
Jagex database theft from Ace of Spades (jmod twitter hijacked)


Mercifull


[email protected] <[email protected]>

18:22 (4 hours ago)

 

to me

Dear <player>,

 

At Jagex, the security of your information is especially important to us, so we’re really sorry to share with you that it’s possible that some of your Ace of Spades Forum account information may have been compromised during the last few days.

 

We know that some usernames, e-mail addresses, salted password hashes, and some other very limited forum profile information could have been accessed, all other more important data wasn’t at risk. All credit card, addresses, and other personal information held by Jagex is maintained in a separate high security system on a different network and have not been accessed and are not at risk.

 

As passwords are protected by means of being salted and hashed, the passwords are unreadable, however players with easily guessable passwords may be vulnerable. The breach appears to have occurred due to a new exploit in popular vBulletin forum software, which has been affecting many other vBulletin customers. We acted within hours of vBulletin announcing the exploit to its customers, taking all necessary actions to secure the forums; however unfortunately the exploit appears to have been used on the Ace of Spades forums within this short timeframe.

 

We recommend you change your Ace of Spades Forum password as soon as possible, and your password on any website where you may have used the same login information as a precaution. We are currently working to restore service to the forums, and ensure they are secure. Within 24 hours of the forums being restored we will require players logging into the forums to change their passwords. We recommend all users select a password consisting of letters, numbers, and special characters of at least 8 characters in length.

 

We apologise about this situation and any inconvenience it may cause you. We will continue to prioritise account security in the future.

 

If you have any questions or concerns relating to this, please contact us at [email protected].

 

Sincerely,

Jagex Security Team.

 

 

FAQ

 

How did this happen?

The breach appears to have occurred due to a new exploit in the popular vBulletin forum software that is used on the website, which has been affecting many other vBulletin customers.

 

How could I be affected?

As usernames, e-mails, and hashed and salted passwords could have been accessed briefly, it’s possible a hacker could use these details to attempt to login to other accounts where you have used the same login details. You are particularly at risk if you use a simple password.

 

Has any of my billing information been stolen, should I notify my bank?

Jagex holds no billing details of customers who purchased Ace of Spades via Steam, Amazon, or other online stores. All credit card, addresses, and other personal information held by Jagex for other products is maintained in a separate high security system on a different network and have not been accessed and are not at risk.

 

How do I know if my password has been compromised?

As passwords are protected by means of being salted and hashed, the passwords are unreadable, however players with easily guessable passwords may be vulnerable. As a precaution we recommend everyone changes their password as soon as possible on all sites where you used the same login information.

 

Should I change my password on the Ace of Spades Forum & other websites as well?

As a precaution we recommend everyone changes their password as soon as possible on all sites where you used the same login information.

 

What is a strong password?

A strong password is considered to be at least 8 characters in length, and contains a combination of at least three upper and/or lower case letters, punctuation, symbols, and numerals. The more variety you use, the better. Passwords such as “bubbles52” are not considered secure. Websites such as howsecureismypassword.net are a good guide to how secure your password is.

 

What are you doing about this?

The breach appears to have occurred due to a new exploit in popular vBulletin forum software, which has been affecting many other vBulletin customers. We acted within hours of vBulletin announcing the exploit to its customers, taking all necessary actions to secure the forums; however unfortunately the exploit appears to have been used on the Ace of Spades forums within this short timeframe. We have taken additional steps to prevent this kind of attack occurring in the future. All players will be sent a communication to their registered e-mail address.

 

I have additional questions, how can I contact you?

If you have any questions or concerns relating to this, please contact us at [email protected].

 


Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12

Link to comment

This could be pretty nasty. :wall:

 

Hopefully it's all sorted soon.


^^My blog of EoC PvM, lols and Therapy.^^

My livestream- Currently: Offline :(

Official Harpy Therapist of the Mad

[hide=Lewtations]

Barrows drops: Dharok's helm x2, Guthan's helm, Ahrim's top, Hood and skirt, Torag's hammers, Karils skirt, Karil's top, Torag's helm, Verac's skirt, Verac's Flail, Dharok's Platebody.

Dag kings drops: Lost count! :wall:

4k+ Glacors, 7 Ragefires, 4 Steadfasts, 4 Glaivens, 400+ shards![/hide]

Link to comment

'Accessed' by <BugAbuse> :~)Its funny. These JMods are using the same passwords on other forums/websites, as they do elsewhere!.

-https://twitter.com/...302712088645632

 

I expected nothing less, haha.

 

-----

 

Screenshots of @jagexphoenix's and @sallythebutcher's accounts in their current state (censored some stuff to stay within TIF rules):

 

 

7Nm0PbS.jpg

 

HV5idl1.png

 

 

 

-----

 

Topic on reddit: http://www.reddit.co...t_click_on_any/

 

@sallythebutcher and @jagexrocket are still "hacked," apparently some others were as well (though it looks like they were able to quickly fix their accounts), and the passwords of other accounts are known and are to be revealed later.


Link to comment

'Accessed' by <BugAbuse> :~)Its funny. These JMods are using the same passwords on other forums/websites, as they do elsewhere!.

-https://twitter.com/...302712088645632

 

I expected nothing less, haha.

 

-----

 

Screenshot of @jagexphoenix's account in its current state (censored some stuff to stay within TIF rules):

 

 

7Nm0PbS.jpg

 

 

-----

 

Topic on reddit: http://www.reddit.co...t_click_on_any/

 

@sallythebutcher and @jagexrocket are still "hacked," apparently many others as well (I'm not sure where to find a list of employees, maybe a Twitter list will have it).

 

 

(this comment is currently being edited a ton as I take pictures/add links, bear with me)

 

I'm the OP on that Reddit thread (/u/WNCaptain) and I'd just like to clear some things up that we've just recently learned:

 

It's unclear whether it was a jagex-specific database that was hacked into or a fan-site. The latter is more likely.

 

There is a lot of confusion. All we know right now is that there are some JMod twitters hacked and that you SHOULD NOT be clicking links from any Jagex social media account.

RSN: Canada Crow




Professional Noob


"It's a known fact that you cannot lie on the internet." -Abraham Lincoln


"Time that you enjoy wasting is not wasted time" -John Lennon


I am not a Jagex Moderator

Link to comment

Phoenix isn't a Jmod anymore though is she? I thought she was let go last week or the week before that. There was a farewell thread for her on reddit if I remember correctly.

 

I dunno who @sallythebutcher is.

 

Phoenix left to work with another big video game company in the UK.

RSN: Canada Crow




Professional Noob


"It's a known fact that you cannot lie on the internet." -Abraham Lincoln


"Time that you enjoy wasting is not wasted time" -John Lennon


I am not a Jagex Moderator

Link to comment

Looking likely that the official forums for Ace Of Spades, which ran open source forum software (I'm told it was phpbb but as I don't play it I don't know) not jagex's proprietary one, got exploited. If you had an Ace of Spades account then you might want to consider changing your passwords.


Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12

Link to comment

Just saw this... 12 shades of NOT HAPPY... I hope no passwords for our RuneScape/FunOrb accounts have been acquired, because I really don't want to have to ever use that junky reset rigamarole for my own accounts. :wall:

 

~Mr. D. V. "Flat ticked off..." Devnull

and normally with a cool mind.

(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the timebeing due to how insane they are... Sometimes even to themself.)

Link to comment

Jagex's response.

 

 

Link to comment

Thanks Kaur, added to FP


Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12

Link to comment

Don't know why people are so bothered about the passwords, it's not like they're stored in plain-text. Even the simplest of encryption methods, MD5, is impossible to reverse. Ah well.

Link to comment

Don't know why people are so bothered about the passwords, it's not like they're stored in plain-text. Even the simplest of encryption methods, MD5, is impossible to reverse. Ah well.

 

As proven by the fact that using passwords extracted from the stolen data the hackers were able to hijack a number of jmod twitter accounts; thereby categorically proving they could not in any way, shape or form breach the encryption.

 

With database breaches it is relatively easy to decrypt passwords, depending on how quickly they are stopped, because said database also hides away the encryption information required for it to recognise what you type as your password as the thing it stored cryptically. Or if that's not found and it's a generic database (e.g. a generic forum software) then the hackers have logs out there of the various encryption variants those forums run and it is simply a matter of trial and error to find the one that makes the gathered passwords become normal data.


Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue

Link to comment

Don't know why people are so bothered about the passwords, it's not like they're stored in plain-text. Even the simplest of encryption methods, MD5, is impossible to reverse. Ah well.

You do not need to reverse the encryption when you can encrypt random word combinations and see if the results match.

Ordinary desktop computers can test over a hundred million passwords per second using password cracking tools that run on a general purpose CPU and billions of passwords per second using GPU-based password cracking tools
*

It's only a matter of time.

Link to comment

Correct. And if they have a small network of GPU based hacking systems it can go even faster. If the hash was salted (highly likely) it adds an extra amount of guessing what the salt was in addition. If it was salted well, then it will be much more difficult to crack considering that you would have to know the salt as well (which without length and if properly random would be very difficult)

 

If the hash algorithm had a weakness they could also exploit that.. but most likely it doesn't have a known weakness (since usually that is reason to stop using it for passwords)

 

It can be effectively beaten for a period of time with a proper length salt and good length passwords.

Maxed since Sunday, January 9th, 2014
Completionist since Wednesday, June 4th, 2014

Link to comment
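
The guess-and-compare check and the role of the salt discussed in the last posts, as an added example that is not part of the original thread: a Python sketch over constructed accounts in which the salt is kept beside each hash, so it hides password reuse but does not slow a check of one candidate, while a slow key-derivation function raises the cost of every check. The function names, the deny-list and the choice of PBKDF2 are assumptions made for the example; the page does not say which scheme the forum used.

```python
import hashlib
import hmac
import os
import time

# Constructed deny-list; "bubbles52" is the weak password named in the FAQ above.
DENY_LIST = ["password", "123456", "letmein", "bubbles52"]

def fast_record(password, salt=None):
    """Legacy-style record: one fast MD5 pass over salt + password."""
    salt = salt or os.urandom(16)
    return {"scheme": "md5", "salt": salt,
            "hash": hashlib.md5(salt + password.encode()).hexdigest()}

def slow_record(password, salt=None, iterations=100_000):
    """Record using PBKDF2-HMAC-SHA256, a deliberately slow derivation."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": iterations,
            "hash": digest.hex()}

def verify(record, candidate):
    """Recompute the hash with the salt stored in the record and compare."""
    if record["scheme"] == "md5":
        digest = hashlib.md5(record["salt"] + candidate.encode()).hexdigest()
    else:
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     record["salt"], record["iterations"]).hex()
    return hmac.compare_digest(digest, record["hash"])

def audit_weak(store, deny_list=DENY_LIST):
    """Defensive audit: users whose record matches a deny-listed password."""
    return sorted(user for user, rec in store.items()
                  if any(verify(rec, word) for word in deny_list))

def seconds_per_check(record, rounds=5):
    """Average cost of one verification, i.e. of one guess at this record."""
    start = time.perf_counter()
    for _ in range(rounds):
        verify(record, "wrong-guess")
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    # Constructed accounts: two users share a weak password, one uses a long one.
    store = {"alice": fast_record("bubbles52"), "bob": fast_record("bubbles52"),
             "carol": fast_record("Tr4il-of-7-Lanterns!")}
    print("salt hides reuse:", store["alice"]["hash"] != store["bob"]["hash"])
    print("flagged for reset:", audit_weak(store))
    print("md5 s/check:    %.7f" % seconds_per_check(fast_record("x"), 200))
    print("pbkdf2 s/check: %.7f" % seconds_per_check(slow_record("x")))
```

Running an audit like this over your own user table identifies the accounts that need a forced reset; the timing lines show how much work each scheme puts behind a single candidate.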