DanBennett Posted April 25, 2016
All, TruckersMP has sent the data from the forum database leak to https://haveibeenpwned.com. Search for your email and username. If you're on there, change all your passwords. This was the database leak back in February. +1 Kudos to the Admins for willingly sending it to them. -1 Kudos to me for finding this out via a third party and not this site itself. (By this I mean finding out it's been put on HIBP. The announcement in February was publicly released. Apologies for the confusion. This teaches me not to post at 5am with no sleep!)
Takumi Fujiwara 86 Posted April 25, 2016
lol, 3 times. Thanks Adobe, thanks XSplit, thanks TMP.
DanBennett Posted April 25, 2016 (Author)
^ I have Patreon on my list, which I didn't know about...
Takumi Fujiwara 86 Posted April 25, 2016
Not that I care too much; my email already gets plenty of 'those' emails (you know, the ones about those certain pills). Now that I've checked it, it's not too bad. Obviously they think my email is useless. My spam email hasn't even been leaked. Alrighty then.
Takumi Fujiwara 86 Posted April 25, 2016
I don't even use XSplit. I signed up on it ages ago and never used it.
DanBennett Posted April 25, 2016 (Author)
3 minutes ago, Takumi Fujiwara said: Not that I care too much,
Your password was also leaked. If you use it anywhere else with the same email, or it's the password for your email too, then there's a risk. No one knows the extent of the leak, whether it's known this database was taken or TruckersMP are just being precautious. But take it seriously. As time goes on you can end up with more personal stuff available from your email and password.
AbbieGator Posted April 25, 2016
It was only the forum that got compromised, and there was information around at the time of the leak, including a post to the homepage that's since been hidden. Correction: The post isn't hidden; it only got pushed down because there was more news that came out since then. Full information: http://truckersmp.com/en_US/blog/8
DanBennett Posted April 25, 2016 (Author)
Sorry, yes. I meant info about them submitting it. Wording. No sleep. Meh! :-)
Mike Dragon Posted April 25, 2016
So apparently I have an account on a Final Fantasy forum. I really don't remember ever creating such an account. I don't even play FF. O.o
Some people should really get a license before even thinking about buying Euro Truck Simulator 2 or American Truck Simulator. Drive safely, folks! < < < Don't bet on sinking ships because they'll turn your chips to trash! > > >
heyhococo Posted April 25, 2016
My email address has been compromised, but I changed my password while I was in game when an IGA said we should all change our passwords in an admin announcement. I can't help but think that a web dev or higher member of staff should've posted this though...
HumaneWolf Posted April 25, 2016
@heyhococo It is real, and as @Clarkinator stated, we did post it when it happened.
HumaneWolf - Website - Twitter - GitHub - Ex-Developer
heyhococo Posted April 25, 2016
I'm happy now. Perhaps it's time for me to get Facebook.
Guest Posted April 25, 2016
It was submitted because we know it's in someone's hands and we don't know what their intentions are. Submitting it to HIBP was a second avenue for us to notify those affected by the breach who may not visit the website or check the news here on the forums that often. I see that it can be disconcerting for you to get an email from HIBP, but unfortunately until yesterday our infrastructure simply wasn't set up to handle sending out 80k+ emails (I'm not sure I'd want to try to push that many in one go now either, to be honest).
Mike Dragon Posted April 25, 2016
I remember the incident. I was playing when an IGA alerted the players on ETS2's EU#1. I pulled up to the shoulder, saved my game and changed my password and some other security details immediately.
Darth Wazawai Posted April 25, 2016
2 hours ago, Tuxy Fluffyclaws said: It was submitted because we know it's in someone's hands and we don't know what their intentions are. Submitting it to HIBP was a second avenue for us to notify those affected by the breach who may not visit the website or check the news here on the forums that often. I see that it can be disconcerting for you to get an email from HIBP, but unfortunately until yesterday our infrastructure simply wasn't set up to handle sending out 80k+ emails (I'm not sure I'd want to try to push that many in one go now either, to be honest).
-.-' Got 3 servers here, m8... Just point a subdomain called ms#.truckersmp.com so the domains get a temp URL. Create a simple mailing form, get 3 admins to do batches of 100-500 every hour per server... But nope, now my email's on another site... Awesome... The last part was a joke, but seriously though, I don't give a duck about my email; it has text verification just like my Steam account. All accounts use different passwords, or if the same, I either don't care or it's PayPal covered.
Signature removed by a wondering ghost
Guest Posted April 25, 2016
6 minutes ago, Darth Wazawai said: Just point a subdomain called ms#.truckersmp.com so the domains get a temp URL. Create a simple mailing form, get 3 admins to do batches of 100-500 every hour per server...
It's not that easy. Last time we mass emailed we had a delivery rate of 78% on ~4k emails; that's quite a lot under sub-par, and that was doing it properly (DKIM+SPF). We're talking 84K emails here, not that easy to do.
6 minutes ago, Darth Wazawai said: But nope, now my email's on another site... Awesome...
HIBP doesn't list the email address anywhere; you have to explicitly look it up.
Darth Wazawai Posted April 25, 2016
How exactly were you sending out emails (not the protocol)? I've never seen nor heard of such a deplorable fail rate, unless you tried to send too many within an hour (usually 1-5k will flag you) and got flagged by the provider... Also you have to look at the emails that failed; if they're all one provider you're likely blacklisted (Hotmail loves doing this), in which case you have to contact the email provider or your server provider to get that fixed. Whether or not HIBP lists it isn't the point... You guys sent all the emails into another DB which has 300+ million other accounts. If their site is secure then it'll be OK, but what if it isn't? The forum leak could have been done by that stupid noob who DDoS'd the place a while back that @mwl4 found and perm banned... If so, then they likely wouldn't have a clue where to sell that information, let alone know what to do with it... Plus, as I stated in another post, next to the salt, MD5 encryption is one way, and with billions of passwords no one's going to bother with passwords. They (if not that noob) just wanted emails; even with English words and numbers only you're looking at hundreds of millions of different passwords to cross reference...
DanBennett Posted April 25, 2016 (Author)
^ I think you need to calm down a bit, matey. Sending mass emails out is a right pain in the arse and the failure rate can range from 0.1% to 99%. It's fully dependent on the system used, the content of the emails and how they are sent out, as well as the recipient and their system, server and email host. I can speak about this first hand (IT Tech & Support background, I've had to deal with this many times).
However, I do agree that it should've been more open that this was being posted to HIBP. The initial notice of the leak was great. The whole forum was taken down and it was front page on the website. They also posted on Twitter. However, this was back in February. This is now April and it's come back again by being posted to HIBP, which can send notifications out to everyone affected, too. Many people on here are youngsters or not technically minded and would've been worried by this email. So notification by TMP should've occurred that they were submitting to HIBP.
As I stated initially, Kudos to TMP for submitting to HaveIBeenPwned. HIBP is a great service to help keep users safe on the web and anyone who finds that they have been "pwned" needs to take action. (Please read this blog post by the founder of HIBP, who also shows praise for this and the fact that it rarely happens with bigger websites.)
Quote: Perhaps I've just become a little cynical after seeing literally hundreds of "we take security seriously" statements from organisations which clearly didn't, and to see a response like this where they're not trying to spin the story to their own advantage or misconstrue facts is heartening. If only those with nation state budgets or billion dollar revenues could act so responsibly.
Regarding the forum leak: information on how this happened was released in the initial blog post.
Quote: The breach happened by obtaining the password of a team member's account and then dumping the database using IPB's built-in utilities, hence only forum accounts were compromised. Passwords were stored in a cryptographic manner and were salted.
It happened because a team member's account was accessed and used to create a database dump (a copy into a text file format). This is unfortunate but also impossible to avoid. I'm sure the team member who holds the account feels bad enough that it was their account that was used. The passwords were salted (this means encrypted against a special key which helps make them incredibly difficult to decrypt). So whereas passwords may be safe, it's not a guarantee, as they cannot promise that the salt (special key) was not also taken, hence the reason this is a higher risk.
As much as I gave a -1 Kudos to TMP for the way the handover to HIBP was handled, they have my full support as a fellow IT Tech person; they are simply running a forum and service for free and as a hobby. Shit happens. It's regretful. It could've been worse, but it's not. Change your passwords if you are affected and keep on trucking!
Guest Posted April 25, 2016
1 hour ago, Darth Wazawai said: How exactly were you sending out emails (not the protocol)? I've never seen nor heard of such a deplorable fail rate, unless you tried to send too many within an hour (usually 1-5k will flag you) and got flagged by the provider... Also you have to look at the emails that failed; if they're all one provider you're likely blacklisted (Hotmail loves doing this), in which case you have to contact the email provider or your server provider to get that fixed.
We used a reputable provider for mass emailing. Trust me, I did my homework before attempting.
1 hour ago, Darth Wazawai said: Whether or not HIBP lists it isn't the point... You guys sent all the emails into another DB which has 300+ million other accounts. If their site is secure then it'll be OK, but what if it isn't? The forum leak could have been done by that stupid noob who DDoS'd the place a while back that @mwl4 found and perm banned... If so, then they likely wouldn't have a clue where to sell that information, let alone know what to do with it... Plus, as I stated in another post, next to the salt, MD5 encryption is one way, and with billions of passwords no one's going to bother with passwords. They (if not that noob) just wanted emails; even with English words and numbers only you're looking at hundreds of millions of different passwords to cross reference...
IPB's old password hashing scheme, which was used in our case (because we used IPS 3 at the time of the breach), is known to be weak, which is why IPS4 updated it to use BCRYPT. In this case we are certain the person knew the value of the data, and we know he tried (and perhaps did) capitalize on it. In any breach you should always assume the data is distributed and abused, hence why we took the approach we did, including self-submitting information to HIBP. Anything less would be reckless in my professional opinion (I work in info-sec ;)).
47 minutes ago, DanBennett said: However, I do agree that it should've been more open that this was being posted to HIBP. The initial notice of the leak was great. The whole forum was taken down and it was front page on the website. They also posted on Twitter. However, this was back in February. This is now April and it's come back again by being posted to HIBP, which can send notifications out to everyone affected, too. Many people on here are youngsters or not technically minded and would've been worried by this email. So notification by TMP should've occurred that they were submitting to HIBP.
We are working with HIBP on making this clear very soon, to help clarify which exact breach it is regarding and provide additional information. On a side note, non-technical users are unlikely to have signed up to get notifications from HIBP.
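The two posts above disagree about how much protection "salted" hashes give. The following Python script is an added example, not code from the thread or from TruckersMP or IPB, and it illustrates both points: a per-user salt is stored beside the hash and only stops identical passwords from hashing identically (it is not a decryption key, contrary to the explanation in the earlier post), and what actually separates a weak scheme from a strong one is the cost of checking a single guess, which the defender sets with a work factor. Assumptions: the legacy construction md5(md5(salt) + md5(password)) is modelled on what IPB 3 is generally reported to have used and should be treated as an assumption; bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it (same property of a tunable per-guess cost); all credentials and salts are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo values; nothing here comes from the leaked database.
DEMO_PASSWORD = "keep-on-trucking"
DEMO_SALT = b"5sAlT"           # assumption: a short per-user salt stored beside the hash
PBKDF2_ITERATIONS = 100_000    # hypothetical work factor, playing the role of bcrypt's cost


def legacy_hash(password: str, salt: bytes) -> str:
    """Fast salted MD5, modelled on the old IPB 3 layout (assumption):
    md5(md5(salt) + md5(password)). One unkeyed MD5 round per guess."""
    inner = hashlib.md5(salt).hexdigest() + hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Deliberately slow, tunable hash. PBKDF2-HMAC-SHA256 stands in for bcrypt
    here; the defender chooses `iterations`, so every guess costs that many rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(stored: str, candidate: str, salt: bytes, hash_fn) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how much of the hash matched."""
    return hmac.compare_digest(stored, hash_fn(candidate, salt))


def cost_per_verification(hash_fn, rounds: int = 10) -> float:
    """Seconds one password check costs. An attacker holding a dump multiplies
    this by the number of candidates they want to try; the defender controls it."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


def salt_is_not_a_secret() -> bool:
    """The salt sits in the clear next to the hash. Its job is to make equal
    passwords hash differently per user; anyone holding the salt can recompute
    the hash, so taking the salt with the dump does not change the picture."""
    a = legacy_hash(DEMO_PASSWORD, b"saltA")
    b = legacy_hash(DEMO_PASSWORD, b"saltB")
    reproducible = legacy_hash(DEMO_PASSWORD, b"saltA") == a
    return a != b and reproducible


def slowdown_factor() -> float:
    """How many times more expensive one guess becomes after moving from the
    fast MD5 construction to the slow, work-factor-bound hash."""
    return cost_per_verification(slow_hash) / cost_per_verification(legacy_hash)


if __name__ == "__main__":
    stored_legacy = legacy_hash(DEMO_PASSWORD, DEMO_SALT)
    stored_slow = slow_hash(DEMO_PASSWORD, DEMO_SALT)
    print("legacy verify:", verify(stored_legacy, DEMO_PASSWORD, DEMO_SALT, legacy_hash))
    print("slow verify:  ", verify(stored_slow, DEMO_PASSWORD, DEMO_SALT, slow_hash))
    print("salt differs per user but is reproducible:", salt_is_not_a_secret())
    print(f"one guess costs roughly {slowdown_factor():,.0f}x more with the slow hash")
```

Running it prints the verification results and a slowdown in the tens of thousands on ordinary hardware; the exact figure varies by machine, which is the point: with a fast unkeyed hash the cost of a guess is whatever the attacker's hardware makes it, while with a work-factor hash the site operator decides, and can raise the factor as hardware improves.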
Darth Wazawai Posted April 25, 2016
@Tuxy Fluffyclaws I hope you're not referring to Amazon's mailing service (multi smiles bug, woohoo). But yeah, as long as it's one-way hashed I don't care about my passwords, and if other users' passwords contain 2 words w/ or w/o spaces and a minimum of one capitalized letter and 2 numbers (or more), the person will be dead before they get it, lol.
@DanBennett I've only ever sent basic text emails for automated mailing, because of outdated/lightweight email providers... But if the provider closed their server to automated systems (like Amazon's) you're going to get large numbers... That's why it's always better to do it in-house even if it takes forever... Also they could have forced a password reset function, released a new version of the game and warned users via the setup or download page... Easier options could have been taken that weren't. That's all I'm saying... The use of a 3rd party should not have been needed for only 80k users... If it was the main site then yes, but not for here.
Alex [ITA] Posted April 25, 2016
Just a question: what does PWNED mean? I verified my e-mail and the site says that I'm pwned. I changed (only now, after 1 month from the alert) my password. Is this enough?
| Need help? | Allowed mods | TMP Rules | If you liked what I wrote, just click the "Upvote" button! Thank you! ↗↗↗
John_24 Posted April 25, 2016
Oh man, my email was affected and I am just now seeing this in April. I just changed my password, but how do I know my email and password were not used elsewhere? That email mentioned must have been sent to my spam, which I never check or get notified about. Oh man, I think I feel sick because the email and password is what I use on everything except my bank stuff.
Trucking in multiplayer and helping others where I can. In game rules.
Alex [ITA] Posted April 25, 2016
I use my e-mail just for the BeamNG forum, LGG forum (and VTC), TruckersMP.com, nVidia Forum and ProMods... Nothing very important! I don't really know what the problem is.
DanBennett Posted April 25, 2016 (Author)
40 minutes ago, Alex [ITA] said: Just a question: what does PWNED mean? I verified my e-mail and the site says that I'm pwned. I changed (only now, after 1 month from the alert) my password. Is this enough?
It means your email/username and password (encrypted or plain text) have been leaked. So yeah, just change your passwords for everything that was the same, if any.
19 minutes ago, littlefoot_22 said: Oh man, my email was affected and I am just now seeing this in April. I just changed my password, but how do I know my email and password were not used elsewhere? That email mentioned must have been sent to my spam, which I never check or get notified about. Oh man, I think I feel sick because the email and password is what I use on everything except my bank stuff.
This was part of my point with the initial post. Use the HIBP website and enter your username, then your email, and see what comes up.
9 minutes ago, Alex [ITA] said: I use my e-mail just for the BeamNG forum, LGG forum (and VTC), TruckersMP.com, nVidia Forum and ProMods... Nothing very important! I don't really know what the problem is.
..........The password part is the problem.
John_24 Posted April 25, 2016
Yep, I just changed all of my passwords for security reasons.