Guest Posted February 24, 2017
Yesterday Cloudflare, which TruckersMP use for layer 7 protection, made a chilling incident report available. The issue was discovered by Tavis Ormandy from Google Project Zero, and was disclosed to Cloudflare, who mitigated the issue within 1 hour of the report.

They had a bug in their software which caused secret information to be exposed in HTTP responses. The issue is so widespread that in effect, it could potentially have exposed TruckersMP credentials, as well as other sites who use their services' information.

We're making this post as a quick heads-up and urge you to change passwords on your accounts, not just TruckersMP but any other site that uses Cloudflare (i.e. Discord). If you are a developer, or power user, roll your API keys as well.

P.S. Just to make this explicitly clear: TruckersMP infrastructure has not been compromised, this applies to everyone who used Cloudflare, not just us.

FAQ

Q: But Cloudflare said only some sites were affected
A: That's true, only some sites leaked information, but there is no guarantee that the data leaked wasn't from us or someone else.

Q: Was any TruckersMP data leaked?
A: Not that we're aware of, but we operate with a better safe than sorry mentality.

Q: What is PSA?
A: Public Service Announcement we're not alone

Q: I'm running out of ideas for passwords!
A: We can suggest switching to a password manager like LastPass, 1Password, Dashlane, KeePass, KeePassX or Enpass

Title image by KacaKTV
SadisticSweety Posted February 24, 2017
Yah, along with Discord and all that. Change your passwords every couple months anyway peeps
Smalley Posted February 24, 2017
I'm running out of ideas for passwords :L
Guest Posted February 24, 2017
Be sure to check out haveibeenpwned.com to make sure they haven't been leaked and if they did, please change.
Ratcho Posted February 24, 2017
Thank you for the quick notice. It's good to see that TruckersMP take security seriously and inform their users of issues as soon as they are informed, even if they aren't directly linked with their services but could affect users within the community
Guest Posted February 24, 2017
18 minutes ago, Smalley said:
> I'm running out of ideas for passwords :L

Switch to a password manager like LastPass and have it make you a good long, strong password

13 minutes ago, Ratcho said:
> Thank you for the quick notice. It's good to see that TruckersMP take security seriously and inform their users of issues as soon as they are informed, even if they aren't directly linked with their services but could affect users within the community

Doing what I think is the best, since we were potentially affected by the issue, it just makes sense to me.

Also, updated the post with another Q related to Smalley's comment and some links to various password managers.
[Reach Radio] JogR Posted February 24, 2017
I suppose I better start thinking of new passwords that I won't forget
Guest Posted February 24, 2017
Thank you very much for letting us know. Very kind of you!
Matt #CarLadMatt Posted February 24, 2017
Thanks for the warning! Just changed all my passcodes
FIRE SLAYER20 Posted February 24, 2017
Thanks @Tuxy Fluffyclaws for the update
Guest Posted February 26, 2017
Completely separate events @SuperSteve2345, this was on Cloudflare and affected a lot more than just us, as I wrote in the blog post.
Guest Posted February 26, 2017
Even if the database were compromised, aren't the passwords stored in an encrypted format anyway?
HumaneWolf Posted February 26, 2017
5 hours ago, Sentinel_ said:
> Even if the database were compromised, aren't the passwords stored in an encrypted format anyway?

This post is not about the database being compromised, because it wasn't. It's about a company providing a service we utilize, and that all our traffic passes through, which had a security flaw occasionally causing more data than intended to be sent to users. This flaw could happen on a few websites using their service, but the data that would be sent in addition could be from any customer website.

However, to answer your question, yes, the passwords are salted and hashed before they are stored on our servers.
Ebins Posted March 1, 2017
And this is why I hate cloud services. Whoever thought up the "bright" idea that storing information on a virtual server was smart? I wish Truckers had never used cloud services. This is so aggravating! I have to go around changing passwords now because you guys used cloud!!!!!
Trucking Australia Posted March 2, 2017
@Ebins Almost everyone these days uses Cloudflare or virtual servers for their websites. It makes things a lot easier and quicker. If you can think of a better service that doesn't involve any virtual server please suggest it but this is the way that the future is heading and there is nothing that can be done. The security of these servers is getting better and better as time goes on and eventually it will be almost impossible to get into one.

FYI, this is not our problem and there is nothing we could have done to stop the attack or even prevent it. It was all out of our control.
Guest Posted March 2, 2017
On 01/03/2017 at 5:16 PM, Ebins said:
> And this is why I hate cloud services. Whoever thought up the "bright" idea that storing information on a virtual server was smart? I wish Truckers had never used cloud services. This is so aggravating! I have to go around changing passwords now because you guys used cloud!!!!!

You would have had to do it regardless, more services than us use Cloudflare and the likelihood of you and your credentials being exposed to their infrastructure is extremely high.

If we didn't use cloud services, we wouldn't have been able to do the kind of things we do today, it'd simply be too expensive to do and protect (we're seeing near constant attacks on our infrastructure, and CF helps us mitigate that, making our site and services quite stable).

Mind you, VMs are not to blame, Cloudflare uses dedicated hardware.

As a final note, going around changing passwords is something you should do regardless, pick this opportunity to pick your password manager of choice, and maybe even automate some of the chore that is password changing across hundreds of sites.