Sophia person seems very confident that this leak is true.

For their sake as a journalist, it better be true, otherwise they may have just ruined their credibility going forward, which IMO is everything.

She never had any in the first place

Fuzzy · Mar 6, 2020

Stop It said:
They don't deserve the platform.

It's already nonsense, no need to let the troll have a voice.

Yeah, I decided I really didn't care.

B-Dubs · Mar 6, 2020

The troll is still using hijacked accounts to post in here. We've removed the posts since, obviously, the proper account holders aren't responsible.

808s & Villainy · Mar 6, 2020

Brass Body Dave said:
Are the email addresses also encrypted?

There'd be no way to see them if they were...you encrypt passwords so that you're only comparing encrypted vs encrypted, and it's a one way process.

Potential ResetEra Data Breach (Appears to be False, See Threadmark)

That's some catch, that catch-22

The Eggplant Queen

Together, we are strangers

Master of Balan Wonderworld

The Favonius Fox

Elizabeth, I’m coming to join you!

Did you find it? Cuez I didn't!

Elizabeth, I’m coming to join you!

Blue light comes around

Info Analyst

Bad Cat

User Requested Account Closure

The Favonius Fox

Info Analyst

One Winged Slayer

Bad Cat

The Favonius Fox

That's some catch, that catch-22

Blue light comes around

Completely non-threatening

Completely non-threatening

Bad Cat

Bad Praxis

Completely non-threatening

That's some catch, that catch-22