...still no front page announcement, e-mail, or sticky.
Originally posted by Synthlight
St1cky only proves that he has no life and that his parents are alcoholics. They probably abused him with rubber duckies when he was a baby. Why else would you exploit scores on FFR?
I've been asking who I can and I'm not getting much of an answer, I think at this time the scale of whatever happened is probably still being uncovered to its fullest, I personally suggest you send admins a private message expressing your discomfort not knowing how they have and plan to handle your data in the future, I'm doing it. Don't harass or be rude though, that won't get you anywhere but in trouble.
what do you think they're going to do? pay out the ass for a security audit? there are way too many attack vectors for this given that the site runs some old fuckin version of vbulletin, some old fuckin version of wordpress, and hasn't had its core updated in like 10 years at this point. the page you're whining on right now isn't even https.
if your password or email here exposes anything amazing about your life then you should probably rethink your security strategy.
Nobody is asking them to perform a security audit. At the very least though, there should be a news post or automated mail to registered users.
Ideally, like most other sites, passwords should be reset given that the breach is confirmed on two sites, with info that I know is valid.
Look, I joined what... 13 years ago? Back then, me and most other young people probably didn't practice the best web security. I'm willing to bet that a large number of accounts here use the same password for their registered e-mail, and who knows where else. Facebook, Twitter... it's in the best interest for FFR to be upfront and alert people to what happened.
In fact, I'd argue that it's their moral responsibility.
I guess it just being like "yo bro we got haxked pls change passerino thnx" when you log in would be ok
I mean like, I used an email to register for this in 2007 and I don't even remember what the email is anymore to be honest
I keep up with the latest data breaches. I remember the huge leaks. I was part of Dropbox, Adobe, Tumblr, Linkedin, Nihonomaru, FFshrine, MyDigitalLife.info, Hongfire... all notified users and forced password resets.
Granted, most of those are larger companies, but those last few are forums, some smaller than FFR, some larger. The longer it takes to address, the more risk people are at for being affected.
On the bright side, I wonder if emails would bring people back lol, like oh that game.. I guess I could try it again
To be fair though to the staff, #1 that post isn't gonna write itself, I know it's just a simple thing I guess but it's easier said than done, #2 the staff is working on new site as prawn said earlier (hype, I wish yall staff would talk about new stuff more, get the hype comin)
Not only that, but I completely believe they wouldn't know about it until now.. For example, Google "FFR leak" or whatnot.. Can you explain why all the news articles about it are from like, Sept 6th? Actually on inspection it looks like some of them are auto generated sites pulled from some leak data, which would explain why people only know now..
To me it's a really bold assumption to say "it's been 8 months.." I mean, it's not like it's a matter of going "oh damn I knew I should have checked the logs, would you look at that! Someone ran the download algorithm on the backend hexadecimal to get the intranet to parse" like how would you even begin to know you were breached, you'd have to know how it happened, be looking for it and stuff.. Like shit man this site's written with php, I asked my artificial intelligence prof today if we could use Web languages like php and they were like "you can use any server side language, except php"
FFR emails end up in my spam folder. They probably end up in other people's spam folder. An email alert will likely not work.
-o24
Originally posted by hi19hi19
Best strat: enjoy the game, play what you feel like when you feel like it. Don't think about what you are doing or why, enjoy the gameplay, the artistry behind the stepfile, and enjoy the music.
When the game isn't fun for you anymore, take a break. It's not a job, nobody here is professional and getting paid to play and force themselves to constantly improve... it's a game.
Originally posted by Shashakiro
Yeah, FFR is addicting...I don't think I'll get bored with this game unless I somehow become the best at it, which won't happen.
there's a difference between doing these things that are more resource/time-intensive than what coolgamer is asking for, and doing nothing. social engineering has to happen on both ends if that's what you really want. i see no version of this where you can say staff is handling this well.
It's been two days since this thread was made, and there have been a couple staff posts in the thread on the subject. The first we heard about this breach was this thread. Nothing in our logs indicates that it happened, given it was months and months ago. We needed to investigate it, assess what it meant and look at our options. I've got a post just waiting for some others to look at before I can put it out. So please, just a small bit more patience.
Thank you for keeping us up to date at least. Trust me, I wasn't trying to sound like a whiner or anything.
As some of you may have seen from the forums, the website haveibeenpwned.com is reporting that there was a breach of FFR in February of this year, resulting in the compromising of Usernames, Email Addresses and IP information, as well as Salted MD5 password hashes. Further, the Vigilante.pw twitter feed claims that as of July of this year, a large majority of those accounts had their passwords successfully cracked into plaintext.
What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away. We actually have no evidence on our side of this breach, but there's no reason to doubt multiple sources reporting it, so we need to treat it like it is fact.
What it means for FFR passwords is a little more complicated. Some levelling with you is going to happen now.
Due to various issues (mostly the non-profit nature of the site and the absence of Synthlight) it is unlikely that we'll be able to upgrade the security architecture in any especially meaningful way. As well, while in 2008, salted MD5 hashes were fairly secure, that has become less so as time passes. We are investigating ways to store passwords more securely that are still compatible with our existing systems, but in the near-term in today's information security climate, we have to basically be frank that we lack any especially compelling ways to secure your password.
Out of the salted hashes compromised in the breach, nearly 400,000 of them remained uncracked. Those were users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked, sufficiently strong passwords are at least some deterrent to these attacks. So for FFR, like any and every other service you have with a password, your best bet is to use a password manager like KeePass to generate very strong passwords unique to each source. If you don't want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblance to any personally identifying words or phrases, and avoiding things like simple substitution (3 for e or 1 for i etc).
While we are definitely sympathetic to anybody who had passwords compromised that are used in any other places, please do understand that the first we heard about this breach was when it was posted in the forums, and investigation on our end needed to happen to try and confirm the reports, assess what happened, and try to figure out where we actually stood with regards to our options, and that we haven't been trying to avoid, ignore or otherwise not address these issues by mostly remaining quiet up until now.
We apologise for the effort in changing passwords this is going to cause, and any alarm caused by our taking a few days to assess before saying something.
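An added example, not FFR's or vBulletin's code, of the "more secure but still compatible with existing systems" approach the staff post mentions: the legacy salted-MD5 digest is wrapped in a slow key-derivation function (PBKDF2-HMAC-SHA256 here), which can be applied to every stored record offline without the plaintext, and legacy records are also upgraded transparently on a successful login. The `md5(password + salt)` layout, the scheme names and the record fields are assumptions for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # cost factor; tune to the server's budget


def legacy_md5(password: str, salt: str) -> str:
    """Assumed 2008-era layout: hex MD5 over password followed by salt."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def _stretch(md5_hex: str, kdf_salt: bytes) -> str:
    # Key-stretch the legacy digest so a stolen table is slow to crack.
    dk = hashlib.pbkdf2_hmac("sha256", md5_hex.encode(), kdf_salt, PBKDF2_ROUNDS)
    return dk.hex()


def wrap_legacy(md5_hex: str, salt: str) -> dict:
    """Offline migration: upgrade a record using only the stored digest,
    so the whole user table can be converted before anyone logs in."""
    kdf_salt = os.urandom(16)
    return {"scheme": "pbkdf2(md5)", "salt": salt,
            "kdf_salt": kdf_salt.hex(), "hash": _stretch(md5_hex, kdf_salt)}


def verify(record: dict, password: str) -> bool:
    """Constant-time check against either the legacy or the wrapped scheme."""
    inner = legacy_md5(password, record["salt"])
    if record["scheme"] == "md5":
        return hmac.compare_digest(record["hash"], inner)
    if record["scheme"] == "pbkdf2(md5)":
        expected = _stretch(inner, bytes.fromhex(record["kdf_salt"]))
        return hmac.compare_digest(record["hash"], expected)
    raise ValueError("unknown password scheme: %r" % record["scheme"])


def login(record: dict, password: str) -> tuple:
    """Verify; on success, transparently upgrade a still-legacy record.
    Returns (record_to_store, success)."""
    if not verify(record, password):
        return record, False
    if record["scheme"] == "md5":
        record = wrap_legacy(record["hash"], record["salt"])
    return record, True


if __name__ == "__main__":
    # Constructed sample record, not real user data.
    rec = {"scheme": "md5", "salt": "Zq", "hash": legacy_md5("correct horse", "Zq")}
    rec, ok = login(rec, "correct horse")
    print(ok, rec["scheme"])  # True pbkdf2(md5)
```

The wrapped form removes the fast-MD5 weakness for stored hashes, but anyone whose password was already cracked from the original leak still needs to change it.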
it's been a long time since i poked around an ACP as well, but i feel like the forum backend has some option like "prompt password change on next login" for things like this. either that, or it can be enforced through usergroups. the more things you can stick in front of people's faces to get them to take action, the better. what worries me, though, is someone on staff probably looked for that already, and if there's seriously no ACP function to handle this then VB is some staggeringly horrible software
like, it's one thing to say "change your passwords everyone" - which has come up several times now, but only in this thread in the forums - but another to actually require it, at least as a short-term stopgap while devs are at work doing something
Multiple people with a far better understanding of how FFR's backend works have strenuously advocated for -not- attempting a forcible password reset for the users. I tend to want to trust their judgment.
In what I'm sure is a shockingly large number of cases, the email address tied to people's accounts is years out of date and non-functional, which would mean your password gets reset, you have no way to get back at it, and you'll have to make a new account just to ask us to reset it manually for you.
hmm, okay, i get that. it just seems really counterintuitive to me, is all. certainly counter to my intuition.