[Security] Data Breach and Information Leak

Discussion in 'Announcements' started by Navarr, May 9, 2016.

  1. softsocks Platinum

    XP:
    58,983xp
    Now I'm scared
    Tonkotsuramen921 likes this.

  2. Braiti Platinum

    XP:
    87,241xp
    -.- Really?
    Tonkotsuramen921 likes this.
  3. Sercelix Obsidian

    XP:
    20xp
    Why weren't we told of this breach the moment, or following hours of realizing it had happened?
    Tonkotsuramen921 likes this.
  4. Navarr Councilor

    XP:
    1,333,433xp
    We consider situations such as this very seriously.

    It took time to ensure that we had closed off all access, more time to make sure our improved measures were in place, write up the disclosure, and get sign off on it.

    While talking with the other members of the development team I was assured two weeks is a fairly quick time for a responsible disclosure.

    We wanted to make sure we had the entire situation under control before making a statement.
  5. ikilledcreeper Regular Member

    XP:
    9,426xp
    Wow, so it pays to know that there are still lame dudes with no life out there!

    Will anything such as our XP be affected? And what will happen to our leaked IPs?
  6. SuckMyPotato Regular Member

    XP:
    62,728xp
    Did the attackers possibly unban my best friend Cizzlers (lcecreamm) in this situation? After 3 years of being banned? Holy moly, I'm gonna go check it out right now boys!!!
    drewko09 likes this.
  7. Navarr Councilor

    XP:
    1,333,433xp

    XP will not be affected. As for what will happen to your leaked addresses - I'm afraid I don't understand the question.
    Tonkotsuramen921 likes this.
  8. ccccccccccccccc Regular Member

    XP:
    3,954xp
    Shouldn't the security of your users be more important to you than your "statement"? I get that you have to make sure that nobody else who could abuse the leak would find out about it sooner, but there's been plenty of time for that. Many people use the same passwords for Shotbow as they do for other things, such as Minecraft and email, and they should know that they need to change their information right away. A lot could've, and probably did happen in the 2+ weeks that it took you to tell us that you lost our passwords. I really hope that you consider our security more promptly in the future and let users know sooner that their credentials are compromised.
    1structor and Braiti like this.
  9. Navarr Councilor

    XP:
    1,333,433xp

    I'm a little confused as to how you expect me to give you the statement before having the statement prepared - but okay.

    Again, we do not believe there to have been much, if any risk in your passwords being known. They are hashed one-way in such a way that reversing them should take decades of computer time.

    We do take our players' security VERY seriously, and acted much faster than other organizations would - and as fast as we could've.
    Tonkotsuramen921 and Kelestami like this.
  10. ccccccccccccccc Regular Member

    XP:
    3,954xp
    What I meant was that you waited until you had things looking positive enough to make a statement that wouldn't portray you guys as out of control, as well as "writing up the disclosure and getting a sign off for it". However, things were out of control and it would have helped a lot of users if they knew about the leak sooner, even if it was through a simple statement that users should change passwords and more details would come. If passwords were hashed, could you not have just stopped the release of more information, then immediately told us? And I'm not even touching on IPs, which are not encrypted (correct?) and allow malicious users to DDOS victims of the leak who were previously protected. While our IP could be changed eventually through our ISP, it would help those being attacked if they knew it was coming.

    Even if you acted as fast as you could to control the spread of information and the possibilities of future leaks, you really could've just told us sooner.
  11. BOJMS Emerald

    XP:
    17,577xp

    Would you rather they let you know immediately and cause general panic? There are too many poor implications in letting you know immediately. Would you rather have more accurate information that is collected after the issue is handled or mere guesswork as they try to find the problems? The reason is to make sure that panic is not caused. Generally, we are looking at a younger player base that may not handle the news in a mature manner, so it is best to wait until they have the facts before disclosing it to the public.

    Although I do agree with a lot of what you said, it is easy to say after-the-fact what they should have done. What matters is that they were able to take action and they were able to inform us when they believed was the best time. Yes, they may have been able to handle it better, but now they know if they wish to take better actions towards possible future leaks like this.
    Tonkotsuramen921 and Kelestami like this.
  12. ccccccccccccccc Regular Member

    XP:
    3,954xp
    I would rather have people upset that Shotbow had information vulnerabilities than have people lose access to their accounts and internet. Especially with a younger audience, whose accounts are likely more vulnerable. Shotbow could still find a way to be reassuring and let players know that everything was being done to prevent it from happening again, instead of letting us know after everything had blown over.

    I'm not very encouraged if they see 2+ weeks after the leak as the "best time" to let players know that they may have been hacked, no matter the circumstance. What does matter is all the accounts and IPs possibly exposed to malicious activity, unopposed, for 2+ weeks.
    1structor and Braiti like this.
  13. Braiti Platinum

    XP:
    87,241xp
    I have to agree with c*12. It would've been appreciated if you let us know that Shotbow's security was breached and just let everyone know that they may want to change their passwords just to ensure everyone was safe.

    Two weeks could've given the guys who breached Shotbow enough time to hack into some accounts without the users even realizing it.

    It may have caused some uproar within the community, but at least everyone would've been able to secure their accounts sooner.
  14. FroastJ Regular Member

    XP:
    121,043xp
    What hashing algorithm was used for storing the passwords?
  15. Braiti Platinum

    XP:
    87,241xp
    I'm just really boggled that you guys thought it would be alright to wait to let us know. This just seems really irresponsible, and I'm just really speechless at how poorly you treated the situation.
  16. FroastJ Regular Member

    XP:
    121,043xp

    I'm not sure how that makes any sense, anyone that ever gets access to the hashes would also know what algorithm was used. There may be multiple algorithms or some type of custom algorithm, which are both not recommended and barely slow down experienced attackers.

    If a common, trusted algorithm is being used, I don't see why we shouldn't be told.
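
An added example illustrating the point raised in post 16; it is not part of the thread and not Shotbow's code. The thread never names the site's algorithm, so PBKDF2-HMAC-SHA256, the record layout and the iteration count below are assumptions. It shows that a stored hash record names its own algorithm and cost, so protection rests on the per-user salt and work factor, not on keeping the scheme secret.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"  # assumed for illustration; not named anywhere in the thread
ITERATIONS = 600_000         # assumed work factor


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def describe(record: str) -> dict:
    """Read the algorithm and cost straight out of a stored record."""
    algorithm, iterations, salt_b64, _digest = record.split("$")
    return {
        "algorithm": algorithm,
        "iterations": int(iterations),
        "salt_bytes": len(base64.b64decode(salt_b64)),
    }


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters in the record; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False  # unknown scheme: reject rather than guess
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """Flag records stored with a weaker cost so they are upgraded at next login."""
    info = describe(record)
    return info["algorithm"] != ALGORITHM or info["iterations"] < minimum_iterations
```
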
  17. SimplyRobot Platinum

    XP:
    135,796xp
    Wait, could we lose our ranks?
  18. WWII Platinum

    XP:
    76xp
    Faster than a few, not most. It honestly pisses me off that my info could have been leaked without me knowing when people knew that I could be at risk.
    ccccccccccccccc and Braiti like this.
  19. nintendoway Platinum

    XP:
    301,777xp
    I do not understand though why this is being announced this much after the fact... By this time, the user could have posted passwords publicly and breached accounts without the player knowing. While the encryption might be powerful, it's still unpleasant to think about for someone desperate enough. And now for new players, I feel that seeing this post illustrates ShotBow as a server that it really is not.

    I understand that this is not a professional company, but due to the amount of younger players that use the same password across multiple sites, I just feel like this situation could have gotten much worse and that postponing the announcement only causes a rupture in the overall playerbase.
    1structor, Braiti and ccccccccccccccc like this.
  20. drewko09 Platinum

    XP:
    216,380xp
    Personally I am glad that they told us later; even if they told us sooner there was not much we could do except post rage comments.
    Tonkotsuramen921 likes this.
