
Important: Gmc Hacked....Please Read!


  • This topic is locked
185 replies to this topic

#1 Mike.Dailly

Mike.Dailly

    Evil YoYo Games Employee

  • Administrators
  • 4579 posts
  • Version:GM:Studio

Posted 18 March 2013 - 04:46 PM


So turns out the root of our problems was that the GMC has been hacked again, but it appears to be more serious this time than just inserting an Ad. Someone has managed to install a password logger by modifying some root IPB forum files. We've now (obviously) removed this but in the process discovered the "log.txt" file they were using, complete with lots of usernames and passwords. Because they managed to hack the actual PHP files, they didn't need to decode anyone's password from the SQL database (where everything is stored encoded), they simply recorded every attempt at a login - good and bad. They didn't get access to the core server, just the forums sub folder via a PHP hack.
 
We don't know how long this has been active, or if they ever downloaded it, but to be safe, I'd assume ALL username and passwords used on here are now known by someone else, so you should change your passwords as soon as possible. While the GMC server has no sensitive information on it ( addresses, credit card info etc.), if you use this password elsewhere, you may want to change that as well.
 
To change your password here, go to your profile by clicking on your user name at the top right, then choosing "My Settings". From here, you will be taken to "Profile Settings" and can then select "Email & Password" just below.
 
[icu edit]
Clear the two top default fields, the email field that may have your user name in it instead of an email, and the first password field with all the *****, only fill the 3 bottom ones.
[/edit]
 
We have locked down the method they used to get in, and upgraded the forums in order to remove known IPB vulnerabilities, and will look to see if we can automate some checking so we can detect this ourselves long before they get real access.
 
You should always assume that anything contained on the GMC isn't safe, as I've previously mentioned, PM's can be sent to folk you don't know about...
 
We're sorry about this, but hope that with a quick password change, you can be up and running again.
 
 
 
Lastly... with the upgrade, the "skin" is also needing work, so for now we've reverted to the original, and we'll fix it up in the next week or so - GDC has priority for now.

  • 14

#2 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 640 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:01 PM

Thanks for being open about this and not trying to cover it up. Just changed my password.


  • 0

#3 The Legend

The Legend

    Unashamed

  • GMC Member
  • 1132 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:02 PM

Tried to change my password but it keeps saying I need to complete the entire form. Does that mean I have to change the email for the account too?


  • 0

#4 Braffolk

Braffolk

    Lumenus Team

  • GMC Member
  • 915 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:03 PM

meh?


  • -1

My main project ^o^ 2Volution http://gmc.yoyogames...opic=643861&hl=


#5 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 640 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:04 PM

Tried to change my password but it keeps saying I need to complete the entire form. Does that mean I have to change the email for the account too?

I didn't need to, I only filled in my Current password, and then my New password twice.


  • 0

#6 cantavanda

cantavanda

    Flower Princess

  • GMC-Member
  • 1025 posts
  • Version:GM8

Posted 18 March 2013 - 05:04 PM

****************!! They ****ing tricked me in giving my password!!! I knew the gmc was doing weird but I didn't know it was a hacker!!!  :verymad:  :verymad:  :verymad:  :verymad:


  • -8



#7 trg601

trg601

    Mutantbrain Games

  • GMC Member
  • 451 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:04 PM

Thank you too :D

 

#the legend I have the same problem.


  • 0

Some of my games:
 
 
Also check out Mutantbrain! (My website)


#8 leegamestudios

leegamestudios

    GMC Member

  • GMC Member
  • 116 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:08 PM

I'm having the same problem with having to fill out the whole form, and when I do it says it doesn't match.

 

- Aidan


  • 0

#9 xlordt_97248

xlordt_97248

    GMC Member

  • GMC Member
  • 156 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:10 PM

I use twitter to login... so I never really have the need to login to the actual GM site... also I am guessing they used pharma hack.... good to be back though.. thanks :)


  • 0

#10 FatalSleep

FatalSleep

    FatalSheep?

  • GMC Member
  • 3672 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:10 PM

Well awesome that we have been notified about this.

However, it's kind of a pain that the GMC would end up hacked... again.


  • -1

 Ask Me GM Questions Fast! Ask Me GM Questions!

Learning About Networking? Networking Tutorial

Need Networking Scripts? Networking Framework

Need A C# Based Server? Networking GML & C#


#11 MishMash

MishMash

    GMC Member

  • GMC Member
  • 1020 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:11 PM

Not even sure which one of my many passwords I used on this site :S!


  • 0



#12 Poltroon

Poltroon

    GMC Member

  • GMC Member
  • 179 posts
  • Version:Unknown

Posted 18 March 2013 - 05:13 PM

Same, not sure which password I used here, how do we find out?


  • 0

#13 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 640 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:17 PM

Same, not sure which password I used here, how do we find out?

Theoretically, you could use the forgotten password method to reset it if you still have access to your email address.


  • 0

#14 Mr. RPG

Mr. RPG

    GMC's Forum Troll

  • GMC Member
  • 3174 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:19 PM

So does this mean that pesky bug where it emailed you twice about a notification is fixed now? :P

 

Edit: Also, I noticed everyone's avatars are gone. Was this because of the forum upgrade?


Edited by Mr. RPG, 18 March 2013 - 05:21 PM.

  • 0

#15 Yambam

Yambam

    GMC Member

  • GMC Member
  • 646 posts
  • Version:GM8

Posted 18 March 2013 - 05:19 PM

I can't change the password on the sandbox, or I don't get a email containing the new password. :(


  • 0


If you have any problems with GameMaker, you can PM me. ;D


#16 RedChu

RedChu

    Demented Misanthrope

  • GMC Elder
  • 334 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:20 PM

For those getting the "complete all forms" error, make sure that none of the forms but the 3 current and new password forms at the bottom are filled.


  • 0

#17 xlordt_97248

xlordt_97248

    GMC Member

  • GMC Member
  • 156 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:22 PM

btw, just curious why not change forum?


  • 0

#18 Mike.Dailly

Mike.Dailly

    Evil YoYo Games Employee

  • Administrators
  • 4579 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:22 PM

Just ignore the top half of the form, and do the lower part that asks for your old password, and the new one twice.


  • 0

#19 trg601

trg601

    Mutantbrain Games

  • GMC Member
  • 451 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:25 PM

Hey I figured out how to get it to work correctly!

 

just clear the new email area and complete the password section :D


  • 2

Some of my games:
 
 
Also check out Mutantbrain! (My website)


#20 Stratadox

Stratadox

    GMC Member

  • GMC Member
  • 836 posts
  • Version:Unknown

Posted 18 March 2013 - 05:30 PM

Ouch, that's pretty bad. They stole all plaintext passwords.... It's only a few days ago that I had this discussion about how unsafe it is to send plaintext passwords all the time on a login and how we should encrypt them before actually sending them.


  • 0

#21 Poltroon

Poltroon

    GMC Member

  • GMC Member
  • 179 posts
  • Version:Unknown

Posted 18 March 2013 - 05:30 PM

Could someone clarify what the OP meant by 'PM's can be sent to folk you don't know about' please?


  • 0

#22 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 640 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:39 PM

Could someone clarify what the OP meant by 'PM's can be sent to folk you don't know about' please?

I believe there was a bug some time back where PM's would sometimes get accidentally sent to random people. Never experienced it and this is only what I've heard from others, so I could very well be wrong.


  • 0

#23 ElectroMan

ElectroMan

    Jack of No Trades

  • GMC Member
  • 267 posts
  • Version:GM8.1

Posted 18 March 2013 - 05:43 PM

Oh boy, having flashbacks.


  • 5



#24 joepie91

joepie91

    GMC Member

  • GMC Member
  • 203 posts

Posted 18 March 2013 - 05:51 PM

Ouch, that's pretty bad. They stole all plaintext passwords.... It's only a few days ago that I had this discussion about how unsafe it is to send plaintext passwords all the time on a login and how we should encrypt them before actually sending them.

 

No, you shouldn't. The server was compromised, which means that even if you encrypted passwords before sending them (which would be very unreliable in the first place), they would have to be decrypted server-side, thereby defeating the point of encrypting them - after all, the server was what was compromised.

 

Honestly, once the receiving server is compromised, there really aren't any technical measures you can take to keep things secure. The only way to mitigate this risk is by using unique passwords for every service you use, as a user. Think KeePass.


  • 1

#25 cantavanda

cantavanda

    Flower Princess

  • GMC-Member
  • 1025 posts
  • Version:GM8

Posted 18 March 2013 - 05:52 PM

Help me! They were like 'The GMC is under maintenance, please sign in' so I gave my password and email so now the hackers know it! And it's also the password of all the forums I'm on, my email and my youtube!! :'(


  • 0



#26 commander of games

commander of games

    Kaos Kreator

  • GMC Member
  • 2883 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:53 PM

Help me! They were like 'The GMC is under maintenance, please sign in' so I gave my password and email so now the hackers know it! And it's also the password of all the forums I'm on, my email and my youtube!! :'(

Change your password and email as instructed in the first post.


  • 0



#27 cantavanda

cantavanda

    Flower Princess

  • GMC-Member
  • 1025 posts
  • Version:GM8

Posted 18 March 2013 - 05:54 PM

But it's already hours ago so too late!


  • 0



#28 roytheshort

roytheshort

    The Village Idiot

  • GMC Member
  • 455 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:54 PM

I haven't been logging in the past few weeks because I've already been logged in and have not used a login form since. Am I safe?

 

Also, when do the themes return?


Edited by roytheshort, 18 March 2013 - 05:56 PM.

  • 0

Clowns


#29 ElectroMan

ElectroMan

    Jack of No Trades

  • GMC Member
  • 267 posts
  • Version:GM8.1

Posted 18 March 2013 - 05:56 PM

Oh yes, I was about to ask that same thing. Do you guys know the exact or just more or less precise date they started receiving the passwords from the server?


  • 0



#30 NakedPaulToast

NakedPaulToast

    GM Studio/Mac/Win

  • GMC Member
  • 8528 posts
  • Version:GM:Studio

Posted 18 March 2013 - 05:57 PM

Ouch, that's pretty bad. They stole all plaintext passwords.... It's only a few days ago that I had this discussion about how unsafe it is to send plaintext passwords all the time on a login and how we should encrypt them before actually sending them.

 

No, you shouldn't. The server was compromised, which means that even if you encrypted passwords before sending them (which would be very unreliable in the first place), they would have to be decrypted server-side, thereby defeating the point of encrypting them - after all, the server was what was compromised.

 

Honestly, once the receiving server is compromised, there really aren't any technical measures you can take to keep things secure. The only way to mitigate this risk is by using unique passwords for every service you use, as a user. Think KeePass.

No, this is not how passwords are stored.

 

Typically the client accepts the plain text password, it then encrypts the password and sends the encrypted password. On the server the plain text password is never stored, but rather the previously saved encrypted password.

 

The encrypted password transmitted is compared to the saved encrypted password.


  • 0



#31 cantavanda

cantavanda

    Flower Princess

  • GMC-Member
  • 1025 posts
  • Version:GM8

Posted 18 March 2013 - 05:59 PM

I hope that when they put the other themes back, they keep this one. I like it  :thumbsup:

No it's sucky!


  • 0



#32 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 640 posts
  • Version:GM:Studio

Posted 18 March 2013 - 06:01 PM

But it's already hours ago so too late!

Calm down, unless you have noticed someone on your account, there is nothing to fret about.

Go to each account that you use that password on, and change the password, giving each one a unique password. I would recommend using a password storing tool to help you keep track of them.

Again, unless someone has specifically been on your profile, there is nothing to catastrophize about. Just change your passwords.


  • 0

#33 roytheshort

roytheshort

    The Village Idiot

  • GMC Member
  • 455 posts
  • Version:GM:Studio

Posted 18 March 2013 - 06:02 PM

I've changed my password anyway. Only needed one changed. Everything is linked to my e-mail which has 20 completely random characters. Good thing about multiple passwords.


  • 0

Clowns


#34 commander of games

commander of games

    Kaos Kreator

  • GMC Member
  • 2883 posts
  • Version:GM:Studio

Posted 18 March 2013 - 06:04 PM

But it's already hours ago so too late!

No, it's not. If you still have access to your account (and you obviously do), you can still change the password and email. They'll know what your old password and email was, but those will no longer be relevant to your account if you change it.

 

It will only be too late once they log into your account and change your password.


  • 0



#35 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 640 posts
  • Version:GM:Studio

Posted 18 March 2013 - 06:05 PM

It will only be too late once they log into your account and change your password.

And even then, if you contact support, most websites can help you regain access to your account.


  • 0

#36 cantavanda

cantavanda

    Flower Princess

  • GMC-Member
  • 1025 posts
  • Version:GM8

Posted 18 March 2013 - 06:06 PM

I won't let that **** happen!


  • -4



#37 theweirdn8

theweirdn8

    Unrivaled Legend

  • GMC Member
  • 4108 posts
  • Version:GM8.1

Posted 18 March 2013 - 06:09 PM

Woah, this is crazy!


  • 0

[My milkshake brings all the boys to the yard]




#38 joepie91

joepie91

    GMC Member

  • GMC Member
  • 203 posts

Posted 18 March 2013 - 06:10 PM

 

Ouch, that's pretty bad. They stole all plaintext passwords.... It's only a few days ago that I had this discussion about how unsafe it is to send plaintext passwords all the time on a login and how we should encrypt them before actually sending them.

 

No, you shouldn't. The server was compromised, which means that even if you encrypted passwords before sending them (which would be very unreliable in the first place), they would have to be decrypted server-side, thereby defeating the point of encrypting them - after all, the server was what was compromised.

 

Honestly, once the receiving server is compromised, there really aren't any technical measures you can take to keep things secure. The only way to mitigate this risk is by using unique passwords for every service you use, as a user. Think KeePass.

No, this is not how passwords are stored.

 

Typically the client accepts the plain text password, it then encrypts the password and sends the encrypted password. On the server the plain text password is never stored, but rather the previously saved encrypted password.

 

The encrypted password transmitted is compared to the saved encrypted password.

 

Uh, no, that's not how it works. When you enter your password on a typical site, it will either be sent in plaintext (when using HTTP) or in encrypted form (when using HTTPS), and decrypted by the receiving server (when using HTTPS). The forum/blog/etc. software then hashes (this is not encryption, it's hashing!) your password and stores it in the database. The server will always see your password in plaintext before it hashes and stores it.


  • 0

#39 Stratadox

Stratadox

    GMC Member

  • GMC Member
  • 836 posts
  • Version:Unknown

Posted 18 March 2013 - 06:21 PM

 

Ouch, that's pretty bad. They stole all plaintext passwords.... It's only a few days ago that I had this discussion about how unsafe it is to send plaintext passwords all the time on a login and how we should encrypt them before actually sending them.

 

No, you shouldn't. The server was compromised, which means that even if you encrypted passwords before sending them (which would be very unreliable in the first place), they would have to be decrypted server-side, thereby defeating the point of encrypting them - after all, the server was what was compromised.

 

Honestly, once the receiving server is compromised, there really aren't any technical measures you can take to keep things secure. The only way to mitigate this risk is by using unique passwords for every service you use, as a user. Think KeePass.

No, this is not how passwords are stored.

 

Typically the client accepts the plain text password, it then encrypts the password and sends the encrypted password. On the server the plain text password is never stored, but rather the previously saved encrypted password.

 

The encrypted password transmitted is compared to the saved encrypted password.

 

What NPT says. There's no decrypting passwords, that wouldn't make sense. The idea is to encrypt passwords in such a way they cannot be decrypted, only replicated.

Usually the client sends out a plain text password, then the server encrypts hashes it with some salt and compares the hash. If the hash equals the stored hash, the password is considered correct and the user can log in.

What happened today is pretty bad: they compromised the script that takes the plain text password and encrypts hashes it; before encrypting hashing they steal the password.

If the stored password is a hash of the password and the salt, it can also be a hash of the hash of the password with the salt. Or, better still, the hash of the hash of the salted password with salt. This may result in very salty hash (becoming rather unsmokable) but works without decrypting and even a man in the middle would only get a salted hash - even if it's only half as salty as it is stored in the database it requires some extra brute force attack to get the plain text passwords as opposed to the current method of plain text theft.

 

To make password theft even tougher, a user-unique salt could be used so that no common salt can be deducted and the brute forcing would be way tougher and can lead to multiple sense-making outputs, confusing any intruder.

These modifications could, by the way, be handled uniquely by the client, no changes to the forum software would be required. Maybe I should learn how to make firefox plugins.

 

Edit: Don't mind the wording, I meant hashing indeed.


Edited by Stratadox, 18 March 2013 - 06:26 PM.

  • 0

#40 cantavanda

cantavanda

    Flower Princess

  • GMC-Member
  • 1025 posts
  • Version:GM8

Posted 18 March 2013 - 06:24 PM

When I find the idiot who did this I'm gonna eat him like a cheeseburger!


  • -3



#41 Mike.Dailly

Mike.Dailly

    Evil YoYo Games Employee

  • Administrators
  • 4579 posts
  • Version:GM:Studio

Posted 18 March 2013 - 06:26 PM

Okay... the way IPBoard login appears to work, is that plain text is sent, but it's encrypted server side and then compared with the stored (and encrypted) password.

 

Of course... even if the client sent an encoded password, the value that was encoded and sent could still be used to login, as that's the value the server would be waiting on. So simply by hacking the login page, you could send an encoded value, rather than text that was then encoded - so they could still use that string as a valid login. Even SSL certificates wouldn't work here, as the hack was server side - once all the data was received. I suspect what you SHOULD do.... is have a unique encryption string that is used "per session", and is unique to you, and this time you've logged in.

 

But they don't.....

 

As to why we don't swap.... The GMC has a large historic database, and we need to keep that, so importing it might be an issue. But to be honest, ANY popular forum will be subject to hackers because....well, it's popular. Catch 22 really.


  • 1
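A worked illustration of the three login flows argued over in posts #38, #39 and #41, added here and not part of the forum or IPB's code: server-side hashing (A), Stratadox's client-side salted hash with the server storing the hash of the hash (B), and Mike's per-session value (C), each run through a login handler that records what it receives, as the tampered script did. The function names, the PBKDF2 settings and the sample user are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITER = 50_000  # PBKDF2 round count for the demo; an assumption, not IPB's real setting


def prehash(password: str, salt: bytes) -> bytes:
    """Salted password hash: computed server-side in scheme A, client-side in B and C."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)


# Scheme A: the flow Mike describes for IPB. Plaintext arrives; the server hashes and compares.
# `log` stands in for the tampered login script's log.txt: it records whatever the handler sees.
def login_a(store, log, user, password):
    log.append(password)
    salt, verifier = store[user]
    return hmac.compare_digest(prehash(password, salt), verifier)


# Scheme B: Stratadox's proposal. The client sends prehash(password, salt); the server stores
# sha256(prehash) ("the hash of the hash") and compares against that.
def login_b(store, log, user, client_value):
    log.append(client_value)
    _, verifier = store[user]
    return hmac.compare_digest(hashlib.sha256(client_value).digest(), verifier)


# Scheme C: Mike's "unique per session" value. The server issues a fresh nonce and the client
# answers HMAC(prehash, nonce). The server must keep the prehash to check this, so a database
# leak is worse than in B (a real design would use a PAKE such as SRP), but a recorded answer
# is bound to one nonce and verifies only during that session.
def issue_nonce():
    return secrets.token_bytes(16)


def client_answer(password, salt, nonce):
    return hmac.new(prehash(password, salt), nonce, "sha256").digest()


def login_c(store, log, user, nonce, response):
    log.append(response)
    salt, stored_prehash = store[user]
    expected = hmac.new(stored_prehash, nonce, "sha256").digest()
    return hmac.compare_digest(expected, response)


def demo():
    """Run one login under each scheme and report what the compromised handler recorded."""
    salt = secrets.token_bytes(16)   # constructed per-user salt
    pw = "correct horse battery"     # constructed password
    store_a = {"alice": (salt, prehash(pw, salt))}
    store_b = {"alice": (salt, hashlib.sha256(prehash(pw, salt)).digest())}
    store_c = {"alice": (salt, prehash(pw, salt))}
    log_a, log_b, log_c = [], [], []

    a_ok = login_a(store_a, log_a, "alice", pw)
    b_ok = login_b(store_b, log_b, "alice", prehash(pw, salt))
    nonce = issue_nonce()
    c_ok = login_c(store_c, log_c, "alice", nonce, client_answer(pw, salt, nonce))

    return {
        "a_ok": a_ok,
        "a_log_is_plaintext": log_a[0] == pw,
        "b_ok": b_ok,
        "b_log_is_plaintext": log_b[0] == pw.encode(),
        # Mike's point: in B the recorded value is exactly what the server waits for.
        "b_recorded_value_still_verifies": login_b(store_b, [], "alice", log_b[0]),
        "c_ok": c_ok,
        # In C the recorded value fails against the next session's nonce.
        "c_recorded_value_still_verifies": login_c(store_c, [], "alice", issue_nonce(), log_c[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only scheme C keeps the recorded value from working later, and only at the cost of storing a password-equivalent prehash; none of the three protects a user whose plaintext the handler itself captures, which is why the thread's practical advice is unique passwords per site.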

#42 cantavanda

cantavanda

    Flower Princess

  • GMC-Member
  • 1025 posts
  • Version:GM8

Posted 18 March 2013 - 06:27 PM

But do a good theme as fast as possible


  • -1



#43 MonkeyMaw

MonkeyMaw

    GMC Member

  • GMC Member
  • 310 posts
  • Version:GM:Studio

Posted 18 March 2013 - 06:30 PM

I don't buy it. I think Mike is trying to steal your passwords! After all, look at his title  :P


  • 1



#44 Experimenator

Experimenator

    Java Developer

  • GMC Member
  • 383 posts
  • Version:GM8

Posted 18 March 2013 - 06:35 PM

I didn't catch it, why is the theme changed to white when the only problem was the logger?


  • 0

#45 MonkeyMaw

MonkeyMaw

    GMC Member

  • GMC Member
  • 310 posts
  • Version:GM:Studio

Posted 18 March 2013 - 06:40 PM

I didn't catch it, why is the theme changed to white when the only problem was the logger?

According Mike's original post ... "Lastly... with the upgrade, the "skin" is also needing work, so for now we've reverted to the original, and we'll fix it up in the next week or so - GDC has priority for now."


  • 0



#46 faissialoo

faissialoo

    I get high on orange

  • GMC Member
  • 1280 posts
  • Version:GM8.1

Posted 18 March 2013 - 06:42 PM

OMG!!! Someone has hacked yyg again? Didn't someone hack this place before and write hello on one of the pages before? And the yygf kept getting attacked too, something needs to be done. Could it be patrik again?


  • 0
"My game vs my brains, who gets more fatal errors?" ~ Camper125Lv, GMC Jam #15

#47 icuurd12b42

icuurd12b42

    Self Formed Sentient

  • GMC Elder
  • 16913 posts
  • Version:GM:Studio

Posted 18 March 2013 - 06:56 PM

All I get is 

The entered email addresses do not match.

 

and they do, I literally copied the email shown and pasted it in the email I have to type

 

So I can't change my password until that is fixed.


  • 0

#48 Experimenator

Experimenator

    Java Developer

  • GMC Member
  • 383 posts
  • Version:GM8

Posted 18 March 2013 - 06:56 PM

Hmm, I actually like this theme. It's kinda hard to get used to it, but it's fine.

OMG!!! Someone has hacked yyg again? Didn't someone hack this place before and write hello on one of the pages before? And the yygf kept getting attacked too, something needs to be done. Could it be patrik again?

Why must it always be 'patrik'? 


Edited by Experimenator, 18 March 2013 - 06:59 PM.

  • 1

#49 Chardagger

Chardagger

    GMC Member

  • GMC Member
  • 95 posts
  • Version:GM:Studio

Posted 18 March 2013 - 07:22 PM

It's a good thing I don't use my normal password for this. I'm just slightly concerned how my account now has my facebook avatar when I never connected to facebook.


  • 0
☆★☆ Stars are cool ☆★☆

#50 theweirdn8

theweirdn8

    Unrivaled Legend

  • GMC Member
  • 4108 posts
  • Version:GM8.1

Posted 18 March 2013 - 07:36 PM

In the darkest of nights, us game developers will stick together.


  • 2

[My milkshake brings all the boys to the yard]






