Community Security Update

Hex

Keyboard & Tech Content Creator
Donor
Joined
Jan 13, 2013
Messages
625
Reaction score
1,112
Hello everyone,

It's recently come to our admin team's attention that during a forum breach at the end of 2015 (you can view the announcement about it here), username/email lists were leaked from the Admin Control Panel on the forums. We take our users' privacy seriously, and would like to stress that these lists do NOT include user passwords, which are not available at all from the ACP or anywhere else on the front-facing side of the forums. We knew in 2015 that the breach did not reach the backend of the forums, where all passwords are protected and hashed correctly. This was not a database breach, only a breach of the front end of our forums' control panel.

After the breach in 2015, we upgraded our forums to include 2 Factor Authentication to improve our security. We'd like to take this moment to recommend users take advantage of this extra security, both on our forums and on any other website that offers the service (email, other forums, etc.). You can go here to add it to your account on our forums: https://escaperestart.com/forum/account/two-step

How was the list obtained? Within the ACP is a feature to send email blasts to users. This tool can also be used to generate a list of email addresses, in the same format as was found to be leaked. Because of how Xenforo saved admin logs in the version we were using during the breach, the email list access was not logged. As was noted in the thread at the time, investigations of backend access showed no malicious access of our webserver.

It looks like this on our Admin CP


All in all, there is nothing to worry about, but we decided to act upon it quickly to make sure no rumours or the like are spread, and to make sure we notify users, because they have the right to know when things like this happen. If you have any questions, feel free to leave them below.

Thank you for reading,
Your friendly neighbourhood CAs
 

Ltin

Member
Mafia Host
Joined
Apr 7, 2013
Messages
951
Reaction score
1,481
How did this come to your attention so long after the breach? (I realize this probably sounds hostile, but it isn't meant to)


Also, I seem to recall that when the news of the breach first broke a mass email was sent out. Have the admins considered doing that again?
 

Nillbugwtw

Zombier than thou.
Community Admin
Donor
Joined
Aug 6, 2011
Messages
959
Reaction score
1,894
How did this come to your attention so long after the breach? (I realize this probably sounds hostile, but it isn't meant to)
It was brought to our attention by a 3rd party who happened upon the said email list.
Also, I seem to recall that when the news of the breach first broke a mass email was sent out. Have the admins considered doing that again?
In this case, we don't really feel that it's necessary - if more sensitive data such as passwords were involved, it would be more pressing, but because we don't expect this to impact the security of our users, as it hasn't for the past two and a half years (unless your username is your email password). All in all, it's less of a breaking news bulletin, and more of a "for your information" update.
 

Catcocomics

Member
Joined
Jul 20, 2013
Messages
1,523
Reaction score
682
If this happened to be around or not long before the summer of 2015, it could be the cause of why my Minecraft account got hijacked via migration exploit around that time.
I didn't have much problem reclaiming my account and remigrating it for myself, though.
Think it was just a two-week process of contacting Mojang Support and verifying identity via purchase receipt.
 

Danni122112

The Drunk
Controller
Moderator
Donor
AoD Staff
Survival Staff
Joined
Nov 21, 2011
Messages
2,318
Reaction score
3,278
If this happened to be around or not long before the summer of 2015, it could be the cause of why my Minecraft account got hijacked via migration exploit around that time.
I didn't have much problem reclaiming my account and remigrating it for myself, though.
Think it was just a two-week process of contacting Mojang Support and verifying identity via purchase receipt.
Was December, if you check the post linked.
 