I am very disappointed in the way this issue has been handled.
Registration for new users is still open. We have evidence that the QuickConnect database was leaked in January.
The staff do not know how this list of users got out of their hands and do not know if the database is still exposed or not.
Just because the list is old doesn't mean the hacker lost access.
Summary:
- The database is still exposed to the hackers, but according to staff, sensitive information such as IP addresses and e-mails has been removed.
- If you register for the game as a new user, your e-mail can get in the hands of hackers.
- We cannot be sure that the hackers lost access to QuickConnect and other parts of the admin console, including the site content.
- Please visit everybodyedits.com at your own risk. Do not create new accounts in the game.
I have never thought of programming for reputation and honor. What I have in my heart must come out. That is the reason why I code.
Registration of new users is still open because the attacker does not have access to newly created account credentials. The only information they have is an export that was made almost three months ago, they do not currently have access to anything more than the game database (which doesn't give them access to account credentials, nor does it give them access to the site content).
We may not have concrete proof that this is the case, but every single piece of information we have points to this conclusion, and it's the only explanation anyone (including Processor) has for how the attack was performed. Until we find any information at all that suggests that this isn't the case, we are acting on this conclusion and will proceed accordingly.
It took staff three months to notice that the information of a million users was stolen.
How does that make you feel?
It took staff three months to notice that the information of a million users was stolen.
How does that make you feel?
We are very sorry that this is the case, but the truth is that there is little we could have done. We will make sure to design the EEU servers in a way that will prevent these sorts of things from happening, but currently we have very little control over things like this.
It took staff three months to notice that the information of a million users was stolen.
How does that make you feel?
Processor, I know that LukeM is upset about this issue, but really, this was inevitable. It was bound to happen eventually sooner or later, anyways. There's not much we can do here in this situation. Could you please try to stop complaining? It happens, and that's the reality.
Besides, shouldn't you be a bit happy that some of the sensitive information was actually removed? Even if the crisis isn't yet averted, the risk has been decreased a bit.
We are very sorry that this is the case, but the truth is that there is little we could have done. We will make sure to design the EEU servers in a way that will prevent these sorts of things from happening, but currently we have very little control over things like this.
That's where you're wrong LukeM. There is something we can do about it, together. This is no longer the time for the current leadership's sweet little lies and willful deceit of its userbase. No longer will we listen to the hollow words of programmers and other false idols. The time has come to put our beliefs in faith. Faith that we can solve EE's concurrent issues once and for all. Join me LukeM. Join me in holy communion and we will pray for our lord and saviour Benjaminsen to appear. He will forgive us the sinful life and trolling we all had in our whelping years and defeat the wicked hackers once and for all.
Believe in us, believe in the power of our strong community and say after me.
"Benjaminsen give me voice! Benjaminsen guide my hand!"
Pray for forgiveness and it shall be done. Pray for Benjaminsen to rule out the hacking scum and it shall be done. Pray for our chosen leader to turn the false shepherd Xenonetix back unto the path of righteousness and it shall be done.
The Grace of our Lord and his prophet be with you all. Amen.
★ ☆ ★ ☆ ★
☆ ★ ★
LukeM wrote:We are very sorry that this is the case, but the truth is that there is little we could have done. We will make sure to design the EEU servers in a way that will prevent these sorts of things from happening, but currently we have very little control over things like this.
That's where you're wrong LukeM. There is something we can do about it, together. This is no longer the time for the current leadership's sweet little lies and willful deceit of its userbase. No longer will we listen to the hollow words of programmers and other false idols. The time has come to put our beliefs in faith. Faith that we can solve EE's concurrent issues once and for all. Join me LukeM. Join me in holy communion and we will pray for our lord and saviour Benjaminsen to appear. He will forgive us the sinful life and trolling we all had in our whelping years and defeat the wicked hackers once and for all.
Believe in us, believe in the power of our strong community and say after me.
"Benjaminsen give me voice! Benjaminsen guide my hand!"
Pray for forgiveness and it shall be done. Pray for Benjaminsen to rule out the hacking scum and it shall be done. Pray for our chosen leader to turn the false shepherd Xenonetix back unto the path of righteousness and it shall be done.
The Grace of our Lord and his prophet be with you all. Amen.
Who hurt you
Click the image to see my graphics suggestions, or here to play EE: Project M!
We are very sorry that this is the case, but the truth is that there is little we could have done.
If you cannot protect user information, maybe you shouldn't be in charge.
LukeM wrote:We are very sorry that this is the case, but the truth is that there is little we could have done.
If you cannot protect user information, maybe you shouldn't be in charge.
If it were that we're not experienced enough to handle the job then maybe I'd agree with you, but currently we just aren't given the tools we would need to do these sorts of things. We are currently in the process of moving away from PlayerIO and to our own servers for EEU, but this is something that takes time and shouldn't be rushed, and in the meantime we're doing all we can to make do with the bad situation we're currently in.
my face when I don't have an every body edits password or email because I play on kongregate.com using an account I stole from someone else seven years ago
Sheesh, HeyNK. You really need to get over your crush on me.
It took staff three months to notice that the information of a million users was stolen.
How does that make you feel?
For the record, it's very easy to get database exports without anyone noticing.
All the information released to this point, is all information that could have been exported. I don't know the whole story, and I'm sure there's details I'm missing, but I'd guess your "hacker" is a past staff member.
Discord: jawp#5123
Proc, please stop wasting LukeM's time replying to you; he could've used that time to do more research etc. I mean, they have to deal with a third party tool that stores the information (PIO). It's not only their responsibility that the info is stored safely but also PIO's to keep it safe.
thanks hg for making this much better and ty for my avatar aswell
Does beta.everybodyedits.com get affected? I used it to play EE yesterday.
Also, if Proc and LukeM keep arguing, the problem will surely not be fixed. How about both LukeM and Proc actually listen to others' opinions and think about it? If you keep waiting for Player.IO to react, no progress will be made.
she/her
also known as DevilCharlotte
search 2bisniekitastan if you wanna find my worlds on ArchivEE
Does beta.everybodyedits.com get affected? I used it to play EE yesterday.
Also, if Proc and LukeM keep arguing, the problem will surely not be fixed. How about both LukeM and Proc actually listen to others' opinions and think about it? If you keep waiting for Player.IO to react, no progress will be made.
It's affected by everything that the main site is affected by (your mail, reports, email address, and IP may have been included in the leaks), but as I've said before, neither put your password at risk.
As for the waiting for PlayerIO to react, we (the staff team) have been doing all we can to try and reduce the damage caused, but without PlayerIO's intervention we are physically unable to fix that issue itself, so we're at a bit of a roadblock until that happens.
Soo.. If PlayerIO is to blame for the breach, that means PlayerIO uses an insecure manner to store their passwords..
Changing my password is kind of pointless then, right? I mean.. If it's easily hackable then changing it will only provide more information on how I handle my passwords, increasing the predictability of my passwords exponentially..
Not saying I'm the best at creating password systems, but I have created a few and one of those is (imo) fairly decent.. Even if you manage to hack 1 password, which is a very difficult job to do in the first place, you can never use your gained knowledge to hack another (rainbow tables will not work and decrypting neither). AFAIK my passwords have not been hacked so far, and I would love for someone to try.
Anyone interested? PM me
Any kind of management not willing to listen is no management at all..
Soo.. If PlayerIO is to blame for the breach, that means PlayerIO uses an insecure manner to store their passwords..
Changing my password is kind of pointless then, right? I mean.. If it's easily hackable then changing it will only provide more information on how I handle my passwords, increasing the predictability of my passwords exponentially..
The security vulnerability we've found is very specific to the game database, so it can't be used to do anything with account details or game files (which is the reason we originally believed that only the small number of emails that happened to still be stored from an obsolete email system were at risk). However it turned out that the person carrying out these attacks also got access to an old export performed a few months ago (by someone who no longer has access to the backend console). We strongly believe that old data is all that they have in this regard, and that they do not have the ability to access current account information other than what's stored in our game database, which isn't much.
PlayerIO does have its problems, but they do seem to store user passwords in a secure way, where they are completely 'walled off' from the rest of its systems, and hashed (with salt) so that even if someone did somehow get access to this system there wouldn't be a whole lot they could do.
It seems that every time any sort of security issue happens they jump at the chance to blame Player.IO. It's rather convenient to suggest that the attacks occurring are entirely out of your hands without even going as far as to conduct an audit of your own security at all.
If they had compromised Henrik and Player.IO, they could do far more than attack a smiley face game.
Is there any evidence to back up that claim in the first place? I looked through the drama posts and haven't come across any.
*u stinky*
TheSource85 wrote:Soo.. If PlayerIO is to blame for the breach, that means PlayerIO uses an insecure manner to store their passwords..
Changing my password is kind of pointless then, right? I mean.. If it's easily hackable then changing it will only provide more information on how I handle my passwords, increasing the predictability of my passwords exponentially..
The security vulnerability we've found is very specific to the game database, so it can't be used to do anything with account details or game files (which is the reason we originally believed that only the small number of emails that happened to still be stored from an obsolete email system were at risk). However it turned out that the person carrying out these attacks also got access to an old export performed a few months ago (by someone who no longer has access to the backend console). We strongly believe that old data is all that they have in this regard, and that they do not have the ability to access current account information other than what's stored in our game database, which isn't much.
PlayerIO does have its problems, but they do seem to store user passwords in a secure way, where they are completely 'walled off' from the rest of its systems, and hashed (with salt) so that even if someone did somehow get access to this system there wouldn't be a whole lot they could do.
Key words in that reply are: 'We strongly believe' and 'seem to store'.
Whatever you think or believe is not adding any value to this whole thing.
Point is: Stuff got hacked and used.
Why?: Because something in the data allowed stuff to be (in this case massively) hacked and used.
What is helpful?: Getting all parties involved to do a massive security overhaul and getting external involvement to assess the actions you'll be taking to ensure this doesn't happen again..
What is not helpful?: Making (and posting) assumptions, beliefs, or putting any form of faith in the thing that is responsible for this breach.
To be clear: a salt code is very helpful to help raise complexity in encryption, but usually it is either fixed in the site code, application code or saved in the database and that always leads to the possibility of decrypting data..
Unless of course you know a way to use the salt code without making it findable anywhere.. (which I managed to do)
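The salted password storage LukeM describes a few posts up (hashed, with a per-user salt), as an added example that is not part of the original thread and is not PlayerIO's or EE's code. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count and record format are assumptions for this example. It shows what a database export would actually contain (salt and digest, both in the clear) and what the holder of that export can and cannot do with it: verification works only by recomputing the hash, two users with the same password get different records, and guessing is per user and per candidate, at the full cost of the KDF.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not PlayerIO's). The iteration count is
# deliberately modest so the demo runs in a second or two.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> tuple:
    """Return (salt, digest). A fresh random salt is drawn for every new record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def make_record(password: str) -> str:
    """The string that would sit in the database. The salt is stored in plaintext
    next to the digest; that is normal and is what a leaked export would show."""
    salt, digest = hash_password(password)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def check_record(password: str, record: str) -> bool:
    """Verify a login attempt against a stored record. There is no decryption step:
    the only way to check is to recompute the hash with the stored salt."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    _, candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a mismatch position is not leaked via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_different_records() -> bool:
    """Two users who chose the same password get different stored records, so a
    table precomputed from passwords alone (a rainbow table) does not apply."""
    return make_record("hunter2") != make_record("hunter2")


def offline_guess(record: str, candidates) -> Optional[str]:
    """What the holder of an exported record can do: try candidate passwords one
    at a time, paying the full KDF cost per guess, per user. Returns the matching
    candidate or None."""
    for guess in candidates:
        if check_record(guess, record):
            return guess
    return None


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(check_record("correct horse battery staple", rec))
    print(offline_guess(rec, ["123456", "password", "correct horse battery staple"]))
```

The point to take from the record line is that knowing the salt is assumed: it is in the export. What the attacker does not get is a shortcut from salt plus digest back to the password; every guess still costs one full PBKDF2 run, and a guess that works for one record has to be repeated from scratch for the next one.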
(Mostly in response to Atilla, but also TheSource):
We have done several investigations into how the attacks could have been performed, and the only logical conclusion is the one that we've made (that they are to blame for the things that we've blamed them for).
That said, we are not suggesting that the entirety of PlayerIO (or that Henrik) is compromised, and I'd strongly advise against extrapolating anything like this from the claims we've made until we release further information.
We may not have 100% proof that this is how the attacks were performed, but that's next to impossible without some miracle like the attacker actively giving us evidence to prove how they performed the attack, and even then it would be difficult to prove that it's not fabricated...
However, the scientific method is what you use in situations like this, and although it can't be used to prove things (nothing in science is, or can ever be, proven), it can be used as VERY good evidence that something is true. We first made our current hypothesis for how the attacks are performed very early on in the process, and we've shown that it does explain every single piece of evidence we've gathered so far, to the extent that we've even performed one of these attacks ourselves on one of our development servers, which is enough to convince all of us beyond any doubt that it is what the attacker is doing.
So sorry, we're not able to prove anything conclusively, but I hope that explaining what evidence we have and our method that brought us to these conclusions will help convince you that what we are saying is true.
The scope of the attack surface appears to be exactly the same as if one of your developers were compromised. I haven't seen anything about auditing your own personal security rather than defaulting to Player.IO being at fault.
I would think Occam's razor would readily apply in this instance. You can audit yourselves whilst awaiting a response from Player.IO, rather than speculating and fiddling your thumbs, since that clearly isn't helping.
(Mostly in response to Atilla, but also TheSource):
We have done several investigations into how the attacks could have been performed, and the only logical conclusion is the one that we've made (that they are to blame for the things that we've blamed them for).
That said, we are not suggesting that the entirety of PlayerIO (or that Henrik) is compromised, and I'd strongly advise against extrapolating anything like this from the claims we've made until we release further information.
We may not have 100% proof that this is how the attacks were performed, but that's next to impossible without some miracle like the attacker actively giving us evidence to prove how they performed the attack, and even then it would be difficult to prove that it's not fabricated...
However, the scientific method is what you use in situations like this, and although it can't be used to prove things (nothing in science is, or can ever be, proven), it can be used as VERY good evidence that something is true. We first made our current hypothesis for how the attacks are performed very early on in the process, and we've shown that it does explain every single piece of evidence we've gathered so far, to the extent that we've even performed one of these attacks ourselves on one of our development servers, which is enough to convince all of us beyond any doubt that it is what the attacker is doing.
So sorry, we're not able to prove anything conclusively, but I hope that explaining what evidence we have and our method that brought us to these conclusions will help convince you that what we are saying is true.
Well, that's a clear way of putting a sign up saying: Back off people, we got this! (which is a highly debatable thing right now)...
"the only logical conclusion"... I love those kind of statements.. It's in the same lane as assumptions and you all know well, assumptions are the mother of all f*ck-ups.. Please... Just.. You know.. DON'T!
If you're not able to prove your 'logic', it can never EVER apply, because its foundation is based on things like hopes, wishes, fairytales, magic, probably some Walt Disney Princesses, pure assumptions (which are based on the maximum capability of the people making those assumptions.. they're probably calling it experience or something) and other senseless stuff..
Perhaps instead of trying to keep all relevant data to yourselves and trying to get everyone off your back by stating wall-of-text-like nonsense, you could make public what you've found, what you've done, what your thought processes were and what is actually being done to prevent this.
And I'm not even talking about legal stuff.. Some people mentioned GDPR before. That's just 1 of the many legal documents present on the great big Internetz regarding the security of personal data.
If you're offering a 3rd party solution, you are still responsible to your clients.. That 3rd party is responsible to you and you need to be absolutely sure that your client data is secure..
If you're not sure, then the Only option is to not use that 3rd party thing and if you continue using it: YOU are legally at fault, no matter how much you point your finger to said 3rd party..
I would think Occam's razor would readily apply in this instance. You can audit yourselves whilst awaiting a response from Player.IO, rather than speculating and fiddling your thumbs, since that clearly isn't helping.
We did, and we made all the changes we are able to do ourselves (changing passwords, removing all permissions we could that would allow anyone with a developer's login credentials to perform an attack, etc) after the first time data was modified (which obviously didn't prevent their access).
As I said earlier, we're not suggesting that PlayerIO is completely to blame, our conclusion puts at least a small part of the fault on us, but it certainly wouldn't have been possible without significant security flaws on their side, and is not fixable without their help.
As for 'twiddling our thumbs', we're not just sitting by spectating, we're doing all we can to prevent further damage, and we're still collecting as much information about the attacks as possible (and trying to fill in the rest of the smaller details about who is involved with the attacks)
I don't think you quite understand, Luke. If an attacker has remote access to one or more of your developers' workstations then changing passwords would be completely ineffectual in preventing future attacks.
"the only logical conclusion"... I love those kind of statements.. It's in the same lane as assumptions and you all know well, assumptions are the mother of all f*ck-ups.. Please... Just.. You know.. DON'T!
If you're not able to prove your 'logic', it can never EVER apply, because its foundation is based on things like hopes, wishes, fairytales, magic, probably some Walt Disney Princesses, pure assumptions (which are based on the maximum capability of the people making those assumptions.. they're probably calling it experience or something) and other senseless stuff..
Perhaps instead of trying to keep all relevant data to yourselves and trying to get everyone off your back by stating wall-of-text-like nonsense, you could make public what you've found, what you've done, what your thought processes were and what is actually being done to prevent this.
And I'm not even talking about legal stuff.. Some people mentioned GDPR before. That's just 1 of the many legal documents present on the great big Internetz regarding the security of personal data.
If you're offering a 3rd party solution, you are still responsible to your clients.. That 3rd party is responsible to you and you need to be absolutely sure that your client data is secure..
If you're not sure, then the Only option is to not use that 3rd party thing and if you continue using it: YOU are legally at fault, no matter how much you point your finger to said 3rd party..
Firstly, we know about all the legal stuff, we're not trying to suggest that we don't need to follow the laws because it was PlayerIO that allowed the attack to happen, we will continue to take this seriously and will do everything we're required to do.
As for the proof stuff, logic can be proven, yes, but science can't be. The whole field of science is trying to find the conclusion that fits the data you have the best, which is what we've done. The hypothesis we have works; it explains perfectly what the attacker is able to do, and we've gone ahead and performed one of these attacks on our development server to show this. I may be taking the word 'prove' more seriously than some other people, and it's likely that others would have claimed that they had proven that this was how the attack was performed at this point, but that would technically be a false claim so we're not going to make it.
We want to reveal more information about the attack, but we really can't at this point. If we gave out more information before we've ensured that the vulnerability is fixed we'd be putting ourselves in even more danger of attack, and I think we can all agree that that's not a good idea.
I don't think you quite understand, Luke. If an attacker has remote access to one or more of your developers workstations then changing passwords would be completely ineffectual in preventing future attacks.
But removing permissions would. Performing one of these attacks on the EE servers is now impossible from a developer account, and has been since before the last time they modified the database. Xenonetix has even been doing all management from a different computer as we can't remove his permissions, so you can trust us when we say that we've done all we can to narrow down the number of ways the attacks could have been performed.