[NOTICE] Staff Information Data Leak

Discussion in 'Empire Help & Support' started by Krysyy, Sep 14, 2016.

Thread Status:
Not open for further replies.
  1. Dear EMC Community,
    It has come to our attention that one of our Staff Team member's accounts was recently compromised. A banned player with malicious intentions utilized a Staff member's account and accessed staff confidential information. Some of you may have already been aware of this, due to the player's not-so-subtle temp and permabans of some players. After analysis and information gathered, we have determined the full extent of the breach and are sharing it with you, the community so that you are aware. Please note that this was a Moderator account and as such, certain details were not made accessible to them at all. Information such as player registration email, private chat, etc are only accessible to the Senior Staff and above and was not compromised. And even if it was a Senior Staff account, we made security improvements after the last incident to lock the admin panel down to an IP white-list to avoid future data deletion as had occurred.

    We are initiating a Zero Tolerance policy with regards to this issue. Note that the inquiry into, or the sharing of, the private information as it was leaked, is grounds for an immediate and permanent in-game and site ban, as well as further legal action if deemed necessary.

    The player that was involved has already been handled, but may be reaching out via Skype or other social media to share this information. Do not give them the recognition that they seek by continuing to share it or giving them credit by name.

    Data that was accessed and downloaded includes the following:

    First off, we give you a 110% guarantee no passwords or other login based information was accessed, not even in hash form. No technical level breach occured. Only logging into a privledged account.

    Staff Google Drive:
    • Contact Sheet
      • Emails for all staff members
      • Phone numbers for some staff members (Note: Harassment is a criminal offense and the police may be involved if this occurs)
    Staff Threads:
    • An Explanation and a REALLY Thorough Guide (The Staff Guide/Moderator Handbook)
    • All Vote Appeal Polls
    • Security Breach and Good Password Practices (Player had access for a little longer than we initially thought and saw the thread where we instructed staff to change their passwords)
    • Multiple Stream Team Guide Threads
    Staff Tool - Square:
    • The Front page and Reports against tab in a static page - All Staff Members as well as some players. Players will be notified in a private conversation if their information was accessed.
      • The Front page includes the most recent IP and Staff Notes for each player, time on the Empire, rupee balance, token balance, experience totals, and residences owned at the time of download.
      • The Reports Against tab Includes all reports made against the account through the /report feature
    • IP Ban List
    • Derelict Protection Account List
    • Watch List for the Moderator Account Accessed
    • One page of recent Staff Events
    • One page of recent Staff Notes
    • One page of recent session logs (Players will be notified if their information was present on this page)
    • The Square dashboard at the time of the access
    Given when this player first started harassing us, we took the effort to get all staff to review their password policies, to choose stricter passwords, and to enable 2-factor authentication where they can. The issue was purely due to bad password policies (password re-used that was also used on another service that was compromised and their passwords published)
    While 2-factor authentication would have helped some here, the proper course of action is to ensure staff has unique and complex passwords. We will explore 2-factor authentication on the entire forum login level, but given the complexity to add that, it might take some time. A good password is the best first step, and 2-factor is just a fail-safe.

    Aikar Update - 9/15/2016

    If anyone has any further questions, please send a pm to pmss.emc.gs in order to discuss. One of our Senior Staff or Krysyy will respond.
  2. Dang thats insane, thanks for handling it though!
  3. #chinbrokeit

    Glad to hear it was handled, though
    AyanamiKun and CyborgTed like this.
  4. I've been on a lot of Minecraft servers in my life and never have I seen a staff member who actually cares about the well safety for the Community. I'm Impressed
  5. Geez! The things you guys have to put up with! Very relieved that you guys got it under control...
    AyanamiKun, iamcavie and Kytula like this.
  6. GJ getting it handled and taken care of :)
    CyborgTed and AmyLemurPlayz like this.
  7. I know who did it and in a week advance. We warned you of this as soon as we could (same day). Unfortunately, you didn't do anything at the time, but it's nice to see you finally taking actions to prevent this and informing the community who should've been notified as soon as it happened.

    EMC staff, I may be banned, I do not like some of you, but what happened is terrible, no one deserves it, and all I can really say is, Good Luck.
  8. I appreciate you being transparent about it but I am quite disappointed that this happened again. This is a sign that your security is failing.
  9. We took actions that day, and perhaps earlier as multiple people reported the issue. We didn't want to bring this to the community without complete disclosure of what was accessed and with an official notice so as to not cause a panic before we had all information laid out.
  10. Someone took things way too far. At least you did not have any lasting damage per say. As subhan said, good luck, this is an awful thing to happen.
  11. It's a shame that people feel the need to cause trouble for no good reason. Apologies to anyone who has to deal with the resulting mess, especially you innocent players who just happened to be victims of somebody's own selfishness.
  12. I can understand that, but it's been over two weeks. Serious information about community members could've and WAS compromised, hell one was even banned via a compromised staff account, they deserve to know. Sorry, but two weeks is untimely and the people deserve better.
  13. Security is only as good as your password practices. I am also very disappointed in the situation as a whole, but there are also times at which I have to step back and realize that the Staff members are human and be understanding. Many people in the world do not use unique passwords for every site that they access so that they don't have to remember 20+ passwords. In this case, the use of a repeat password was targeted by someone that was looking for a way in. Yes, it's terrible, and personally as my private phone number was accessed and harassed, I'm not brushing off this situation. Every company, no matter how large and impenetrable they may seem, has their times of compromise. This is our leak and this is our notice to you about what happened and what we are doing as response.
  14. Sounds like you found another nasty troublemaker hiding out there. . .

    Thank you for putting them to an immediate halt and handling it asap!

    +1 , no matter how long it takes.
    Perry_Stahlsis and ANubIsWe3 like this.
  15. Would it go against the red text to ask who the player was?
  16. I log onto the forums to see this... gg EMC...

    And no I'm not back, only logged in to make sure my votes were going through.
  17. The people that were banned were notified immediately after unbanning them. It took time to gather data about what was accessed, lock down the systems that needed it, have staff update their passwords, and get the systems up again. We have a complete list of the pages accessed and we have the ability to privately notify each and every person that had their data accessed.

    In any data leak situation, you don't notify the mass public until you know the extent of the breach. We did the same here.
  18. I was wondering this myself...
    MissFable and 607 like this.
  19. People who do this kind of thing are very hostile, and the actions they made anger me entirely. Why would someone even think of hacking into a moderator's information? It is wrong and unjust to do something like that, especially to a moderator :(
Thread Status:
Not open for further replies.