FYI: Planet Calypso forum Data Breach

Status
Not open for further replies.

Killahbee

Elite
Joined
Aug 30, 2005
Posts
4,873
Location
The Netherlands
Society
Silly Underground Family
Avatar Name
Killahbee Killer Bee Killahbee
Your password is 5258 days old, and has therefore expired.

Please change your password using this page.


Got that today :) 14,4 years... damn
 

TSCRYPTO

Stalker
Joined
Nov 28, 2005
Posts
1,593
Location
A stone's throw away from Antarctica
Society
Shaolin
Avatar Name
TS TSEC CRYPTO
Your password is 5258 days old, and has therefore expired.

Please change your password using this page.


Got that today :) 14,4 years... damn
Haha, that's gold :)
I have just returned after a very long absence. My password was 8 days old.
 

mspatterson

Old Alpha
Joined
Sep 26, 2015
Posts
777
Location
SPACE
Society
Odysseus Unbound
Avatar Name
Count Sinner Gism
Haha, that's gold :)
I have just returned after a very long absence. My password was 8 days old.
well u shud thank the hackers for keeping it up to date for u =p
 

TSCRYPTO

Stalker
Joined
Nov 28, 2005
Posts
1,593
Location
A stone's throw away from Antarctica
Society
Shaolin
Avatar Name
TS TSEC CRYPTO
well u shud thank the hackers for keeping it up to date for u =p

It's funny. When I saw the message I thought we had been hacked again, as 8 days is not your typical password timeout in any setting. So I closed the browser, got rid of the cookies and then came back in to the forum without logging on.
After a moment or two, I found the posts by 711 and then sorted the password.

:laugh:
 

theProphet

Prowler
Joined
Mar 8, 2006
Posts
1,292
Location
Austria / Vienna
Society
Calypso Rescue Team
Avatar Name
Prophet the Prophet from Planet Zen
Apologies for the inconvenience.
Maybe also hand over the list of breached email addresses to MindArk, to make them reset their EU passwords too.
 

GxB

Guardian
Joined
Oct 3, 2019
Posts
212
Maybe also hand over the list of breached email addresses to MindArk, to make them reset their EU passwords too.
MA has full access to anything happening on PCF. They know every private message etc., so there is no need to give them anything. They already have it.
 

TSCRYPTO

Stalker
Joined
Nov 28, 2005
Posts
1,593
Location
A stone's throw away from Antarctica
Society
Shaolin
Avatar Name
TS TSEC CRYPTO
MA has full access to anything happening on PCF. They know every private message etc., so there is no need to give them anything. They already have it.
And besides, no-one should be using the same password for the forum and for the game.
If your game account was compromised as a result of this breach, then you would already know about it.
Also, we all have smartphones these days. 2FA is a no-brainer.
 

San

Stalker
Joined
Aug 5, 2007
Posts
2,497
Location
That freaking cold place (in RL)
Society
OldTimers
Avatar Name
Sandal San Tolk
HTTPS has now been enabled site-wide on PlanetCalypsoForum.com. While the use of HTTPS would not have prevented the database breach that is referenced in this thread, it is still an extra layer of protection for PCF members which may prevent certain types of malicious attacks.
Thank you. Then what would have prevented the database breach that is referenced in this thread? That something had to happen first to motivate taking even the most basic steps like HTTPS does not increase trust in a system administrator. (Well, don't worry. This is "just" a game forum and I assume managing it is "just" a hobby. It is never cool when users put standards on unpaid work without a note of appreciation for all the time it is kept up. But if I were to hire someone to take care of infrastructure who would give this as a reference...)
 

wizz

Elite
Joined
May 29, 2005
Posts
3,814
Location
Brabant
Society
The Ministry
Avatar Name
Wizzina Wizz Pale Moon
Is it just me or did we all have to change our password?
It said that my password hadn't changed in 5333 days and that I had to change it.

Did everybody get this message?
 
Joined
May 20, 2007
Posts
9,349
Location
England
Society
Guess Who
Avatar Name
George Ace Skywalker
As a security precaution, all members (who have not changed their password within the last 7 days) will be prompted to change their password upon their next visit to PCF.

It is strongly recommended to use a unique password that is at least 8 characters in length, difficult to guess, and that is not used for any other websites or services (i.e. Entropia Universe).

Apologies for the inconvenience.
Is it just me or did we all have to change our password?
It said that my password hadn't changed in 5333 days and that I had to change it.

Did everybody get this message?
You must have missed 711's post above. I've quoted it above.
 

mspatterson

Old Alpha
Joined
Sep 26, 2015
Posts
777
Location
SPACE
Society
Odysseus Unbound
Avatar Name
Count Sinner Gism
What's scary is we're talking about this now.. wasn't the actual event in July 2019?
 

theProphet

Prowler
Joined
Mar 8, 2006
Posts
1,292
Location
Austria / Vienna
Society
Calypso Rescue Team
Avatar Name
Prophet the Prophet from Planet Zen
What's scary is we're talking about this now.. wasn't the actual event in July 2019?
That's when the hack supposedly happened. Then everyone but MindArk, PCF, and us found out about it, until finally some friendly internet people decided to inform the masses via their browser products or security websites.

then again, nothing happened for days and nearly weeks. which kinda isn't really what EU law says. (haha wordplay!)
 

Detritus

Self-requested Deactivation
Joined
Sep 25, 2016
Posts
1,084
Avatar Name
Detritus the Troll
What's scary is we're talking about this now.. wasn't the actual event in July 2019?

It's unlikely that it's the only time it's happened, this one just happened to be discovered. If you go look at compromised pw lists on the dark web, there's a pretty good chance you have at least one password on one of them. These "is this site compromised" type of services are basically just continually looking for those lists and reporting on them. They aren't catching all of them.

If you care about your account security (anywhere) you should simply change your pw frequently and don't use the same pw in more than one place; or better yet use 2FA wherever you can. The only "scary" thing in this thread is that this apparently isn't common sense for most people.
 

Oleg

Mutated
Joined
Aug 15, 2006
Posts
19,022
Location
Leeds, UK
Society
Rangers
Avatar Name
Oleg Oleg McMullery
A breach is not the same as a hack. Most of you don't seem to realise that.
 

San

Stalker
Joined
Aug 5, 2007
Posts
2,497
Location
That freaking cold place (in RL)
Society
OldTimers
Avatar Name
Sandal San Tolk
A breach is not the same as a hack. Most of you don't seem to realise that.
It will be a hack when someone finds them in an MD5 database which has been collecting hashes for many years now and tries something with it. However, it is rather inconsequential in this context and should not be blown out of proportion, true. But it just shows something which in Swedish is called "nonchalans" (nonchalance). The word has quite a different meaning here than where I came from.
 

Detritus

Self-requested Deactivation
Joined
Sep 25, 2016
Posts
1,084
Avatar Name
Detritus the Troll
It will be a hack when someone finds them in an MD5 database which has been collecting hashes for many years now and tries something with it.

The breach is more serious, since that means personal information has been exposed.

It would be a hack if that's how they obtained the data (as opposed to negligence).

Though it would be useful to discover how the data was obtained, the most relevant part to us as the users is that it was in fact a breach.

Not sure why anyone would care to roll these into an MD5 rainbow table though (I think what you were implying), since nobody with even a basic understanding of security has used MD5 for passwords in the last 20 something years, so it would be relatively useless for almost all other sites.
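The point raised above about old MD5 dumps, as an added example that is not code from the thread or from the forum software: it builds two constructed credential tables for the same made-up users, once stored as unsalted MD5 and once as salted PBKDF2, and shows that with unsalted MD5 a reused password is visible by simply comparing digests between two dumps (no cracking needed), whereas salted records from two sites never match. The user names, passwords and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune to your hardware


def md5_unsalted(password: str) -> str:
    """Legacy storage the thread warns about: one fast, unsalted digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: bytes) -> bytes:
    """Salted, slow digest: the same password with a different salt gives an unrelated digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify_pbkdf2(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so login timing does not leak digest prefixes."""
    return hmac.compare_digest(pbkdf2_salted(password, salt), stored)


# Constructed users: alice reused one password on both sites, bob did not.
USERS_SITE_A = {"alice@example.com": "hunter2hunter2", "bob@example.com": "tree-frog-vault"}
USERS_SITE_B = {"alice@example.com": "hunter2hunter2", "bob@example.com": "lamp-bridge-kettle"}


def build_md5_dump(users: dict) -> dict:
    """What a leaked table looks like when a site stored unsalted MD5."""
    return {email: md5_unsalted(pw) for email, pw in users.items()}


def build_pbkdf2_dump(users: dict) -> dict:
    """What a leaked table looks like when a site stored salted PBKDF2 (salt kept beside digest)."""
    dump = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        dump[email] = (salt, pbkdf2_salted(pw, salt))
    return dump


def reused_passwords_across_dumps(dump_a: dict, dump_b: dict) -> set:
    """Emails whose stored record is byte-identical in both dumps.

    With unsalted MD5 this needs no cracking at all, which is why a years-old
    dump keeps its value against every other site that stored MD5. With
    per-user salts the records never coincide, so reuse is not visible this way."""
    return {email for email, rec in dump_a.items() if email in dump_b and dump_b[email] == rec}


if __name__ == "__main__":
    md5_a, md5_b = build_md5_dump(USERS_SITE_A), build_md5_dump(USERS_SITE_B)
    print("reuse visible in MD5 dumps:", reused_passwords_across_dumps(md5_a, md5_b))
    pb_a, pb_b = build_pbkdf2_dump(USERS_SITE_A), build_pbkdf2_dump(USERS_SITE_B)
    print("reuse visible in salted dumps:", reused_passwords_across_dumps(pb_a, pb_b))
```

The same comparison is what a defender can run over their own credential table after a third-party breach notice: if your records are unsalted, any digest that also appears in the public dump identifies an account that needs a forced reset.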
 

San

Stalker
Joined
Aug 5, 2007
Posts
2,497
Location
That freaking cold place (in RL)
Society
OldTimers
Avatar Name
Sandal San Tolk
The breach is more serious, since that means personal information has been exposed.

It would be a hack if that's how they obtained the data (as opposed to negligence).
You can interpret this in different ways -- hacking into a somehow secured system to steal data vs. their admin accidentally letting it lie in the open, or hacking away at a tarball you obtained from somewhere and trying to harvest something from it. Let's not split hairs. The MD5 hint was taken from further above and I found it superfluous to comment further. There are people on both sides of IT security who approach it with the good ole "never change a running system" up to this day.
 

Detritus

Self-requested Deactivation
Joined
Sep 25, 2016
Posts
1,084
Avatar Name
Detritus the Troll
There are people on both sides of IT security who approach it with the good ole "never change a running system" up to this day.
Sadly yes, you make a good point.
 

mspatterson

Old Alpha
Joined
Sep 26, 2015
Posts
777
Location
SPACE
Society
Odysseus Unbound
Avatar Name
Count Sinner Gism
It's unlikely that it's the only time it's happened, this one just happened to be discovered. If you go look at compromised pw lists on the dark web, there's a pretty good chance you have at least one password on one of them. These "is this site compromised" type of services are basically just continually looking for those lists and reporting on them. They aren't catching all of them.

If you care about your account security (anywhere) you should simply change your pw frequently and don't use the same pw in more than one place; or better yet use 2FA wherever you can. The only "scary" thing in this thread is that this apparently isn't common sense for most people.
oh so you're not even the slightest bit concerned they hacked your acct 6m ago and have been sending everyone nudies? what if they're not decent nudies? I'd be really upset if it were me!!
 

Detritus

Self-requested Deactivation
Joined
Sep 25, 2016
Posts
1,084
Avatar Name
Detritus the Troll
oh so you're not even the slightest bit concerned they hacked your acct 6m ago and have been sending everyone nudies? what if they're not decent nudies? I'd be really upset if it were me!!
You do make a valid point. I would certainly not want anyone to question my taste in nudies.
 

wizz

Elite
Joined
May 29, 2005
Posts
3,814
Location
Brabant
Society
The Ministry
Avatar Name
Wizzina Wizz Pale Moon
oh so you're not even the slightest bit concerned they hacked your acct 6m ago and have been sending everyone nudies? what if they're not decent nudies? I'd be really upset if it were me!!
what?! Nudies?

Why didn't I get any?! :(
 

Westy

Stalker
Joined
Jan 18, 2006
Posts
1,781
Location
Australia
Society
Antipodean Army
Avatar Name
Buster Westy Westmoreland
HTTPS has now been enabled site-wide on PlanetCalypsoForum.com. While the use of HTTPS would not have prevented the database breach that is referenced in this thread, it is still an extra layer of protection for PCF members which may prevent certain types of malicious attacks.

Note that on some pages (mainly thread discussions where user signatures are displayed) your browser may indicate that some of the content being served is not secure; this is caused by non-HTTPS signature images hosted on other servers (i.e. EntropiaLife).
Scored an A. Noice. No SSL protocol or TLS 1.0 or 1.1. Also noice. Thanks 711.
Encrypting authentication is always good.

https://www.ssllabs.com/ssltest/analyze.html?d=planetcalypsoforum.com
 

Westy

Stalker
Joined
Jan 18, 2006
Posts
1,781
Location
Australia
Society
Antipodean Army
Avatar Name
Buster Westy Westmoreland
And besides, no-one should be using the same password for the forum and for the game.
If your game account was compromised as a result of this breach, then you would already know about it.
Also, we all have smartphones these days. 2FA is a no-brainer.
I can understand some people wouldn't have bought the Gold card and reader if they felt they didn't have much to protect. But now there is no reason not to. Download the app and do it yesterday. Costs u nothing.

It's not true that using 2FA causes loot to drop to 90% average. 0o0o0o0o0
 

Max Hec

Dominant
Joined
Jun 25, 2016
Posts
360
Avatar Name
Max Hec Walker
Changed password, next day couldn't log in; changed password today, logged out and couldn't log in.
On a hunch I experimented, and several password resets later:

If forum password is over 50, 60, and 70 characters long:
The forum password reset page will accept it 100%
But it will not let you log in.

If forum password is up to a maximum of 50 characters long:
The forum password reset page will accept it 100%
And it'll let you log back in again.

It appears there is some password maximum length parsing/truncation in one part of forum but not the other.

Now I've only seen max password lengths for websites that save passwords in plaintext for "easy customer service" and/or just have really poor security practices. But I really hope neither is the case here and that max length is just some left over coding artifact from one of the earliest variations of the forums.



PS. This forum's 'contact us' form does not work in the Opera or Firefox web browsers: click send and nothing happens.
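The mismatch reported above, as an added example that is not the forum's code: a reset handler that hashes whatever it is given, next to a login handler that silently cuts the input to 50 characters before hashing, followed by a consistent version in which one shared policy check runs at both entry points and refuses over-long input with a visible error at reset time instead of storing a credential that can never authenticate. The 50-character cut-off is the figure reported in the post; the 128-byte ceiling in the hardened version, the PBKDF2 parameters and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

LOGIN_TRUNCATES_AT = 50    # limit reported in the thread for the login path only
MAX_PASSWORD_BYTES = 128   # assumed ceiling for the hardened version; bounds hashing cost


def _digest(password: str, salt: bytes) -> bytes:
    """Salted slow hash shared by both versions; parameters are assumptions."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# --- Inconsistent pair: the behaviour reported in the post ------------------

def reset_password_inconsistent(password: str) -> tuple:
    """Reset path: accepts any length and hashes the full string."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def login_inconsistent(password: str, record: tuple) -> bool:
    """Login path: truncates before hashing, so anything longer than the
    cut-off can be set but never used to log in."""
    salt, stored = record
    return hmac.compare_digest(_digest(password[:LOGIN_TRUNCATES_AT], salt), stored)


# --- Consistent pair: one policy function applied at every entry point ------

class PasswordTooLong(ValueError):
    pass


def check_policy(password: str) -> str:
    """Single source of truth for length handling; never truncates."""
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return password


def reset_password_consistent(password: str) -> tuple:
    """Over-long input is refused here, with an error the user can see."""
    salt = os.urandom(16)
    return salt, _digest(check_policy(password), salt)


def login_consistent(password: str, record: tuple) -> bool:
    """Same rule as reset; a rejected candidate is refused before any hashing work."""
    try:
        candidate = check_policy(password)
    except PasswordTooLong:
        return False
    salt, stored = record
    return hmac.compare_digest(_digest(candidate, salt), stored)


def reproduce_report(length: int) -> tuple:
    """Set, then immediately re-use, a password of the given length under both pairs.
    Returns (inconsistent_login_ok, consistent_login_ok)."""
    pw = "p" * length
    inconsistent_ok = login_inconsistent(pw, reset_password_inconsistent(pw))
    try:
        consistent_ok = login_consistent(pw, reset_password_consistent(pw))
    except PasswordTooLong:
        consistent_ok = False  # refused at reset, so no unusable record is created
    return inconsistent_ok, consistent_ok


if __name__ == "__main__":
    for n in (50, 60, 70, 200):
        print(n, "chars ->", reproduce_report(n))
```

Lengths of 50 log in under both versions; 60 and 70 reproduce the report (reset accepted, login refused) under the inconsistent pair and work under the consistent one; 200 is refused by the consistent reset with an explicit error rather than accepted and then silently unusable.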
 

Seventy Was

Provider
Joined
Jan 10, 2011
Posts
192
Society
WildD3amons
Avatar Name
Seventy 70 Was
I get the change password message as it is over 7 days old. Well yes, since this thread was posted I already had the change password message, and changed it. Now again after 7 days? Have you been found in a compromising position yet again?
 

Piotr

Elite
Joined
Mar 24, 2010
Posts
2,572
Location
Hungary
Society
BAHQ
Avatar Name
Iveline Ivi Stockhouse
I get the change password message as it is over 7 days old. Well yes, since this thread was posted I already had the change password message, and changed it. Now again after 7 days? Have you been found in a compromising position yet again?
Same here, password 7 days old hence expired... whaaat?
 

K_rupT

Prowler
Joined
Apr 2, 2008
Posts
1,071
Location
Eudoria
Avatar Name
KrupT KrupT RaveR
I get the change password message as it is over 7 days old. Well yes, since this thread was posted I already had the change password message, and changed it. Now again after 7 days? Have you been found in a compromising position yet again?
Got the 7-day as well. Kinda lame if we have to change it once a week.
 