By RPS on January 20th, 2012 at 7:40 pm.

Hello there. It really sucks to be posting this, but this week the RPS forums were hacked. The hackers found a way into the server on the 14th Jan, and had access for five days. We only found out last night; that hole is now closed, and they’re gone.
However, it’s not entirely clear what they did when they were there. There is no evidence that they managed to get at user details, which are well hidden, but simultaneously there’s no absolute evidence that they didn’t. So at this point we have to assume the worst.
If they got to those files, they will have got people’s emails, usernames, and encrypted passwords. Those passwords were encrypted in such a way that our tech bods believe it will take them at least a month to crack. But it means that we *strongly* recommend that you not only change your password on the RPS forums/commenting registration, but if you use that password elsewhere, make sure you change it there too. In fact, we utterly strongly recommend that you never use the same password in two different places, for this very reason.
We’re tremendously sorry. We learned that there had been some sort of incursion yesterday evening – the tech people at Positive closed it off immediately, and have been sorting it out since, working out what they could have found. We learned the information reported above half an hour ago, and have told you as quickly as we can.
An RPS forum account and an RPS commenting account are two different things; again, we don’t yet know what, if anything, was accessed, but you should reset passwords for any RPS accounts you have, as soon as possible. We are emailing everyone who has an account with RPS to let them know, with the details given here.
Please head here to change your forum password:
http://www.rockpapershotgun.
And here to change your comments password:
http://www.rockpapershotgun.
Lovely subscribers/donors – any financial details you use for that are off-site entirely, so no need to worry on that front, but if you use(d) the same password on Paypal that you did/do for RPS, you should change that immediately.
We’re bitterly upset that we were targeted. RPS is a site that has constantly stood up against that which so many hackers claim to be fighting. Of course, we don’t yet know who did this or why.
And please accept our emphatic apologies that this has happened. We are doing our best to ensure this doesn’t happen again. Meantime, it’s business as usual on the site, in comments and on the forum. Thanks for your support, patience, loyalty and loveliness.
RPS Hivemind


If any hackers are reading this, could you please tell me what my password is? I can never bloody remember. Coming up with something that even I can barely remember always seems like such a good idea at the time….
I have the same problem. I just try to remember what my password here was in order to figure out if I had the same hard to remember password anywhere else :-/
Hehe. Exactly.
One has to wonder what the purpose could be of hacking RPS forums. It’s not like there’s money involved.
May I suggest this method of password generation.
http://xkcd.com/936/
Try 123456.
Also, Kodeen, dictionary passwords are much easier to decrypt. Please don’t spread that strip, it can hurt people. (Also please don’t spread Xkcd in general)
I’d imagine it’s either an indirect password-gathering thing (despite the warnings, a lot of people even on a relatively tech-savvy site like this will be using the same passwords in other places), or just someone doing it to see if they can/how hard it’d be. That might explain why there was no obvious damage (and hopefully none at all).
I’m extremely far indeed from being an expert on such matters though. It just seems to stand to reason to my near-brain.
I checked and correcthorsebatterystapple isn’t in my dictionary.
What’s wrong with XKCD?
May I recommend picking a longer sentence and just using the first letter of each word?
For example: “This password is hard to guess but easy to remember” becomes – “Tpih2gbe2r”
Voila.
There are haters for everything.
Alt text for the strip: “To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.”
Dr I am a Doctor: That strip is factually correct. Choosing four random words from a large list is both easier to remember and more secure than a short “good” password. But if you’d done the maths, you would know that.
Anyway, are servers not built with innate resistance to brute force hacks these days?
I can’t think of a single legitimate reason for a server to respond ‘nope’ to a million password requests on the same account without realising something’s up.
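Picking up the point above about a server noticing a million wrong guesses, here is an added example (not RPS's code, nor the commenter's) of the server-side check a defender runs over an authentication log: a sliding-window count of failed logins per account, plus a higher-severity flag when a success follows such a burst. The log format and every entry are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a generic web-app auth-log shape; not RPS's real logs.
SAMPLE_LOG = """\
2012-01-14T03:00:01 login FAIL user=horace ip=198.51.100.7
2012-01-14T03:00:03 login FAIL user=horace ip=198.51.100.7
2012-01-14T03:00:04 login FAIL user=alice ip=203.0.113.9
2012-01-14T03:00:06 login FAIL user=horace ip=198.51.100.7
2012-01-14T03:00:09 login FAIL user=horace ip=198.51.100.7
2012-01-14T03:00:10 login OK user=alice ip=203.0.113.9
2012-01-14T03:00:12 login FAIL user=horace ip=198.51.100.7
2012-01-14T03:00:20 login OK user=horace ip=198.51.100.7
2012-01-14T03:15:00 login FAIL user=bob ip=192.0.2.44
2012-01-14T03:30:00 login FAIL user=bob ip=192.0.2.44
2012-01-14T03:45:00 login FAIL user=bob ip=192.0.2.44
2012-01-14T04:00:00 login FAIL user=bob ip=192.0.2.44
2012-01-14T04:15:00 login FAIL user=bob ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts that collect `threshold` failures inside any sliding `window`.

    Returns {user: (kind, timestamp)} where kind is "burst" for the failure
    that tripped the rule, upgraded to "success-after-burst" if a login then
    succeeds while the burst is still inside the window (a guess may have worked).
    """
    recent = defaultdict(deque)  # user -> timestamps of failures still in the window
    alerts = {}
    for ts, result, user, _ip in parse_log(text):
        q = recent[user]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(user, ("burst", ts))
        elif len(q) >= threshold:
            alerts[user] = ("success-after-burst", ts)
    return alerts


if __name__ == "__main__":
    for user, (kind, ts) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{user}: {kind} at {ts.isoformat()}")
```

Only horace is flagged: bob's five failures are spread 15 minutes apart, so no five ever share a 10-minute window, and alice fails once before succeeding.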
In this case, the site was hacked, so the strength of your passwords is irrelevant. Most of the time, a half-decent, easy to remember password is more important.
Dr I Am a Doctor: you’re mixing advice. Single-word passwords are easier to crack, but there are a lot more words than letters, digits, special characters and funky emoji taken together. The “no dictionary passwords” advice applies to the bad old days of the DES-related crypt function, when every password got truncated to 8 characters. This advice is utterly obsolete; the only thing that keeps it vaguely relevant is broken systems that limit password length.
My Password Guide (adapted from several articles after the recent password hacks)
1. The password MUST be unique.
– If you don’t use exactly the same password on any other site you’re a lot safer. The one cracked from one place can’t open any other account.
– If you have a system for site-specific passwords, don’t make it too easy to guess. If your RPS password is eg. “345abcmyLongwordpass4rockpapershotgun” and the email in the hacked user db is someone@gmail.com and that password is “345abcmyLongwordpass4google”, someone just might guess that one.
2. The password should be long and not a common password (12345678, qwerty, password, any dictionary word, any string found in common rainbow tables).
– It should contain AT LEAST numbers and uppercase characters in addition to lowercase characters. Special characters (!”#$…) are even better.
– Almost all dictionary words and easy passwords can be solved instantly. Usually websites encrypt passwords but the encrypted version can be resolved to the cleartext one by looking it up from a “rainbow table”. Eg. encrypted “7ac66c0f148de9519b8bd264312c4d64” is “abcdefg” decrypted. Just google the encrypted string if you don’t believe how easy it is.
– The longer a password is and the more different kinds of character it has the harder it is to really decrypt if it isn’t already available in a rainbow table. “11whatevva” is fast (hours), “11whatEvva” is almost as fast but “11whatEvvaotgunpassWrood–” takes a lot longer to crack and there’s even a not-too-clever site-specific part in the middle.
3. Best solution is to use a program like KeePass or LastPass, use it to generate unique and long passwords. Remember to backup the password database and store it somewhere safe. The last part is the hardest… But if a site gets hacked, you’re safe.
4. Do as I say, not as I do :)
@Dr I am a Doctor: Wrong and wrong again. If you don’t understand it, don’t pretend to show that you understand it by using an argument that doesn’t apply (which is hard not to do unless you understand it). Besides, it looks like there are spaces in between each word (though he doesn’t seem to account for them when counting the entropy bits, so I’m probably reading it wrong), adding three special characters in the middle of the password, which cranks up the difficulty significantly. And if you don’t understand XKCD in general, don’t assume that the rest of the world also does not understand it.
@bglamb: That password is pretty good, but could be improved by capitalizing one or more of the internal letters and adding one or more special characters – “TpiH!2gbE2r”
@apa: Good guidelines! I’d add a few more things:
1. Never use your email address or any part of it for a user account that will be visible to any other user.
2. If you go the manual route, create site-specific passwords and switch them around. For example, use “11whatEvvaotgunpassWrood” for your Google account and use “emaiL4mE@googlEiS!greaT” for your RPS account.
3. When creating answers for the password-recovery system questions, switch the answers around. For “What was your first car?” answer “Ghetto High School” and for “Where did you go to school?” answer “Bright Green Jalopy”
This is an example of a good password:
S4$K(&6kKf%d”L?v
I use these across all sites but longer if possible. After that, if you need to remember them, write them down in your house somewhere safe. Or place them in an encrypted modern Office doc. The encryption on them is very strong.
edit: nm im confused
@Dr I am a Doctor
The fact that you are disparaging xkcd lets me know that I can safely ignore any opinions you post in the future. Thanks for making the Internet just a little bit easier.
I try and use long passwords with non-dictionary words, numbers, lower case and upper case, and characters. I say try and use because half the websites in the world don’t accept special characters, have a maximum length, don’t like spaces or other stupid limitations.
3. When creating answers for the password-recovery system questions, switch the answers around. For “What was your first car?” answer “Ghetto High School” and for “Where did you go to school?” answer “Bright Green Jalopy”
And then you completely forget what answer you gave, because it’s three years since you joined and goddamn it.
It always pisses me off when sites give you a drop down menu, and worse, when they’re all questions that one could quite easily find the answers to anyway if you know whose account you’re messing around with. Let me ask my own question, you numpties.
Hackers, if you have anything racy or clever to say, feel free to use my name
@sinister agent: That’s another reason why a program like KeePass or Lastpass come in handy – they can record your fake security question answers so that you won’t need to keep them straight a year later. That gets around the problem with sites that give you a set number of questions to choose from, especially when the questions are of the type where the answers aren’t farther than a Google search away, like you point out.
If they got the hash table, what password you chose is irrelevant, even 20 char gobbledygook ones can be broken in around circa 15 seconds (no, this isn’t a joke, look up rainbow table attacks) unless said hash was salted.
Just change your passwords and stop worrying, if they have the hash table AND it wasn’t salted, they’ve got our passwords anyways.
My password tip is to generate your own gibberish word that is actually pronounceable, either a portmanteau or if you’re really clever about it generate a core word out of real English consonant and vowel combinations, throw some prefix and suffixes at it, and you’ll have something memorable that you shouldn’t have to write down.
Compare a LastPass generated password: o@y}F=NLqV
To something like Disprailunkesque or Prodiltyunderble
You can do all the standard character replacements to make it more secure but bottom line is if you keep it legible you’re far more likely to recall it if you need to use it somewhere away from your LastPass database, while still being resistant to dictionary attacks.
@apa I’d like to throw in my support for KeePass. Two-channel auto-type obfuscation is a brilliant way to deal with keyloggers, and it’s cross-platform, as well. KeePass can also conveniently be used for other applications, such as Steam or Desura.
(Although unfortunately, at least in Steam’s case, copy and paste are not supported, so TCATO doesn’t work with it. Standard auto-type is still supported, however, which functionally has the same level of security as typing in the password yourself.)
I used a randomly generated password on my email account and after typing it in several times a day for many months it is committed to muscle memory.
Oddly, for the life of me I can’t write it down or tell you what it is but put me in front of a keyboard and I can type it without thinking about it.
but JuJu cam … If we come up with meaning for your words then they’ll end up in the dictionary and then you’ll be easy to hack surely ;)
I’m going for
Disprailunkesque
[adj] Similar to or likened to a Disprailunk
or Prodiltyunderble
[noun] The lower eeful bone of a Prodillitylactyl
TLGAthena: Two things. Firstly, I’d be surprised if the passwords aren’t salted on the RPS database as it’s a very simple, common and computationally inexpensive thing to do (as simple as appending the username to the password before hashing it, for example).
Secondly, rainbow tables are limited in length and scope and so are only useful with shorter passwords containing common characters. If your password is longer than the biggest computed rainbow table for whatever hashing algorithm RPS uses, then you’re safe. Large rainbow tables take a very, very long time to compute.
@Dr I am a Doctor
What you’ve done there is figure that passwords with 4 words can be decrypted one word at a time like in the movies.
@Aquamarine Jesus – I’m pretty much the same but with trying to spell. Many people, when trying to figure out a word’s spelling, will fake-write it with a pen; I pretend there is a keyboard in front of me and try to type it.
Now that’s bad.
As for passwords, I’ve pretty much used the same one since I was like 8. Then I made a website for somebody and liked his and mixed it in with mine =P
Four or more random words make for a strong password, but you’ll quickly note with dismay that the vast number of services limit you to less than sixteen characters.
As for rainbow tables, a SHA-1 checksum is 160 bits. Until all 10^48 hashes have been mapped in a rainbow table (in about 10^37 years at 1k hashes per second), it does matter which password you choose. But it just goes without saying that you should always salt the ~~fries~~ password hashes.
Actually, the only version of xkcd that’s even vaguely tolerable is
http://www.goatkcd.com/sfw
What a shame.
“I now have full access to your systems.”
A bomb!
I didn’t ask for this.
Assuming direct control.
L L L Look at you, hacker!
Oh come on, I can’t believe no one said that one already!
Shitballs.
I concur.
[slow clap]
What a shame.
[golf clap]
You’ve done everything right, chaps. Don’t ever change.
I am not getting a new one sent to my mail; it’s been 10 minutes. Is that normal?
You should be receiving a link that lets you select your new password, rather than having a new one sent to you. I imagine the system is pretty loaded right now. If something doesn’t come through in the next hour or so, email john@rockpapershotgun.com, and I’ll reset it by hand.
It’s all good, I followed the other link and changed it through the WordPress dashboard. All good; thankfully I am so paranoid I don’t share any similar passwords between sites.
Thanks for the help though.
I was just about to suggest that you just use the WordPress admin-dash-panel-board, but then I realized that there was already a link to it in the article.
Since the hackers have the emails, you shouldn’t be sending links. You should be saying “come to the RPS forums and do this and this to reset your password.”
Is the wordpress one the same as the forum one? I was under the impression they are completely different.
*Edit* I guess my forum account disappeared for some reason.. created a new one, so nvm
Thanks for informing us quickly and honestly.
Bah, now I have to think of a new random password.
Seconding this: the quick announcement is much appreciated!
Indeed, thanks guys. And curse you hackers.
Absolutely this!
Sorry it happened and thank-you for being so open and helpful about it!
:)
Thanks for letting us know as soon as possible, and for the good encryption :)
Lastpass for the win – 24char random string at the press of a button.
~I
It’s a shame, but these things happen.
Meh. Sucks in principle, but largely irrelevant. For so long as RPS doesn’t store important info, this is just an inconvenience at worst.
I have a random password for here, so meh… And I DO have a generic password I use in a lot of places, but nowhere I give a shit about. Important stuff (email, bank etc…) have entirely different passwords.
At the point where I largely don’t care anymore. Hackers will always be scum and I’m done dancing to their tune.
I have separate passwords for important stuff (banks, email etc) but I tend to use similar passwords with a few variations for forums, commenting and stuff.
It’s the random passwords that I might not have to use much that I want to be easy to remember. So the worst result is that someone sufficiently dedicated to tracking me down could pwn all of my commenting identity across the intewubs; I can live with that.
Although it’s my steam password, which is important, but that I don’t use much that is hardest to remember.
Fortunately I’ve just realised that I never got around to registering for the newer RPS forums, so none of my details are in there :)
You’ve inspired a crusade to replace all my passwords with newer, better, stronger, slower versions. So, at least some good came of this.
Me, I blame Obama.
That is exactly what happened to me. Second I saw the e-mail I downloaded KeePass and generated a whole bunch of random passwords for here and all my other regular sites. There’s still a few that I need to change, but I have new passwords where I spend 99% of my time on the internet.
OBUMMER
Sorry that this happened, mate. For what it’s worth, my identity is so awful that it will surely only harm anyone who’s stolen it.
Imagine you steal the identity of a CIA spy who’s just been found out and use it to travel through Iran, making a photo-documentary about nuclear installations. That would suck.
Somehow, when the Iranians catch you, I don’t think they’re going to believe that story.
#GetOffRPSGlitter
Oh – and chin up, Hivemind. It’s not the end of the world.
Time to create a new policy, passwords are random strings of 50 characters that are emailed to you every time you want to log in to something. Email providers are given infinite money to build a secure system for email access, everyone can forever be happy (and log in by c&p’ing their one time use key to log in each time they need to access a site). It’s the only sane way.
But how would people log into their email in the first place?
Edit: Actually, never mind. Next time I’ll actually read the whole comment before I reply.
Every time it happens I hope for the hackers to die horribly; someday one of them will.
Lastpass randomly generated password for each site I visit so it’s no skin off my nose. Thanks for the prompt email though. You’re in good company these days so no need to worry :)
Indeed. It’s happened to bigger, but few better.
Thanks so much for the lastpass suggestion. I’ve just installed it and it’s brilliant. Now I’m in the process of changing all of my passwords to randomly generated ones.
This does not affect the comments accounts, right? I’m pretty sure I’ve never made an account for the forums.
Doesn’t look like it applies to comment accounts, I just tried to log into the forums using my comment username and password and it doesn’t work, looks like they are completely separate accounts. Save me going on a paranoid password changing binge though I guess.
This has been my experience as well, but I’d figure I’d ask.
Would be nice to get some confirmation about this though.
as per the article (probably didn’t say it when you asked, to be fair), it’s recommended you change the password on your comment accounts (“wordpress”) as well.
Since RPS seem to have posted as soon as they got news, it’s possible they don’t even _know_ if wordpress was affected or not
Yes, like the post says, it does apply to comment accounts too.
Damn it. Still in a way if people decided to hack you, it’s some form of compliment I guess. After all the Gawker stuff I went separate passwords on everything, so no biggie personally tbh. Also http://www.lastpass.com is great for keeping track of all of that sort of thing.
Same here. Gawker forced me to change the way I did passwords and now I have a unique one for each site I’m registered at.
Done it! Actually my password on RPS is the longest one (15 chars) I can remember! Yes, it’s the only password I can remember my whole life because you’re so special, guys!
(oh my first reply fail for the occasion)
This rubbish me the wrong way.
Will you sec-ure dogs on the perpetrators?
You get bonus points for using an image from Uplink.
…..
Some people enjoy it! Ugh, can you imagine?
mkay it keeps replyfailing… anyway, *hug* hivemind
XKCD is awesome.
Sorry to hear about it guys. Thanks for telling us and being frank about it.
Thanks for letting us know quickly – as said above this is nothing unusual these days, the difference is in how the site responds.
An alternative to LastPass (which has supposedly been hacked before) is KeePass – it stores things locally so it’s not such a tempting target. I especially like the readable passphrase generator, which gives you a 128-bit password you can actually remember.
I have reset both of my passwords. I am sorry you guys got hacked but thanks for being upfront and honest about it. I mean you guys could have just pretended nothing was wrong and then shut down the site for months *cough PSN cough*.
There was a forum?
+1 also confused.
Thanks for the info – I am assuming subscription donations are secure?
Just updated the post to reflect that, but, basically, yes, as all that stuff’s with Paypal – the only issue is if you use(d) the same password here as you do for Paypal or any other sites that do hold financial details.
Eh, nothing is uncrackable. I had hoped that once the lulzsec pillaging was over, I wouldn’t have to change my password again. I’ve almost got a dictionary full of passwords and it’s a hassle to remember them.
Use LastPass, let it generate random passwords for everything you log into and let IT remember them (not you).. We put up a mini article on it here after the big lulzec wave of hacks
Been using LastPass for about 4 years now and I CANNOT recommend them enough to everyone. Fantastic service that is really well run and so easy to use that my mum uses it as well! :-P
It can automatically generate super secure passwords, remember them all, automatically log you in to all of your different sites, use several authentication/dual authentication methods, allows mobile access, the list goes on. Seriously, use it. Also try its security test.
I’m sceptical of anywhere that keeps all my passwords in one place. Sure my computers do, but they are spread all over the hard drives. Yes, you could not have it connected to the web, but if it’s on a computer it can have access to it.
I’ll just trust the piece of paper on my desk I think.
No worries. I assume every site I use will eventually be hacked, so I’m prepared.
For those of you fretting about passwords, I suggest you start using a secure password managing application like KeePass. There are a bunch of free ones out there, and they make it very easy to have a separate highly secure password for every site.
I also recommend you print out your password list periodically and stick the printout in a safe at your home or bank, just in case.
“Those passwords were encrypted in such a way that our tech bods believe it will take them at least a month to crack.”
What sort of encryption were you using exactly? Proper salted hashed passwords should be basically uncrackable forever, and it’s worrying that yours weren’t this.
No such thing as uncrackable, just “would take so long that there’s no point in sticking with it over easier targets”. Also, getting to the stronger (no dictionary words, no common patterns) passwords would take a lot longer, since the only really doable (read: might actually be worth the amount of time needed) brute force search is still the dictionary attack.
Now, if they’re salted (with a global salt; more on that later), you can assume that will take a bit longer, because you can’t just use pre-generated rainbow tables (a list of hashes mapped to the password known to generate them when using a given hashing algorithm – these are handy for someone searching for passwords, because they just search the DB for hashes matching one in their rainbow table, and bam! they’ve got a confirmed password), so you’ll at least need to generate a rainbow table for that individual site (slow, but again, not infeasible). This is the most likely one for RPS to be using, as a decently slow-but-not-too-slow (quick enough to not hinder log-ins perceptibly, but slow enough that all that extra time adds up when you’re running it thousands of times over) hash could easily lead to that, plus the actual search, taking about the month RPS mentioned (though obviously it would depend on how much computer power the attackers have available). And that would still only catch things which match dictionary words, or common patterns, since beyond that you would be back in the realms of pure per-user brute-force searches.
If the site’s developers really know what they’re doing with the security, you’ll find some sites use a unique salt per user, which would mean that an attacker would need to generate a separate rainbow table for every account, at which point it’s no better than simply brute-force searching for possible matching hashes.
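As an added example (not RPS's code, nor any commenter's), the three storage schemes contrasted above and in apa's guide, in runnable Python: unsalted MD5 that a precomputed table recovers by plain lookup (using the “abcdefg” hash quoted earlier), a single site-wide salt that only forces one table per site, and a per-user random salt with a deliberately slow KDF. PBKDF2-HMAC-SHA256 is assumed as the slow hash; the site salt and the word list are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed table of unsalted MD5 digests.
# Real tables hold billions of entries; the lookup itself is exactly this cheap.
WORDLIST = ["password", "qwerty", "12345678", "abcdefg", "letmein"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


UNSALTED_TABLE = {md5_hex(w.encode()): w for w in WORDLIST}


def lookup_unsalted(md5_digest: str):
    """Recover a leaked unsalted MD5 hash by table lookup: no computation at all."""
    return UNSALTED_TABLE.get(md5_digest)


# A single site-wide salt defeats generic tables, but every user shares it,
# so one table built for this site covers the whole user database.
SITE_SALT = b"constructed-site-wide-salt"  # constructed value, not RPS's


def global_salt_hash(password: str) -> str:
    return md5_hex(SITE_SALT + password.encode())


def build_site_table(words):
    """The per-site table an attacker would have to compute once, then reuse."""
    return {global_salt_hash(w): w for w in words}


# Per-user random salt plus a slow key derivation function: every user's hash
# needs its own work, so nothing useful can be precomputed ahead of a leak.
ITERATIONS = 100_000


def create_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time comparison so timing doesn't leak how close a guess was.
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_distinct_hashes(password: str) -> bool:
    """Two accounts with the same password store different hashes under per-user salts."""
    return create_record(password)["hash"] != create_record(password)["hash"]


if __name__ == "__main__":
    leaked = "7ac66c0f148de9519b8bd264312c4d64"  # the MD5 quoted in the comments above
    print("unsalted lookup:", lookup_unsalted(leaked))
    print("site-table hit:", build_site_table(WORDLIST).get(global_salt_hash("qwerty")))
    rec = create_record("abcdefg")
    print("verify right/wrong:", verify(rec, "abcdefg"), verify(rec, "abcdefh"))
```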
I would take this time to recommend tools like this: https://agilebits.com/ or http://lastpass.com to store and manage your passwords.
Both my passwords to RPS Main Site and the forums were randomly generated strings such as:
ZuFwWs4WyXnBMFGXcqwf3XrRqzUvdn
That way I do not have to remember the passwords, and they aren’t used for any other site. I only have to remember one extra strong password to access my password store.
I mention it every time there is an article like this, but I suggest using a program like Keepass to save and generate passwords. Works wonders since I only have to know a few passwords off the top of my head (email, online storage, and the key file itself).
I’ll still love you even if you have a problem with your nether areas being open to unknown parties for a bit. Not your fault!
Thanks, Mrs The Tupper – didn’t know you posted here.
Love you too tiggy-winkles!
TTx
*sadface*
This ain’t nice when it happens to nice people and not just some faceless company. :-(
I spent the last 15 minutes trying to get the damn picture pixel perfect and was getting so frustrated, then I found the “get new password” button. Oh man, it’s been a long week.
When are hackers gonna do something useful like hack EA’s banhammer gang, or siphon off funds from Russian Oil exporters to fund STALKER 2?
The annoying little fuckers seem to have no agenda apart from pissing off people who’ve done no harm to anyone (that’s us ok), and keeping their local pizza joint in business.
Ban Pizza and the hackers will just die of starvation!
Just to repeat what I asked earlier, am I right in saying that the account we use to comment on articles and the accounts on the forums are separate things? Because I (like many others I’d imagine) have never used the forums before and my login details I use to comment don’t work on the forums.
EDIT: Just noticed that it’s mentioned in the article, so is it possible that access to the forums also gave them access to comment account information like with the Steam hack?
Yes, that’s right, they’re separate.
First videogamesplus get hacked, then someone tries to take a loan in my name and then this. Awful week this. Luckily there’s no personal details and such here.
I don’t want to be a burden in your hour of need, but your article needs clarification.
1) Encrypted passwords.
I really highly doubt they were encrypted at all. It would be an entirely unusual thing. What I much rather suspect is that they were hashed. Is that so, and, if so, were they salted, and, if salted, individually?
2) What level of access they had. If they had admin-level access to the forums, they can probably install forum plugins. If they can do that, they can run arbitrary code, and if they can do that, finding out the database details for the forums is trivial. Are the database details for WordPress the same as for the forums?
3) “User details hidden” – this implies there is no evidence that they got database access to the forums, or even full admin-level access (since nothing is hidden from admins). So what exactly did they have (known) access to?
( EDIT: Just saw this article was posted pretty much straight after the attack was discovered. In which case, extra kudos, and no snark is implied for the details not being available. But I hope they do become so. )
Sorry this happened to you… it’s been going around recently :/
further edit: this isn’t the most recent article any more, but it’s still showing as the top one. Nice one :)
I would like to know this too.
If RPS is using individually salted passwords, we’re pretty much safe because the hackers would have to create individual rainbow tables for every password, which is pretty much infeasible unless you have a Googol-sized database lying around at home along with the collective computing power of a botnet or SETI@home or the like. Plus a lot of time on your hands.
Thanks for this information and for not hiding anything from us and being open and honest.
Hmmm, that’s not cool.
For RPS, I use the easiest password ever. Nothing of value was lost.
WHAT THE FUCK. Apparently EA has a password limit of 16 characters. Somebody report this bullshit already :/
Get away from her you BITCH!
…is what I would like to say to the hackers.
God dammit! Now I have to go and change all my passwords from house123 to something else!
The error message when there’s trouble with the forum is always highly perplexing.
“Parchment is an interpreter for Interactive Fiction”, it says.
Well… OK. Thanks for the info, I guess?
(Deleted due to brain failure)
That aside, thanks for a) not gathering info from us that you don’t need, so the impact is minimized and b) being open and apologetic about it. This won’t lessen my opinion of the hivemind at all.
That’s something I hadn’t considered before (and why I’m not so bothered by this). RPS never asked for more info than was required – appreciated.
Hello I’m the Hack….lol sorry I can not finish that sentence without laughing XD
Question, is the password to the forums the same as the RPS site?
Much sadness.
This place has forums?? I seriously had no idea. Awesome. Sorry about your hacking problem or whatever.
Bad luck, guys — now get back to your excellent games criticism!
Thanks for sending out the second WordPress link to reset a password. The graphical captcha seems to require pixel-perfect alignment – a little tricky to accomplish on a tiny touchpad.
I also hope none of the RPS admins login over unsecured wireless connections given the lack of SSL on the login page.
Yes, this is an important point: Login pages that do not use SSL are a big no-no. Requesting and implementing an SSL certificate should be a high priority!
Look at you hacker…
Pathetic creature of meat and bone!
That’s ok, every spam site ever already has my email address and other details.
Oh tell me about it. I have all my important stuff on a different email to my spam-ridden one though. That one has become a kind of sacrificial lamb.
changed my password, thanks for the heads-up.
I had noticed that there was a fair bit of (supreme-quality) freelancing going on with the site today. I imagine you’ve all been busy chaps, but well done for keeping everything running. Have a beer.
[paranoia] So if the hacker got in and had control of the site … how do we know that this post wasn’t made by the hacker and those links are just phishing links to collect our usernames and passwords???[/paranoia]
It’s a bit concerning that this is the second time in about as many months that this has happened.
I assume you’re talking about the Vbulletin malware thingy?
*Paranoid mode*
I wonder if this has something to do with that anti SOPA/PIPA-campaign?
I made an account like 6 hours ago so I guess I’m safe?
This had better turn up as a topic of discussion on Rum Doings.
Well at least you’ve got the hackers narrowed down to the part of the map highlighted in light blue. It’s just a matter of time now.
To those not in the know, yes there are RPS forums, and yes they are pretty cool. I only just discovered them recently myself and had to create a new forum account to participate, so they are definitely separate accounts. However, both parts are hosted at http://www.RockPaperShotgun.com, so it’s best to assume that both are compromised.
To the RPSH, thanks for the quick and honest admission and advice to change passwords, especially the bit about the password being used anywhere else. It’s worse if you use both the same user name AND the same password in more than one spot, but depending on what other information the hackers have, it could be bad enough just using the same password.
RPS is a site that has constantly stood up against that which so many hackers claim to be fighting.
I really like RPS, but I don’t really think attacking a big game publisher or FBI or whatever is any better. I just wish they’d all stop.
That is so very definitely not what was meant by the quote you highlight. It wasn’t even implied.
You’re right, but some people do think that.
“WordPress 3.3.1 is available! Please notify the site administrator.”
It seems that RPS has 3.2.1 from last July. If it has any vulnerabilities, they are surely common knowledge by now…
I work in information security and we see plenty of these types of incidents.
There are definitely security issues with older versions of WP, but the really nasty ones tend to be WP plugins written by 3rd parties with little or no regard for security. That said, the forums were hacked and are running on vBulletin. It was probably SQL injection and if so RPS needs to go through the logs and look for the SQL commands that were sent to the server as well as go through the entire SQL database to make sure that nothing malicious was added.
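The log review the commenter above recommends, as an added example (this is not code from RPS, Positive, or vBulletin): a small Python scanner that URL-decodes the query string of each access-log request and flags the request shapes that SQL injection leaves behind, then groups hits by client address so an investigator knows which sessions to pull in full. The log lines, IP addresses, timestamps and signature list are all constructed for illustration and are not the site's real logs.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" format (not real RPS logs).
# The hostile requests are generic textbook shapes, included only so the scanner
# has something to detect.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jan/2012:10:02:11 +0000] "GET /forums/showthread.php?t=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2012:10:02:19 +0000] "GET /forums/showthread.php?t=1234%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 610 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2012:10:03:40 +0000] "GET /forums/search.php?q=rock+paper HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2012:10:04:02 +0000] "GET /forums/member.php?u=1%20AND%20SLEEP(5) HTTP/1.1" 200 611 "-" "Mozilla/5.0"
"""

# Minimal parser for the "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for request shapes typical of SQL injection. Each is matched against
# the fully decoded query string, never the raw URL, so encoding does not hide it.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s*['\d]", re.I),
    "comment_terminator": re.compile(r"(--|/\*)"),
    "time_based": re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I),
    "schema_probe": re.compile(r"information_schema", re.I),
}


def decode_query(path: str) -> str:
    """Split the query string off the path and URL-decode it.
    Decoding twice catches double-encoded payloads (%2527 -> %27 -> ')."""
    if "?" not in path:
        return ""
    query = path.split("?", 1)[1]
    return unquote_plus(unquote_plus(query))


def scan_log(text: str) -> list:
    """Return one hit record per log line whose query string matches a signature."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = decode_query(m.group("path"))
        matched = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if matched:
            hits.append({
                "line": lineno,
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": m.group("path"),
                "rules": matched,
            })
    return hits


def summarize_by_ip(hits: list) -> dict:
    """Count flagged requests per client address, the natural pivot for pulling
    that client's full session out of the logs."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']} {h['ip']} {h['time']} {h['path']} -> {', '.join(h['rules'])}")
    print("flagged requests per IP:", summarize_by_ip(found))
```

Signature matching of this kind is a triage aid, not proof: a hit tells you which requests and which client sessions to read in full, and a clean scan does not mean nothing happened, since the injection may have gone through a POST body that the access log does not record.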
I DEMAND TO KNOW the technical details of this hack immediately!
You know, it is in my rights to know how my password has been compromised according to a law that I have just made up. Don’t make me conjure a lawyer now. Was this about wordpress shenanigans?
Thank you for the email.
Who would do such a thing? Damn them!
There are RPS forums?!
I tried to get my account on RPS deleted a few months ago, but never got a response. Can a friendly mod please, please contact me about this?
I was getting bored of my old password, anyway!
This is why we need SOPA!
Twats!
On the Gabe Newell scale of feeling sorry for the person who’s been hacked, with Gabe being a 10 you’re about a 7, the delivery was great, and the somberness and disappointment palpable, but the wording was a bit off, Gabe seemed like he was writing his letter of apology through tears while eating a mongo bag of doritos with salsa to stop the shame, this was more of a coolheaded, I’m sorry for your trouble.
But thanks guys, couldn’t have happened to a better bunch, good of you to come out so quickly with the news. Yet another reason why hackers are bad, PIPA and SOPA for the win!
Oh wait, something was off there wasn’t it..
Condemnation for not protecting their passwords better? Was that what was off? Oh how we joked about it when it was someone else…
A year ago the thought of a hacker getting access to one of my passwords would piss me off, but now I just shrug and accept it as part of life.
Thank you, whoever hacked the PSN, Steam and RPS.
same here.
nowadays ALL my passwords are 25+ digit alphanumeric upper and lower case strings (with different emails too)
It sucks, but if RPS reporting has taught us anything it is that sites get compromised, so since the Sony etc days my password has been a Keepass2 disposable.
Out of curiosity, what did RPS learn from their reporting? Oh. Silly question. Off to re-jig my disposable password for another. Wouldn’t want some hacker coming on here and posting all sarcastic like.
Why do we even have passwords anymore
Yesterday my bank called about canceling a card that may have been compromised (the same one I replaced last year for Sony’s PSN snafu). I don’t know if I should be grateful not to have any money at risk from this RPS hack because I just lost the relevant card that all my game spending went on. Irony has me.
Posting to test if I’m actually logged in or not, since WordPress isn’t telling me and the ‘login’ link is still there.
Edit: Dammit.
I thought this was satire until I got to the “please reset your password” links.
Sucks that this would happen to RPS.
Poop.
PW changed.
Still love you.
To be honest the majority of hackers aren’t Anonymous style-crusaders, but people just trying to steal money and info that might allow them to get money.
I’m guessing that commenting accounts are safe as they are universal wordpress accounts anyway and have nothing to do with the forum. Password is changed just in case anyway.
What are they gonna do? Troll in my name?
PCG Insurgency
Ugh, I can’t reset my password. Every time I try, I just get an error that says “password reset is not allowed for this user”.
Email me at john@rockpapershotgun.com, and I’ll sort this out in the morning.
Go to bed John – you’ve undoubtedly done enough for one day. And probably sober too, poor bastard.
What is there to even be gained from attacking a video game web forum? There’s no money changing hands.
Poor stupid computer literate kids these days…
I just wanted to let the RPS staff know how angry I am with this outrageous news.
How could a company as big and advanced as yours do such a thing?
I work my BUTT OFF every day to earn money and now all my credit card info could be stolen. This will of course result in a lawsuit I can assure you that.
I trusted this company with my personal info and now there is a good chance that these could be stolen.
oh wait. That’s the message I was supposed to send to Sony a few months ago. But I just ended up giving up on them and returning to PC gaming. And I don’t intend to ever look back.
Thank you for the prompt warning.
Events like this are perfect examples of why I use LastPass. Randomized password for every single website.
this place has forums?
Link at the top, on the right.
Abandon ship and switch to xenforo.
http://xenforo.com/
By now every hacker on the planet must have my forum passwords.
Still nobody is helping me with my post-count. I am disappoint.
Aww. This seems to happen to every cool site at least once. Don’t worry RPS, I still love you!
I am not going to reset my password. I am just going to NOT care. I don’t even know my password here; and I’m not going to waste time thinking about it.
Sometimes ignoring this bullshit is just better.
Apparently I’m not allowed to reset my password. I’m doomed. DOOMED.
I have nothing to add, I just logged in to test if my password was the one I recalled.
Well, since I am already here: does anyone have a cure for the-binding-of-Isaac addiction? After more than 70 hours playing I really need to move on.
http://sites.google.com/site/broguegame/
Perhaps one of the best classic-style roguelikes I’ve had the pleasure of playing. Of course, you may not like classical roguelikes, but I never miss an opportunity to plug Brogue, no matter how tenuously related to the subject.
@Skabooga
Thanks for the tip, I installed Brogue and it looks very interesting. Right now I am trying Bastion, but keep returning to Isaac. Tetris-level addiction dude.
wot
Major Bummer. Why can’t people just stay away from others’ stuff?
Spam stream incoming? I wouldn’t be surprised.
Luckily, I’d already been forced into changing all my passwords by the steam hacking (is that lucky?)
I now have different passwords (and usernames where possible) for most sites, and use KeePass to keep track of them.
If I lose keepass, or have to log in on a remote PC without access to it, then I’m screwed though. ;-)
God damnit.
Thanks for the heads-up. Details changed :)
this is truly unfortunate, sad to see this happen to such a great site
Grrrrrrr, I’ve just changed my Mail Password for my Talktalk Account and now my old password works but not the new one and now it seems I can’t even get on to the ‘MyAccount forgot password’ thing because it keeps coming with a hite with ‘You are not authorized to access this feature.’ message BOLLOCKS! What the fuck’s up with that? Fuck sake ANOTHER call on my mobile to a call-centre? Damnit why did I choose to have my line just for the net? (sustained sigh through clenched teeth)
Here I am with my slightly different password! Well done guys for being honest and on it :)
Shit. Can you guys tell us how strong the encryption was? I am hoping it was hashing and not encryption and that it’s salted and stuff. 1 month to crack for the simplest passwords?
Well if you know that much, you know that if they know the algorithm they can get the simplest passwords pretty much right away.
You also know it’s best practice to change your password anywhere you shared it with here.
Nah it doesn’t work like that. Knowing the algorithm merely enables you to have a go at the system. Basically when you have encryption you want to retrieve the data you have encrypted whereas when you have ‘hashing’ you do a lot of maths on whatever data you want and store it. That way when you try to login they do the same maths on whatever password you enter and compare it with the stored password mess. If they are the same you are allowed to log in. If someone gets their hand on the hashed password it takes a lot of computing power to figure out what it is. The more complex the maths the harder it is to guess the password from the hash.
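To make the hashing-versus-encryption explanation above concrete, and the earlier point that per-user salts stop one precomputed table from cracking every account, here is an added Python example. It is not RPS's code and says nothing about what the site actually stored; it uses the standard library's PBKDF2-HMAC-SHA256 as the "lot of maths", and the iteration count, record format and sample passwords are illustrative choices of this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2. A higher count slows every guess an attacker makes
# against a stolen hash by the same factor it slows a legitimate login.
# Illustrative value for this example, not a recommendation for a specific site.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Nothing here is reversible: the site never needs
    the password back, only the ability to recompute the same digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Login check: redo the same maths on the candidate password and compare.
    compare_digest avoids leaking how many leading bytes matched via timing."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def make_record(password: str) -> str:
    """Pack algorithm, work factor, salt and digest into one string so the
    verifier can re-derive exactly what was stored, and the work factor can be
    raised later without breaking old records."""
    salt, digest = hash_password(password)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Verify against a packed record, using the iteration count stored in it."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The weak scheme the salting discussion warns about: no salt and a fast
    hash, so every user with this password has the identical stored value and a
    single precomputed table serves against the whole user list."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hashes_differ(password: str) -> bool:
    """Two users choosing the same password get unrelated stored digests, so a
    table built for one user's salt says nothing about the other's."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    rec = make_record("house123")  # sample password from the thread
    print("stored record:", rec)
    print("correct password accepted:", verify_record("house123", rec))
    print("wrong password rejected:", not verify_record("house124", rec))
    print("same password, different salted digests:", salted_hashes_differ("house123"))
    print("same password, identical unsalted md5:",
          unsalted_md5("house123") == unsalted_md5("house123"))
```

The comparison to note is between `unsalted_md5` and `make_record`: the first gives an attacker who holds the database one lookup per user against a table they can build before the breach; the second forces a fresh, deliberately slow computation per guess per user, which is the "lot of computing power" the comment above refers to.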
Heh thanks to all the recent hacks I already have a few of my passwords possibly compromised, at this point I handle passwords like email accounts. Some of them are just spam and not really secure.. the one for RPS commenting had already been on that list.
Problem is I keep forgetting my “high security” passwords and recently got my CC locked for online usage because I couldn’t remember the right password in 3 tries :/
Thanks for the email notification, pass already changed now.
you might want to update your WordPress version
agh
Bugga
Fortunately,
A: I don’t use dictionary words in my passwords
B: The password I used on RPS was my ‘super-low security’ one, that if anyone DID manage to decrypt, would only get them access to some small forums and f2p MMOs.
Don’t sweat this too much.
1 – This is part of being on the internet at this stage of the game
2 – You noticed before it went too long (this time at least) which is not easy for everyone to do, so kudos
3 – you told us all
4 – you didn’t keep the passwords in a foolishly unsafe way
5 – you didn’t keep unnecessary additional identifying information along with the passwords
That’s pretty much all the right things to do right there.
Some things you might already do, but probably should
1 – recommend that users pick a unique password for this site, so as not to put more important logins at risk
1a – if that’s too much to ask, at least do not share the password for RPS with your bank account et al.
2 – recommend users consider using a unique email for RPS, if possible
Also, unsure how your subscriptions work. Hopefully you’ve found a way to shift that problem to the experts.
Sucks, let’s hope they won’t be able to get in again. I was in the process of phasing out the password I used here. So a little kick in the butt to get on with it. :)
Not going to reset my password.
It can’t be bruteforced since it’s too nonsensical, and what if the hackers snuck something into the “Recover your password” code that actually sends them the clear-text versions of the passwords?
“It can’t be bruteforced”
You are a funny guy.
No it can’t… no dictionary word, combination of dictionary words or number-replacement of dictionary words would match the jumble that my password is… and to put it in real terms, assuming the password cracking script knew the length of my password, and also knew that it was just a combination of letters and numbers, they’d have to go through (10 * 10 * 10 * 10 * 10 * 10 * 10 * 26 * 26 * 26 * 26 * 26) ^ 12 combinations of the letters a-z and 0-9, and that’s just lower cased.
So no, it can not be bruteforced. Or maybe it can – I assume you know my password, since you sound so very sure.
EDIT: Also… read this.
By “even if they knew” I assume you mean “now that I’m about to tell them”? But be that as it may, I’m impressed that you managed to fit 144 characters into a 20-character password field.
No worries – I assume any site I have a login for will eventually be compromised.
Had some strange emails sent to all my contacts last night from the same email I use for this site, maybe linked? Not 100% sure. Changed password for that email and this site.
:(
Well that sucks.
It was better in case with Kotaku – I used Facebook login over there, and every time I hear about another hack I just wish everyone could implement OAuth.
Wait, so the forums and the comments passwords are different? How needlessly complicated.
Sorry you guys got hacked, though, this has become one of my favorite sites.
I’m blaming Nick Mailer
I would change my email on the forums but I don’t think I trust you with my new email address.
Cheers for letting us know.
Personally, I tend to use one password for important sites, one for less important things that I have paid for and one for things I don’t pay for at all, and don’t mind if it is hacked. So they got the latter one, which allows me to log on to other gaming sites… I doubt anyone really wants that.
I have to change my work one every couple of months which is really annoying, but I have found a good way of generating lots of passwords is to think of what you are doing at the moment, then adding a couple of strange characters.
E.g. If you are going on holiday, Holidaying^^ might be a good password to use. Then if you forget it, you just think back to what you were doing when you came up with the password and it’s easy to remember. I’ve forgotten my password 3-4 times over the last 8 years, always remembered them though :)
Please could someone clarify – it says the forum was hacked and therefore potentially the forum passwords stolen. Is that different from the commenting password? I have never used the forum, only commenting, which would imply I am safe, unless commenting passwords were stored in the forum too. But if I am safe, why is there a link to change my commenting password? I’d be grateful if someone would clarify if I need to do anything. Thank you, ladies and gentlemen.
I believe these comments are hosted on wordpress and are separate from the forums.
Bummer.
Too bad to hear, guys. Luckily this was the only site I was using this particular password on so it’s not really much of an inconvenience. Reminds me to start moving more sites over to keepass or something.
I signed up right in the middle of the ‘attack window’ and was freaking out slightly as I use the same password for nearly everything (like a numpty). Then I remembered that I never figured out how to change my comment password here anyway so I am still using the wicked complicated auto-generated one from sign-up. Thank you, difficult-to-use-password-changing-system! I am very relieved!
Darn. So someone hates RPS enough to attack it? Or is it that it was visible enough to attract a random defacer? Either way; it’s a surprise to see a decent news site hit. Not a nice adventure. Oh well- at least they’re gone :D
I hate hackers so much. What a useless bunch of dicks. Even the supposedly friendly neighbourhood idealist hackers of Anonymous do nothing but harm. When your social skills are inadequate and you can’t express your feelings, or you’re overlooked because your opinions are moronic, get out your hacking skills.. I suppose.. Exact same thing as violence. Too dumb to argue your point? Resort to fists.
Your opinion is also moronic, at least from some points of view. So what’s the difference? Hackers are like soldiers, they can be used in both good and wrong ways. Rarely they are independent enough to have their own agenda. Hating someone because of his hobby or job is stupid. Unless this someone is writing comments for profit.
Hmmm, this is bad. I use variations of this password quite regularly; the fact that it’s easy for computers to crack when it receives strong and good ratings is also not appreciated.
This sux
HACK THE PLANET!!
Wait… wat.
nOoOOOO!