Important: Gmc Hacked....Please Read!


  • This topic is locked
186 replies to this topic

#1 Mike.Dailly

Mike.Dailly

    Evil YoYo Games Employee

  • Administrators
  • 4151 posts
  • Version:GM:Studio

Posted 18 March 2013 - 04:46 PM


So turns out the root of our problems was that the GMC has been hacked again, but it appears to be more serious this time than just inserting an Ad. Someone has managed to install a password logger by modifying some root IPB forum files. We've now (obviously) removed this but in the process discovered the "log.txt" file they were using, complete with lots of usernames and passwords. Because they managed to hack the actual PHP files, they didn't need to decode anyone's password from the SQL database (where everything is stored encoded), they simply recorded every attempt at a login - good and bad. They didn't get access to the core server, just the forums sub folder via a PHP hack.
 
We don't know how long this has been active, or if they ever downloaded it, but to be safe, I'd assume ALL usernames and passwords used on here are now known by someone else, so you should change your passwords as soon as possible. While the GMC server has no sensitive information on it (addresses, credit card info etc.), if you use this password elsewhere, you may want to change that as well.
 
To change your password here, go to your profile by clicking on your user name at the top right, then choosing "My Settings". From here, you will be taken to "Profile Settings" and can then select "Email & Password" just below.
 
[icu edit]
Clear the two top default fields, the email field that may have your user name in it instead of an email, and the first password field with all the *****, only fill the 3 bottom ones.
[/edit]
 
We have locked down the method they used to get in, and upgraded the forums in order to remove known IPB vulnerabilities, and will look to see if we can automate some checking so we can detect this ourselves long before they get real access.
 
You should always assume that anything contained on the GMC isn't safe, as I've previously mentioned, PM's can be sent to folk you don't know about...
 
We're sorry about this, but hope that with a quick password change, you can be up and running again.
 
 
 
Lastly... with the upgrade, the "skin" is also needing work, so for now we've reverted to the original, and we'll fix it up in the next week or so - GDC has priority for now.

  • 14

#2 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 639 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:01 PM

Thanks for being open about this and not trying to cover it up. Just changed my password.


  • 0

#3 The Legend

The Legend

    Unashamed

  • GMC Member
  • 1128 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:02 PM

Tried to change my password but it keeps saying I need to complete the entire form. Does that mean I have to change the email for the account too?


  • 0

#4 Braffolk

Braffolk

    Lumenus Team

  • GMC Member
  • 857 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:03 PM

meh?


  • -1

#5 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 639 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:04 PM

Tried to change my password but it keeps saying I need to complete the entire form. Does that mean I have to change the email for the account too?

I didn't need to, I only filled in my Current password, and then my New password twice.


  • 0

#6 cantavanda

cantavanda

    GMC Member

  • Banned Users
  • 994 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:04 PM

****************!! They ****ing tricked me in giving my password!!! I knew the gmc was doing weird but I didn't know it was a hacker!!!  :verymad:  :verymad:  :verymad:  :verymad:



#7 trg601

trg601

    Mutantbrain Games

  • GMC Member
  • 406 posts
  • Version:GM8.1

Posted 18 March 2013 - 05:04 PM

Thank you too :D

 

#the legend I have the same problem.


  • 0

#8 leegamestudios

leegamestudios

    GMC Member

  • GMC Member
  • 116 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:08 PM

I'm having the same problem with having to fill out the whole form, and when I do it says it doesn't match.

 

- Aidan


  • 0

#9 xlordt_97248

xlordt_97248

    GMC Member

  • GMC Member
  • 156 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:10 PM

I use twitter to login... so I never really have the need to login to the actual GM site... also I am guessing they used pharma hack.... good to be back though.. thanks :)


  • 0

#10 FatalSleep

FatalSleep

    FatalSheep?

  • GMC Member
  • 3421 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:10 PM

Well awesome that we have been notified about this.

However, it's kind of a pain that the GMC would end up

hacked... again.


  • -1

#11 MishMash

MishMash

    GMC Member

  • GMC Member
  • 889 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:11 PM

Not even sure which one of my many passwords I used on this site :S!


  • 0

#12 Poltroon

Poltroon

    GMC Member

  • GMC Member
  • 179 posts
  • Version:Unknown

Posted 18 March 2013 - 05:13 PM

Same, not sure which password I used here, how do we find out?


  • 0

#13 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 639 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:17 PM

Same, not sure which password I used here, how do we find out?

Theoretically, you could use the forgotten password method to reset it if you still have access to your email address.


  • 0

#14 Mr. RPG

Mr. RPG

    GMC's Forum Troll

  • GMC Member
  • 3150 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:19 PM

So does this mean that pesky bug where it emailed you twice about a notification is fixed now? :P

 

Edit: Also, I noticed everyone's avatars are gone. Was this because of the forum upgrade?


Edited by Mr. RPG, 18 March 2013 - 05:21 PM.

  • 0

#15 Yambam

Yambam

    GMC Member

  • GMC Member
  • 634 posts
  • Version:GM8

Posted 18 March 2013 - 05:19 PM

I can't change the password on the sandbox, or I don't get an email containing the new password. :(


  • 0

#16 RedChu

RedChu

    Demented Misanthrope

  • Global Moderators
  • 334 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:20 PM

For those getting the "complete all forms" error, make sure that none of the forms but the 3 current and new password forms at the bottom are filled.


