FYI: Planet Calypso forum Data Breach

[Killahbee]

Your password is 5258 days old, and has therefore expired.

Please change your password using this page.


Got that today 14,4 years... damn

 

[TSCRYPTO]

Your password is 5258 days old, and has therefore expired.

Please change your password using this page.


Got that today 14,4 years... damn

Haha, that's gold
I have just returned after a very long absence. My password was 8 days old.

 

[Deleted member 55358]

Haha, that's gold
I have just returned after a very long absence. My password was 8 days old.

well u shud thank the hackers for keeping it upto date for u =p

 

[TSCRYPTO]

well u shud thank the hackers for keeping it upto date for u =p

It's funny. When I saw the message I thought we had been hacked again, as 8 days is not your typical password timeout in any setting. So I closed the browser, got rid of the cookies and then came back in to the forum without logging on.
After a moment or two, I found the posts by 711 and then sorted the password.

 

[theProphet]

Apologies for the inconvenience.

maybe also hand over the list of breached email-addresses to mindark, to make them reset their EU passwords too.

 

[GxB]

maybe also hand over the list of breached email-addresses to mindark, to make them reset their EU passwords too.

MA has full access to anything happening on pcf. they know every private message etc. so there is no need to give them anything. they already have it

 

[TSCRYPTO]

MA has full access to anything happening on pcf. they know every private message etc. so there is no need to give them anything. they already have it

And besides, no-one should be using the same password for the forum and for the game.
If your game account was compromised as a result of this breach, then you would already know about it.
Also, we all have smartphones these days. 2FA is a no-brainer.

 

[San]

HTTPS has now been enabled site-wide on PlanetCalypsoForum.com. While the use of HTTPS would not have prevented the database breach that is referenced in this thread, it is still an extra layer of protection for PCF members which may prevent certain types of malicious attacks.

Thank you. Then what would have prevented the database breach that is referenced in this thread? That something had to happen first to motivate taking even most basic steps like https does not increase trust in a system administrator. (Well, don't worry. This is "just" a game forum and I assume managing it is "just" a hobby. It is never cool when users put standards on unpaid work without a note of appreciation for all the time it is kept up. But if I was to hire someone to take care of infrastructure who would give this as a reference...)

 

[wizz]

Is it just me or did we all have to change our password?
It said that my password hadn't changed in 5333 days and that I had to change it.

Did everybody get this message?

 

[GeorgeSkywalker]

As a security precaution, all members (who have not changed their password within the last 7 days) will be prompted to change their password upon their next visit to PCF.

It is strongly recommended to use a unique password that is at least 8 characters in length, difficult to guess, and that is not used for any other websites or services (i.e. Entropia Universe).

Apologies for the inconvenience.

Is it just me or did we all have to change our password?
It said that my password hadn't changed in 5333 days and that I had to change it.

Did everybody get this message?

You must have missed 711's post above. I've quoted it above.

 

[Deleted member 55358]

whats scary is were talking about this now.. wasn't the actual event in july 2019?

 

[theProphet]

whats scary is were talking about this now.. wasn't the actual event in july 2019?

that's when the hack supposedly happened. then everyone, but mindark, PCF, and us, found out about it, until finally some friendly internet people decided to inform the masses via their browser products or security websites.

then again, nothing happened for days and nearly weeks. which kinda isn't really what EU law says. (haha wordplay!)

 

[theProphet]

I am not sure why after 12 years I am having to change my password.

to be honest, i repeatedly had to laugh so hard at work, because of this single comment today, i can't even say...

thank you sir, you made my day!!!



https://en.wikipedia.org/wiki/Luser

 

[theProphet]

https://twitter.com/i/web/status/1218492518003810304

 

[TSCRYPTO]

https://twitter.com/i/web/status/1218492518003810304

John Macafee is awesome

 

[Detritus]

whats scary is were talking about this now.. wasn't the actual event in july 2019?

It's unlikely that it's the only time it's happened, this one just happened to be discovered. If you go look at compromised pw lists on the dark web, there's a pretty good chance you have at least one password on one of them. These "is this site compromised" type of services are basically just continually looking for those lists and reporting on them. They aren't catching all of them.

If you care about your account security (anywhere) you should simply change your pw frequently and don't use the same pw in more than one place; or better yet use 2FA wherever you can. The only "scary" thing in this thread is that this apparently isn't common sense for most people.

 

[Oleg]

A breach is not the same as a hack. Most of you don't seem to realise that.

 

[San]

A breach is not the same as a hack. Most of you don't seem to realise that.

It will be a hack when someone finds them in a MD5 database which have been collecting hashes for many years now and tries something with it. However, it is rather inconsequential in this context and should not be blown out of proportion, true. But it just shows something which in Swedish is called "nonchalans" (nonchalance). The word has quite a different meaning here than where I came from.

 

[Detritus]

It will be a hack when someone finds them in a MD5 database which have been collecting hashes for many years now and tries something with it.

