Potential ResetEra Data Breach (Appears to be False, See Threadmark)

[B-Dubs]

Let's clear this up: Our tech team investigated claims of a data breach and found no evidence of such on our end. We have no reason to believe our database has been compromised. What appears to have happened is that a determined troll gained access to a small number of accounts through known-leaked passwords (from breaches on other sites) and/or brute forcing weak passwords. One of the IPs used by the troll in question, not to mention the writing style, matches those used by a banned member who has long been engaged in alt right harassment against our community.

With all of that in mind we declined to engage the troll. What we did do is force the affected accounts to reset their passwords, and each of those individuals was contacted to inform them of what happened. We also updated our General Guide with recommendations on personal and account security.

Again, we have no reason to believe there has been a data breach, but both here and everywhere all members should take care to use strong passwords that are unique to each site.

 

[Kinthey]

We have no reason to believe our database has been compromised. What appears to have happened is that a determined troll gained access to a small number of accounts through known-leaked passwords (from breaches on other sites) and/or brute forcing weak passwords. One of the IPs used by the troll in question, not to mention the writing style, matches those used by a banned member who has long been engaged in alt right harassment against our community.

Click to shrink...

But how did the troll get those email addresses?

 

[Deleted member 5086]

Yeah, if you don't have access to the email you originally signed up with, that means 2FA is not an option for you, I guess? I asked a mod about this predicament ages ago but they couldn't help.

Click to shrink...

Our 2FA works through apps like Authy and Google Authenticator, and not through email, so it should still be an option. We'll look into what's possible regarding changing emails.

 

[BDS]

But how did the troll get those email addresses?

Click to shrink...

Because they logged into the person's account using their password from another site, then checked to see what email their account was registered under.

 

[Sign My Guestbook!]

But how did the troll get those email addresses?

Click to shrink...

I would imagine if it was done through guessing/brute-forcing, just go into the account details and get the e-mails there.

 

[Deleted member 3812]

Thanks to this thread, I've already changed my password for this site and enabled 2FA on here.

 

[MinusTydus]

This Sophia person seems very confident that this leak is true.

For their sake as a journalist, it better be true, otherwise they may have just ruined their credibility going forward, which IMO is everything.

Click to shrink...

Sophia Narwitz

Journalist at RT with bylines elsewhere. Primary writer for Colin Moriarty.

LMFAO

 

[Aiii]

But how did the troll get those email addresses?

Click to shrink...

By one of the many leaks they're in. Check yours at www.haveibeenpwnd.com

This is why everyone is telling people to get a password manager.

 

[Kinthey]

Because they logged into the person's account using their password from another site, then checked to see what email their account was registered under.

Click to shrink...

Ah, right. Didn't realize you can also login with the account name

 

[BigHatPaul]

Thanks for the heads up. Two-factor, guys. It's important to use.

 

[cognizant]

Our 2FA works through apps like Authy and Google Authenticator, and not through email, so it should still be an option. We'll look into what's possible regarding changing emails.

Click to shrink...

Thanks, appreciate it.

 

[Naga]

I didn't even know there was 2FA on Era...
But yeah, both the explanation (brute forcing/other passwords breached) makes sense, especially given the alt-right's obsession with this website, and the usual tips for those situations (2FA, change password etc).

 

[Deleted member 3812]

A heads up, 2FA using app authentication is more secure than email 2FA because if someone has access to your email and has a password to a site that does email-based 2FA they will have access to that site's user account because the 2FA code is emailed to you.

Fortunately, I see that ERA has app based 2FA which gives you a rotating 2FA code that changes frequently.

 

[PeskyToaster]

people must really want to post here because getting banned really sets them off.

 

[B-Dubs]

But how did the troll get those email addresses?

Click to shrink...

We've been able to confirm that at least some of the emails/passwords were part of publicly known breaches from other websites and services. This is why it is important to use unique passwords.

As others have mentioned, one tool that's good for checking this is www.haveibeenpwned.com

 

[Getlucky12341]

Don't think there's any worry about ruining what you don't have.

Click to shrink...

They're the one who discovered the ESA leak and got them to remove the personal info of everyone at E3, so they have some credibility.

 

[Mobyduck]

Thanks for the thread. It's good to change your password from time to time. Also activated 2FA.

 

[Rocketz]

Turned on 2FA just for extra insurance in the future.

 

[Baji Boxer]

I checked how long it would take to brute force my password and learned a new number: "duodecillion"

 

[Chopchop]

that is fucking weird. I guess that reinforces why I don't speak directly about who I am then

Click to shrink...

It's a good practice in general. This is a public forum, and there's no telling how many lurkers are reading your posts.

It's not terribly hard for someone to search a single person's posts and put together a profile of their information. Some people just have nothing better to do with their lives than to do shit like this, and it's both scary and sad.

 

[CyberWolfBia]

apparently someone used my account to post some things here... I got a panic attack and changed my passwords in every e-mail that I got, including the one associated with my Era account...

