413 Posts


Subject: Please Read! Security Breach Information

Scott Alden
United States
Dallas
Texas
admin
Last month we received a few reports from BGG users whose email addresses were targeted by phishing attempts. What made this a concern was that the email addresses targeted had only been used to register on BGG and for no other purpose. This suggested a potential hole in our security. For a while we couldn't find any evidence that such a breach was possible. However, last week, after a thorough investigation, we were finally able to identify several weaknesses that could have been used to access private account information.

These security holes have now been patched. To date, we are still only aware of the reported phishing attempts (scammers trying to steal WoW accounts); however, we want to let you all know that any part of the database could have been compromised, including the following personal info:

Email
Name (if provided)
Address (if provided)
Encrypted password verification value

We can't say with any certainty what information was taken and who has been affected. All we know is that these are the areas that we have found that were vulnerable.

Regarding passwords, we DO NOT store your unencrypted password, so if passwords were accessed the hacker(s) only have an encrypted version. However there is always a chance that someone might be able to reverse engineer your actual password. Therefore we strongly recommend changing your password here and also changing your password on any other sites where your password is the same as the one you used here.

We have since improved our password storage system.

I'm sorry for any problems this may have caused. Hopefully it stays restricted to scammers trying to steal WoW accounts through phishing emails. If you notice any other suspicious activity that may have been related to this breach, please let us know at contact@boardgamegeek.com
Hugh G. Rection
United States
La Mesa
California
Aldie wrote:
..and also changing your password on any other sites where your password is the same as the one you used here.


People still do this?
Manchuwok
Canada
Mission
BC
designer
This is rather disturbing.
MAGE Company
publisher
Aww, yes they do... and most of the time it's for fun!!
Yours Truly,
United States
Raleigh
North Carolina
There must have been a moment at the beginning, where we could have said no. Somehow we missed it. Well, we'll know better next time.
Hugh_G_Rection wrote:
Aldie wrote:
..and also changing your password on any other sites where your password is the same as the one you used here.


People still do this?


Otherwise, what, 50 different passwords for 50 different sites?
Russ Williams
Poland
Wrocław
Dolny Śląsk
designer
Hugh_G_Rection wrote:
Aldie wrote:
..and also changing your password on any other sites where your password is the same as the one you used here.


People still do this?

And many of them do it with easily cracked common passwords like "password" and "password1" and "iloveyou" etc.

I wish BGG would store a non-reversible salted hash of passwords (regularly recommended best practice) instead of an encrypted (hence decryptable) version of passwords (regularly recommended against). There should never be a reason to need to decrypt someone's password. If they forgot it, just send them a random new one or a link to a password reset page.
Russ Williams
Poland
Wrocław
Dolny Śląsk
designer
JohnnyDollar wrote:
Hugh_G_Rection wrote:
Aldie wrote:
..and also changing your password on any other sites where your password is the same as the one you used here.


People still do this?


Otherwise, what, 50 different passwords for 50 different sites?

Using a unique password for each site is much easier than you think.

You can use a manual algorithm to easily generate a strong password with a nonobvious scheme based on the url (which I did for several years), or a simple javascript bookmarklet (various ones exist). Or you can store truly random long custom passwords for each site in a password manager tool like KeePassX (which I'm currently using and quite happy with). Using the same password at all sites is very risky - your password is only as safe as the weakest of all the sites (and a depressingly large number of sites just store passwords in plain text and have crappy security). I have a friend whose primary gmail account was hijacked because she used the same password at all sites.
Testy Testerson
Canada
Edmonton
Alberta
Are you able to tell us what form of encryption you use for the passwords?
Nushura
Japan
Sendai
JohnnyDollar wrote:
Hugh_G_Rection wrote:
Aldie wrote:
..and also changing your password on any other sites where your password is the same as the one you used here.


People still do this?


Otherwise, what, 50 different passwords for 50 different sites?


Use a password that depends on the website. For example if my super password were "er231" then the password of this website would be "er231board" when I go to hotmail I use "er231hotma", and so on
Drew Dallas
United States
Tennessee
The easiest way for unique passwords per site is to just make a pass phrase and have one of the words be the site name.
David Brain
United Kingdom
London, UK
designer
As has occasionally been pointed out, it's safer to have a different complex password for every site and write them all down as a list on paper than to use the same password everywhere, simply because you are far more likely to have your password intercepted and/or decrypted online than for someone to break in and steal the list!
Testy Testerson
Canada
Edmonton
Alberta
Darksbane wrote:
The easiest way for unique passwords per site is to just make a pass phrase and have one of the words be the site name.


This is not a safe approach. If someone gets your password and sees "15!bAOR*&gmail", it won't take long to puzzle out the plan. If you have an algorithm for checking the site name and generating a password, that will work fairly effectively, but don't ever use a portion of the site's name in plaintext. It's too obvious.

If you want good advice on how to generate safe passwords for multiple websites, you can always check out Steve Gibson's site at www.grc.com. He does a ton of really good security work.

Edit: Here's a very safe paper password generator. Explanation is on the page. https://www.grc.com/offthegrid.htm
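The two per-site schemes argued over in the posts above, side by side, as an added example that is not part of the original thread or of any tool it links to: the concatenation rule from Nushura's and Darksbane's posts (master secret plus a slice of the site name, which Testy Testerson objects to because the site name sits in the clear) next to a keyed derivation in which the site name goes through HMAC-SHA256 under the master secret, so a password leaked from one site reveals neither the secret nor a visible pattern. The master secret "er231" is taken from Nushura's post; the site names, the output length and the counter used for rotation are assumptions for this example.

```python
import base64
import hashlib
import hmac


def naive_site_password(master: str, site: str) -> str:
    """The scheme from the thread: master secret plus the first five letters of the site.

    Anyone who sees 'er231board' and knows where it was used can guess the rule
    and derive the password for every other site.
    """
    return master + site[:5]


def keyed_site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive a per-site password as HMAC-SHA256(master, site || counter), base64-encoded.

    The site name never appears in the output, and bumping the counter (an assumption
    added here for rotation) gives a fresh password for that one site only. The master
    secret must still be strong: anyone who learns it can regenerate every site password.
    """
    # Canonicalise the site name so 'BoardGameGeek' and 'boardgamegeek' agree.
    message = f"{site.strip().lower()}\x00{counter}".encode()
    tag = hmac.new(master.encode(), message, hashlib.sha256).digest()
    # The urlsafe alphabet avoids '/' and '+', which some password fields reject.
    return base64.urlsafe_b64encode(tag).decode()[:length]


def leaks_site_name(password: str, site: str, min_len: int = 5) -> bool:
    """Check whether any run of min_len or more letters of the site name appears in the password."""
    site = site.lower()
    pw = password.lower()
    return any(site[i:i + min_len] in pw for i in range(len(site) - min_len + 1))


if __name__ == "__main__":
    for site in ("boardgamegeek", "hotmail"):
        naive = naive_site_password("er231", site)
        keyed = keyed_site_password("er231", site)
        print(site, naive, leaks_site_name(naive, site), keyed, leaks_site_name(keyed, site))
```

The keyed version is deterministic, so it still shares the main weakness of every "algorithm" approach: there is one secret, it is typed into every site, and it cannot be changed without re-deriving everything (the counter only papers over that per site). A password manager with random per-site passwords, as several posters recommend, does not have that property.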
Nicolas Guibert
United Kingdom
London
London
russ wrote:


I wish BGG would store a non-reversible salted hash of passwords (regularly recommended best practice) instead of an encrypted (hence decryptable) version of passwords (regularly recommended against)..


I could not agree more.
Matthew M
United States
New Haven
Connecticut
admin
Quote:
Are you able to tell us what form of encryption you use for the passwords?


We previously stored a non-reversible salted hash of passwords. Most people, myself included, don't understand technical details of such things so Aldie used "encrypted" as it is a more commonly understood (though less accurate) term.

The passwords should be secure, even if they were collected. But we prefer people take every precaution.
Russell Woodland
New Zealand
Tauranga
Bay of Plenty
Thanks Aldie,

Been receiving emails about a WoW account for a while. The funny thing is I don't own one...

Right, time to change all my passwords for added safety.

Thanks for the continued great work
Daniel Karp
United States
Rockville
Maryland
admin
As Matthew said, we previously stored a salted hash for passwords. Unfortunately, we did not change the salt for each password, meaning that the passwords were vulnerable to what is called a "rainbow table" attack. That means that if someone got ahold of the table, they could crack it by brute force, trying every possible password, starting with the more easily guessable ones--but that the effort would work against the whole table at once.

Our new system, among other things, uses a different salt for each password. That means that a brute force attack would have to be done against each password separately--far more difficult computationally.
Jim Cote
United States
Maine
Aldie wrote:
Regarding passwords, we DO NOT store your unencrypted password,

Do you use a per user salt as well as a global salt?

Edit: n/m, answered by Daniel.
Hugh G. Rection
United States
La Mesa
California
JohnnyDollar wrote:
Otherwise, what, 50 different passwords for 50 different sites?


KeePass

I generate a random, unique password for each site where I have an account. Minimum is 16 characters if the site will handle it. When I need to enter the password (if it's not stored), a simple copy/paste does the trick.
Hugh G. Rection
United States
La Mesa
California
russ wrote:
Hugh_G_Rection wrote:
Aldie wrote:
..and also changing your password on any other sites where your password is the same as the one you used here.


People still do this?

And many of them do it with easily cracked common passwords like "password" and "password1" and "iloveyou" etc.


Yeah, I know. It was more of a rhetorical question about the sad reality. I'm a network admin, and I see/hear about this all the time from users regarding their non-company accounts. Their network password has a minimum complexity requirement and has to be changed on a regular basis. People really hate being forced to do things the safe way...
Yours Truly,
United States
Raleigh
North Carolina
There must have been a moment at the beginning, where we could have said no. Somehow we missed it. Well, we'll know better next time.
Hugh_G_Rection wrote:
JohnnyDollar wrote:
Otherwise, what, 50 different passwords for 50 different sites?


KeePass

I generate a random, unique password for each site where I have an account. Minimum is 16 characters if the site will handle it. When I need to enter the password (if it's not stored), a simple copy/paste does the trick.


So, basically everything is on a USB drive, if I understand correctly? It's encrypted on that drive, that you then log into with a password? And you just plug in the USB drive to whatever computer you're on? I guess as long as you don't lose the USB drive or someone doesn't steal it and figure out your master password. I can barely keep track of my sunglasses, I'd be worried about depending on a USB drive of such critical importance.
Nate Downs
United States
Granville
Ohio
designer
About three years ago I reported to you directly that passwords were compromised and I didn't want to post it in the forums. Users might be able to login with their password + various strings. For example, I can login with my password + numerals.

I figure since you are announcing security flaws now is a good time to return to this subject.

I am posting this after logging in with an incorrect password.
Chapel
United States
Round Rock
Texas
"32 inches of Plexi....for your pleasure"
Damn. Now knowing that someone will spend massive amounts of CPU cycles to crack my AES256 key just to change my rating of wizard to a 10. Those bastards
Daniel Karp
United States
Rockville
Maryland
admin
casperthegoth wrote:
About three years ago I reported to you directly that passwords were compromised and I didn't want to post it in the forums. Users might be able to login with their password + various strings. For example, I can login with my password + numerals.

I figure since you are announcing security flaws now is a good time to return to this subject.

I am posting this after logging in with an incorrect password.

We fixed that problem several years ago. However, we were only able to fix it for newly created or changed passwords--if you change your passwords, you will be upgraded to the new version, and won't have this problem anymore.
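Daniel's two posts above, as one added example that is not BGG's code: the first describes a single salt shared by every stored password and then a different salt per password, the second a long-fixed bug where a password with digits appended was accepted at login. The hash choices, the salt value, the iteration counts and the sample accounts are assumptions; the thread does not say which hash BGG used. The example models the old scheme as SHA-256 over shared salt plus password and the new one as PBKDF2-HMAC-SHA256 with a random 16-byte salt per user, runs the same short guess list against both tables while counting hash computations, and checks that the verifier rejects a password with extra characters appended. The page does not say why the old login accepted appended characters, so that cause is not modelled; the check only shows what a correct verifier must do.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# The old scheme as Daniel describes it: every password salted with the same value.
# The salt and the SHA-256 choice are constructed for this example.
SHARED_SALT = b"one-salt-for-every-row"


def shared_salt_hash(password: str) -> str:
    """Weak 'before' scheme: salted SHA-256 with one site-wide salt."""
    return hashlib.sha256(SHARED_SALT + password.encode()).hexdigest()


def per_user_hash(password: str, iterations: int = 200_000, salt: Optional[bytes] = None) -> str:
    """'After' scheme: PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt per password."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record, so the iteration count can be raised later per user.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    The whole candidate password goes into the KDF, so a password with extra
    characters appended (the 'password + numerals' report) must fail.
    """
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_shared_salt(table: Dict[str, str], guesses: List[str]) -> Tuple[Dict[str, str], int]:
    """Attack the shared-salt table: hash each guess once, then look every user up.

    Returns (recovered passwords, number of hash computations). The work is
    len(guesses) no matter how many users the table holds, and two users with
    the same password show the same hash.
    """
    precomputed = {shared_salt_hash(g): g for g in guesses}
    found = {user: precomputed[h] for user, h in table.items() if h in precomputed}
    return found, len(guesses)


def crack_per_user_salt(table: Dict[str, str], guesses: List[str]) -> Tuple[Dict[str, str], int]:
    """Attack the per-user-salt table: nothing can be precomputed, so every guess
    is rehashed under each user's own salt. Work grows with users x guesses."""
    found: Dict[str, str] = {}
    work = 0
    for user, stored in table.items():
        for guess in guesses:
            work += 1
            if verify(stored, guess):
                found[user] = guess
                break
    return found, work


# Constructed sample accounts; the guess list reuses the thread's own examples.
USERS = {"alice": "iloveyou", "bob": "password1", "carol": "Xq7!v#Lp9z-kd"}
GUESSES = ["password", "password1", "iloveyou", "letmein"]


def demo(iterations: int = 2_000) -> Tuple[Dict[str, str], int, Dict[str, str], int]:
    """Build both tables from USERS and run both attacks. The iteration count is
    lowered from the production default so the demo finishes quickly."""
    old_table = {u: shared_salt_hash(p) for u, p in USERS.items()}
    new_table = {u: per_user_hash(p, iterations) for u, p in USERS.items()}
    old_found, old_work = crack_shared_salt(old_table, GUESSES)
    new_found, new_work = crack_per_user_salt(new_table, GUESSES)
    return old_found, old_work, new_found, new_work


def suffix_check(iterations: int = 2_000) -> Tuple[bool, bool]:
    """The exact password verifies; the password with digits appended does not."""
    stored = per_user_hash("hunter2", iterations)
    return verify(stored, "hunter2"), verify(stored, "hunter2123")


if __name__ == "__main__":
    old_found, old_work, new_found, new_work = demo()
    print("shared salt: recovered", old_found, "with", old_work, "hash computations")
    print("per-user salt: recovered", new_found, "with", new_work, "hash computations")
    print("suffix check (exact, with '123' appended):", suffix_check())
```

Both attacks recover the two weak passwords; the difference is that the shared-salt attack spends one hash per guess for the whole table, while the per-user attack spends one hash per guess per user, and with a real iteration count each of those hashes is deliberately slow. Strong passwords such as carol's survive either way, which is why the advice in the thread to pick a unique, random password still applies after the storage fix.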
Barney Hawes
United Kingdom
I made a website to make it easy to have a password for every website you use. Feel free to use it: it's free!

http://www.passwordchameleon.com
Napoleon Bonaparte
Yes, and use a password safe. Keyloggers mostly have problems with passwords copied directly into memory, which does not mean this is the holy grail of passwords. Also, if you only use an unsafe, easy password and email combination for sites like, for example, BGG, and don't use the same things for important sites, it doesn't matter anyhow.
Geekdo, BoardGameGeek, the Geekdo logo, and the BoardGameGeek logo are trademarks of BoardGameGeek, LLC.