Forums  /  The Site  /  Password Resets (April 3, 2019)

A few game moderator accounts were compromised on April 1, in a very similar manner to what happened back in November. About 3 to 5 accounts moderating a few prominent boards were compromised. The cause is still understood to be a few users using or re-using passwords that were compromised from other sites years ago. We implemented password re-use stipulations and reset everyone's password again. We also rolled back the database to shortly after 2019-03-30 23:37 US Eastern. The description of November's issues is here:

If your password was a password that was not previously used on a compromised website, your account was never at risk. We're acutely aware that resetting passwords and rolling back the database is a disappointing approach. In order to get the site up today, that's what we went with. We have every intention to implement further safeguards against this method of account compromise.

The site's leaderboards as a whole are only as secure as the least secure user, and we're very aware this is a problem. We intend to implement further protection against known compromised passwords from other websites. We currently intend to utilize the pwnedpasswords API, which offers built-in anonymity in password match requests:

It is our current understanding that every compromised password was gained from that list. We're looking into the logistics for implementing 2-factor authentication as well. 2FA could potentially be mandatory for game moderators, if that is seen by the community as acceptable. If it's optional it only protects people who want to be protected.

Hours prior to all of this, a couple users also took the opportunity for April Fools to trash a couple boards. Those were also cleaned up by the database rollback. We'll address that facet for April 1 2020. There is some additional work to make damaged board cleanup much easier, such as site staff being able to restore from backups easily. Restoring a single board is currently a very manual process that only a couple people know how to do currently.

Bogdan_mk, Razorflame and 24 others like this.
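As an added illustration of the pwnedpasswords range lookup the announcement above refers to (example code written for this thread, not the site's own implementation): the client SHA-1 hashes the candidate password, sends only the first five hex characters to `https://api.pwnedpasswords.com/range/<prefix>`, and matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` list, so the full hash never leaves the machine. The response body embedded below is constructed for the offline check; only `fetch_range` touches the network.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.
    Only the prefix is ever sent to the API (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the full hash was seen in breaches, 0 if it is absent."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Fetch the live range list for a 5-char prefix (network access)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Breach count for `password`; a result > 0 means reject it at signup/reset."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))

# Constructed stand-in for the range response of prefix 5BAA6 (not real API data);
# the middle line is the suffix of sha1("password") with a made-up count.
SAMPLE_BODY = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""

def offline_check(password: str) -> int:
    """Same logic as breach_count, but served from the constructed sample body."""
    return breach_count(password, lambda prefix: SAMPLE_BODY if prefix == "5BAA6" else "")
```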

To those of us who happened to donate after 3-30-19 but before the rollback occurred, how does that get fixed?

Granolant and O.D.W. like this.

mixmastapj: I pointed Pac to your post.

Granolant likes this.

To be honest, I think that 2FA should never be a topic of discussion and mandatory for everyone, not just game moderators like myself. It should have been a thing since the November vandalizing of this site.

Derpeth likes this.

The real April Fools is still letting users change the name of the game and the theme of the page

Bogdan_mk, blueYOSHI and 2 others like this.

Thanks for dealing with this again. I'd welcome a 2FA requirement for super-mods and mods, given that they have the highest abuse potential.


Vet mods better. I'm a fuckin' nobody but if whatever the 2FA implementation ends up being, if it's too much of a hassle I'll just dip back to google sheets nbd.

edit: also don't go half way if you're going to do it, force 2FA on everyone. Requiring it only for people that have mod roles sounds like a pain in the ass anyways.

6oliath, MASH and HowDenKing like this.

The option for 2FA needs to exist. Making it mandatory for mods and optional for everyone else is fine, but I also see no harm in requiring it for everyone since even a hacked regular user account can cause major headaches for people and mods (although hacking a non mod does significantly less damage for whatever it's worth). But it's pretty obvious we need something for it.

But please, for the love of god, make April Fool's jokes grounds for removing mod powers. I'm so tired of seeing themes and backgrounds become major eyesores, and fake runs are just plain stupid. None of it is a joke, it's just an excuse to vandalize a board for a day. Twitter is already unusable on that day because of fake strat videos; I don't need this site to become the same way.

Bogdan_mk, bigcrunchbar and 6 others like this.

Considering this is the second time this has happened in less than a year, I don't think there's any room for debate here. The site absolutely needs 2FA, and 2FA should absolutely be mandatory for game moderators as a bare minimum. It's inconvenient, but so is having to roll back the entire site and reset everybody's passwords frequently because some idiot didn't get the memo the first time this happened.

In addition to that, major changes to leaderboards (changing game name, url, logo, mass-adding or deleting runs, etc) should be flagged and need to be manually approved by site staff. I realize that creates a lot of extra work for site staff, but this is clearly a huge avenue for abuse, and having a human manually checking these things would prevent a lot of the problems we're having here.


make April Fool's jokes grounds for removing mod powers

Hard agree on this. The internet really isn't a great platform for April Fool's pranks (or any kind of prank, for that matter), half the reason they work is because you follow them up with "hah, gotcha! April Fools!". Posting a fake run on an otherwise reputable leaderboard has no "gotcha" moment, it's just annoying, low-effort vandalism. Doing weird themes for the day is one thing (though I don't think anyone should even be doing that), but posting blatantly fake runs, for any reason (even on "socially-agreed-upon prank day") should not be tolerated.

Bogdan_mk, blueYOSHI and 4 others like this.

Compromising accounts is an April Fools prank? That's really a new one on me.


In November, a few users with unsecured accounts indirectly caused widespread vandalism. There was damage to the integrity of the leaderboards and to the site's reputation. Staff had to scramble; the database was manually reverted. For months we were getting daily complaints from users who had to be directed to bother Pac personally to get their accounts' emails reset. Everyone paid the price.

...Everyone except those who had their unsecured accounts broken into. They were allowed to continue as mods. Some of them thoughtlessly changed their passwords right back to what they were, according to site staff.

Users who have their accounts compromised for any reason (third party site hack, easy-to-guess passwords, improper log-out, etc. etc.) must be held accountable for what happens on their account.

Now here we are, the site is being forced to implement anti-stupidity measures for every user, because of the actions and neglect of a few bad apples. Staff is talking about removing moderator responsibilities for those who don't wish to comply. But there's been no mention of permanently removing the moderator responsibilities of those whose passwords caused all of this. What kind of message is this sending?

It is unbelievable that the same people can be allowed to remain a liability on a repeated basis.

Bogdan_mk, blueYOSHI and 6 others like this.

If full 2FA is too much of a pain (requiring users to install a new application or give a phone number), an easier alternative might be requiring email confirmation the first time a moderator logs in (starts a new session) from a new IP. Not quite as secure, but perhaps sufficient.

Bogdan_mk, blueYOSHI and 3 others like this.

The board I moderate (SMW Remix) seems like it wasn't rolled back?


What bout us poor boys who can't afford to have a cell phone

Alayan, Bogdan_mk and 3 others like this.

I agree with several of the above posters that 2FA should be mandatory for anyone with mod-level powers. I don't have a strong opinion on a 2FA requirement for non-mods.

As for "what if I don't have a cell phone": I use a Yubikey U2F key on several other sites and I have found the experience to be quite painless. Implementing WebAuthn as an alternative to SMS-based 2FA would be nice.

Tenka and HoodyTwoShoes like this.

2FA will have an option for emailing a code out for those, in the minority, that for some reason do not own a mobile phone or another device that can send and receive SMS. Alternatively, may integrate social media authentication in the future.

Bogdan_mk, blueYOSHI and 2 others like this.

Most 2FA methods, such as email, are phony. Phone numbers are easily hijacked as well. They don't solve the problem, but are really great at locking out legitimate users with no recourse.

Better backups, and the ability to roll back specific games without it being a holy hassle, are probably a better approach than that.


@PresJPolk They are not "phony", they provide different levels of security. If you have Google's threat model, where you need to actively defend against technologically sophisticated militaries with billions of dollars to spend attacking you, then you certainly want to mandate a Yubikey or other tamper-resistant signature mechanism. The vandalism on this site is about as far from that as you can get: zero-effort non-interactive password reuse. SMS hijacking may be relatively easy for a determined attacker, but even that is several levels above anything we've seen. Calling it a "phony" defense is unhelpfully reductionist.

(Not that I actually disagree about the backups/rollbacks -- that's definitely critical stuff. I just get nitpicky about broad security claims.)

ShikenNuggets likes this.

Most of you guys that are active in the Discord probably know about my concerns regarding the site's security and implementations.
It is a great idea to include the long-wished-for 2FA, but PLEASE implement it in the most easy and user-friendly way.
Just use Google Authenticator or any other code generator for it; e.g.:

It is supported on all platforms, doesn't require you to transmit a phone number and also won't cost you a cent on the client and server side (I don't wanna receive authentication messages from another country making me pay fees for it every time I need to log into the site). Let's not even start about being forced to provide sensitive data in the form of a mobile number.
Quoting another reply from above:

"If full 2FA is too much of a pain (requiring users to install a new application or give a phone number), an easier alternative might be requiring email confirmation the first time a moderator logs in (starts a new session) from a new IP. Not quite as secure, but perhaps sufficient."

That's one of the worst methods to implement a 2FA and has its roots in the early days of that technology. You'll end up with the same insecure scenario regarding brute-forced/leaked email accounts as it already was without it.
You would also annoy a LOT of users who are living in countries with dynamic IP allocations like Germany (you automatically receive a new IP address every 24 hours).
However, be advised that you're able to use a similar, user-friendly way of storing a session over multiple days/weeks. You can save the authenticated clients into a database, which will allow people to log in without a 2FA prompt as long as they're on the same machine and didn't clear their browser cache or exceed the maximum number of days before that authentication session gets flagged as expired (you can set that on the server side again; most sites use a value of 14-30 days).

And for the other subject: I do not really care if all of the users are forced to use a 2FA as long as people with ANY sort of rights on the site are.

Best regards

Bogdan_mk, enamel and 2 others like this.
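The code-generator 2FA and the "remember this device for 14-30 days" session the post above describes, as an added example written for this thread (not the poster's or the site's code): the codes are standard RFC 4226 HOTP / RFC 6238 TOTP over HMAC-SHA1, verification tolerates one step of clock drift and compares in constant time, and the trusted-device store keeps only a hash of the browser's token plus an expiry. The in-memory `store` dict and `TRUST_DAYS` value are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30        # seconds per code, the RFC 6238 default used by authenticator apps
DIGITS = 6
TRUST_DAYS = 30  # assumed "remember this device" lifetime, in the 14-30 day range

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // STEP)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours for clock drift; reject
    malformed input up front and compare in constant time."""
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False
    base = unix_time // STEP
    return any(hmac.compare_digest(hotp(secret, base + d), code)
               for d in range(-window, window + 1))

# Trusted-device store: the browser keeps the random token in a cookie, the server
# keeps only sha256(token) and an expiry, so a leaked table yields no usable tokens.
def issue_device_token(store: dict, user: str, unix_time: int) -> str:
    token = secrets.token_urlsafe(32)
    store[hashlib.sha256(token.encode()).hexdigest()] = (user, unix_time + TRUST_DAYS * 86400)
    return token

def device_is_trusted(store: dict, user: str, token: str, unix_time: int) -> bool:
    """True only if the token hash is known, belongs to this user and has not expired."""
    entry = store.get(hashlib.sha256(token.encode()).hexdigest())
    return entry is not None and entry[0] == user and unix_time < entry[1]
```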

About the April Fools jab: There are games like Minecraft, where those changes are just part of the culture. That's not the mods acting up, it's the mods celebrating a global holiday

BellumZeldaDS likes this.