IMPORTANT - please read

Mithreas
Emeritus Admin
Posts: 2555
Joined: Sat Sep 06, 2014 3:09 am

Post by Mithreas » Wed Oct 17, 2018 1:49 pm

TL;DR - if your old forum password was one you used on any other services, please change it immediately.

We have had a report from a player that their Facebook account has been hijacked, and is being used to try and defraud Facebook friends out of money. Its login credentials were the email address and password that the player had used on the Arelith forums. It's not certain that our hacker is responsible, but if they are, it would represent a shift from minor harassment of an obscure online community (that's us) to actual criminal acts.

Liareth made this point when she posted previously, but it bears repeating, in capital letters.

PASSWORDS USED ON ARELITH PRIOR TO THE DATA BREACH ARE NO LONGER SECURE. IF YOUR PASSWORD WAS ONE YOU USED ELSEWHERE, YOU SHOULD IMMEDIATELY CHANGE IT. YOU SHOULD NEVER USE THAT PASSWORD AGAIN.

Security best practice is not to re-use passwords across multiple platforms. This episode should explain why. (Passwords on Arelith's forums are stored hashed, which means they can't be decoded - but they can be brute-forced, so given enough time, someone can figure out what they are by trying every combination of characters and seeing which ones produce the same result when hashed. That appears to be what happened in this case.)

Irongron
Server Owner/Creative Lead
Posts: 4666
Joined: Tue Sep 09, 2014 7:13 pm

Re: IMPORTANT - please read

Post by Irongron » Wed Oct 17, 2018 3:06 pm

I can only add to this, that if proven true then this would very much become an actionable criminal act. In the UK anyone involved in the theft and dissemination of this password data would likely be open to something like Conspiracy to Defraud charges. A line that is well and truly crossed IF this can be shown to be used to extract (or attempt to extract) financial gain.

Personally I spent many years working in the area of Fraud Investigation, and do know a thing or two about this kind of crime. It would be an absurd, and frankly dimwitted risk for a disgruntled player to attempt, as it really would be incredibly easy to trace those responsible for any professional agency, and if anyone thinks Discord is so unmoderated as to not fully cooperate with law-enforcement, so as to provide the details of those spreading compromised data, they are mistaking it for the dark web.

To go from leaking the identities of a few DMs on an obscure game to risking actual jail time for fraud is something, at this stage, I am extremely sceptical about.

The procedure to follow for any player who finds they have been the victim of this attempted crime is to report it, along with obtaining an incident/reference number, which can then be used by ourselves and Discord to provide information to the authorities.

Finally, given this leak is extremely unlikely to have been done by a single individual, and IF (Really a big IF) there have been attempts to access people's email/Facebook accounts, I would strongly urge anyone involved in the breach to contact the authorities once this crime is reported. This is not a ploy to expose our 'hackers', I personally am not really interested in that for such minor grieving, but a result of a very real attempted crime now being reported to us. I repeat, no matter how skilled at evading detection with the use of VPNs etc, you think that you are, the nature of this attack and its target is truly child's play in the area of financial crime. You would be discovered, and you would be charged.
