[Security] Data Breach and Information Leak

Discussion in 'Announcements' started by Navarr, May 9, 2016.

  1. ccccccccccccccc Regular Member

    Actually, if they told us earlier we could prepare to change our IP through our ISP (not a short process) and/or change passwords to be safe...

  2. drewko09 Platinum

    I immediately regret my decision
  3. Stroby Platinum

    So if we change the password to our forum accounts they won't be able to access our Mojang accounts? And I assume we need to change them because they were already expressed? Do we need to change the passwords to accounts that aren't registered on Shotbow?
  4. SocomX1 Retired Staff

    If you used the same password anywhere else as you did on Shotbow.net, then it is recommended to change that password. That should be all you need to do.

    Depending on your ISP, changing your IP can take as little as five minutes. While it is very unlikely that you are actually at risk due to our servers being breached, you can always contact your ISP if you wish to change your IP address anyways. They will be able to inform you of the technical details pertaining to your internet connection much more accurately than anybody on this thread will be able to.

    The same applies to hashed passwords: it is extremely unlikely that any of your accounts on other sites have been impacted due to this breach, and it's practically impossible if your password was complex enough. However, as stated in the main post, it is still a good security practice to change the password of any account sharing the same password as your Shotbow.net account.

    Note that the network breaches that tend to make the front page of news sites and cause users a lot of grief are incidents in which passwords were recovered in plaintext. That is NOT the case here.
  5. FroastJ Regular Member


    You keep saying our hashed passwords are safe but just because they are hashed does not mean they are that secure, the details of how are very much involved: therefore, I'd appreciate a bit more transparency over it:
    - What was the hashing algorithm? A weak algorithm means the passwords are not as secure.
    - Were the passwords salted and, if so, how was this applied (salt for the site, salt for every account, etc.)? Without a salt many passwords are as good as plaintext.
  6. SocomX1 Retired Staff

    I won't be releasing any additional technical information regarding the incident other than what has already been provided- Navarr may do that if he deems it appropriate.
  7. Jarool Mini Admin

    I really can't be bothered. Why? Because the most I'd lose out of this is access to some sites I rarely go on anyways. And maybe servers, but I'm kinda getting to the point where I don't really want to play games anyways. So, eh (if you care about this stuff, then don't take my approach).
  8. Stroby Platinum

    Probably one of the biggest problems is people who are completely inactive and don't use the forums. They have everything at risk and they probably won't find out; suddenly their IPs are taken and they have no clue why, etc., etc.
  9. Fluffoon Retired Staff

    Indeed, that is why we will be:
  10. storm345 Retired Staff

    All passwords are very safe unless the password was weak. The passwords were hashed and salted and managed professionally. This leak differs greatly from the severity of more famous cases, such as Adobe's. Adobe were storing passwords in a pretty bad way, hence why there was an issue; we are storing passwords the universally accepted 'correct' way. If your password is decent it would take months if not years of powerful computing to brute-force it - and that is just one account.

    As for IPs, I don't think that is as serious as some people here are making out. Many ISPs (including mine) offer dynamic IPs by default anyways. What this means is that your IP changes every few days. On the internet your IP is basically an address for you so that other computers (e.g. a website) can send information to your PC. If you are worried or suspect you are being DDoSed then you can contact your ISP to get your IP changed - although personally I think the risk is very low. Any website you visit on the internet, unless you're using a proxy or VPN, can see your IP - it isn't as big of a deal as people here are trying to make out.

    As for the response time: When the attack happened we assessed the situation and considered in a worst-case scenario what the hacker would be able to do. Having done this, we decided that the attack was a low risk for our playerbase and so instead of causing panic by revealing the issue immediately, we took the time to make sure everything was re-secured and safe. Our response time, about 2 weeks, is well below what you see from other large companies regarding this type of issue.

    TL;DR: IMO a lot of people here are over-reacting to the issue.
  11. SamB440 Regular Member

    Ugh, not my IP; that's one of my important things since I'm hosting a little public stuff on it.
  12. HiriMc Platinum

    Just to know... have both EU and US been hacked, or just US? Because in the mail they were talking only about US...
  13. Navarr Councilor

    The database is shared between regions.
  14. Braiti Platinum

    Even if some people have been over-reacting, you have to realize some people have large sums of money in their PayPal accounts, and choosing to wait to let people know, even with the chances of the security breach being a low threat, could've still cost someone a lot of their money. If there's any chance of the security being breached you should've made sure to make everyone aware of it firsthand. It shouldn't take 2 weeks to get some sort of statement out even if you didn't have much info confirming how dangerous it was. I really think the last thing people want to be worrying about when playing on Shotbow is having their identity stolen.
  15. fondjp Media Partner

    Since I was listed as a Media Partner on the official Shotbow site, this doesn't mean I did something wrong, does it?

  16. sandstoner Platinum

    I can already imagine them logging in as lazertester to then make him write a thread about why Trump should be president or something.
  17. benyben27 Regular Member


    They said it is hashed, not encrypted. There is a very big difference..
    Anyway, because I don't know what algorithm they used and I don't know whether they used salts or not, it could be reversible using rainbow tables. (All hashing algorithms are one way btw)

    Why can't people use AES256...
  18. Navarr Councilor


    We use per-password salting and rigorous one-way hashing algorithms.

    I am routinely very serious about password protection - and Xenforo does not disappoint in that regard.

    Rainbow tables are wholly ineffective against our passwords.
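The thread raises three points that are easier to see in code than in prose: FroastJ's question of whether the salt is site-wide or per account, benyben27's concern about rainbow tables, and Navarr's reply that per-password salting makes them ineffective. The example below is an added illustration, not code from the Shotbow forum or from XenForo; the thread does not say which algorithm the forum actually uses, so PBKDF2-HMAC-SHA256 and the wordlist are assumptions. A plain dictionary of precomputed hashes stands in for a rainbow table (a real one compresses the same lookup with hash chains, but the effect of a salt on it is identical):

```python
# Added example (not code from the Shotbow thread or from XenForo): shows why a
# per-password random salt plus an iterated one-way hash defeats a precomputed
# hash lookup table, while unsalted or site-wide-salted hashes do not.
# PBKDF2-HMAC-SHA256 is an assumed, illustrative KDF.
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample wordlist standing in for an attacker's candidate passwords.
WEAK_PASSWORDS = ["password", "123456", "qwerty", "letmein", "minecraft"]


def unsalted_md5(password: str) -> str:
    """The storage scheme the thread jokes about ('inb4 unsalted md5')."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist, hash_fn: Callable[[str], str]) -> Dict[str, str]:
    """Precompute hash -> password once; reusable against every stored hash
    that was produced the same way (no salt, or one salt shared by all users)."""
    return {hash_fn(w): w for w in wordlist}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Dict[str, str]:
    """Per-password random salt + PBKDF2-HMAC-SHA256; returns a storable record."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh 128-bit salt for this one password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2_sha256", "iterations": str(iterations),
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if record["alg"] != "pbkdf2_sha256":
        raise ValueError("unsupported algorithm: " + record["alg"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), int(record["iterations"]))
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo(password: str = "letmein") -> Dict[str, object]:
    """Compare what a precomputed table recovers under each storage scheme."""
    site_salt = b"constructed-site-wide-salt"  # one fixed salt shared by every account
    md5_table = build_lookup_table(WEAK_PASSWORDS, unsalted_md5)
    site_table = build_lookup_table(
        WEAK_PASSWORDS, lambda w: hash_password(w, salt=site_salt)["hash"])
    per_user_a = hash_password(password)  # two accounts with the same password...
    per_user_b = hash_password(password)  # ...get different salts, so different hashes
    return {
        # unsalted MD5: one table cracks every account at once
        "md5_table_hit": md5_table.get(unsalted_md5(password)),
        # site-wide salt: a table built for that salt still cracks every account
        "site_salt_table_hit": site_table.get(hash_password(password, salt=site_salt)["hash"]),
        # per-password salt: the same table finds nothing; it would have to be
        # rebuilt per account, which is just a brute force of that one account
        "per_user_table_hit": site_table.get(per_user_a["hash"]),
        "same_password_same_hash": per_user_a["hash"] == per_user_b["hash"],
        "verify_ok": verify_password(password, per_user_a),
        "verify_wrong": verify_password("wrong", per_user_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `same_password_same_hash` result is the practical payoff of per-password salting that the thread's replies point at: identical passwords no longer produce identical stored values, so a leaked table cannot be matched against many accounts in one pass, and each account costs the attacker a full iterated brute force on its own.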
  19. kyaco Regular Member

    This is an important thread for all Shotbow players, so I translated the body into Japanese.
    I'm sorry for any mistranslations.

    Unfortunately, before the migration of the US servers, unauthorized access to Shotbow occurred.

    These credentials allowed intrusion into most of Shotbow's infrastructure (including access to Shotbow server files and the database).

    In addition, we moved the US server migration forward in order to cut off the opportunity for further attacks.

    - Hashed Shotbow.net passwords
    - IP addresses

    Payment information is processed through a third party, Buycraft, and should not be affected by this unauthorized access.

    In summary, we do not believe Shotbow.net passwords are at risk, but we recommend changing your password anywhere you think you used the same one.
    In general, it is recommended to use different passwords for the Shotbow.net forums and for other sites.
    In particular, the passwords you use for Shotbow.net and for Mojang should be different, in case of a leak from either one.

    With this unauthorized access and the subsequent server migration, we have upgraded our security protocols to the latest industry best practices, and have commissioned an evaluation and improvement of these protocols over the coming months and years.
    (I'm not sure what "industry best-practices" means.)

    We will notify all Shotbow.net players about this matter by e-mail.
  20. Wun Gold

    Was going to say 'inb4 unsalted md5', but you ruined the joke. In all seriousness, though, you say the attack was through a vulnerability in Buycraft? Because this isn't on your end, how can you be sure this won't happen again?

