
[Security] Data Breach and Information Leak

Discussion in 'Announcements' started by Navarr, May 9, 2016.

  1. stuntguy3000 Platinum

    XP:
    24,548xp
    Why has a required forum password reset not been issued?

  2. Navarr Councilor

    XP:
    1,333,433xp

    This was not a vulnerability through Buycraft. It was through a separate third party service unrelated to Shotbow.

    The credentials that were leaked have been revoked (and all credentials exposed through access have been revoked and changed), and we've updated our policies so that such credentials cannot leak in such a manner ever again.


    We do not believe there to be risk in your password being compromised, nor do we believe there is any risk to your forum account. If these were unsalted hashed passwords or plaintext passwords we would be treating the situation very differently.
    Tonkotsuramen921 and DutchBartje like this.
  3. ItzKaspian Platinum

    XP:
    947,712xp
    They may only have your MC password if it is the same as your Shotbow.net password.
  4. FireKnight1483 Platinum

    XP:
    948,262xp
    What do you call this then?!?
  5. furret780 Regular Member

    XP:
    3,478xp
    Y'all need to calm the hell down. They're basically pinning their reputation on the fact the passwords aren't going to be compromised, so I don't see any reason to doubt them.
  6. weco_paul Regular Member

    XP:
    3,692xp
    Did emails also get leaked?
  7. Navarr Councilor

    XP:
    1,333,433xp

    Email addresses, being part of your forum information, are part of the data in the hands of the attacker.
    Tonkotsuramen921 likes this.
  8. 1adog1 Gold

    XP:
    12,057xp
    Although a mandatory password reset is standard for any kind of information leak, if the passwords were protected in the way Navarr has described, they are either at very little risk of being discovered, or were not the target of the hack in the first place. The longer the password you used, the longer a brute force attack would take to succeed (a good password can take years to crack in this manner). Given this, it could literally take lifetimes to crack the tens of thousands of passwords that were leaked.

    Stack Exchange actually has a very good post on why hash algorithms are so hard to reverse here:
    http://security.stackexchange.com/q...f-i-know-the-algorithm-why-cant-i-calculate-t
  9. Braiti Platinum

    XP:
    87,241xp
    You're right. We need to calm down. Sure your Paypal account may have been hacked into and your money could've been stolen, but we need to calm down. Your internet IP is in the hands of a complete stranger without you knowing, but we need to calm down. Your Shotbow account could be hacked into without you knowing, but we need to calm down.

    Seriously Shotbow could've avoided this if they bothered to let us know the second they found out about the security breach. ._.
    Tonkotsuramen921 likes this.
  10. 1adog1 Gold

    XP:
    12,057xp
    They said PayPal info wasn't hacked, and an IP can literally be changed in less than an hour (with or without your ISP's help). See my above statement regarding the passwords.
  11. Navarr Councilor

    XP:
    1,333,433xp

    As 1adog1 stated, our passwords are heavily encrypted. Unless your password is a dictionary word it would take far too long to crack for your Paypal to be at any significant risk.
    Tonkotsuramen921 likes this.
  12. 1adog1 Gold

    XP:
    12,057xp
    Oh, and on an unrelated note, the emails you sent out are being automatically put into the spam folder by Gmail. Not sure about other email services.
  13. furret780 Regular Member

    XP:
    3,478xp
    They have our IP addresses. Useless really, what, they're going to DDoS tens of thousands (or however many people play the server) of people for no reason? The passwords are protected, no need to worry on those. The only significant enough thing is really the forum info, they can sell our emails to some spammers but who cares about that.
  14. Navarr Councilor

    XP:
    1,333,433xp
    This thread is not for discussion back and forth, it is for additional questions.

    Please keep the thread clean so that we can handle additional questions and concerns.
    Tonkatsu129 likes this.
  15. storm345 Retired Staff

    XP:
    632,098xp
    I understand your concerns. However, Buycraft is totally separate from our Shotbow systems, so the only way the attacker could get any payment info would be if you'd posted it on the forums, or, in the case of PayPal, had a ludicrously insecure password the same as your shotbow.net account.
    Tonkotsuramen921 likes this.
  16. weco_paul Regular Member

    XP:
    3,692xp

    If the breach happened about 2-3 days ago, then I know why I am getting so much spam.
    And were the emails at least encrypted? I guess not.
  17. SpaceWarp Emerald

    XP:
    118,168xp
    Will Shotbow be providing advice or a list of recommended applications to change/secure your IP?
    EDIT: Will a list of recommended password locker applications be released?
    Disappointed this wasn't released earlier, as my Shotbow forum password and PayPal password are close to each other and I could have lost a lot of money. But thank you to the dev team for taking steps to ensure this won't happen again!!
    Tonkotsuramen921 and Fluffoon like this.
  18. xcube Regular Member

    XP:
    40,197xp
    Why is everyone crazy about their IP address?
    If you browse the web, every website/database/ad system that you connect to KNOWS YOUR IP!

    Now... the real problem is the email addresses being leaked! (spear phishing scams)
    If the hacker used the breached information to email you it might look something like this...

    ##### example phishing email #####
    Dear <insert your minecraft username here>.
    Your Minecraft account is expiring due to inactivity!
    Please verify your account here.
    (where "here" is a link to an attack site asking for your minecraft password)
    ##### end of example email #####

    NOTE: The real thing may be even more convincing, look out!

    Now stop complaining about IPs being leaked, we have bigger problems. :)
    DutchBartje, Mistri, Sam_F_ and 6 others like this.
  19. 1adog1 Gold

    XP:
    12,057xp
    This is probably the most valid concern here. That being said though, if you use any kind of reputable email service (Not Yahoo, school, or ISP basically), any message of this kind will get filtered out relatively quickly. What's more likely is that this info was sold to companies for advertising (an unfortunately common occurrence). That would be the most quick and simple way to gain money from this.
    xcube and Fluffoon like this.
  20. ThePandemos Platinum

    XP:
    30,182xp
    THEY BETTER NOT TAKE MY SHINY AWAY
    Tonkotsuramen921 likes this.
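
The thread's two technical claims, that salted hashes are a different situation from unsalted ones and that a dictionary-word password is still at risk, can be checked with a short defender-side audit. This is an added example, not code from Shotbow or from any poster; the thread does not name the forum's hashing algorithm, so PBKDF2-HMAC-SHA256, the iteration count, the user names and the wordlist are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor; the thread does not state the real one

def unsalted(password: str) -> str:
    # Plain unsalted hash: identical passwords always give identical output.
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password: str, salt: bytes) -> bytes:
    # Salted, iterated derivation: the output depends on the per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> dict:
    salt = os.urandom(16)  # fresh random salt per account
    return {"salt": salt, "hash": salted(password, salt)}

def audit(store: dict, wordlist: list) -> dict:
    """Flag accounts whose password is in the wordlist.

    Because of the salt, every (account, word) pair needs its own full
    derivation; nothing can be precomputed or shared between accounts.
    """
    weak, derivations = [], 0
    for user, rec in store.items():
        for word in wordlist:
            derivations += 1
            if hmac.compare_digest(salted(word, rec["salt"]), rec["hash"]):
                weak.append(user)
                break
    return {"weak": weak, "derivations": derivations}

# Constructed sample data (not from the breach).
USERS = {"alice": "dragon", "bob": "dragon", "carol": "v9#Lq2!xTz7mRw4p"}
WORDLIST = ["password", "minecraft", "dragon", "letmein"]

def demo() -> dict:
    unsalted_store = {u: unsalted(p) for u, p in USERS.items()}
    salted_store = {u: make_record(p) for u, p in USERS.items()}
    return {
        "unsalted_collision": unsalted_store["alice"] == unsalted_store["bob"],
        "salted_collision": salted_store["alice"]["hash"] == salted_store["bob"]["hash"],
        "audit": audit(salted_store, WORDLIST),
    }

if __name__ == "__main__":
    print(demo())
```

The two accounts sharing a dictionary word are flagged even with salting, while the long random password is not, which is why reusing a weak forum password elsewhere remains the practical risk.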
