Hey guys/gals,

We're back! Thanks to Aikar for his hard restoration work, the forums are back and staff is staff again =P

Let this be a reminder to all, it's usually a smart thing to make your EMC password different than ones you use elsewhere. One of our Senior Staff has now learned that the hard way. =P Player passwords are not available through the admin panel so no information was breached. We are certain that the problem was contained to simple access through a password and will make that more difficult to accomplish in the future.

So you may have noticed that some staff's profiles look like they jumped back in time to 2014. As a result some profile posts may now be missing. Sadly those posts are lost, but if you remember your posts, feel free to add them back =)

In addition, any and all conversations that you have pending with myself or another staff member may have issues. If you do not see us as part of the conversation, you will need to re-add us so that we can respond. This won't apply for all staff, just most of SS, myself and a few mods. If you do not add us, we cannot respond. This is important. If we started the conversation with you, odds are that you will be unable to add people. If this is the case, please copy the conversation as best you can into a new one if it is an ongoing conversation you require a response to.

Auctions will all have additional time added on due to the lack of forum access. 16 hours will be added and a staff member will post on each active auction to state the new time.

We thank you for your patience.
Members affected by the deletion:

    AlexChance
    Krysyy
    chickeneer
    Maxarias
    Bigdavie
    Seffychan
    crystaldragon13
    The_Boulder

What about a backup?

We had a more recent backup... but sadly learned that something about the backup is corrupted. An important lesson from this is to also practice restoring your backups to ensure they actually work.

In the past few weeks I've been in progress of improving our backup system to be run hourly... which would have really helped if it was done (and verified working!!) but sadly it was not. I wasn't finished though :/ just slowly kept chipping at it.

So, we ended up with only having data from my dev server which is partial with some of the data going back to over a year ago. Thankfully only profile posts and PMs were affected. The PM itself still exists, but the data about conversation participants does not for those listed above.

Needless to say, my priority is now working on the database backup system to 1) fix it, 2) run it hourly like the game servers do. (they use different systems)
What are we doing to prevent this from happening again?

First, all staff members' passwords have been forcefully broken on them, forcing them to reset it through the valid email we have for them.

Then, we will be drilling into everyone's head the importance of not using the same password for multiple sites, and guidelines on password security.

Finally, with some development (after backups...) we will be working towards a 2 Factor Authentication system for Ingame AND forums anytime someone tries to log in from a new IP address.

Ultimately, 1 and 2 are the biggest parts, as this is purely a 'political' problem, not a technology problem. Both incidents we've had with unauthorized access dealt with staff not using secure password policies, so we will work hard to make sure no-one else ends up in the same boat.
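The planned control in the post above, a second factor demanded only when a login comes from an IP address not seen before for that account, sketched as an added example (not EMC's code and not part of the original post). It assumes RFC 6238 TOTP as the second factor, which the post does not specify; `LoginGate`, the status strings and the sample account and addresses in the test are hypothetical.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the current time-step counter."""
    counter = int(max(now, 0)) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class LoginGate:
    """Hypothetical login check: password always, TOTP only from unseen IPs."""
    def __init__(self):
        self.secrets = {}     # account -> shared TOTP secret
        self.known_ips = {}   # account -> IPs that already passed the 2nd factor

    def enroll(self, account: str, secret: bytes) -> None:
        self.secrets[account] = secret
        self.known_ips.setdefault(account, set())

    def login(self, account, password_ok, ip, now, code=None) -> str:
        if not password_ok or account not in self.secrets:
            return "denied"
        if ip in self.known_ips[account]:
            return "ok"                          # seen before: password is enough
        if code is None:
            return "second_factor_required"
        # Accept the current and previous step to tolerate small clock skew.
        expected = [totp(self.secrets[account], now - d * STEP) for d in (0, 1)]
        if not any(hmac.compare_digest(code.encode(), e.encode()) for e in expected):
            return "denied"                      # a failed code never trusts the IP
        self.known_ips[account].add(ip)          # remember only after success
        return "ok"
```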
Perhaps staff should be first to use 2FA earlier than might be ready for general release since their accounts are more powerful.
I expected much different from a senior staff member and I'm a little disappointed with seeing someone in those regions mess up with something so trivial as not to share passwords like that. Lesson learned I hope, also for the rest of the staff.

Need a solid password? Try something like PWGen. And there are dozens of password agents around which can store multiple passwords for you while keeping them protected with that one single password you'd like to use everywhere.

So yeah, not pleased on that account but that's water under the bridge now. Sorry, had to vent.

What I am pleased with is the way in which Aikar handled this. Referring to the no-nonsense approach. Not trying to make up excuses (you'd be surprised how often that happens) but instead come out with the truth. Also shutting the whole thing down, even though it's very inconvenient, and then taking the time you need to fix things was a good way to go.

Yups, the #1 moment when people find out that their backups don't work is when they need 'm. This is why backup checks are usually included in security audits.

I sincerely hope so.
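The backup point raised in the announcement and in the post above, a backup only counts once it has been restored and checked, as an added example (not EMC's backup system and not part of either post). It uses SQLite from the Python standard library as a stand-in, since the thread does not say which database the forums run on; the function names and the `.manifest.json` file are hypothetical.

```python
import hashlib, json, os, sqlite3, tempfile

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _row_counts(conn):
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    return {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
            for t in tables}

def take_backup(live_path, backup_path):
    """Snapshot the live DB and record what a good restore must contain."""
    src, dst = sqlite3.connect(live_path), sqlite3.connect(backup_path)
    src.backup(dst)
    counts = _row_counts(dst)
    src.close()
    dst.close()
    manifest = {"sha256": _sha256(backup_path), "rows": counts}
    with open(backup_path + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return manifest

def verify_backup(backup_path):
    """Restore into a scratch DB; return a list of problems (empty = usable)."""
    with open(backup_path + ".manifest.json") as f:
        manifest = json.load(f)
    problems = []
    if _sha256(backup_path) != manifest["sha256"]:
        problems.append("checksum mismatch: file changed since backup")
    with tempfile.TemporaryDirectory() as scratch:
        src = sqlite3.connect(backup_path)
        dst = sqlite3.connect(os.path.join(scratch, "restore.db"))
        try:
            src.backup(dst)  # the actual restore step
            if dst.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                problems.append("integrity_check failed on restored copy")
            if _row_counts(dst) != manifest["rows"]:
                problems.append("row counts differ from manifest")
        except sqlite3.DatabaseError as e:
            problems.append(f"restore failed: {e}")
        finally:
            src.close()
            dst.close()
    return problems
```

Run `verify_backup` as the last step of every scheduled backup and alert on a non-empty result, so a corrupted backup is found the hour it is written rather than the day it is needed.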
I wouldn't say the best, but yeah. Mods, SS, and Admins were deleted. Not very nice to call them the best, it could put down the rest. Also, I think we all know who did this.
uhm????

But 2 factor authentication will be awesome. I have it set up on my 2 Gmail accounts (school and personal) and it saved me on one because I suddenly got spammed with texts from a verified Google number saying my account was being attempted to be logged into.