"And please, while I recognise that this is frustrating, let me remind everyone not to take this out on the smods or even the administration. Contrary to popular belief we have little control and say over security/servers/more complex developmental matters and additions/logs etc. We work with and deal with lots of front end forum and community matters and that's pretty much what we're limited to. :s "
So who does? I got a very short email from toribash three days ago. I've waited for more information, but I'm not seeing anything else about the breach. That's not acceptable.
:s
http://blog.eyewire.org/security-dat...on-2016-02-23/ <- this is how you handle a security breach. Not "Change your password, everywhere. We're looking into it, we promise. We hope nothing bad is happening!" Details about whether the passwords were encrypted, whether the encryption used salted hashes, what information might be compromised other than generic "privacy", etc. This isn't information that you keep to yourselves to further your "investigation"; you can't keep it to yourself to catch the bad guy (if the police are requesting that you not release it, say so!). This is vital information for your users' own security. I gather passwords "may or may not" be compromised, but emails? Names? Birthdays? All of these things can be used to steal a person's identity and ruin their lives using other breached databases, and the only defense is rapid response from the individuals affected. Worse yet, game websites are often places kids congregate, kids that may not even know that something as innocuous as their birthday can be used to destroy them years later. Criminal negligence is a thing.
If you can pass this on to the people that have the information behind this breach, that would be appreciated. I really love your game, I think it should be on school computers for what it does to teach analytical thinking about motion, but if you don't understand how serious people's personally identifiable information is, I seriously question whether you should be collecting it.
Not even national security clearance in my country requires 7-day / 14-day password expiry; actually, I think most people in security would agree that's far too aggressive. At best it's a band-aid fix; the underlying problem is lack of security on the server side.
For example, the cooldown on repeated guesses is not aggressive enough, allowing people to brute-force. Or allowing people to log in from far-away IPs without email verification (which is weird, because we used to have that feature; I used to get location verification emails). Or allowing a password change without email verification (why does this exist?!).
These are very basic security measures, and I know that there is the capacity to carry them out, because either they are done already (but badly) or they were done in the past (but apparently removed), and because all the information exists (email has been a required field for a few years now).
This is the very basics that I would expect from any website, let alone one that has had consistent problems and regular forced global password resets...
If you rely on volunteer staff with limited power to manually enforce your security that is worrying in itself!
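The controls asked for above (salted password hashing, a cooldown on repeated guesses, and email verification for logins from an unfamiliar IP) are simple enough to show in a few dozen lines. The following is an added example written for this thread; it is not Toribash's or vBulletin's code, and it uses Python with an in-memory account store purely for illustration (the account and service names, the attempt thresholds and the cooldown schedule are all assumptions). The same idea in a PHP forum backend would wrap the same three checks around the existing login handler.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Parameters below are illustrative choices, not values from the original thread.
PBKDF2_ITERATIONS = 200_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16
MAX_FREE_ATTEMPTS = 3         # failures tolerated before a cooldown starts
BASE_COOLDOWN = 2.0           # seconds; doubles with every further failure
MAX_COOLDOWN = 15 * 60        # cap so an attacker cannot lock a victim out forever


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    salt: bytes
    digest: bytes
    known_ips: Set[str] = field(default_factory=set)
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    """Hypothetical login front end: salted hashes, exponential cooldown, new-IP check."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock                      # injectable so behaviour can be tested offline
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str, ip: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest, {ip})

    def login(self, username: str, password: str, ip: str) -> str:
        """Return 'ok', 'invalid', 'cooldown' or 'verify_email'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Burn the same hashing cost so response time does not reveal valid usernames.
            hash_password(password, b"\x00" * SALT_BYTES)
            return "invalid"
        if now < acct.locked_until:
            return "cooldown"                   # reject without even checking the password
        if not verify_password(password, acct.salt, acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FREE_ATTEMPTS:
                delay = min(BASE_COOLDOWN * 2 ** (acct.failures - MAX_FREE_ATTEMPTS), MAX_COOLDOWN)
                acct.locked_until = now + delay
            return "invalid"
        acct.failures = 0
        acct.locked_until = 0.0
        if ip not in acct.known_ips:
            # Correct password from an unfamiliar address: the caller must mail a
            # confirmation link and call confirm_ip() before issuing a session.
            return "verify_email"
        return "ok"

    def confirm_ip(self, username: str, ip: str) -> None:
        self.accounts[username].known_ips.add(ip)
```

Two design points worth noting: the cooldown is tracked per account rather than per source IP, because a distributed guessing attack changes IP on every request, and the lockout is capped so that the same mechanism cannot be turned into a denial of service against a chosen user. Password changes would go through the same `verify_email` path before the new hash is stored.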
That would be hampa - game owner/developer.
Telling people to change their passwords etc is about the most that the staff here can do. As moderators and community managers they don't predominantly deal in firefighting and security things.
I'm guessing full details haven't been released because they're not fully known. It's possible that the perpetrator obtained an old copy of, or a part of, the database, in which case they would have access to birthdays, emails, etc. if that data has been provided here. Contrast that to if they managed to abuse XSS somehow or used phishing: then they would typically only obtain login info (and full details of specific targeted/compromised accounts).
I agree that it hasn't been handled optimally and to be frank the security here could be a lot better and seems to just be kept the way it is for...some reason? I don't know really. Security changes seem to be reactionary instead of precautionary as they should be.
Examples of obvious stuff: Toribash uses a vBulletin version from 2009. We don't have SSL (though it's hopefully on the way). There's no login attempt limit in the game client. Etc., etc. So if you want to get angry at anyone, aim for the top. Put enough pressure on and maybe it'll be enough to incite change.