Furcadia - The Second Dreaming!!
> About Today's Hacking, October 3, 2009
Felorin
post Oct 3 2009, 04:12 PM
Post #1
Group: DEP Admins

Felorin

We apologize to everyone in our Furcadia community about the disruption that was caused today by one disgruntled individual. They were able to find a way to get Furcadia passwords that were just words, or words with only one numeric digit included. They also were able to use one of those passwords that belonged to a staff character to send broadcasts to our News channel in the game, telling everyone those passwords, and making claims about other stuff they'd done (logging on as root to our servers, getting a copy of all our server source code), which we've found no evidence to support.

We've been able to analyze the attack and are pretty confident we understand how they were able to get the passwords. Both Farrier and Fox have been working this afternoon on three separate improvements to our security that should prevent the same method from being used to get anybody's password, ever again. We take security very seriously at Dragon's Eye, and I think we've done a decent job overall - to date this is the first time we've had a big group of passwords stolen. Hopefully it will be the last. Nobody has ever been able to get shell access to any of our server machines, or do anything that would compromise accounts you use to buy things through Furcadia - all Paypal passwords for instance and credit cards you use on Paypal are stored on their servers, not ours.

I would advise anybody whose password was sent over our news channel to change their Furcadia password here: https://sphinx.furcadia.com/services/change...e_password.php4

You also might want to change yours if you have a short, easily guessable password, one that's just words with no numbers included, etc. Of course if you have a strong, secure password you can always change it to be safe. Also, if you used the same password elsewhere on the internet, like for your email account, ICQ or other pager/messenger, PayPal, etc. you might want to change it there too to be extra safe.

Our security changes should make it so that even short passwords are a lot safer from this type of attack in future. But the safest passwords are 8 or more characters long, contain both letters and numbers, and more than one number.

I want to reassure everyone too, if someone used the passwords that were posted today to take your Digo items and/or change your character password to something only they have, we will get everything back to its rightful owners. Our staff is small and it might take us a few days or a week to clear everything up one character at a time, but we'll keep at it until it's all done. We want everyone to be able to feel like their property in Furcadia is secure, and if anything ever gets stolen we WILL get it back to you. As we have always done in the past.

Again, I'm very sorry for the disruption and unpleasantness this has caused so many people in Furcadia, especially those who had their passwords posted. I know how upsetting it feels to be attacked by someone out of the blue, even though you've never done anything bad to them. Because I feel the same way - this attack hurts us at DEP as well as you, and I certainly never did anything bad to this person that I'm aware of to deserve such treatment. So I sympathize - and I just want to tell all of you, we here at Dragon's Eye are always here to do our best to fix this, or any other problems that may arise in Furcadia in the future. We're still understaffed, and we can't fix everything as fast as we like, but we're all over this one. I'm sorry that it will take a day or two away from working on new stuff to improve the game, but we'll be back to that pretty soon hopefully!

In the next reply I'll put a list of names of characters that had their passwords posted. If you're on that list, please change your password right away, or if someone has already changed it to something else, contact guardians@furcadia.com and we'll get it back to you. Also contact Guardians if you've had any of the Digo items you've bought (or received as gifts) stolen from you because of this.

If you have any questions about this situation, post them here and I'll answer. That's more efficient than me giving the same answers over and over again in whispers to hundreds of different people. Thanks!
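The password guidance in the post above (8 or more characters, letters and numbers, more than one number, and not just words or words with a single digit), written as a check. This is an added example, not part of the original post and not DEP's code; the wordlist, function names and sample passwords are constructed for illustration.

```python
# Constructed sample wordlist; a real audit would load a full dictionary file.
SAMPLE_WORDS = {"dragon", "shadow", "kitten", "password", "sunshine"}


def is_word_sequence(text, words):
    """True if text splits entirely into entries from the wordlist."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in words for start in range(end)
        )
    return reachable[-1]


def audit_password(password, words=SAMPLE_WORDS):
    """Return a list of findings; an empty list means the password
    meets every point of the guidance quoted in the lead-in."""
    findings = []
    digits = sum(ch.isdigit() for ch in password)
    letters = sum(ch.isalpha() for ch in password)

    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if letters == 0 or digits == 0:
        findings.append("does not mix letters and numbers")
    elif digits < 2:
        findings.append("contains only one number")

    # The class of password the post says was exposed: only words,
    # or words with a single numeric digit anywhere in them.
    stripped = "".join(ch for ch in password if not ch.isdigit()).lower()
    if digits <= 1 and stripped and is_word_sequence(stripped, words):
        findings.append("just words, or words with only one digit")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the incident.
    for candidate in ("kitten", "Dragon7Shadow", "A87dD938Z"):
        print(candidate, "->", audit_password(candidate) or "meets the guidance")
```

The checks mirror the wording of the post only and are not a complete strength estimate.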
Felorin
post Oct 3 2009, 04:14 PM
Post #2
Group: DEP Admins

Felorin

Here are the names that had their passwords given out. If you're on this list, please change your password right away at https://sphinx.furcadia.com/services/change...e_password.php4 - also consider changing your password on any other internet sites where you used the same password.

Adanya|Claw, Ale, Aliana|Ikryss, All.Pink.Inside, AmberWolf, Angellina|Autumn, Ankhnesmerire|Miu, Antonio|Rameriz, Anubis|The|Jackal|God, Argus, Arubin, Asgard, Atana|of|Gerbilshire, Aurore, Azuredrake, BlackShadowC, Blaclan, Bullseye, c00k13, cabbit, CadillacWerewolf, Calipsa, Cannibal, capurla, Cattan, Cerulean|Ghost, Chattan, Cheffie, Cheysuli, Chicken, Cironir, Colefaxia, Crash|Star, Crazy|Guy, CumJunkie, Dagmire, DaiGekitotsu, Darious|Breathstealer, DarkRomeo, Deathdog3000, Delcara, Demonica, Derel, Dervilia, Dirk|Corrigan, Disease, Dragon|Fury, DragonMage, Drogan, Duval|DemonFrost, Dye, EJ|Nitewalker, Emerald|Flame, Equilibrium, Evee|Tryvinew, Everyn, Fafnir, Farrier1, Fiddle, Fion|Meadhrach|Winery, Fire#SOHeart, Gabrielle|Reeves, Galedeep, Gar, Gauisus, Got|Gal, Graywolf, Haroud, Haruko-san, Hawk, Heaven|Scent, Himetone, Himitsu, Hollow|Kat, iddie, Ignition, Industry, Influenza, Irriel, Jen-Lee, Jenny, Jetlag, Jigsaw, Jungle|Babe, Kai'Chel, Kaisu, Kelara|Hearth, Kissbone, Kitora, Klass, Kobras, Kotramif|Slikomif, Kriss|Double, Kurio, Kyo, Kyoma, Lady|despiana, Lady|Falcon, Lady|Gargoyle, Lady|Jewel, larissah, Laurent, Lerana, Logan, Lord|Brolly, Lord|Sephiroth, Lord|Thanatos, Lucia|Demonica, Magdalena, Mana, Maravine, Max|Furreland, Midnight|Rains, Mitoshen, Munin, Mystic, Naomi, Nessis, Nienna, NightFeather, Noelani|Alida, Nowan, Obi-Chan, Okuku, Overkill, Priss, Purrmon, Pwwka, Queen's|Bishop, Quiet|Soul, Raef|Eltimatu, Reno|Dread, RERENEX-Curian, RERENEX-Foo, RERENEX-Oblivia, RERENEX-Underwear, Reunion, Robba, Roxy|Silverstars, Rubiana, Rudger, Runner, Ryco, Ryhn, Sailor|Tin|Nyanko, Sanabelle, sanctimonious, Sardan|Purple, Scorp|Noname, Selanium, Selineia, Serpentar|de|Rafe, Shadowcat|Dominique, Shaminar, Shantai, Shesmu, Shikima, Shirin, Shisen|Bakkari, Shivia|Suylain, Silhouette|Mirage, Silver|Warrior, Simon|Potter, Sirithis, Skivv, Sky, Skye|Cantrell, Sneakers, Snowsprite, SnowyThing, Sono, StanlyStarz, Synystrad|Faust, Taiya, Tak, Talia|Darkfurr, 
Talvin, Tamarin, Tate, Taz, Teal|00, Teera, Tequila|Sunset, Tessa, The|Lady|Subaru, Thomasius, Tiaraa, TigFelin, Tirrah, Troy|Tilaric, TwinAlaskansnowwolf, Tymon, Tyr|RuneHammer, Valor|Brightpaw, Varick|Swiftbow, Venus|the|Vixen, Vermilion, Vica, Victoria|Black, Walraven, William|Starks, Wilowah, Wyllowe, Xinroth, XJXsancti, Xyna, Xypher, yiffy|hospital, Yotohan, Your|Past, Yuki|Tei, Zarzuela, Zybolt
Blizz
post Oct 3 2009, 04:15 PM
Post #3
Group: Furres

Blizz

@Felorin: There is already a list going in Smalltalk. Many people are already referring to that thread.

Take it easy DEP. While people may be frustrated, this is NOT the end of the world.

QUOTE (Daiktana @ Oct 3 2009, 04:04 PM) *
Furcadia uses a variety of methods to secure password data. Your best bet to protect yourself is to change your password to something that can't be 'bruteforce' cracked. This means using a variety of techniques:

* Don't use words. Lots of cracking programs have dictionaries that scan for words and try them.
* Use a combination of letters & numbers (and even different cases of letters if possible. ex: A87dD938Z)
* Longer is better. It takes exponentially longer to crack a password that's longer.
* Change your password regularly. Keeping the same password for a long period of time is looking for trouble
* Don't use your password across multiple sites. It'd be a really bad idea to use the same password/email combination on Furcadia that you used, say, on Paypal.

Furcadia specific notes:

* Your password is emailed to you when you change it on the password change site: https://sphinx.furcadia.com/services/change...e_password.php4
* Keep your email address current and have an actual email account (don't use a fake one). It's the only way DEP can contact you and if you need to confirm your identity it'll be the only way to do so easily.

DEP's investigating the breach, and will give more info when they're done. It would, however, be counter-productive to give out certain info on the breach until its method has been prevented from happening again. As such don't expect them to tell you how, or how much data was compromised. Mastercard lost a ton of credit card numbers in a breach and you don't see a lot of press releases on what happened for the same reason. Part of a good security policy sometimes includes not putting info into the public domain unless necessary.


Nemo Kiana
post Oct 3 2009, 04:19 PM
Post #4
Group: Furres

Nemo Kiana

*sends hugs to everyone at DEP*
Shinichi Kudo
post Oct 3 2009, 04:31 PM
Post #5
Group: Furres

Shinichi Kudo

You definitely didn't deserve this treatment. What the hacker has done is just immature. There are many things you can do if you're bored, but harming other people like this is simply not fair. You aren't the one who has to apologise, the hacker does. 
Alatariel
post Oct 3 2009, 04:35 PM
Post #6
Group: Furres

Alatariel

-Buys everyone at DEP some Starbucks to keep them energetic!- .... -hugs all around too!- x3
Heavens cat
post Oct 3 2009, 04:42 PM
Post #7
Group: Furres

Heavens cat

*buys the DEP gang some Tim Horton's "double double" to help as well!*
Emerald Flame
post Oct 3 2009, 04:44 PM
Post #8
Group: DEP Admins

Emerald Flame

For those who just skimmed Felorin's post, a few important points:

Only a tiny portion of our hundreds of thousands of accounts were compromised and only if they did not change their passwords in the last two months.

NO Paypal or other order account information was compromised.

No one got root or shell access to the Furcadia server.

What the hacker got was very limited information: Just name, password and email address.

All of the staff names are with who they belong to already and most of the others. Most Digos have been returned if taken.

The reason that those names were compromised was because they/we used real word (dictionary) passwords that were gotten with a brute force attack.

This should not be able to happen again as the security has been tightened even more.

We encourage all of our players to change their password if they use dictionary word passwords.
Akago
post Oct 3 2009, 04:50 PM
Post #9
Group: Furres

Akago

White-hat hacker my foot. A white hatter would have simply contacted any employee he could have possibly gotten a hold of to warn them of a breach like this. Jerks like that give a bad name to the real white-hats out there. I don't think anyone deserves this type of treatment, not to mention they dragged quite a few innocent people into their immature hissy-fit. Hugs all around to DEP and anyone who this has stressed out.
Cironir
post Oct 3 2009, 05:07 PM
Post #10
Group: DEP Admins

Cironir

Please also note that players who have used this "opportunity" to steal digo items or character names have been suspended from Furcadia, or are in the process of losing their access to the game. We treat these cases just like any other theft situations. There is no excuse for stealing items or characters from other players.
Artex
post Oct 3 2009, 05:11 PM
Post #11
Group: Furres

Artex

QUOTE (Emerald Flame @ Oct 4 2009, 12:44 AM) *
We encourage all of our players to change their password if they use dictionary word passwords.

What if they don't?

Even if my password is dictionary-unfriendly, if these guys got a hash of it, it would be under a significantly higher risk than it was in general.

Obviously I will change my passwords in the time I've bought myself with their strength, but if that person really did get the entire userlist with the hashes, shouldn't even those who do have strong passwords change them to avoid possible future inconveniences?
Farren Dustfur
post Oct 3 2009, 05:13 PM
Post #12
Group: Furres

Farren Dustfur

Thanks for posting the list of names (and thanks to Mr. Cheez who posted the list earlier, as well). I'm happy to say the only name I knew personally on the list belonged to a person who quit playing about 2 years ago, and therefore I doubt she'd really care if it were stolen.

I wasn't here when the hacking happened (I was blissfully asleep in bed), so I can't really say much about it. At least there's a silver-lining to this - furc now has stronger security, right? Or at least is more secure against this kind of attack.
Felorin
post Oct 3 2009, 05:29 PM
Post #13
Group: DEP Admins

Felorin

QUOTE (Artex @ Oct 3 2009, 05:11 PM) *
What if they don't?

Even if my password is dictionary-unfriendly, if these guys got a hash of it, it would be under a significantly higher risk than it was in general.

Obviously I will change my passwords in the time I've bought myself with their strength, but if that person really did get the entire userlist with the hashes, shouldn't even those who do have strong passwords change them to avoid possible future inconveniences?


I think it's a lot less likely a strong password would be cracked, no matter what info the hacker got. So we wanted to give the most encouragement to people with simple passwords to change theirs. But certainly anyone with a long, complicated password should feel free to change it too. It never hurts to change your password any time there's even the tiniest risk, and it can help. I would note that any hash they got will be invalidated soon by some of our security changes. So you're probably safe regardless.
Xxysthstris
post Oct 3 2009, 05:38 PM
Post #14
Group: Furres

Xxysthstris

QUOTE (Felorin @ Oct 4 2009, 08:12 AM) *
and making claims about other stuff they'd done (logging on as root to our servers, getting a copy of all our server source code), which we've found no evidence to support.

It was a bloke, I'm sure of it. No one else attempts to compensate for small things by making big claims. No one.
Indie
post Oct 3 2009, 06:00 PM
Post #15
Group: Furres

Indie

so there's really no substance to the claims of the hacker? there was someone who has claimed to know the hacker, and is saying that the attacks aren't over and that every single password in furcadia will be posted "once he wakes up." i'm sure this has been investigated, but is there anything that you can tell us to reassure us that these are JUST claims other than telling us you're working on tightening security?
Heavenly
post Oct 3 2009, 06:04 PM
Post #16
Group: Furres

Heavenly

A truly lulzworthy day, chaps.
ArtSpace
post Oct 3 2009, 08:02 PM
Post #17
Group: Furres

ArtSpace

QUOTE (Heavenly @ Oct 3 2009, 06:04 PM) *
A truly lulzworthy day, chaps.


No kidding. All drama aside, I think I'd enjoy a Muskrat article parodying this.
Pee
post Oct 3 2009, 08:09 PM
Post #18
Group: Furres

Pee

What I'd like to know is WHY this person did what they did. I highly doubt DEP can say they don't know when it was pretty much stated that it was a direct attack at DEP to show their weakness and flaws. Who was this person? Did they have a past falling-out with staff?

It just seems odd that someone would randomly direct an attack at DEP "just because" they felt like it.

/shot
Florah
post Oct 3 2009, 08:24 PM
Post #19
Group: Furres

Florah

I'm glad everything is under control now. I'd like to personally thank DEP for fixing this situation, the Beekins, and everyone else who stayed positive and was patient during this event. Although we were stressed furres, as a whole, I think we all learned something here! That we can do anything even at times like these. I would like to hope we learned at least something from this - I did (And the individual, him or herself.) Woooohooo!
Mauler
post Oct 3 2009, 08:36 PM
Post #20
Group: Furres

Mauler

QUOTE (Pee @ Oct 3 2009, 08:09 PM) *
What I'd like to know is WHY this person did what they did. I highly doubt DEP can say they don't know when it was pretty much stated that it was a direct attack at DEP to show their weakness and flaws. Who was this person? Did they have a past falling-out with staff?

It just seems odd that someone would randomly direct an attack at DEP "just because" they felt like it.

/shot


Sadly, many hackers do just this. Just to show that they can. If it causes complete random chaos then it suited their means just fine. Look at a virus you might get. The person that made that virus might not have any beef against you or anyone in general, it just excites them to cause the chaos or "gets their rocks off" as some would say. Some people are just deviate that way.
