Gmc Hacked Again.


  • This topic is locked
115 replies to this topic

#1 Mike.Dailly

Mike.Dailly

    Evil YoYo Games Employee

  • Administrators
  • 4974 posts
  • Version:GM:Studio

Posted 09 May 2013 - 05:34 PM

So it appears that we've once again been hacked. We've done what we can to help protect the forums, but we're all human, and no software is totally secure, and if someone really wants in, there's not a lot we can do about it. As a precaution, you should once again change your passwords, preferably using a unique one that you don't use anywhere else - just to be safe.

 

We're extremely sorry for the inconvenience, and will continue to try our best to keep things secure, but for now please change your passwords and accept our apologies.

 

Mike


  • 17

#2 Chrscool8

Chrscool8

    Call me Chris.

  • GMC Member
  • 2307 posts
  • Version:GM:Studio

Posted 09 May 2013 - 05:36 PM

It's understandable. I might not speak for everyone, but it's alright, Mike. Stuff happens.


  • 1



#3 MonkeyMaw

MonkeyMaw

    GMC Member

  • GMC Member
  • 310 posts
  • Version:GM:Studio

Posted 09 May 2013 - 05:38 PM

These people are idiots Mike, with nothing better to do, so no worries. Imagine if they put all that wasted time into something productive!


Edited by MonkeyMaw, 09 May 2013 - 05:38 PM.

  • 0

#4 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 640 posts
  • Version:GM:Studio

Posted 09 May 2013 - 05:39 PM

Should send out an email to the affected members (everyone) and let them know. Depending on how it's handled, YYG has the opportunity to gain its users' trust instead of losing it.

 

Still makes me laugh thinking about how long it's going to take to decrypt a 256-character password... :teehee:


  • 5

#5 Futhark

Futhark

  • GMC Member
  • 891 posts
  • Version:GM8.1

Posted 09 May 2013 - 05:41 PM

@Mike.Dailly

Will you guys be sending out emails or PMs to GMC forumites about the need to change passwords?


  • 1

My GMC Board Display Settings:
I can NOT see your sig, pics or avatars.
Let me know if I miss anything important you're trying to show me.

Information Overbloat Error in Function:Eye


#6 faissialoo

faissialoo

    I get high on orange

  • GMC Member
  • 1294 posts
  • Version:GM8.1

Posted 09 May 2013 - 05:44 PM

I have used a way more secure way to store my passwords, and they are millions of times stronger than my previous ones. Here is a tip, guys: use LastPass.


Edited by faissialoo, 09 May 2013 - 05:45 PM.

  • 0

The YYGF subreddit: /r/YYGF


#7 FatalSleep

FatalSleep

    FatalSheep?

  • GMC Member
  • 3759 posts
  • Version:GM:Studio

Posted 09 May 2013 - 05:46 PM

@Mike.Dailly

Will you guys be sending out emails or PMs to GMC forumites about the need to change passwords?

I believe this would help as not everyone might see this topic.


  • 2

#8 Futhark

Futhark

  • GMC Member
  • 891 posts
  • Version:GM8.1

Posted 09 May 2013 - 05:49 PM

 

@Mike.Dailly

Will you guys be sending out emails or PMs to GMC forumites about the need to change passwords?

I believe this would help as not everyone might see this topic.

 

 

If they feel it would be(come) a case of "spamming" users asking them to change their PW, then there must be some other workaround.
Some forum-board software has a "blanket force"; when set, it asks the users to change their PW, or they can't log on. Which might be the best thing, i.e. to force users to change their PW the first time they re-log on after a hack like this.


  • 0



#9 MissingNo.

MissingNo.

    Disco Inferno

  • GMC:Member
  • 366 posts
  • Version:GM8.1

Posted 09 May 2013 - 05:51 PM

Wait, Nocturne's name was in green and it said he was YoYo staff? Now his name is in red and it just says he's an administrator. wtf is going on?


Edited by MissingNo., 09 May 2013 - 05:59 PM.

One day... I will destroy the world... WITH MY THUMB!!


#10 N-cubo

N-cubo

    GMC Member

  • GMC Member
  • 84 posts
  • Version:GM:Studio

Posted 09 May 2013 - 05:57 PM

Again?!  :verymad:

But if you don't change the forum software (IP.Board), can a third attack happen?


  • 0

#11 Lawsome

Lawsome

    Not Lukasmah

  • GMC Member
  • 250 posts
  • Version:GM8

Posted 09 May 2013 - 06:02 PM

As I said in the other topic, when you've got a community filled with programmers, you're going to bump into a few immature ones. It's not anything about the security of the forum or YYG, all forums are like this, but some have a community of people surrounding them who are very good hackers.


  • 3

whappatdy dappedy doo


#12 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 640 posts
  • Version:GM:Studio

Posted 09 May 2013 - 06:04 PM

but some have a community of people surrounding them who are very good hackers.

 

OR script kiddies who leech off of the really good hackers. ^


  • 0

#13 soccer99

soccer99

    Unschooled Developer

  • GMC Member
  • 524 posts

Posted 09 May 2013 - 06:14 PM

I haven't been to this forum in a long time but a few of my online accounts were just hacked today. I've been using the same password (or slight variations) on all my online accounts for a long time and both my Facebook and email were hacked. Checking all my accounts to make sure there aren't more. This was one of my accounts I was going to check and I guess I found the source!

 

My Facebook account told me the unauthorized login came from Melbourne, Australia, in case anyone was curious haha. That may very well be where this hacker is from.


  • 0
I am a programmer and filmmaker.

Working in Hollywood!

#14 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 640 posts
  • Version:GM:Studio

Posted 09 May 2013 - 06:16 PM

@soccer99

 

You should always use different passwords for your accounts, especially vital ones such as email. I would recommend changing all your passwords, then storing them in a program (I recommend KeePass) that will encrypt them. Most of them also have password generators as well.


  • 0

#15 DoubleD33D

DoubleD33D

    GMC Member

  • GMC Member
  • 115 posts
  • Version:GM8

Posted 09 May 2013 - 06:19 PM

Maybe if YoYoGames stopped using this ****ty board software, or learnt how to run a server


  • -20

#16 legocjman

legocjman

    Soldier of Christ

  • GMC Member
  • 640 posts
  • Version:GM:Studio

Posted 09 May 2013 - 06:31 PM

Maybe if YoYoGames stopped using this ****ty board software, or learnt how to run a server

 

Complete security is a lie, and anyone who has thought about the process of security knows it. There is always a vulnerability, and sometimes, there just isn't anything you can do about it besides damage control. You do what you can to prevent a breach, and you minimize the damage that would result from it. It doesn't have anything to do with learning how to run a web server, they know quite a bit about it. Seriously, the only thing you can criticize them about is if there was anything that could be done to prevent it, but didn't (note that this was a zero-day exploit, there wasn't anything they could do about it), or in the way they handled it, which is still too early to tell. Please, "learnt" more about what is going on (and read up on your spelling) before posting on something you don't know about.


  • 2

#17 MonkeyMaw

MonkeyMaw

    GMC Member

  • GMC Member
  • 310 posts
  • Version:GM:Studio

Posted 09 May 2013 - 06:32 PM

 

Maybe if YoYoGames stopped using this ****ty board software, or learnt how to run a server

 

Oh that's the spirit, really helpful.
 


  • 5

#18 Debels

Debels

    GMC Member

  • GMC Member
  • 2869 posts
  • Version:GM:Studio

Posted 09 May 2013 - 06:35 PM

Maybe if YoYoGames stopped using this ****ty board software, or learnt how to run a server

 

Every board/forum has its exploits, doesn't matter how many times you change it, it's just finding where the exploit is, patching it and moving on. That is the only way you can fix them :P

 

Besides they have way better things to do than attend a few immature hackers trying to get some attention.


  • 4

This signature has been removed for being too awesome.


#19 NakedPaulToast

NakedPaulToast

    GM Studio/Mac/Win

  • GMC Member
  • 8652 posts
  • Version:GM:Studio

Posted 09 May 2013 - 06:37 PM

Maybe if YoYoGames stopped using this ****ty board software, or learnt how to run a server

Maybe you could explain how to protect against a zero-day exploit?


Edited by NakedPaulToast, 09 May 2013 - 06:38 PM.

  • 3

If the Bible truly is inspired by God, you would think that somebody as omnipotent and all-knowing would have known to get his message out using TCP instead of UDP.

 


#20 Arusiasotto

Arusiasotto

    GMC Member

  • GMC Member
  • 760 posts
  • Version:GM:Studio

Posted 09 May 2013 - 06:41 PM

It would also help if those in the community who are in contact with the individual reported him to authorities instead of relaxing in an IRC channel discussing how cool it is that he's going to sell all that information to Runescape RMTs.


  • 8

 

"It should be noted that no ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter." - Nathaniel Borenstein

 

 

 


#21 Rusty

Rusty

    The Rustic One

  • GMC Member
  • 3934 posts
  • Version:GM:Studio

Posted 09 May 2013 - 06:49 PM

 

Maybe if YoYoGames stopped using this ****ty board software, or learnt how to run a server

Maybe you could explain how to protect against a zero-day exploit?

You take down the forum immediately, repair the damage and put the forum back up.

 

Oh wait...


  • 1


Professor Kayge says: "An argument is a variable to a discussion. When you are stuck in an argument rather than having a discussion, you need to debug your interaction."


#22 makerofthegames

makerofthegames

    Octagon-Man

  • GMC Member
  • 7548 posts
  • Version:GM:Studio

Posted 09 May 2013 - 07:13 PM

It would also help if those in the community who are in contact with the individual reported him to authorities instead of relaxing in an IRC channel discussing how cool it is that he's going to sell all that information to Runescape RMTs.

Perhaps the Twitter people could help YYGs.
  • 0

#23 NakedPaulToast

NakedPaulToast

    GM Studio/Mac/Win

  • GMC Member
  • 8652 posts
  • Version:GM:Studio

Posted 09 May 2013 - 07:29 PM

It would also help if those in the community who are in contact with the individual reported him to authorities instead of relaxing in an IRC channel discussing how cool it is that he's going to sell all that information to Runescape RMTs.

Report to which authorities?

And what exactly are they going to report?

 

IRC user: I'd like to report a hacking.

Authorities: Do you have their name?

IRC user: No.

Authorities: Do you have their location?

IRC user: No.

Authorities: Do you have their IP address?

IRC user: No.

Authorities: Do you know anything about them?

IRC user: He's using the username rootinaboxxy.

Authorities: Anything else?

IRC user: He's on the Internet.

Authorities: We'll get right on that.


  • 4


 


#24 GameDevDan

GameDevDan

    The Shol'va

  • Global Moderators
  • 1358 posts
  • Version:GM:Studio

Posted 09 May 2013 - 07:39 PM

Cheers for the heads up.

 

My password here is and always has been different to all other accounts, and important accounts all have different complex passwords, so I guess that makes me one of the people really relaxed about this XD


  • 0



#25 Futhark

Futhark

  • GMC Member
  • 891 posts
  • Version:GM8.1

Posted 09 May 2013 - 07:47 PM

 

It would also help if those in the community who are in contact with the individual reported him to authorities instead of relaxing in an IRC channel discussing how cool it is that he's going to sell all that information to Runescape RMTs.

Report to which authorities?

And what exactly are they going to report?

[...]

 

 

Good question that.

YYG could first of all contact Twitter and ask them to stop harbouring known hackers.

YYG might be able to at least get the rootboxwhatever Twataccount closed.

And contact some of the other companies the "hacker" has already listed.

 

Close the bast down,

hound him out of town.

He tries it again,

YYG cures the pain.

[word up to yo momma!]


  • 0



#26 commander of games

commander of games

    Kaos Kreator

  • GMC Member
  • 2883 posts
  • Version:GM:Studio

Posted 09 May 2013 - 07:52 PM

Well, this sucks. And this time the hacker seems to be using it for things other than hacking Runescape accounts.

You say he's bragging on IRC? Really?
  • 0



#27 gnysek

gnysek

    GMC Member

  • GMC Member
  • 591 posts
  • Version:GM:Studio

Posted 09 May 2013 - 07:54 PM

WHAT A SHAME. Was it again a server-side script uploaded to the server?


  • 0

Previously game developer at YoYoGames, Currently PHP developer in DB-Team
Programming and working with: GML/C#/PHP/JS/MySql/CSS/HTML

Follow 
@GameMakerUpdate to get info about latest versions of GM when they are released: https://twitter.com/GameMakerUpdate or visit website.

(it's managed by bot, not by human, remember)


#28 commander of games

commander of games

    Kaos Kreator

  • GMC Member
  • 2883 posts
  • Version:GM:Studio

Posted 09 May 2013 - 07:58 PM

Hopefully my accounts on other sites are safe.

Edited by commander of games, 09 May 2013 - 08:41 PM.

  • 0



#29 Overloaded

Overloaded

    Oneirophobia

  • GMC Member
  • 986 posts
  • Version:GM:Studio

Posted 09 May 2013 - 08:02 PM

Hm... we need to change passwords again right?


  • 0


Upcoming 2D Turn-Based RPG. You can visit our website, like us on Facebook and follow us on Twitter.

Check out my GM Marketplace Assets!

Follow me on Twitter: @OVLDD

 


#30 Mailas

Mailas

    Send in the Mail

  • GMC Member
  • 5871 posts
  • Version:GM:Studio

Posted 09 May 2013 - 08:05 PM

Hm... we need to change passwords again right?

 

"As a precaution  you should once again change your passwords, preferably using a unique one that you don't use anywhere else - just to be safe."


  • 0

#31 GothSeiDank

GothSeiDank

    GMC Member

  • GMC Member
  • 278 posts
  • Version:GM:Studio

Posted 09 May 2013 - 08:42 PM

What kind of data did the hackers obtain when you use the Twitter Login only?

 

And how the hell did they obtain the passwords in clear form as GMBlog states?

Why are they not encrypted and salted?


Edited by GothSeiDank, 09 May 2013 - 08:43 PM.

  • 0

Code posted by me in this forum is Public Domain. Do with it whatever you want, I don't care.


#32 Arusiasotto

Arusiasotto

    GMC Member

  • GMC Member
  • 760 posts
  • Version:GM:Studio

Posted 09 May 2013 - 09:03 PM

What kind of data did the hackers obtain when you use the Twitter Login only?

 

And how the hell did they obtain the passwords in clear form as GMBlog states?

Why are they not encrypted and salted?

The Twitter API may have protected you from this. Twitter would be able to tell you more. The original reported hack had a script installed that was basically keylogging entered passwords. This latest hack just dumped the database, and will need to be decrypted.


  • 0

 


 

 

 


#33 commander of games

commander of games

    Kaos Kreator

  • GMC Member
  • 2883 posts
  • Version:GM:Studio

Posted 09 May 2013 - 09:19 PM

I get logged out every time I close the browser. I have the Remember Me button checked. Is it related to this?
  • 0



#34 Futhark

Futhark

  • GMC Member
  • 891 posts
  • Version:GM8.1

Posted 09 May 2013 - 09:24 PM

I get logged out every time I close the browser. I have the Remember Me button checked. Is it related to this?

 

Oh, hey, glad I'm not the only one experiencing this today!  


  • 0



#35 DANT3

DANT3

    demon hunter

  • GMC Member
  • 1086 posts
  • Version:GM8

Posted 09 May 2013 - 09:25 PM

so these hackers, who apparently have potential, decide to hack a webpage about game making? please. how stupid, they could spend their time doing something important, like helping people, ending corruption. but no, the GMC. pathetic.


  • 3

#36 Rusty

Rusty

    The Rustic One

  • GMC Member
  • 3934 posts
  • Version:GM:Studio

Posted 09 May 2013 - 09:32 PM

so these hackers, who apparently have potential, decide to hack a webpage about game making? please. how stupid, they could spend their time doing something important, like helping people, ending corruption. but no, the GMC. pathetic.

You know what a hacker is, right?


  • 3



#37 Oracizan

Oracizan

    Mutant Dreamer

  • GMC Member
  • 550 posts
  • Version:GM:Studio

Posted 09 May 2013 - 09:35 PM

Oh.

 

I'm just sad that I'm using up all my clever passwords. Otherwise, no skin off my nose.


  • 0

#38 Rusty

Rusty

    The Rustic One

  • GMC Member
  • 3934 posts
  • Version:GM:Studio

Posted 09 May 2013 - 10:27 PM

Smack something against your keyboard (personally, I like to use my face) and then make a little song for it.

 

For example:

bbbvbgmhgvcrggd (Forehead)

 

Brother Bacon Bravely Ventured (to the) Bravey Gravy Market, He Got Vengeance, Cool Resemblance (to) Godly Gladick's Death.

 

bbbvbgmhgvcrggd = Epic password.


  • 3



#39 bwdevel

bwdevel

    GMC Member

  • GMC Member
  • 6 posts
  • Version:GM:HTML5

Posted 09 May 2013 - 10:41 PM

How about this time following best practice for such an incident and setting everyone's password as "expired"; requiring a reset via email link.

 

As it is, there are accounts that have been compromised that have never been changed and this is bad over time.

 

 

EDIT: Ah, I see the site is set up even worse than I thought. You do not require an email loop for a password reset.


Edited by bwdevel, 09 May 2013 - 10:43 PM.

  • 0
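
The flow suggested in the post above (mark every password expired, then allow a change only through an e-mailed link), combined with the salted hashing asked about earlier in the thread, as an added example that is not part of any post and not the forum software's own code. `AccountStore`, its fields and the one-hour link lifetime are hypothetical, and PBKDF2 is one possible choice of salted hash.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 3600      # assumed policy: an e-mailed reset link is valid for one hour
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; a random per-user salt defeats precomputed tables."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    """In-memory stand-in for a forum member table (hypothetical schema)."""

    def __init__(self):
        self.users = {}   # name -> {"salt", "hash", "expired"}
        self.tokens = {}  # sha256(token) -> (name, expiry time)

    def add_user(self, name, password):
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "hash": digest, "expired": False}

    def _matches(self, name, password):
        record = self.users[name]
        _, digest = hash_password(password, record["salt"])
        return hmac.compare_digest(digest, record["hash"])

    def expire_all(self):
        """Post-breach step: no stored password can open a session any more."""
        for record in self.users.values():
            record["expired"] = True
        self.tokens.clear()  # outstanding reset links die with the old state

    def login(self, name, password):
        if name not in self.users or not self._matches(name, password):
            return "denied"
        return "reset_required" if self.users[name]["expired"] else "ok"

    def issue_reset_token(self, name, now=None):
        """Token to e-mail to the address on file; only its hash is stored."""
        if name not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (name, now + RESET_TTL)
        return token

    def reset_password(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.get(key)
        if entry is None:
            return False                      # unknown or already used
        name, expiry = entry
        if now > expiry:
            del self.tokens[key]
            return False                      # link too old
        if self._matches(name, new_password):
            return False                      # the possibly leaked password again
        salt, digest = hash_password(new_password)
        self.users[name] = {"salt": salt, "hash": digest, "expired": False}
        del self.tokens[key]                  # single use
        return True
```

Because the store keeps only a hash of the reset token, a later database dump does not hand out working reset links either.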

#40 Rusty

Rusty

    The Rustic One

  • GMC Member
  • 3934 posts
  • Version:GM:Studio

Posted 09 May 2013 - 10:49 PM

How about this time following best practice for such an incident and setting everyone's password as "expired"; requiring a reset via email link.

 

As it is, there are accounts that have been compromised that have never been changed and this is bad over time.

 

 

EDIT: Ah, I see the site is set up even worse than I thought. You do not require an email loop for a password reset.

Most of us (I hope) are now using unique passwords after the last time the GMC got hacked (you know, we learnt from last time the hot pan burnt us). I honestly don't care if they want to get into my forum account, I don't store my bank details on the GMC.

 

Unfortunately, the forum will be attacked again, and again, and again, nothing YYG can do about it, nothing IPBoard can do about it and I honestly don't care enough to try to remember a new password every single damn time.


  • 0



#41 TeamSteeve

TeamSteeve

    GMC Member

  • GMC Member
  • 1355 posts
  • Version:GM:Studio

Posted 09 May 2013 - 11:09 PM

Smack something against your keyboard (personally, I like to use my face) and then make a little song for it.

 

For example:

bbbvbgmhgvcrggd (Forehead)

 

Brother Bacon Bravely Ventured (to the) Bravey Gravy Market, He Got Vengeance, Cool Resemblance (to) Godly Gladick's Death.

 

bbbvbgmhgvcrggd = Epic password.

I now know Rusty's password!

If he changes it, I'll just try smacking myself in the head with my keyboard and maybe I'll get lucky.  :P


  • 2



#42 Manuel777

Manuel777

    InvaderGames

  • GMC Member
  • 3554 posts
  • Version:GM:Studio

Posted 09 May 2013 - 11:12 PM

Idiots, idiots everywhere.


  • 4

#43 blopit

blopit

    cool guy

  • GMC Member
  • 823 posts
  • Version:GM8.1

Posted 09 May 2013 - 11:42 PM

Hacker stole 60 rep from me!

I demand compensation or I will sue  :verymad:


  • 0

E3VdaOr.png GLOB  - GMC Jam 11( PC

"it's cool I guess" -blopit


#44 chance

chance

    GMC Member

  • Global Moderators
  • 8360 posts
  • Version:GM:Studio

Posted 10 May 2013 - 01:25 AM

so these hackers, who apparently have potential, decide to hack a webpage about game making?


I doubt this was a random hacker who just happened to pick the GMC. More likely, this is a GMC member. One of us.

Just someone with a big ego, who needs the attention this topic gives him.
  • 5

#45 mcmonkey

mcmonkey

    mcmonkey

  • GMC Member
  • 778 posts
  • Version:GM:Studio

Posted 10 May 2013 - 04:33 AM

so these hackers, who apparently have potential, decide to hack a webpage about game making?


I doubt this was a random hacker who just happened to pick the GMC. More likely, this is a GMC member. One of us.

Just someone with a big ego, who needs the attention this topic gives him.

10 rep says it's chance - he made the post above to throw off suspicion by leading the hunt!
  • 0
Spam prevents spam by spamming the spammers spam bots with spam.
YYGF Archive: http :// mcmonkey . org / yygf/classic/index . html
3794 Post on YYGF before the end.
Game Maker 8 Documentation Online: http :// mcmonkey . org / chmstore/gm8/files/index . html

Disclaimer: I reserve the right to massively exaggerate my points more often than humans take steps on Earth.
Disclaimer: My jokes are poorly planned and may end up looking like insults. They are not.

I finally got a real domain name! http://mcmonkey.org

#46 TeamSteeve

TeamSteeve

    GMC Member

  • GMC Member
  • 1355 posts
  • Version:GM:Studio

Posted 10 May 2013 - 04:48 AM

10 rep says it's chance

Ha! Not a chance.

I'll take your bet.


  • 0



#47 True Valhalla

True Valhalla

    ಠ_ಠ

  • GMC Member
  • 5277 posts
  • Version:Unknown

Posted 10 May 2013 - 09:40 AM

If YYG didn't send an email alerting users last time, they sure as hell aren't going to do it this time. This is just déjà vu and should not come as a shock to anyone.


  • 0



#48 Curio

Curio

    Simplastic

  • GMC Member
  • 161 posts
  • Version:GM8

Posted 10 May 2013 - 10:16 AM

Is it possible for the hacker(s) to crack this website via SQL injection? Or even XSS injection?
  • 0

"Process without failure is not a success"


#49 True Valhalla

True Valhalla

    ಠ_ಠ

  • GMC Member
  • 5277 posts
  • Version:Unknown

Posted 10 May 2013 - 10:26 AM

No, it was apparently a zero-day exploit.


Edited by True Valhalla, 10 May 2013 - 10:26 AM.

  • 0



#50 Curio

Curio

    Simplastic

  • GMC Member
  • 161 posts
  • Version:GM8

Posted 10 May 2013 - 10:31 AM

When I clicked the link you gave me, I thought it was an explanation of a zero-day exploit. Oh well.
  • 2

"Process without failure is not a success"




