Can we have the names of those other Minecraft sites so the community can be sure that their passwords are safe?
Well, as the person who never goes to these sites, I don't know much other than random overhearings. But Hypixel recently got exploited, in that anyone who logged in during it had their raw password stolen (they modified the login form on the site); you'll have to check their site for more details. Not sure about others, but at the same time I heard about Hypixel I heard rumors others had recently suffered the same problem, but I can't be too sure. The ironic part about the Hypixel hack: it was the same issue. One of their admins used the same password on multiple sites, one being 000webhost or so, which recently got hacked and leaked millions of passwords. So they logged into the admin, modified the template for the login form and stole passwords. Again, unique passwords are key!!! And limiting people to only what they NEED power-wise. SS only has perms to ban and edit users, nothing more. That's why damage was limited to this scope.
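The reuse point above in working code, as an added example that is not from this post or from any site it names: a local simulation of the k-anonymity range check popularised by the Pwned Passwords API, where the client only ever sends the first five hex characters of the SHA-1 of a password, the server answers with every suffix it holds under that prefix, and the match is decided on the client. It then audits a small constructed "vault" for passwords that are in the corpus and passwords reused across sites. The leaked corpus, the vault and the helper names are constructed for the example; nothing here touches the network.

```python
import hashlib

# Constructed stand-in for a leaked dump like the one described above. Not real data.
LEAKED_CORPUS_CONSTRUCTED = [
    "password", "123456", "qwerty", "letmein", "hunter2", "minecraft", "password",
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: {5-hex prefix: {35-hex suffix: times seen}}."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def range_query(index, prefix: str):
    """Server side: answer a prefix with every suffix in that bucket.
    The server never learns which suffix (if any) the client cares about."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return dict(index.get(prefix, {}))


def breach_count(index, password: str) -> int:
    """Client side: send only the prefix, compare the suffix locally.
    Returns how often the password appeared in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    return range_query(index, digest[:5]).get(digest[5:], 0)


def audit_vault(index, vault):
    """Audit your own {site: password} pairs (a constructed stand-in for a
    password-manager export): flag passwords present in the corpus and
    passwords shared between sites, the admin's mistake described above."""
    leaked = {}
    by_hash = {}
    for site, pw in vault.items():
        count = breach_count(index, pw)
        if count:
            leaked[site] = count
        by_hash.setdefault(sha1_hex(pw), []).append(site)
    reused = sorted(sorted(sites) for sites in by_hash.values() if len(sites) > 1)
    return {"leaked": leaked, "reused": reused}


if __name__ == "__main__":
    idx = build_range_index(LEAKED_CORPUS_CONSTRUCTED)
    vault = {"forum": "hunter2", "webhost": "hunter2", "email": "cX9!vQ2#mL7&pR4^"}
    print(audit_vault(idx, vault))
```

Against the real service the `range_query` call would be an HTTPS GET of the five-character prefix; everything else, including the decision, stays on the client, which is why the check can be run without handing anyone the password.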
A small general comment about password breaches. Many people seem to be under the impression that when you're registering with some multinational you can expect more or better security than on smaller sites. I'd like to bust that myth right open, to a certain degree anyway. There are dozens of (large) companies out there who will spend more time and resources on keeping any news of a breach out of the media than they're willing to invest in actually fixing their mess. And it has everything to do with money. It's considered to be much cheaper to keep the news out than having to repair your reputation afterwards. Also: just because the company is big and all does not necessarily mean that they know what they're doing. Remember the PlayStation Network outage? One of the reasons people gained access so widely was because the passwords were actually stored in plain text format. Meaning: anyone who had access to the database could simply read those passwords as well as the usernames. And Sony isn't exactly a small company. It doesn't matter if you're using Google, Microsoft, Yahoo, or your local Internet provider. You should not fully rely on their systems to keep you safe. Safety always begins with yourself. True story: a company invested heavily in a new security system to keep their server data safe. So they had their first audit for certification, after which it was discovered that many managers as well as their secretaries kept their passwords written down on a post-it note which was then stuck to their monitor. Needless to say, the company failed the first certification round. And that is exactly why I think so highly of the transparency which Aikar showed here. In the end that'll work a lot better in the long run than trying to hide it.
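The plain-text storage point above, shown as code; this is an added example and not anything from the post or from Sony. The "before" is a store that keeps the password itself, so a database read hands it over; the hardened form keeps a per-user random salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the Python standard library is assumed here; Argon2id or scrypt are preferable where available), a constant-time comparison, and a dummy verification for unknown users so response time does not reveal which accounts exist. Usernames and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os


class PlaintextStore:
    """The 'before': whoever can read `rows` (an injection, a stolen backup,
    a curious DBA) has every user's password in the clear."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password


ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware allows
SALT_BYTES = 16


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def hash_password(password: str, salt=None, iterations=ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.
    A fresh random salt per user means equal passwords get different records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(record: str, password: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


# Record verified for unknown users so a missing account costs the same time
# as a wrong password (assumed dummy value; never a real user's password).
_DUMMY = hash_password("dummy-not-a-real-user")


class HashedStore:
    """The hardened form: a database read yields only salted, slow hashes."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = hash_password(password)

    def verify(self, user, password):
        record = self.rows.get(user)
        ok = verify_password(record if record is not None else _DUMMY, password)
        return ok and record is not None


if __name__ == "__main__":
    before, after = PlaintextStore(), HashedStore()
    before.register("kirby", "hunter2")
    after.register("kirby", "hunter2")
    print("plaintext store row:", before.rows["kirby"])
    print("hashed store row:   ", after.rows["kirby"])
    print("login ok:", after.verify("kirby", "hunter2"), "wrong pw:", after.verify("kirby", "hunter3"))
```

The record format carries its own iteration count, so the work factor can be raised later and old rows re-hashed on the user's next successful login without a flag day.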
To add to the password advice: If there are any websites that provide two-step protections that involve texts or calls to phones, do it. Twitter is one of those that sticks out. Basically, every time you log into the site from a new computer, it'll ask you to verify the last four digits of your number. Once you do, it'll text a code that you have to enter. If you don't have that code, you can't log in. Here's the kicker: even if you have the password. Not kidding. So if someone in Russia hacks your Twitter and you have this set up, they can't get in unless they have direct access to your phone's text messages. I know this because my Twitter account was, until about 10 minutes ago, compromised for the last two weeks. But because of this protection, the idiots who ran off with the password couldn't get into my account. Gonna irritate some kiddies on the next attempt they make to crack it, that's for sure. Fair warning though: you can get lit up by texts if you do get compromised (which should be seldom, if ever, if the rest of the advice given here is heeded), so make sure you've got a decent texting plan on your cell phone service should you go this route. That's my $0.02 on that point. Great job Aikar and Krysyy in getting things back in order again.
Great job Aikar! May I suggest staff download KeePass? It keeps and encrypts all your passwords. You can randomly generate ridiculous passwords that are pretty tough to crack and keep the master file as encrypted as much as you want. You just have to remember how to get on your computer and the password to the KeePass file. Like I randomly generated this 270-bit password and I don't have to remember it at all. You can generate any password to meet any silly requirement a website throws at you and then exceed it by as much as you want. eK^UJ;8ÌTñ¹ÌJýõNW&W¼ÖÐa£WËïO¯ìU$kkYï/&å (note this is gibberish for demonstration) I can just generate more for other websites. Super easy to use. Hope this helps someone, have a good day!
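What "270 bits" and "meet any silly requirement" amount to in code, as an added example that is not from the post and not KeePass's own generator: the entropy arithmetic that turns a bit target into a length for a given alphabet, and a generator that draws uniformly from the CSPRNG in `secrets` and uses rejection sampling to satisfy a one-of-each-class site rule. Rejection is used deliberately: the common shortcut of forcing one character per class and shuffling makes some passwords more likely than others. The symbol set and class names are assumptions; adjust them to the site.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"   # assumed symbol set (26 chars); adjust per site
DEFAULT_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)   # 88 distinct characters in total


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches `bits` of entropy with that alphabet."""
    return math.ceil(bits / math.log2(alphabet_size))


def meets_policy(pw: str, classes=DEFAULT_CLASSES, min_length: int = 1) -> bool:
    """A typical site rule: minimum length plus at least one char from every class."""
    return len(pw) >= min_length and all(any(c in cls for c in pw) for cls in classes)


def generate(length: int = 32, classes=DEFAULT_CLASSES, max_tries: int = 10_000) -> str:
    """Uniform password over the union alphabet that also satisfies the policy.

    Each candidate is drawn uniformly with secrets.choice; candidates that miss a
    class are discarded, so every policy-satisfying password stays equally likely.
    The entropy lost to rejection is tiny for any sensible length."""
    alphabet = "".join(classes)
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("character classes must not overlap")
    if length < len(classes):
        raise ValueError("length too short to hold one of each class")
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, classes):
            return candidate
    raise RuntimeError("policy rejected every candidate; check the classes")


if __name__ == "__main__":
    size = sum(len(c) for c in DEFAULT_CLASSES)
    n = length_for_bits(270, size)
    print(n, "chars from", size, "symbols gives", round(entropy_bits(n, size), 1), "bits")
    print(generate(n))
```

For the 95 printable ASCII characters, 270 bits needs 42 characters (log2(95) is about 6.57 bits per character); the post's sample uses a wider, non-ASCII alphabet, which is why it gets there in fewer characters.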
This is quite entertaining to read. I am really big on computer security and any time I hear of such a simple mistake I laugh hysterically. Such a thing should not affect anyone these days with all the programs, both free and paid, that will create, encrypt and store passwords for you. I have to say that the proper security implementations were used in limiting the administrative access of the Senior Staff to avoid a full takeover. The Hypixel rumor is much funnier because the admin allowed his account to be compromised for their site in addition to the web hosting account. That is ridiculous. A good rule of thumb is to have 3 email addresses: Professional, Personal, and Public. Pick a theme not related to your interests for your password, modify it based on the site you will be accessing and do not be consistent across all of your accounts with the password structure. Example theme: Fish. EMC - S0m3R@nd0M$C@rp (EMC and Carp with capitals, lower case, numbers and symbols.) -- This meets the requirements of many sites. Minecraft Forum - <*(((<%M3lt3dtun@Fr1e$>)))*> (This may not work for most websites... but it is a good principle.) Do not expect to try these on any of my accounts as I am not insane enough to give you my real passwords. Just some food for thought. Also, two-step verification for your Professional and Personal accounts, as well as Private Browsing in Chrome and Firefox (all I use), is a great idea. Also, never use a browser's Save Password feature on places where you store factual information about yourself. The worst thing to do is leave evidence all over the Internet. Monitor your credit files and if you are so inclined, as I am, sign up for something like Identity Guard (find the discount code in a Google search for the 3 month credit score and report update with a lifetime price of $14.99/month instead of the standard $19.99/month.)
Also, if you were affected by the data breach of the FBI and OPM by China, use the code from the notice to get the IDExperts service for the 3 years and immediately activate your fraud alerts at TransUnion, Equifax and Experian. Then go to annualcreditreport.com and order all three reports; if you find anything wrong, go directly to the respective credit reporting agency's website and call their dispute line. -- My experience with Experian was wonderful. They updated my report in real time versus doing the online dispute, which would have taken up to 3 months.
This is a great lesson learnt for all of us; good to see staff doing something about it to help prevent a situation like this occurring again in the future. Because that ain't creepy enough..
Silly trick for passwords when you have a slew of them, and you don't like username/password generators. Make a list of sites. Decide on a numbering system you'll remember. Count by 2s, 5s, etc. You can also use marks/scribbles as indicators. For example: - facebook - gmail - emc mc - kong - junk email - mojang mc. In your head, translate it to page 1, facebook = 5, gmail = 10. Page 5, emc = 5, kong = 10, junk email = 15. Page 10, mojang = 5. Etc. In my silly example, "mc" acts like a page break. A heart, star, dash, etc. could all do the same thing. Just pick a simple system you'll remember. Pick a book. Page 1, line 5 reads "It's cliche, but it really was a dark and stormy night." Your Facebook password is "1t$c!1ch3_but1tR34!!y". Now all you have to remember is where you put the written list of sites, what book, and what your numbering system was. You can also use it for usernames. "1t$c!1ch3_But" "1tr34!!yw454D4rk"
They got my info and fingerprints... All my security clearances at work have been temporarily suspended from the OPM breach.
I just use 1t$@r3@LLyL0NgP@55w0rD for everything. No one ever guesses it. Uh... except chin... I mean #blameaikar, why not.
*bans Aikar for mentioning other servers* Just kidding. Anyway, good work. Can't live without the forums, obviously.
Thank you Aikar and Krysyy! Thanks for sorting this out and being as efficient as you were. Smart to list the voting sites; people went crazy over voting.
True, but it was more or less covered as well. I quickly dug up the page from Google's history and 'tinied' it: http://tinyurl.com/voting4emc. I was about to advertise it when I learned that Aikar had added these changes
Adding to OP: If I/other Staff started the conversation with you, odds are that you will be unable to add people. If this is the case, please copy the conversation as best you can into a new one if it is an ongoing conversation you require a response to.