 

[Gentlemen]

They're the one who discovered the ESA leak and got them to remove the personal info of everyone at E3, so they have some credibility.

Click to shrink...

They also publicly posted the URL containing the personally identifiable information of hundreds of people, aligning her actions more closely with kiwi farms target painters than a professional security researcher and journalist.

she's a partisan crank, nothing more.

 

[Mgs2master2]

They also publicly posted the URL containing the personally identifiable information of hundreds of people, aligning her actions more closely with kiwi farms target painters than a professional security researcher and journalist.

she's a partisan crank, nothing more.

Click to shrink...

This. All of it

 

[Tabby]

joke's on them, the email attached to this account is broken

(i should probably fix that soon)

Click to shrink...

Oof, you've just reminded me that mine's attached to a broken email too.

 

[Raccoon]

joke's on them, the email attached to this account is broken

(i should probably fix that soon)

Click to shrink...

yeah I'd get on that

trust me when I say that can turn into quite a rabbithole

 

[Mathieran]

It really goes beyond stalking too. people have been doxxed and swatted *just for being a ResetEra member*
There are a nonzero number of psychopaths with a chip on their shoulder looking for any morsel of personal information shared here.
People like the "journalist" in the OP enable this behavior, especially with their actions during the E3 breach.

Click to shrink...

It's a good practice in general. This is a public forum, and there's no telling how many lurkers are reading your posts.

It's not terribly hard for someone to search a single person's posts and put together a profile of their information. Some people just have nothing better to do with their lives than to do shit like this, and it's both scary and sad.

Click to shrink...

Yeah I suspect someone could find out who I am if they did a little leg work but at least it's not too apparent.

 

[Zan]

Thanks to this thread, I signed up for a password managment service. Not sure if it'll help, but whatever.

 

[Deleted member 30544]

Can we puhleeease change our emails to gmail or something free once registered with a non-free one 🙏

Click to shrink...

I was actually thinking in contacting the adminitrators (way before this situation) and ask them that. IF there is that chance please let us know.

 

[Gaardus]

apparently someone used my account to post some things here... I got a panic attack and changed my passwords in every e-mail that I got, including the one associated with my Era account...

Click to shrink...

If you aren't already, I strongly encourage you to use a password manager like LastPass or Bitwarden. It can create unique, randomly generated passwords for each of your accounts and handle filling in login info, so the only password you need to memorize is the one for your password manager account.

 

[Fuzzy]

Can we puhleeease change our emails to gmail or something free once registered with a non-free one 🙏

Click to shrink...

Mine is a gmail account but that was back during the first hours when they let us use one to sign up.

 

[GulAtiCa]

Mine is a gmail account but that was back during the first hours when they let us use one to sign up.

Click to shrink...

Same lol

 

[CyberWolfBia]

If you aren't already, I strongly encourage you to use a password manager like LastPass or Bitwarden. It can create unique, randomly generated passwords for each of your accounts and handle filling in login info, so the only password you need to memorize is the one for your password manager account.

Click to shrink...

thanks for the suggestion.. now I'm really scared, I'll try everything I can to protect my data..

 

[Deleted member 5086]

thanks for the suggestion.. now I'm really scared, I'll try everything I can to protect my data..

Click to shrink...

I strongly recommend using 2FA for everything that supports it, as well.

 

[Deleted member 25606]

I strongly recommend using 2FA for everything that supports it, as well.

Click to shrink...

Second this. Though I just tried it here and locked up my account because my password must be written wrong.

 

[TaySan]

I searched and looks like my account wasn't compromised here and nothing wasn't posted by someone else. Going to look into getting a password manager just in case.

Trolls with nothing better to do out there.

 

[Fuzzy]

Same lol

Click to shrink...

October 25th represent!

 

[Hollywood Duo]

Luckily I set up this site with a burner account.

 

[Deleted member 43084]

For password managers I also recommend using KeePass (KeePassXC for Mac), which creates a database that is an individual file on your computer that can be backed up to any cloud service. (and can be configured to make it impossible to brute force; you can use Argon2 for the password hash which is already very strong)

 

[modoversus]

They're the one who discovered the ESA leak and got them to remove the personal info of everyone at E3, so they have some credibility.

Click to shrink...

Interesting first post in this forum.

 

[Lashley]

Use password managers like Lastpass

 

[Falchion]

Thanks to all the staff working behind the scenes on this, it seems like everything is well in hand! Also at the very least, this was a good opportunity to get more users to implement 2FA.

 

[Gunny T Highway]

Thanks for the quick responses. Also friendly reminder to those who have not please set up the 2FA here as well as everywhere you can.

 

[B-Dubs]

Members have raised some concerns that leaving this thread open will create new targets for off-site trolls. We've answered all questions to the best of our knowledge. Again, we'd like to remind everyone that using 2FA and strong/unique passwords is a good precaution to always take.

If you have any concerns about the privacy of your account, please contact administration and we will be happy to help.