Mercifull Posted September 2, 2013

[email protected] <[email protected]> 18:22 (4 hours ago) to me

Dear <player>,

At Jagex, the security of your information is especially important to us, so we’re really sorry to share with you that it’s possible that some of your Ace of Spades Forum account information may have been compromised during the last few days.

We know that some usernames, e-mail addresses, salted password hashes, and some other very limited forum profile information could have been accessed, all other more important data wasn’t at risk. All credit card, addresses, and other personal information held by Jagex is maintained in a separate high security system on a different network and have not been accessed and are not at risk.

As passwords are protected by means of being salted and hashed, the passwords are unreadable, however players with easily guessable passwords may be vulnerable.

The breach appears to have occurred due to a new exploit in popular vBulletin forum software, which has been affecting many other vBulletin customers. We acted within hours of vBulletin announcing the exploit to its customers, taking all necessary actions to secure the forums; however unfortunately the exploit appears to have been used on the Ace of Spades forums within this short timeframe.

We recommend you change your Ace of Spades Forum password as soon as possible, and your password on any website where you may have used the same login information as a precaution.

We are currently working to restore service to the forums, and ensure they are secure. Within 24 hours of the forums being restored we will require players logging into the forums to change their passwords. We recommend all users select a password consisting of letters, numbers, and special characters of at least 8 characters in length.

We apologise about this situation and any inconvenience it may cause you. We will continue to prioritise account security in the future.

If you have any questions or concerns relating to this, please contact us at [email protected].

Sincerely,
Jagex Security Team.

FAQ

How did this happen?
The breach appears to have occurred due to a new exploit in the popular vBulletin forum software that is used on the website, which has been affecting many other vBulletin customers.

How could I be affected?
As usernames, e-mails, and hashed and salted passwords could have been accessed briefly, it’s possible a hacker could use these details to attempt to login to other accounts where you have used the same login details. You are particularly at risk if you use a simple password.

Has any of my billing information been stolen, should I notify my bank?
Jagex holds no billing details of customers who purchased Ace of Spades via Steam, Amazon, or other online stores. All credit card, addresses, and other personal information held by Jagex for other products is maintained in a separate high security system on a different network and have not been accessed and are not at risk.

How do I know if my password has been compromised?
As passwords are protected by means of being salted and hashed, the passwords are unreadable, however players with easily guessable passwords may be vulnerable. As a precaution we recommend everyone changes their password as soon as possible on all sites where you used the same login information.

Should I change my password on the Ace of Spades Forum & other websites as well?
As a precaution we recommend everyone changes their password as soon as possible on all sites where you used the same login information.

What is a strong password?
A strong password is considered to be at least 8 characters in length, and contains a combination of at least three upper and/or lower case letters, punctuation, symbols, and numerals. The more variety you use, the better. Passwords such as “bubbles52” are not considered secure. Websites such as howsecureismypassword.net are a good guide to how secure your password is.

What are you doing about this?
The breach appears to have occurred due to a new exploit in popular vBulletin forum software, which has been affecting many other vBulletin customers. We acted within hours of vBulletin announcing the exploit to its customers, taking all necessary actions to secure the forums; however unfortunately the exploit appears to have been used on the Ace of Spades forums within this short timeframe. We have taken additional steps to prevent this kind of attack occurring in the future. All players will be sent a communication to their registered e-mail address.

I have additional questions, how can I contact you?
If you have any questions or concerns relating to this, please contact us at [email protected].

Mercifull <3 Suzi
"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12

Ambler Posted September 2, 2013

This could be pretty nasty. :wall: Hopefully it's all sorted soon.

Zantareous Posted September 2, 2013

'Accessed' by <BugAbuse> :~)
It's funny. These JMods are using the same passwords on other forums/websites, as they do elsewhere!.
-https://twitter.com/...302712088645632

I expected nothing less, haha.

-----

Screenshots of @jagexphoenix's and @sallythebutcher's accounts in their current state (censored some stuff to stay within TIF rules):

-----

Topic on reddit: http://www.reddit.co...t_click_on_any/

@sallythebutcher and @jagexrocket are still "hacked," apparently some others were as well (though it looks like they were able to quickly fix their accounts), and the passwords of other accounts are known and are to be revealed later.

Canada Crow Posted September 2, 2013

> 'Accessed' by <BugAbuse> :~)
> It's funny. These JMods are using the same passwords on other forums/websites, as they do elsewhere!.
> -https://twitter.com/...302712088645632
>
> I expected nothing less, haha.
>
> -----
>
> Screenshot of @jagexphoenix's account in its current state (censored some stuff to stay within TIF rules):
>
> -----
>
> Topic on reddit: http://www.reddit.co...t_click_on_any/
>
> @sallythebutcher and @jagexrocket are still "hacked," apparently many others as well (I'm not sure where to find a list of employees, maybe a Twitter list will have it).
>
> (this comment is currently being edited a ton as I take pictures/add links, bear with me)

I'm the OP on that Reddit thread (/u/WNCaptain) and I'd just like to clear some things up that we've just recently learned:

It's unclear whether it was a jagex-specific database that was hacked into or a fan-site. The latter is more likely. There is a lot of confusion. All we know right now is that there are some JMod twitters hacked and that you SHOULD NOT be clicking links from any Jagex social media account.

RSN: Canada Crow
Professional Noob
"It's a known fact that you cannot lie on the internet." -Abraham Lincoln
"Time that you enjoy wasting is not wasted time" -John Lennon
I am not a Jagex Moderator

Kimberly Posted September 2, 2013

Phoenix isn't a Jmod anymore though is she? I thought she was let go last week or the week before that. There was a farewell thread for her on reddit if I remember correctly. I dunno who @sallythebutcher is.

Canada Crow Posted September 2, 2013

> Phoenix isn't a Jmod anymore though is she? I thought she was let go last week or the week before that. There was a farewell thread for her on reddit if I remember correctly. I dunno who @sallythebutcher is.

Phoenix left to work with another big video game company in the UK.

Mercifull Posted September 2, 2013 (Author)

Looking likely that the official forums for Ace of Spades, which ran open source forum software (I'm told it was phpbb but as I don't play it I don't know) not Jagex's proprietary one, got exploited. If you had an Ace of Spades account then you might want to consider changing your passwords.

Kaur Posted September 2, 2013

And this, my friends, is what you get for using the same password in multiple places and giving admin access to rookies.

D. V. Devnull Posted September 3, 2013

Just saw this... 12 shades of NOT HAPPY... I hope no passwords for our RuneScape/FunOrb accounts have been acquired, because I really don't want to have to ever use that junky reset rigamarole for my own accounts. :wall:

~Mr. D. V. "Flat ticked off..." Devnull and normally with a cool mind.
(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the timebeing due to how insane they are... Sometimes even to themself.)

Kaur Posted September 3, 2013

Jagex's response.

[email protected] <[email protected]> 18:22 (4 hours ago) to me

Dear Kaur,

At Jagex, the security of your information is especially important to us, so we’re really sorry to share with you that it’s possible that some of your Ace of Spades Forum account information may have been compromised during the last few days.

We know that some usernames, e-mail addresses, salted password hashes, and some other very limited forum profile information could have been accessed, all other more important data wasn’t at risk. All credit card, addresses, and other personal information held by Jagex is maintained in a separate high security system on a different network and have not been accessed and are not at risk.

As passwords are protected by means of being salted and hashed, the passwords are unreadable, however players with easily guessable passwords may be vulnerable.

The breach appears to have occurred due to a new exploit in popular vBulletin forum software, which has been affecting many other vBulletin customers. We acted within hours of vBulletin announcing the exploit to its customers, taking all necessary actions to secure the forums; however unfortunately the exploit appears to have been used on the Ace of Spades forums within this short timeframe.

We recommend you change your Ace of Spades Forum password as soon as possible, and your password on any website where you may have used the same login information as a precaution.

We are currently working to restore service to the forums, and ensure they are secure. Within 24 hours of the forums being restored we will require players logging into the forums to change their passwords. We recommend all users select a password consisting of letters, numbers, and special characters of at least 8 characters in length.

We apologise about this situation and any inconvenience it may cause you. We will continue to prioritise account security in the future.

If you have any questions or concerns relating to this, please contact us at [email protected].

Sincerely,
Jagex Security Team.

FAQ

How did this happen?
The breach appears to have occurred due to a new exploit in the popular vBulletin forum software that is used on the website, which has been affecting many other vBulletin customers.

How could I be affected?
As usernames, e-mails, and hashed and salted passwords could have been accessed briefly, it’s possible a hacker could use these details to attempt to login to other accounts where you have used the same login details. You are particularly at risk if you use a simple password.

Has any of my billing information been stolen, should I notify my bank?
Jagex holds no billing details of customers who purchased Ace of Spades via Steam, Amazon, or other online stores. All credit card, addresses, and other personal information held by Jagex for other products is maintained in a separate high security system on a different network and have not been accessed and are not at risk.

How do I know if my password has been compromised?
As passwords are protected by means of being salted and hashed, the passwords are unreadable, however players with easily guessable passwords may be vulnerable. As a precaution we recommend everyone changes their password as soon as possible on all sites where you used the same login information.

Should I change my password on the Ace of Spades Forum & other websites as well?
As a precaution we recommend everyone changes their password as soon as possible on all sites where you used the same login information.

What is a strong password?
A strong password is considered to be at least 8 characters in length, and contains a combination of at least three upper and/or lower case letters, punctuation, symbols, and numerals. The more variety you use, the better. Passwords such as “bubbles52” are not considered secure. Websites such as howsecureismypassword.net are a good guide to how secure your password is.

What are you doing about this?
The breach appears to have occurred due to a new exploit in popular vBulletin forum software, which has been affecting many other vBulletin customers. We acted within hours of vBulletin announcing the exploit to its customers, taking all necessary actions to secure the forums; however unfortunately the exploit appears to have been used on the Ace of Spades forums within this short timeframe. We have taken additional steps to prevent this kind of attack occurring in the future. All players will be sent a communication to their registered e-mail address.

I have additional questions, how can I contact you?
If you have any questions or concerns relating to this, please contact us at [email protected].

Mercifull Posted September 4, 2013 (Author)

Thanks Kaur, added to FP

Mylez Posted September 6, 2013

Don't know why people are so bothered about the passwords, it's not like they're stored in plain-text. Even the simplest of encryption methods, MD5, is impossible to reverse. Ah well.

Sy_Accursed Posted September 6, 2013

> Don't know why people are so bothered about the passwords, it's not like they're stored in plain-text. Even the simplest of encryption methods, MD5, is impossible to reverse. Ah well.

As proven by the fact that using passwords extracted from the stolen data the hackers were able to hijack a number of jmod twitter accounts; thereby categorically proving they could not in any way, shape or form breach the encryption.

Database breaches are relatively easy to decrypt passwords, depending on how quickly they are stopped, because said database also hides away the encryption information required for it to recognise what you type as your password as the thing it stored cryptically. Or if that's not found and it's a generic database (e.g. a generic forum software) then the hackers have logs out there of the various encryption variants those forums run and it is simply a matter of trial and error to find the one that makes the gathered passwords become normal data.

Kaur Posted September 7, 2013

> Don't know why people are so bothered about the passwords, it's not like they're stored in plain-text. Even the simplest of encryption methods, MD5, is impossible to reverse. Ah well.

You do not need to reverse the encryption when you can encrypt random word combinations and see if the results match.

Ordinary desktop computers can test over a hundred million passwords per second using password cracking tools that run on a general purpose CPU and billions of passwords per second using GPU-based password cracking tools *

It's only a matter of time.

Platinum_Myr Posted September 7, 2013

Correct. And if they have a small network of GPU based hacking systems it can go even faster.

If the hash was salted (highly likely) it adds an extra amount of guessing what the salt was in addition. If it was salted well, then it will be much more difficult to crack considering that you would have to know the salt as well (which without length and if properly random would be very difficult).

If the hash algorithm had a weakness they could also exploit that, but most likely it doesn't have a known weakness (since usually that is reason to stop using it for passwords).

It can be effectively beaten for a period of time with a proper length salt and good length passwords.

Maxed since Sunday, January 9th, 2014
Completionist since Wednesday, June 4th, 2014

Riptide Mage Posted September 7, 2013

vBulletin uses md5(md5($password).$salt) which really only defeats rainbow tables, a small botnet could make billions of crack attempts a second.

You make it sound like running through a few level 87 monsters is hard which it really shouldn't be at your level.
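
Added example, not part of any post in this thread and not vBulletin's or Jagex's code: the md5(md5($password).$salt) scheme quoted above, showing why a per-user salt changes the stored hash but does not protect a common password from guess-and-compare, and how wrapping the stored hash in a slow KDF raises the cost of each guess. The function names, the wordlist, the salts and the PBKDF2 round count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data for this example; none of it comes from the breach.
COMMON = ["password", "letmein", "bubbles52", "qwerty123"]
SALT_A, SALT_B = "k#2", "Zp!"

def vb_legacy_hash(password: str, salt: str) -> str:
    """md5(md5($password).$salt) as quoted in the thread (PHP md5() returns hex)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def audit_against_wordlist(stored: str, salt: str, candidates):
    """Guess-and-compare: the salt is stored beside the hash, nothing is reversed."""
    for word in candidates:
        if hmac.compare_digest(vb_legacy_hash(word, salt), stored):
            return word
    return None

def wrap_legacy(legacy_hex: str, new_salt: bytes, rounds: int = 200_000) -> bytes:
    """Upgrade a stored legacy hash without the plaintext by wrapping it in
    PBKDF2-HMAC-SHA256 (round count is an assumed work factor)."""
    return hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), new_salt, rounds)

def verify_wrapped(password: str, old_salt: str, new_salt: bytes, stored: bytes) -> bool:
    """Login check after migration: legacy hash first, then the slow wrapper."""
    candidate = wrap_legacy(vb_legacy_hash(password, old_salt), new_salt)
    return hmac.compare_digest(candidate, stored)

def seconds_per_guess(check, tries: int) -> float:
    """Average wall-clock cost of one password check."""
    start = time.perf_counter()
    for i in range(tries):
        check(f"guess{i}")
    return (time.perf_counter() - start) / tries

if __name__ == "__main__":
    stored = vb_legacy_hash("bubbles52", SALT_A)
    # The salt makes precomputed tables useless: same password, different hash.
    print("differs under another salt:", stored != vb_legacy_hash("bubbles52", SALT_B))
    # A common password is still found by hashing candidates with the known salt.
    print("found in wordlist:", audit_against_wordlist(stored, SALT_A, COMMON))
    new_salt = os.urandom(16)
    wrapped = wrap_legacy(stored, new_salt)
    fast = seconds_per_guess(lambda g: vb_legacy_hash(g, SALT_A), 2000)
    slow = seconds_per_guess(lambda g: verify_wrapped(g, SALT_A, new_salt, wrapped), 3)
    print(f"legacy: {fast:.2e} s/guess, wrapped: {slow:.2e} s/guess")
```

The wrapper only slows guessing down; a password that appears in a wordlist is still found eventually, which is why the forced reset described in the e-mail remains necessary.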