MOBAFire Situation Update

[quote=Matt]Hey all, We’re back online and want to update everyone again, this time in greater detail. [h1]What happened[/h1] A small number of accounts were compromised on Thursday and Saturday and the attacker used those accounts to delete a number of guides. Both times the damage was contained and we believe nothing has been permanently lost. Upon discovering the first attack, we immediately locked down our tools and all mod and admin accounts. Upon discovering the second attack, we brought the site down entirely so that we could take our time to analyze everything and to minimize damage. We believe the attacker has a database containing various usernames, emails and passwords. We cannot say for certain where this information came from, but we believe it is from various sources, possibly including MOBAFire. This means it’s possible that a SQL injection vulnerability exists on MOBAFire. This is what we have focused the most time on since the first attack. We have been reviewing every possible place such a vulnerability could exist, as well as building in additional layers of system-wide protection. [h1]About our database[/h1] All passwords are salted, hashed and stretched using a very strong algorithm (NOT MD5) before they are stored. This makes it very time consuming to break a password even if you have the full hash, and if the password is strong then it’s essentially impossible. HOWEVER, we discovered that a portion of our user base (about 5%) never upgraded from an old hash we originally used, to the new one. As far as we can tell, none of these accounts were used in this attack, and we have now erased all of those old passwords completely. We’re investigating why the accounts failed to upgrade. [h1]What we’ve been doing[/h1] We’ve spent most of our time scouring our code looking for any potential vulnerabilities. We haven’t found any yet but we have been rewriting any code that looks mildly suspicious just to be sure. We’ve found no direct evidence that we were compromised but we have no way to be sure so we aren’t taking any chances. We have also added a number of new security features as well as improved on some existing ones related to our account handling. We have improved our guide system to further minimize the potential for lost content, as well as to simplify the restoration of lost content, whether from a bug, a server hiccup or from a compromised account. We have not had any issues restoring lost content in the past, but this will make it significantly faster if we ever need to do it again. We have been working on various new protections and policies for our back-end tools, with the goal that even a compromised mod or admin account will be heavily restricted. We have many more improvements still planned and the team has been, and will continue to work hard on this. [h1]What we ask of you[/h1] We have no conclusive evidence that MOBAFire was or wasn’t compromised, so we are going to move forward under the assumption that it was. We want you to as well. [b]Please assume that your password was compromised and change it on any other site that uses the same one.[/b] We are also forcing a network-wide password reset. Every single member of any MOBAFire Network site will be forced to reset their password before they can log back in again. Please use a new password that is unique and hard to crack. Since there will be a very high volume of people resetting their passwords at the same time, the email system may get backed up. Please be patient if it takes some time for you to receive your email after initiating your password reset. [h1]What to expect now[/h1] We’re not security experts, we’re gamers and programmers, and this site is seriously large. There is a lot of code and a lot going on. We hope our new updates will further secure the site while also minimizing any damage from a successful attack in the future but we can’t be certain that this is over yet. If you have any questions please ask here, we’ll do our best to answer quickly, but be aware that we are all buried in code and responses may not be fast. We apologize for the inconvenience and if you find you are missing any content please let us know and we’ll restore it as soon as we can.[/quote]

[quote=jhoijhoi]Keep up the great work, Matt and team :)[/quote]

[quote=Sir Wellington]Thanks everyone![/quote]

[quote=Vapora Dark]Np.[/quote]

[quote=IceCreamy][quote=Matt]We’re not security experts, we’re gamers and programmers[/quote] Might be a good idea to hire someone to look at security, I guess many people only use a few passwords for all of their online accounts. Either way, keep up the good and hard work, it's much appreciated![/quote]

[quote=404BearNotFound]I really appreciate the security measures taken. However, after resetting my password, the website would still not let me log in :( I'm not sure if it's a mistake on my part or something. I'm sure I typed in the password correctly, I tried entering it several times but no luck.[/quote]

[quote=Matt]@IceCreamy we are discussing that actually. In the mean time I am doing a LOT of reading, research and work on our systems. Again we don't know that any of our systems were compromised but we're going to assume they were and go over everything with a fine-toothed comb. While our existing systems were decent, I am finding room for improvement here and there. Best practices in security change and evolve very fast, so I'm going to make it a habit of reviewing current best practices regularly going forward and making sure our systems are using the most current methods. Unfortunately so far as passwords go there is only so much we can do. It's up to people to decide how they want to handle their passwords. We are doing everything within our power to secure that information but we can't control the quality of the original passwords, nor their use on other sites that become compromised. @404BearNotFound we have had a few complaints that it wasn't working. I made some adjustments to the process to make it a bit smoother, so I suggest trying again now. The new changes are up, and I had to reset the system when I put the changes up, so if you were in the middle of a password reset at that time it would fail for sure. Give it another try, and let me know if it is still not working. I have had confirmation from a few people now that this change resolved their issues upon trying again so hopefully it does for you as well![/quote]

[quote=404BearNotFound]It's fixed! Thank you very much ^^[/quote]

[quote=The_Nameless_Bard]It keeps forcing me to log back in for some reason, even though it already forced me to change my password twice .-.[/quote]

[quote=Matt]I've replaced the "remember me" feature with an improved version. Everybody will be forced to log in once their session expires, but then it should act like it normally does. The new change password feature had a couple issues but it should be working fine now. Let me know if you continue to get logged out![/quote]