Database Compromised



ZERO
07-24-2010, 03:43 AM
An exploit in the latest VBB caused our database connection data to be made public in the FAQ. It is thus possible that people may have downloaded the database. The only sensitive data stored in there is your account passwords. Note that these passwords are encrypted and would take years to crack without a supercomputer (depending on your password strength).

Regardless, you may want to update your passwords and any other accounts that use the same one. I am sorry about this but wanted to let you all know ASAP so that everyone can ensure that their passwords are safe.

The actual risk is very low but still I want to make sure that you all know what is going on :wtg:

Rob
07-24-2010, 04:18 AM
Thanks for letting us know.

Kavinsky
07-24-2010, 04:27 AM
Hold on, so it's just the password for our accounts on the forum, right?

ZERO
07-24-2010, 08:02 AM
Yea, as stated above it is just to be safe. The actual chance of it getting stolen is very low.

Mallissin
07-24-2010, 10:27 AM
Another forum I'm on got hit and some accounts with passwords smaller than 5 characters were broken into within the two days of the exploit being published.

They expect some people with 6 character passwords to possibly be compromised by Tuesday (depending on the words in their passwords).

A decent GPU with a well-made word table can take down some MD5 passwords up to 7-8 characters with salt in under two weeks.

So, should probably let your community know that their password and email address might have been compromised by a broadcast email and not just an announcement thread.

StarsMine
07-24-2010, 10:34 AM
hmm 8 char only letters... 2 weeks... oh well what do they have to gain from taking my forum account :/

mastercheff
07-24-2010, 10:52 AM
hmm 8 char only letters... 2 weeks... oh well what do they have to gain from taking my forum account :/

around 700 forums posts?

hallwagner
07-24-2010, 10:53 AM
around 700 forums posts?

only a post-count whore like acolyte would care about that :O

StarsMine
07-24-2010, 11:13 AM
around 700 forums posts?

.... so? those posts are still mine.

ZERO
07-24-2010, 11:53 AM
As it can only really affect forum accounts they gain access to no sensitive data. That is why it is just a forum topic. I wanted to warn everyone but not have any overreaction.

It is important to note that even with the passwords it is not possible to connect to our database remotely without being on a white list. Only the IPs of the game servers are on this list.

acolyte_to_jippity
07-24-2010, 12:18 PM
any way to tell if the database had been accessed?

and what brought this up to your attention?

DJ_MikeyRevile
07-24-2010, 02:18 PM
If one had a networking site link such as Facebook on their forum profile, and their forum profile was compromised, one would assume they may go as far as attempting to use the password they found with our other sites you are affiliated to?

Dana
07-24-2010, 02:32 PM
I think this should be sent to everyone just as a precaution to tell them to change their passwords. You don't want this coming back and nipping you in the butt.

ZERO
07-24-2010, 06:43 PM
I would be able to tell because it would require them to hack the root of the website and add themselves to the white list of the firewall. There are also access logs for root and I am the only IP in there. The database is so locked down that I cannot even access it remotely. I can only access it locally from within the server. So there is no way anyone could have accessed it.

I was informed about it via e-mail from a user on the forums.

So yea nothing was actually compromised other than the account data for the SQL server (that account is now deleted). I just posted this thread right away because on the old web server from a few years ago anyone could access the database remotely. I forgot that I do not allow that anymore in order to make a brute force hack impossible.

So no worries all is good :wtg:

acolyte_to_jippity
07-24-2010, 07:05 PM
I would be able to tell because it would require them to hack the root of the website and add themselves to the white list of the firewall. There are also access logs for root and I am the only IP in there. The database is so locked down that I cannot even access it remotely. I can only access it locally from within the server. So there is no way anyone could have accessed it.

I was informed about it via e-mail from a user on the forums.

So yea nothing was actually compromised other than the account data for the SQL server (that account is now deleted). I just posted this thread right away because on the old web server from a few years ago anyone could access the database remotely. I forgot that I do not allow that anymore in order to make a brute force hack impossible.

So no worries all is good :wtg:

good to know. thanks mate

edit: although now that i think about it, who the fuck was trying to hack into the database that they noticed this flaw?