
Jagex database theft from Ace of Spades (jmod twitter hijacked)


15 replies to this topic

#1
Mercifull

    Post Junkie

  • Members
  • 16,130 posts
  • Gender:Male
  • Location:In a house where everything is coated in cat fur
  • Joined:18 June 2004
  • RuneScape Status:P2P
  • RSN:Mercifull
  • Clan:Tip.It

webmaster@aceofspades.com <webmaster@aceofspades.com>
18:22 (4 hours ago)

to me
Dear <player>,

At Jagex, the security of your information is especially important to us, so we’re really sorry to share with you that it’s possible that some of your Ace of Spades Forum account information may have been compromised during the last few days.

We know that some usernames, e-mail addresses, salted password hashes, and some other very limited forum profile information could have been accessed, all other more important data wasn’t at risk. All credit card, addresses, and other personal information held by Jagex is maintained in a separate high security system on a different network and have not been accessed and are not at risk.

As passwords are protected by means of being salted and hashed, the passwords are unreadable, however players with easily guessable passwords may be vulnerable. The breach appears to have occurred due to a new exploit in popular vBulletin forum software, which has been affecting many other vBulletin customers. We acted within hours of vBulletin announcing the exploit to its customers, taking all necessary actions to secure the forums; however unfortunately the exploit appears to have been used on the Ace of Spades forums within this short timeframe.

We recommend you change your Ace of Spades Forum password as soon as possible, and your password on any website where you may have used the same login information as a precaution. We are currently working to restore service to the forums, and ensure they are secure. Within 24 hours of the forums being restored we will require players logging into the forums to change their passwords. We recommend all users select a password consisting of letters, numbers, and special characters of at least 8 characters in length.

We apologise about this situation and any inconvenience it may cause you. We will continue to prioritise account security in the future.

If you have any questions or concerns relating to this, please contact us at aceofspades@jagex.com.

Sincerely,
Jagex Security Team.


FAQ

How did this happen?
The breach appears to have occurred due to a new exploit in the popular vBulletin forum software that is used on the website, which has been affecting many other vBulletin customers.

How could I be affected?
As usernames, e-mails, and hashed and salted passwords could have been accessed briefly, it’s possible a hacker could use these details to attempt to login to other accounts where you have used the same login details. You are particularly at risk if you use a simple password.

Has any of my billing information been stolen, should I notify my bank?
Jagex holds no billing details of customers who purchased Ace of Spades via Steam, Amazon, or other online stores. All credit card, addresses, and other personal information held by Jagex for other products is maintained in a separate high security system on a different network and have not been accessed and are not at risk.

How do I know if my password has been compromised?
As passwords are protected by means of being salted and hashed, the passwords are unreadable, however players with easily guessable passwords may be vulnerable. As a precaution we recommend everyone changes their password as soon as possible on all sites where you used the same login information.

Should I change my password on the Ace of Spades Forum & other websites as well?
As a precaution we recommend everyone changes their password as soon as possible on all sites where you used the same login information.

What is a strong password?
A strong password is considered to be at least 8 characters in length, and contains a combination of at least three upper and/or lower case letters, punctuation, symbols, and numerals. The more variety you use, the better. Passwords such as “bubbles52” are not considered secure. Websites such as howsecureismypassword.net are a good guide to how secure your password is.

What are you doing about this?
The breach appears to have occurred due to a new exploit in popular vBulletin forum software, which has been affecting many other vBulletin customers. We acted within hours of vBulletin announcing the exploit to its customers, taking all necessary actions to secure the forums; however unfortunately the exploit appears to have been used on the Ace of Spades forums within this short timeframe. We have taken additional steps to prevent this kind of attack occurring in the future. All players will be sent a communication to their registered e-mail address.

I have additional questions, how can I contact you?
If you have any questions or concerns relating to this, please contact us at aceofspades@jagex.com.



Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12

#2
Ambler

    Black Knight Trainer

  • Monster Hunting Team
  • 3,453 posts
  • Gender:Male
  • Joined:7 October 2009
  • RuneScape Status:Semi-Retired
  • RSN:Ambl3r
  • RSN '07:Ambler
  • Clan:¯\_(ツ)_/¯
This could be pretty nasty. :wall:

Hopefully it's all sorted soon.

^^My blog of EoC PvM, lols and Therapy.^^
My livestream- Currently: Offline :(
Offical Harpy Therapist of the Mad

Lewtations

#3
Zantareous

    Bear Fur

  • Members
  • 424 posts

'Accessed' by <BugAbuse> :~) It's funny. These JMods are using the same passwords on other forums/websites, as they do elsewhere!
-https://twitter.com/...302712088645632


I expected nothing less, haha.

-----

Screenshots of @jagexphoenix's and @sallythebutcher's accounts in their current state (censored some stuff to stay within TIF rules):



-----

Topic on reddit: http://www.reddit.co...t_click_on_any/

@sallythebutcher and @jagexrocket are still "hacked," apparently some others were as well (though it looks like they were able to quickly fix their accounts), and the passwords of other accounts are known and are to be revealed later.



#4
Canada Crow

    Goblin Armour

  • Editorial Panel
  • 90 posts
  • Gender:Male
  • Location:Twitter
  • Joined:21 November 2012
  • RuneScape Status:P2P
  • RSN:Canada Crow
  • RSN '07:Canada Crow
  • Clan:WyoNation

'Accessed' by <BugAbuse> :~) It's funny. These JMods are using the same passwords on other forums/websites, as they do elsewhere!
-https://twitter.com/...302712088645632


I expected nothing less, haha.

-----

Screenshot of @jagexphoenix's account in its current state (censored some stuff to stay within TIF rules):



-----

Topic on reddit: http://www.reddit.co...t_click_on_any/

@sallythebutcher and @jagexrocket are still "hacked," apparently many others as well (I'm not sure where to find a list of employees, maybe a Twitter list will have it).


(this comment is currently being edited a ton as I take pictures/add links, bear with me)


I'm the OP on that Reddit thread (/u/WNCaptain) and I'd just like to clear some things up that we've just recently learned:

It's unclear whether it was a jagex-specific database that was hacked into or a fan-site. The latter is more likely.

There is a lot of confusion. All we know right now is that there are some JMod twitters hacked and that you SHOULD NOT be clicking links from any Jagex social media account.

RSN: Canada Crow


Professional Noob

"It's a known fact that you cannot lie on the internet." -Abraham Lincoln

"Time that you enjoy wasting is not wasted time" -John Lennon

I am not a Jagex Moderator


#5
Kimberly

    Retired Staff

  • Members
  • 12,325 posts
  • Gender:Female
  • Location:Pennsylvania; United States
  • Joined:26 November 2004
  • RuneScape Status:P2P
  • RSN:Kimberly
  • RSN2:Dorelei
Phoenix isn't a Jmod anymore though is she? I thought she was let go last week or the week before that. There was a farewell thread for her on reddit if I remember correctly.

I dunno who @sallythebutcher is.



#6
Canada Crow

Phoenix isn't a Jmod anymore though is she? I thought she was let go last week or the week before that. There was a farewell thread for her on reddit if I remember correctly.

I dunno who @sallythebutcher is.


Phoenix left to work with another big video game company in the UK.



#7
Mercifull
Looking likely that the official forums for Ace Of Spades, which ran open source forum software (I'm told it was phpbb but as I don't play it I don't know) not Jagex's proprietary one, got exploited. If you had an Ace of Spades account then you might want to consider changing your passwords.


#8
Kaur

    Skeleton Shield

  • Members
  • 1,025 posts
  • Gender:Not Telling
  • Joined:29 August 2004
  • RuneScape Status:None
  • Clan:RSD
And this, my friends, is what you get for using the same password in multiple places and giving admin access to rookies.

#9
D. V. Devnull

    Dragon Slayer

  • Members
  • 5,162 posts
  • Gender:Male
  • Location:Slinking in shadow, finding site/forum bugs to kill...
  • Joined:1 July 2006
  • RuneScape Status:None
Just saw this... 12 shades of NOT HAPPY... I hope no passwords for our RuneScape/FunOrb accounts have been acquired, because I really don't want to have to ever use that junky reset rigamarole for my own accounts. :wall:

~Mr. D. V. "Flat ticked off..." Devnull
and normally with a cool mind.
(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the timebeing due to how insane they are... Sometimes even to themself.)

#10
Kaur
Jagex's response.


#11
Mercifull
Thanks Kaur, added to FP


#12
Mylez

    Hobgoblin Killer

  • Members
  • 1,743 posts
  • Gender:Male
  • Location:Manchester
  • Joined:14 January 2007
  • RuneScape Status:Retired
  • RSN:Dyze
Don't know why people are so bothered about the passwords, it's not like they're stored in plain-text. Even the simplest of encryption methods, MD5, is impossible to reverse. Ah well.

#13
Sy_Accursed

    Post Junkie

  • Members
  • 16,851 posts
  • Gender:Male
  • Location:Norfolk, UK
  • Joined:22 December 2004
  • RuneScape Status:P2P
  • RSN:Sy Accursed

Don't know why people are so bothered about the passwords, it's not like they're stored in plain-text. Even the simplest of encryption methods, MD5, is impossible to reverse. Ah well.


As proven by the fact that using passwords extracted from the stolen data the hackers were able to hijack a number of jmod twitter accounts; thereby categorically proving they could not in any way, shape or form breach the encryption.

With database breaches it is relatively easy to decrypt passwords, depending on how quickly they are stopped, because said database also hides away the encryption information required for it to recognise what you type as your password as the thing it stored cryptically. Or if that's not found and it's a generic database (e.g. a generic forum software) then the hackers have logs out there of the various encryption variants those forums run and it is simply a matter of trial and error to find the one that makes the gathered passwords become normal data.


Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue


#14
Kaur

Don't know why people are so bothered about the passwords, it's not like they're stored in plain-text. Even the simplest of encryption methods, MD5, is impossible to reverse. Ah well.

You do not need to reverse the encryption when you can encrypt random word combinations and see if the results match.

Ordinary desktop computers can test over a hundred million passwords per second using password cracking tools that run on a general purpose CPU and billions of passwords per second using GPU-based password cracking tools.

It's only a matter of time.

#15
Platinum_Myr

    Moss Giant Whipper

  • Members
  • 2,604 posts
  • Gender:Male
  • Location:Oregon, United States
  • Joined:1 May 2006
  • RuneScape Status:P2P
  • RSN:Serena Sedai
  • RSN2:Fyora Serena
  • Clan:The Knighted Angels
Correct. And if they have a small network of GPU-based hacking systems it can go even faster. If the hash was salted (highly likely) it adds an extra amount of guessing what the salt was in addition. If it was salted well, then it will be much more difficult to crack considering that you would have to know the salt as well (which without length and if properly random would be very difficult).

If the hash algorithm had a weakness they could also exploit that... but most likely it doesn't have a known weakness (since usually that is reason to stop using it for passwords).

It can be effectively beaten for a period of time with a proper length salt and good length passwords.

Maxed since Sunday, January 9th, 2014
Completionist since Wednesday, June 4th, 2014


#16
Riptide Mage

    Skeleton Shield

  • Members
  • 1,027 posts
  • Gender:Male
  • Joined:23 June 2004
  • RuneScape Status:P2P
  • RSN:Riptide Mage
  • Clan:DGS
vBulletin uses md5(md5($password).$salt) which really only defeats rainbow tables; a small botnet could make billions of crack attempts a second.

You make it sound like running through a few level 87 monsters is hard which it really shouldn't be at your level.
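
The scheme quoted in the last post, md5(md5($password).$salt), as an added Python example (not code from vBulletin, Jagex or any poster in this thread): it audits constructed sample rows against a short common-password list to show why a salt stored beside the hash only rules out precomputed tables, then wraps the legacy hash in PBKDF2 so each guess becomes expensive. The function names, sample rows, password list and the 600,000 iteration count are assumptions.

```python
import hashlib
import hmac
import os

def vb_legacy_hash(password: str, salt: str) -> str:
    """md5(md5($password).$salt) as quoted in the thread, using hex digests."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def audit_weak(rows, common_passwords):
    """Return usernames whose stored hash matches a common password.

    The salt is stored in the same row as the hash, so anyone holding the
    table can recompute candidates; the salt only forces the work to be
    repeated per user instead of looked up in a precomputed table.
    """
    flagged = []
    for user, salt, stored in rows:
        if any(hmac.compare_digest(vb_legacy_hash(guess, salt), stored)
               for guess in common_passwords):
            flagged.append(user)
    return flagged

def wrap_legacy(stored_hex: str, iterations: int = 600_000):
    """Re-protect an existing row without knowing the password: run the old
    hex digest through PBKDF2-HMAC-SHA256 with a fresh random salt."""
    new_salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", stored_hex.encode(), new_salt, iterations)
    return new_salt, iterations, key

def verify_wrapped(password, legacy_salt, new_salt, iterations, key):
    """Login check after migration: legacy hash first, then the slow KDF."""
    legacy = vb_legacy_hash(password, legacy_salt).encode()
    candidate = hashlib.pbkdf2_hmac("sha256", legacy, new_salt, iterations)
    return hmac.compare_digest(candidate, key)

# Constructed sample rows (username, salt, stored hash); not breach data.
SAMPLE_ROWS = [
    ("alice", "x9!", vb_legacy_hash("bubbles52", "x9!")),
    ("bob", "Qz7", vb_legacy_hash("T4k&wr!9pLm#2vXe", "Qz7")),
]
# "bubbles52" is the weak example from the Jagex FAQ; the rest are assumed.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "bubbles52"]

if __name__ == "__main__":
    print("weak accounts:", audit_weak(SAMPLE_ROWS, COMMON_PASSWORDS))
    salt, n, key = wrap_legacy(SAMPLE_ROWS[0][2])
    print("wrapped login ok:", verify_wrapped("bubbles52", "x9!", salt, n, key))
```

Wrapping keeps every account working until the next login, at which point the row can be rehashed directly from the submitted password and the MD5 layer dropped.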