  • 0

#17 xlordt_97248

xlordt_97248

    GMC Member

  • GMC Member
  • 156 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:22 PM

btw, just curious why not change forum?


  • 0

#18 Mike.Dailly

Mike.Dailly

    Evil YoYo Games Employee

  • Administrators
  • 4151 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:22 PM

Just ignore the top half of the form, and do the lower part that asks for your old password, and the new one twice.


  • 0

#19 trg601

trg601

    Mutantbrain Games

  • GMC Member
  • 406 posts
  • Version:GM8.1

Posted 18 March 2013 - 05:25 PM

Hey I figured out how to get it to work correctly!

 

Just clear the new email area and complete the password section :D


  • 2

#20 Stratadox

Stratadox

    GMC Member

  • GMC Member
  • 836 posts
  • Version:Unknown

Posted 18 March 2013 - 05:30 PM

Ouch, that's pretty bad. They stole all plaintext passwords.... It's only a few days ago that I had this discussion about how unsafe it is to send plaintext passwords all the time on a login and how we should encrypt them before actually sending them.


  • 0

#21 Poltroon

Poltroon

    GMC Member

  • GMC Member
  • 179 posts
  • Version:Unknown

Posted 18 March 2013 - 05:30 PM

Could someone clarify what the OP meant by 'PM's can be sent to folk you don't know about' please?


  • 0

#22 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 639 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:39 PM

Could someone clarify what the OP meant by 'PM's can be sent to folk you don't know about' please?

I believe there was a bug some time back where PM's would sometimes get accidentally sent to random people. Never experienced it and this is only what I've heard from others, so I could very well be wrong.


  • 0

#23 ElectroMan

ElectroMan

    The Electricized Guy

  • GMC Member
  • 266 posts
  • Version:GM8.1

Posted 18 March 2013 - 05:43 PM

Oh boy, having flashbacks.


  • 5

#24 joepie91

joepie91

    GMC Member

  • GMC Member
  • 203 posts

Posted 18 March 2013 - 05:51 PM

Ouch, that's pretty bad. They stole all plaintext passwords.... It's only a few days ago that I had this discussion about how unsafe it is to send plaintext passwords all the time on a login and how we should encrypt them before actually sending them.

 

No, you shouldn't. The server was compromised, which means that even if you encrypted passwords before sending them (which would be very unreliable in the first place), they would have to be decrypted server-side, thereby defeating the point of encrypting them - after all, the server was what was compromised.

 

Honestly, once the receiving server is compromised, there really aren't any technical measures you can take to keep things secure. The only way to mitigate this risk is by using unique passwords for every service you use, as a user. Think KeePass.


  • 1

#25 cantavanda

cantavanda

    GMC Member

  • Banned Users
  • 994 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:52 PM

Help me! They were like 'The GMC is under maintenance, please sign in' so I gave my password and email so now the hackers know it! And it's also the password of all the forums I'm on, my email and my youtube!! :'(



#26 commander of games

commander of games

    Kaos Kreator

  • GMC Member
  • 2883 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:53 PM

Help me! They were like 'The GMC is under maintenance, please sign in' so I gave my password and email so now the hackers know it! And it's also the password of all the forums I'm on, my email and my youtube!! :'(

Change your password and email as instructed in the first post.


  • 0

#27 cantavanda

cantavanda

    GMC Member

  • Banned Users
  • 994 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:54 PM

But it's already hours ago so too late!



#28 roytheshort

roytheshort

    The Village Idiot

  • GMC Member
  • 440 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:54 PM

I haven't been logging in the past few weeks because I've already been logged in and have not used a login form since. Am I safe?

 

Also, when do the themes return?


Edited by roytheshort, 18 March 2013 - 05:56 PM.

  • 0

#29 ElectroMan

ElectroMan

    The Electricized Guy

  • GMC Member
  • 266 posts
  • Version:GM8.1

Posted 18 March 2013 - 05:56 PM

Oh yes, I was about to ask that same thing. Do you guys know the exact or just more or less precise date they started receiving the passwords from the server?


  • 0

#30 NakedPaulToast

NakedPaulToast

    GM Studio/Mac/Win

  • GMC Member
  • 8357 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:57 PM

Ouch, that's pretty bad. They stole all plaintext passwords.... It's only a few days ago that I had this discussion about how unsafe it is to send plaintext passwords all the time on a login and how we should encrypt them before actually sending them.

 

No, you shouldn't. The server was compromised, which means that even if you encrypted passwords before sending them (which would be very unreliable in the first place), they would have to be decrypted server-side, thereby defeating the point of encrypting them - after all, the server was what was compromised.

 

Honestly, once the receiving server is compromised, there really aren't any technical measures you can take to keep things secure. The only way to mitigate this risk is by using unique passwords for every service you use, as a user. Think KeePass.

No, this is not how passwords are stored.

 

Typically the client accepts the plain text password, it then encrypts the password and sends the encrypted password. On the server the plain text password is never stored, but rather the previously saved encrypted password.

 

The encrypted password transmitted is compared to the saved encrypted password.


  • 0