The breach is more serious, since that means personal information has been exposed.

It would be a hack if that's how they obtained the data (as opposed to negligence).

Though it would be useful to discover how the data was obtained, the most relevant part to us as the users is that it was in fact a breach.

Not sure why anyone would care to roll these into an MD5 rainbow table though (I think what you were implying), since nobody with even a basic understanding of security has used MD5 for passwords in the last 20 something years, so it would be relatively useless for almost all other sites.

 

[San]

The breach is more serious, since that means personal information has been exposed.

It would be a hack if that's how they obtained the data (as opposed to negligence).

You can interpret this in different ways -- hacking into a somehow secured system to steal data vs. their admin accidentally letting it lie in the open, or hacking away at a tarball you obtained from somewhere and trying to harvest something from it. Let's not split hairs. The MD5 hint was taken from further above and I found it superfluous to comment further. There are people on both sides of IT security who approach it with the good ole "never change a running system" up to this day.

 

[Detritus]

There are people on both sides of IT security who approach it with the good ole "never change a running system" up to this day.

Sadly yes, you make a good point.

 

[Deleted member 55358]

It's unlikely that it's the only time it's happened, this one just happened to be discovered. If you go look at compromised pw lists on the dark web, there's a pretty good chance you have at least one password on one of them. These "is this site compromised" type of services are basically just continually looking for those lists and reporting on them. They aren't catching all of them.

If you care about your account security (anywhere) you should simply change your pw frequently and don't use the same pw in more than one place; or better yet use 2FA wherever you can. The only "scary" thing in this thread is that this apparently isn't common sense for most people.

oh so yur not even the slightest bit concerned they hacked your acct 6m ago and have been sending everyone nudies? what if theyre not decent nudies? id be really upset if it were me!!

 

[Detritus]

oh so yur not even the slightest bit concerned they hacked your acct 6m ago and have been sending everyone nudies? what if theyre not decent nudies? id be really upset if it were me!!

You do make a valid point. I would certainly not want anyone to question my taste in nudies.

 

[wizz]

oh so yur not even the slightest bit concerned they hacked your acct 6m ago and have been sending everyone nudies? what if theyre not decent nudies? id be really upset if it were me!!

what?! Nudies?

Why didnt I get any?!

 

[Westy]

HTTPS has now been enabled site-wide on PlanetCalypsoForum.com. While the use of HTTPS would not have prevented the database breach that is referenced in this thread, it is still an extra layer of protection for PCF members which may prevent certain types of malicious attacks.

Note that on some pages (mainly thread discussions where user signatures are displayed) your browser may indicate that some of the content being served is not secure; this is caused by non-HTTPS signature images hosted on other servers (i.e. EntropiaLife).

Scored an A. Noice. No SSL protocol or TLS 1.0 or 1.1. also noice. Thanks 711.
Encrypting authentication always good.

https://www.ssllabs.com/ssltest/analyze.html?d=planetcalypsoforum.com

 

[Westy]

And besides, no-one should be using the same password for the forum and for the game.
If your game account was compromised as a result of this breach, then you would already know about it.
Also, we all have smartphones these days. 2FA is a no-brainer.

I can understand some people wouldn't have bought the Gold card and reader. If they felt they didn't have much to protect. But now there is no reason not to. Download the app and do it yesterday. Cost u nothing.

Its not true that using 2FA causes loot to drop to 90% average. 0o0o0o0o0

 

[Max Hec]

Changed password, next day couldn't log in, changed password today, logged out and couldn't log in.
On a hunch I experimented and several password resets later.

If forum password is over 50, 60, and 70 characters long:
The forum password reset page will accept it 100%
But it will Not let you log in.

If forum password is up to a maximum of 50 characters long:
The forum password reset page will accept it 100%
And it'll let you log back in again.

It appears there is some password maximum length parsing/truncation in one part of forum but not the other.

Now I've only seen max password lengths for websites that save passwords in plaintext for "easy customer service" and/or just have really poor security practices. But I really hope neither is the case here and that max length is just some left over coding artifact from one of the earliest variations of the forums.



PS. This forum's 'contact us' form does not work in web browser Opera or FireFox, click send and nothing.

 

[Seventy Was]

I get change password as it is over 7 days old. Well yes, since this thread was posted I already had change password message, and changed it. Now again after 7 days? Have you been found in a compromising position yet again?

 

[Piotr]

I get change password as it is over 7 days old. Well yes, since this thread was posted I already had change password message, and changed it. Now again after 7 days? Have you been found in a compromising position yet again?

Same here, password 7 days old hence expired... whaaat?

 

[K_rupT]

I get change password as it is over 7 days old. Well yes, since this thread was posted I already had change password message, and changed it. Now again after 7 days? Have you been found in a compromising position yet again?

Got the 7 day as well. Kinda lame if we have to change it once a week