AionSource.com - Powered by the Tower of Eternity: Curse DB's Stolen


Curse DB's Stolen

#1 Nobody

  • Group: Administrators

Posted 07 March 2012 - 10:48 AM

What Happened

Apparently, there was a break-in on another Curse community site that allowed attackers to gain access to the Curse Authentication system. This then allowed them to steal databases from Arenajunkies.com, Aionsource.com, diablofans.com, enterbf3.com, modernwarfare3forum.com, ffxivcore.com, and zybez.net.


How This Will Affect You

First of all, please note that passwords for all of your accounts are salted and hashed. This basically means that the attackers are unlikely to straight out steal your account since they have to break the encryption on the password to do so. I am still going to recommend that everybody change their password though, which you MUST DO ON CURSE.COM AND NOT HERE. Also, change your email password if it's the same as the password here.

Additionally, please make sure that your game login and password are not the same as the login and password for this site. This is the second time since we've been running that our database data has been compromised and it is actually very common for hackers to target fan sites like us. It's useful to have a different password for every site that you visit and to either use software like 1Password or just to have a special way that you create your passwords for different sites that you can remember. Please also never use terms in the dictionary for passwords.

The biggest effect on users is going to be that your email addresses were stolen. This can be used immediately by the hackers in order to send you spam mail that suggests you need to enter your game account information onto their non-game site. This will allow hackers to gain access to your Aion or other game accounts.

NEVER, EVER, EVER CLICK A LINK IN AN EMAIL MESSAGE ABOUT A GAME ACCOUNT.

Oopsie, sorry about the caps.

If you always go to the site by typing it yourself, you are unlikely to ever be scammed through an email scam. It's a simple rule, but it's worked well for me.

So, in short for the tldr; crowd - change your password and ignore the spam mail you're about to get.

This post has been edited by Nobody: 08 March 2012 - 07:43 AM
Reason for edit: change email password if same


#2 dirtyklingon

Posted 07 March 2012 - 11:02 AM

:sidefrown:

inc spam on a 3rd email account due to curse. :eyeroll:

#3 Nobody

Posted 07 March 2012 - 11:04 AM

yeah, it very much frustrates me since there isn't anything I could have done about it since it wasn't about our security at all :(

Chalky said:

hits his head against a what board? racist!

Curse Premium - the Bare Truth

Ayase said:

Knite said:

Is this the forum where I can walk around naked without any worries

I sure hope so... otherwise i'll have to go grab a towel

#4 dirtyklingon

Posted 07 March 2012 - 11:05 AM

changed. :P

#5 0____________o

Posted 07 March 2012 - 11:42 AM

my password is foolproof. I learned from the movie Hackers.

#6 Fiets

Posted 07 March 2012 - 11:46 AM

0_________________o, on 07 March 2012 - 11:42 AM, said:

my password is foolproof. I learned from the movie Hackers.

:sparkles: That reminded me to go watch that movie again.

Oh nostalgia.

#7 Jubilee-

Posted 07 March 2012 - 11:47 AM

pear
bah!

#8 0____________o

Posted 07 March 2012 - 11:52 AM

Puddi, on 07 March 2012 - 11:47 AM, said:

pear


Posted Image

#9 Nobody

Posted 07 March 2012 - 12:07 PM

Please note that Curse just changed a bunch of security stuff so that it's now impossible for another attack like that to work. So they're on it.

#10 puremallace

Posted 07 March 2012 - 12:09 PM

Posted Image

#11 Device

Posted 07 March 2012 - 12:09 PM

Nobody, on 07 March 2012 - 10:48 AM, said:

Additionally, please make sure that your game login and password are not the same as the login and password for this site.

People actually do this?

fredundead, on 13 October 2010 - 03:25 PM, said:

I still <3 you devvie, it's ok.

#12 Fiets

Posted 07 March 2012 - 12:21 PM

Nobody, on 07 March 2012 - 12:07 PM, said:

Please note that Curse just changed a bunch of security stuff so that it's now impossible for another attack like that to work. So they're on it.

Now the question that really matters..

Why the nyerk didn't they do that after the first hack?

#13 Neb

Posted 07 March 2012 - 12:56 PM

WAY TO GO SCRUBS.

Ten Thousand Miles Away

#14 0____________o

Posted 07 March 2012 - 01:22 PM

what did they win an emmy?

#15 Nobody

Posted 07 March 2012 - 02:41 PM

Please note that passwords should be changed on curse.com and not here. As we are linked with them.

#16 Shadowsword8

Posted 07 March 2012 - 05:00 PM

Nobody, on 07 March 2012 - 02:41 PM, said:

Please note that passwords should be changed on curse.com and not here. As we are linked with them.

And is that a good idea? For damage containment, each should have remained independent.

I got my account hacked 15 months ago when someone stole authentications from Aionsource. And now this.

Since that Curse ID has just been proven a liability beyond your control, how about throwing it away?

#17 LKaz

Posted 07 March 2012 - 05:56 PM

Nobody, on 07 March 2012 - 10:48 AM, said:

The biggest effect on users is going to be that your email addresses were stolen.

Using same one since last time DB was stolen

Posted Image

#18 Nobody

Posted 07 March 2012 - 09:27 PM

Shadowsword8, on 07 March 2012 - 05:00 PM, said:

And is that a good idea? For damage containment, each should have remained independent.

I got my account hacked 15 months ago when someone stole authentications from Aionsource. And now this.

Since that Curse ID has just been proven a liability beyond your control, how about throwing it away?

As a reminder - while I run this site, I am a volunteer. I do not pay the bills for the servers and I don't manage the infrastructure (including the DDOS mitigation service) that keeps us up when bad things happen. As much as I'd like to think that if I threw Curse away that I'd be better off, I know it's not true because the hackers are always looking for a potential weakness and they're actually pretty smart. We've had some crazy attacks on us that didn't work, but they were very well crafted all the same. And there's always the attack that you don't foresee. Remember that Sony - a company much bigger than Curse and with a lot more employees working on security got hacked multiple times.

Since I've been working with Curse the security has actually gotten a lot better - people have been hired specifically to work with making us more secure. The main issue that we and any other site has is that we're highly targeted by hackers and while Curse is getting better, the hackers are also getting better. So while the type of attack that was just used on Curse has now been blocked from ever being able to occur again, there will always be potential things that happen in the future.

There is no such thing as a site that is not hackable unless it's just not on the internet. And even then I'm sure somebody can James Bond sneak their way into the place... social engineering attacks are a whole category unto themselves.

The best thing that you can do as a user is to make any information the hackers could hope to gain useless if they do get it. I love you as users, but I don't want your game email/pwd - keep it with the game where it belongs.

BTW - I just want to state that after I found out about the db I also informed the community managers for NA and EU Aion. I am suggesting that they warn their users that they may see a rise in email scam targeted attacks. Because the only power the hackers really have is what you give them - if you ignore their spam (gmail actually puts it in spam already for me) and don't have your game login data stored with us, then there's just nothing they can do.

Sorry for wall of text.

:plshelp:

#19 JeffWithaBird

Posted 08 March 2012 - 04:12 AM

Another note, change your email account password if it was the same as your pass here.

A salted hash isn't as secure as you think, 14 character random charset takes 2 minutes to crack with a single ATI 6990.

This post has been edited by JeffWithaBird: 08 March 2012 - 04:12 AM


#20 Xenomorph

Posted 08 March 2012 - 06:34 AM

Changed my password. :)

@Nobody,
Thx for letting us know. :-)

Really sick people keep busy with doing that stuff.
When you publish something online. Doesn't matter what. You are sometimes more busy with protecting just because of those people.