Rubbish News – RPS Forum Hacked

By RPS on January 20th, 2012 at 7:40 pm.

Hello there. It really sucks to be posting this, but this week the RPS forums were hacked. The hackers found a way into the server on the 14th Jan, and had access for five days. We only found out last night; that hole is now closed, and they’re gone.

However, it’s not entirely clear what they did when they were there. There is no evidence that they managed to get at user details, which are well hidden, but simultaneously there’s no absolute evidence that they didn’t. So at this point we have to assume the worst.

If they got to those files, they will have got people’s emails, usernames, and encrypted passwords. Those passwords were encrypted in such a way that our tech bods believe it will take them at least a month to crack. But it means that we *strongly* recommend that you not only change your password on the RPS forums/commenting registration, but if you use that password elsewhere, make sure you change it there too. In fact, we utterly strongly recommend that you never use the same password in two different places, for this very reason.

We’re tremendously sorry. We learned that there had been some sort of incursion yesterday evening – the tech people at Positive closed it off immediately, and have been sorting it out since, working out what they could have found. We learned the information reported above half an hour ago, and have told you as quickly as we can.

An RPS forum account and an RPS commenting account are two different things; again, we don’t yet know what, if anything, was accessed, but you should reset passwords for any RPS accounts you have, as soon as possible. We are emailing everyone who has an account with RPS to let them know, with the details given here.

Please head here to change your forum password:

http://www.rockpapershotgun.com/forums/profile.php?do=editpassword

And here to change your comments password:

http://www.rockpapershotgun.com/wp-login.php, then select “Lost your password” and follow the instructions to set a new one. Note – if that link doesn’t work, try this.

Lovely subscribers/donors – any financial details you use for that are off-site entirely, so no need to worry on that front, but if you use(d) the same password on Paypal that you did/do for RPS, you should change that immediately.

We’re bitterly upset that we were targeted. RPS is a site that has constantly stood up against that which so many hackers claim to be fighting. Of course, we don’t yet know who did this or why.

And please accept our emphatic apologies that this has happened. We are doing our best to ensure this doesn’t happen again. Meantime, it’s business as usual on the site, in comments and on the forum. Thanks for your support, patience, loyalty and loveliness.

RPS Hivemind


230 Comments »

  1. sinister agent says:

    If any hackers are reading this, could you please tell me what my password is? I can never bloody remember. Coming up with something that even I can barely remember always seems like such a good idea at the time….

    • Makariel says:

      I have the same problem. I just try to remember what my password here was in order to figure out if I had the same hard to remember password anywhere else :-/

    • The Tupper says:

      Hehe. Exactly.

      One has to wonder what the purpose could be of hacking RPS forums. It’s not like there’s money involved.

    • Kodeen says:

      May I suggest this method of password generation.

      http://xkcd.com/936/

    • Dr I am a Doctor says:

      Try 123456.

      Also, Kodeen, dictionary passwords are much easier to decrypt. Please don’t spread that strip, it can hurt people. (Also please don’t spread Xkcd in general)

    • sinister agent says:

      I’d imagine it’s either an indirect password-gathering thing (despite the warnings, a lot of people even on a relatively tech-savvy site like this will be using the same passwords in other places), or just someone doing it to see if they can/how hard it’d be. That might explain why there was no obvious damage (and hopefully none at all).

      I’m extremely far indeed from being an expert on such matters though. It just seems to stand to reason to my near-brain.

    • yhancik says:

      I checked and correcthorsebatterystapple isn’t in my dictionary.

    • Nalum says:

      What’s wrong with XKCD?

    • bglamb says:

      May I recommend picking a longer sentence and just using the first letter of each word?

      For example: “This password is hard to guess but easy to remember” becomes – “Tpih2gbe2r”

      Voila.

    • mouton says:

      There are haters for everything.

    • MikoSquiz says:

      Alt text for the strip: “To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.”

    • VelvetFistIronGlove says:

      Dr I am a Doctor: That strip is factually correct. Choosing four random words from a large list is both easier to remember and more secure than a short “good” password. But if you’d done the maths, you would know that.

    • bglamb says:

      Anyway, are servers not built with innate resistance to brute force hacks these days?

      I can’t think of a single legitimate reason for a server to respond ‘nope’ to a million password requests on the same account without realising something’s up.

    • Moni says:

      In this case, the site was hacked, so the strength of your passwords is irrelevant. Most of the time, a half-decent, easy to remember password is more important.

    • aleander says:

      Dr I Am a Doctor: you’re mixing advice. Single-word passwords are easier to crack, but there are a lot more words than letters, digits, special characters and funky emoji taken together. The “no dictionary passwords” applies to the bad old days of the DES-related crypt function, when every password got truncated to 8 characters. This advice is utterly obsolete; the only thing that keeps it vaguely relevant is broken systems that limit password length.

    • apa says:

      My Password Guide (adapted from several articles after the recent password hacks)

      1. The password MUST be unique.
      – If you don’t use the exact same password on any other site you’re a lot safer. The one cracked from one place can’t open any other account.
      – If you have a system for site-specific passwords don’t make it too easy to guess. If your RPS password is eg. “345abcmyLongwordpass4rockpapershotgun” and the email in the hacked user db is someone@gmail.com and that password is “345abcmyLongwordpass4google”, someone just might guess that one.

      2. The password should be long and not a common password (12345678, qwerty, password, any dictionary word, any string found in common rainbow tables).
      – It should contain AT LEAST numbers and uppercase characters in addition to lowercase characters. Special characters (!”#$…) are even better.
      – Almost all dictionary words and easy passwords can be solved instantly. Usually websites encrypt passwords but the encrypted version can be resolved to the cleartext one by looking it up from a “rainbow table”. Eg. encrypted “7ac66c0f148de9519b8bd264312c4d64” is “abcdefg” decrypted. Just google the encrypted string if you don’t believe how easy it is.
      – The longer a password is and the more different kinds of character it has the harder it is to really decrypt if it isn’t already available in a rainbow table. “11whatevva” is fast (hours), “11whatEvva” is almost as fast but “11whatEvvaotgunpassWrood–” takes a lot longer to crack and there’s even a not-too-clever site-specific part in the middle.

      3. Best solution is to use a program like KeePass or LastPass, use it to generate unique and long passwords. Remember to backup the password database and store it somewhere safe. The last part is the hardest… But if a site gets hacked, you’re safe.

      4. Do as I say, not as I do :)

    • Odeon says:

      @Dr I am a Doctor: Wrong and wrong again. If you don’t understand it, don’t pretend to show that you understand it by using an argument that doesn’t apply (which is hard not to do unless you understand it). Besides, it looks like there are spaces in between each word (though he doesn’t seem to account for them when counting the entropy bits, so I’m probably reading it wrong), adding three special characters in the middle of the password, which cranks up the difficulty significantly. And if you don’t understand XKCD in general, don’t assume that the rest of the world also does not understand it.

      @bglamb: That password is pretty good, but could be improved by capitalizing one or more of the internal letters and adding one or more special characters – “TpiH!2gbE2r”

      @apa: Good guidelines! I’d add a few more things:
      1. Never use your email address or any part of it for a user account that will be visible to any other user.
      2. If you go the manual route, create site-specific passwords and switch them around. For example, use “11whatEvvaotgunpassWrood” for your Google account and use “emaiL4mE@googlEiS!greaT” for your RPS account.
      3. When creating answers for the password-recovery system questions, switch the answers around. For “What was your first car?” answer “Ghetto High School” and for “Where did you go to school?” answer “Bright Green Jalopy”

    • dangermouse76 says:

      This is an example of a good password:

      S4$K(&6kKf%d”L?v

      I use these across all sites but longer if possible. After that if you need to remember them write them down in your house somewhere safe. Or place them on an encrypted modern office doc. The encryption on them is very strong.

    • FataMorganaPseudonym says:

      @Dr I am a Doctor

      The fact that you are disparaging xkcd lets me know that I can safely ignore any opinions you post in the future. Thanks for making the Internet just a little bit easier.

    • Koozer says:

      I try and use long passwords with non-dictionary words, numbers, lower case and upper case, and characters. I say try and use because half the websites in the world don’t accept special characters, have a maximum length, don’t like spaces or other stupid limitations.

    • sinister agent says:

      3. When creating answers for the password-recovery system questions, switch the answers around. For “What was your first car?” answer “Ghetto High School” and for “Where did you go to school?” answer “Bright Green Jalopy”

      And then you completely forget what answer you gave, because it’s three years since you joined and goddamn it.

      It always pisses me off when sites give you a drop down menu, and worse, when they’re all questions that one could quite easily find the answers to anyway if you know whose account you’re messing around with. Let me ask my own question, you numpties.

    • Metonymy says:

      Hackers, if you have anything racy or clever to say, feel free to use my name

    • Dare_Wreck says:

      @sinister agent: That’s another reason why a program like KeePass or Lastpass comes in handy – they can record your fake security question answers so that you won’t need to keep them straight a year later. That gets around the problem with sites that give you a set number of questions to choose from, especially when the questions are of the type where the answers aren’t farther than a Google search away, like you point out.

    • TLGAthena says:

      If they got the hash table, what password you chose is irrelevant, even 20 char gobbledygook ones can be broken in around circa 15 seconds (no, this isn’t a joke, look up rainbow table attacks) unless said hash was salted.

      Just change your passwords and stop worrying, if they have the hash table AND it wasn’t salted, they’ve got our passwords anyways.

    • JuJuCam says:

      My password tip is to generate your own gibberish word that is actually pronounceable, either a portmanteau or if you’re really clever about it generate a core word out of real English consonant and vowel combinations, throw some prefix and suffixes at it, and you’ll have something memorable that you shouldn’t have to write down.

      Compare a LastPass generated password: o@y}F=NLqV

      To something like Disprailunkesque or Prodiltyunderble

      You can do all the standard character replacements to make it more secure but bottom line is if you keep it legible you’re far more likely to recall it if you need to use it somewhere away from your LastPass database, while still being resistant to dictionary attacks.

    • SirMarth01 says:

      @apa I’d like to throw in my support for KeePass. Two-channel auto-type obfuscation is a brilliant way to deal with keyloggers, and it’s cross-platform, as well. KeePass can also conveniently be used for other applications, such as Steam or Desura.

      (Although unfortunately, at least in Steam’s case, copy and paste are not supported, so TCATO doesn’t work with it. Standard auto-type is still supported, however, which functionally has the same level of security as typing in the password yourself.)

    • Aquamarine Jesus says:

      I used a randomly generated password on my email account and after typing it in several times a day for many months it is committed to muscle memory.

      Oddly, for the life of me I can’t write it down or tell you what it is but put me in front of a keyboard and I can type it without thinking about it.

    • Durkan says:

      but JuJu cam … If we come up with meaning for your words then they’ll end up in the dictionary and then you’ll be easy to hack surely ;)

      I’m going for

      Disprailunkesque

      [adj] Similar to or likened to a Disprailunk

      or Prodiltyunderble

      [noun] The lower eeful bone of a Prodillitylactyl

    • Chufty says:

      TLGAthena: Two things. Firstly, I’d be surprised if the passwords aren’t salted on the RPS database as it’s a very simple, common and computationally inexpensive thing to do (as simple as appending the username to the password before hashing it, for example).

      Secondly, rainbow tables are limited in length and scope and so are only useful with shorter passwords containing common characters. If your password is longer than the biggest computed rainbow table for whatever hashing algorithm RPS uses, then you’re safe. Large rainbow tables take a very, very long time to compute.

    • steviesteveo says:

      @Dr I am a Doctor

      What you’ve done there is figure that passwords with 4 words can be decrypted one word at a time like in the movies.

    • SlappyBag says:

      @Aquamarine Jesus – I’m pretty much the same but with trying to spell. Many people when trying to figure out a word’s spelling will fake-write it with a pen; I pretend there is a keyboard in front of me and try to type it.

      Now that’s bad.

      As for passwords, I’ve pretty much used the same one since I was like 8. Then I made a website for somebody and liked his and mixed it in with mine =P

    • Faxmachinen says:

      Four or more random words make for a strong password, but you’ll quickly note with dismay that the vast number of services limit you to less than sixteen characters.

      As for rainbow tables, a SHA-1 checksum is 160 bits. Until all 10^48 hashes have been mapped in a rainbow table (in about 10^37 years at 1k hashes per second), it does matter which password you choose. But it just goes without saying that you should always salt the fries password hashes.

    • Tengil says:

      Actually, the only version of xkcd that’s even vaguely tolerable is

      http://www.goatkcd.com/sfw

  2. Stellar Duck says:

    What a shame.

  3. Duffin says:

    Shitballs.

  4. Unaco says:

    [slow clap]
    What a shame.

  5. dangermouse76 says:

    I am not getting a new one sent to my mail it’s been 10 minutes is that normal.

    • John Walker says:

      You should be receiving a link that lets you select your new password, rather than having a new one sent to you. I imagine the system is pretty loaded right now. If something doesn’t come through in the next hour or so, email john@rockpapershotgun.com, and I’ll reset it by hand.

    • dangermouse76 says:

      It’s all good, I followed the other link and changed it through the WordPress dashboard. All good, thankfully I am so paranoid I don’t share any similar passwords between sites.
      Thanks for the help though.

    • bear912 says:

      I was just about to suggest that you just use the WordPress admin-dash-panel-board, but then I realized that there was already a link to it in the article.

    • MellowKrogoth says:

      Since the hackers have the emails, you shouldn’t be sending links. You should be saying “come to the RPS forums and do this and this to reset your password.”

    • alm says:

      Is the wordpress one the same as the forum one? I was under the impression they are completely different.

    • ibloat says:

      *Edit* I guess my forum account disappeared for some reason.. created a new one, so nvm

  6. Farsearcher says:

    Thanks for informing us quickly and honestly.
    Bah, now I have to think of a new random password.

  7. Protome says:

    It’s a shame, but these things happen.

  8. Alaric says:

    Meh. Sucks in principle, but largely irrelevant. For so long as RPS doesn’t store important info, this is just an inconvenience at worst.

    • Bonedwarf says:

      I have a random password for here, so meh… And I DO have a generic password I use in a lot of places, but nowhere I give a shit about. Important stuff (email, bank etc…) have entirely different passwords.

      At the point where I largely don’t care anymore. Hackers will always be scum and I’m done dancing to their tune.

    • phuzz says:

      I have separate passwords for important stuff (banks, email etc) but I tend to use similar passwords with a few variations for forums, commenting and stuff.
      It’s the random passwords that I might not have to use much that I want to be easy to remember. So the worst result is that someone sufficiently dedicated to tracking me down could pwn all of my commenting identity across the intewubs, I can live with that.

      Although it’s my steam password, which is important, but that I don’t use much that is hardest to remember.

      Fortunately I’ve just realised that I never got around to registering for the newer RPS forums, so none of my details are in there :)

  9. Smashbox says:

    You’ve inspired a crusade to replace all my passwords with newer, better, stronger, slower versions. So, at least some good came of this.

    Me, I blame Obama.

    • DeathHamsterDude says:

      That is exactly what happened to me. Second I saw the e-mail I downloaded KeePass and generated a whole bunch of random passwords for here and all my other regular sites. There’s still a few that I need to change, but I have new passwords where I spend 99% of my time on the internet.

    • rayne117 says:

      OBUMMER

  10. vecordae says:

    Sorry that this happened, mate. For what it’s worth, my identity is so awful that it will surely only harm anyone who’s stolen it.

    • DavidHewlett says:

      Imagine you steal the identity of a CIA spy who’s just been found out and use it to travel through Iran, making a photo-documentary about nuclear installations. That would suck.

    • diamondmx says:

      Somehow, when the Iranians catch you, I don’t think they’re going to believe that story.

    • DickSocrates says:

      #GetOffRPSGlitter

  11. The Tupper says:

    Oh – and chin up, Hivemind. It’s not the end of the world.

  12. Shivoa says:

    Time to create a new policy, passwords are random strings of 50 characters that are emailed to you every time you want to log in to something. Email providers are given infinite money to build a secure system for email access, everyone can forever be happy (and log in by c&p’ing their one time use key to log in each time they need to access a site). It’s the only sane way.

    • patch says:

      But how would people log into their email in the first place?

      Edit: Actually, never mind. Next time I’ll actually read the whole comment before I reply.

  13. Eclipse says:

    Every time it happens I hope for the hackers to die horribly, someday one of them will

  14. Donkeyfumbler says:

    Lastpass randomly generated password for each site I visit so it’s no skin off my nose. Thanks for the prompt email though. You’re in good company these days so no need to worry :)

    • The Tupper says:

      Indeed. It’s happened to bigger, but few better.

    • menderslan says:

      Thanks so much for the lastpass suggestion. I’ve just installed it and it’s brilliant. Now I’m in the process of changing all of my passwords to randomly generated ones.

  15. Brun says:

    This does not affect the comments accounts, right? I’m pretty sure I’ve never made an account for the forums.

    • Soundish says:

      Doesn’t look like it applies to comment accounts, I just tried to log into the forums using my comment username and password and it doesn’t work, looks like they are completely separate accounts. Save me going on a paranoid password changing binge though I guess.

    • Brun says:

      This has been my experience as well, but I’d figure I’d ask.

    • Soundish says:

      Would be nice to get some confirmation about this though.

    • frymaster says:

      as per the article (probably didn’t say it when you asked, to be fair), it’s recommended you change the password on your comment accounts (“wordpress”) as well.

      Since RPS seem to have posted as soon as they got news, it’s possible they don’t even _know_ if wordpress was affected or not

    • John Walker says:

      Yes, like the post says, it does apply to comment accounts too.

  16. Kadayi says:

    Damn it. Still in a way if people decided to hack you, it’s some form of compliment I guess. After all the Gawker stuff I went separate passwords on everything, so no biggie personally tbh. Also http://www.lastpass.com is great for keeping track of all of that sort of thing.

    • InternetBatman says:

      Same here. Gawker forced me to change the way I did passwords and now I have a unique one for each site I’m registered at.

  17. phenom_x8 says:

    Done it! Actually my password in RPS is the longest one (15 chars) I can remember! Yes, it’s the only password I can remember my whole life because you’re so special, guys!

  18. yhancik says:

    (oh my first reply fail for the occasion)

  19. Brun says:

    This rubbish me the wrong way.

  20. nimzy says:

    You get bonus points for using an image from Uplink.

  21. yhancik says:

    What’s wrong with XKCD?

    Some people enjoy it! Ugh, can you imagine?

  22. Feste says:

    Sorry to hear about it guys. Thanks for telling us and being frank about it.

  23. Spork says:

    Thanks for letting us know quickly – as said above this is nothing unusual these days, the difference is in how the site responds.

    An alternative to LastPass (which has supposedly been hacked before) is KeePass – stores things locally so it’s not such a tempting target. I especially like the readable passphrase generator, which gives you a 128bit password you can actually remember.

  24. Patrick says:

    I have reset both of my passwords. I am sorry you guys got hacked but thanks for being upfront and honest about it. I mean you guys could have just pretended nothing was wrong and then shut down the site for months *cough PSN cough*.

  25. Inigo says:

    There was a forum?

  26. SnackyOx says:

    Thanks for the info – I am assuming subscription donations are secure?

    • Alec Meer says:

      Just updated the post to reflect that, but, basically, yes, as all that stuff’s with Paypal – the only issue is if you use(d) the same password here as you do for Paypal or any other sites that do hold financial details.

  27. Cryptoshrimp says:

    Eh, nothing is uncrackable. I had hoped that once the lulzsec pillaging was over, I wouldn’t have to change my password again. I’ve almost got a dictionary full of passwords and it’s a hassle to remember them.

  28. Sudogamer says:

    Use LastPass, let it generate random passwords for everything you log into and let IT remember them (not you). We put up a mini article on it here after the big LulzSec wave of hacks

    • nutterguy says:

      Been using Lastpass for about 4 years now and I CANNOT recommend them enough to everyone. Fantastic service that is really well run and so easy to use that my mum uses it as well! :-P

      It can automatically generate super secure passwords, remember them all, automatically log you in to all of your different sites, use several authentication/dual authentication methods, allows mobile access, the list goes on. Seriously, use it. Also try its security test.

    • Tams80 says:

      I’m sceptical of anywhere that keeps all my passwords in one place. Sure my computers do, but they are spread all over the hard drives. Yes, you could not have it connected to the web, but if it’s on a computer it can have access to it.

      I’ll just trust the piece of paper on my desk I think.

  29. Trurl says:

    No worries. I assume every site I use will eventually be hacked, so I’m prepared.

    For those of you fretting about passwords, I suggest you start using a secure password managing application like KeePass. There are a bunch of free ones out there, and they make it very easy to have a separate highly secure password for every site.

    I also recommend you print out your password list periodically and stick the printout in a safe at your home or bank, just in case.

  30. Gunrun says:

    “Those passwords were encrypted in such a way that our tech bods believe it will take them at least a month to crack.”

    What sort of encryption were you using exactly? Proper salted hashed passwords should be basically uncrackable forever, and it’s worrying that yours weren’t this.

    • Psychedelic Squid says:

      No such thing as uncrackable, just “would take so long that there’s no point in sticking with it over easier targets”. Also, getting to the stronger (no dictionary words, no common patterns) passwords would take a lot longer, since the only really doable (read: might actually be worth the amount of time needed) brute force search is still the dictionary attack.

      Now, if they’re salted (with a global salt; more on that later), you can assume that will take a bit longer, because you can’t just use pre-generated rainbow tables (a list of hashes mapped to the password known to generate them when using a given hashing algorithm – these are handy for someone searching for passwords, because they just search the DB for hashes matching one in their rainbow table, and bam! they’ve got a confirmed password), so you’ll at least need to generate a rainbow table for that individual site (slow, but again, not infeasible). This is the most likely one for RPS to be using, as a decently slow-but-not-too-slow (quick enough to not hinder log-ins perceptibly, but slow enough that all that extra time adds up when you’re running it thousands of times over) hash could easily lead to that, plus the actual search, taking about the month RPS mentioned (though obviously it would depend on how much computer power the attackers have available). And that would still only catch things which match dictionary words, or common patterns, since beyond that you would be back in the realms of pure per-user brute-force searches.

      If the site’s developers really know what they’re doing with the security, you’ll find some sites use a unique salt per user, which would mean that an attacker would need to generate a separate rainbow table for every account, at which point it’s no better than simply brute-force searching for possible matching hashes.
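The global-salt versus per-user-salt distinction in the comment above (and apa’s “7ac66c0f…” rainbow-table example earlier in the thread) can be made concrete with a small cost model. This is a constructed Python example added here, not RPS code or data: the wordlist, accounts and salts are invented, MD5 is used only because the thread’s own example hash is MD5, and the PBKDF2 storage functions at the end show the “decently slow” hash the comment alludes to.

```python
"""Toy cost model: how salting changes the work needed to check a leaked table
against a candidate wordlist. Constructed example; not RPS code or data."""
import hashlib
import hmac
import os

# Constructed candidate list standing in for a cracking wordlist / rainbow table.
WORDLIST = ["password", "123456", "qwerty", "abcdefg", "letmein",
            "correcthorsebatterystaple"]

# Constructed accounts. dave's password (bglamb's example) is not in WORDLIST.
USERS = {"alice": "abcdefg", "bob": "password", "carol": "abcdefg",
         "dave": "Tpih2gbe2r"}
SITE_SALT = "constructed-site-wide-salt"   # constructed "global salt"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def hash_unsalted(pw: str) -> str:
    """Scheme 1: bare MD5. Equal passwords give equal hashes."""
    return md5_hex(pw)


def hash_global_salt(pw: str, salt: str = SITE_SALT) -> str:
    """Scheme 2: one salt for the whole site (the comment's 'global salt')."""
    return md5_hex(salt + pw)


def hash_per_user(pw: str, salt: str) -> str:
    """Scheme 3: a random salt stored beside each user's record."""
    return md5_hex(salt + pw)


def make_records(scheme: str) -> dict:
    """Return what a leaked user table would look like under each scheme."""
    if scheme == "unsalted":
        return {u: hash_unsalted(p) for u, p in USERS.items()}
    if scheme == "global":
        return {u: hash_global_salt(p) for u, p in USERS.items()}
    if scheme == "per_user":
        out = {}
        for u, p in USERS.items():
            salt = os.urandom(8).hex()          # fresh salt per account
            out[u] = (salt, hash_per_user(p, salt))
        return out
    raise ValueError(scheme)


def guess_cost_unsalted(records: dict) -> tuple[dict, int]:
    """A table built once (the 'rainbow table') serves every site and account."""
    table = {hash_unsalted(w): w for w in WORDLIST}
    found = {u: table[h] for u, h in records.items() if h in table}
    return found, len(WORDLIST)                  # hashes computed: one per word


def guess_cost_global_salt(records: dict, salt: str) -> tuple[dict, int]:
    """Table must be rebuilt once per site, but still serves every account."""
    table = {hash_global_salt(w, salt): w for w in WORDLIST}
    found = {u: table[h] for u, h in records.items() if h in table}
    return found, len(WORDLIST)


def guess_cost_per_user(records: dict) -> tuple[dict, int]:
    """No table can be shared: every candidate is rehashed for every account."""
    found, computed = {}, 0
    for user, (salt, h) in records.items():
        for w in WORDLIST:
            computed += 1
            if hash_per_user(w, salt) == h:
                found[user] = w
                break
    return found, computed


# Hardened storage: per-user salt plus a deliberately slow KDF. PBKDF2 is
# used here because it is in the standard library; bcrypt/scrypt/Argon2 are
# the usual choices in a real deployment.
PBKDF2_ROUNDS = 100_000


def store_password(pw: str) -> tuple[str, str]:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex(), dk.hex()


def verify_password(pw: str, salt_hex: str, stored_hex: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), stored_hex)   # constant-time compare
```

With the per-user scheme the guesser's work grows with the number of accounts, and two users sharing a password no longer share a hash; the slow KDF then multiplies each of those guesses by the round count.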

  31. owenj says:

    I would take this time to recommend tools like this: https://agilebits.com/ or http://lastpass.com to store and manage your passwords.

    Both my passwords to RPS Main Site and the forums were randomly generated strings such as:

    ZuFwWs4WyXnBMFGXcqwf3XrRqzUvdn

    That way I do not have to remember the passwords, and they aren’t used for any other site. I only have to remember one extra strong password to access my password store.

  32. Gundato says:

    I mention it every time there is an article like this, but I suggest using a program like Keepass to save and generate passwords. Works wonders since I only have to know a few passwords off the top of my head (email, online storage, and the key file itself).

  33. The Army of None says:

    I’ll still love you even if you have a problem with your nether areas being open to unknown parties for a bit. Not your fault!

    • The Tupper says:

      Thanks, Mrs The Tupper – didn’t know you posted here.

      Love you too tiggy-winkles!

      TTx

  34. nutterguy says:

    *sadface*

    This ain’t nice when it happens to nice people and not just some faceless company. :-(

  35. NathaI3 says:

    I spent the last 15 minutes trying to get the damn picture pixel perfect and was getting so frustrated, then I found the “get new password” button. Oh man it’s been a long week

  36. aircool says:

    When are hackers gonna do something useful like hack EA’s banhammer gang, or siphon off funds from Russian Oil exporters to fund STALKER 2?

    The annoying little fuckers seem to have no agenda apart from pissing off people who’ve done no harm to anyone (that’s us ok), and keeping their local pizza joint in business.

    Ban Pizza and the hackers will just die of starvation!

  37. Soundish says:

    Just to repeat what I asked earlier, am I right in saying that the account we use to comment on articles and the accounts on the forums are separate things? Because I (like many others I’d imagine) have never used the forums before and my login details I use to comment don’t work on the forums.

    EDIT: Just noticed that it’s mentioned in the article, so is it possible that access to the forums also gave them access to comment account information like with the Steam hack?

  38. Nero says:

    First videogamesplus get hacked, then someone tries to take a loan in my name and then this. Awful week this. Luckily there’s no personal details and such here.

  39. frymaster says:

    I don’t want to be a burden in your hour of need, but your article needs clarification.

    1) Encrypted passwords.

    I really highly doubt they were encrypted at all. It would be an entirely unusual thing. What I much rather suspect is that they were hashed. Is that so, and, if so, were they salted, and, if salted, individually?

    2) What level of access they had. If they had admin-level access to the forums, they can probably install forum plugins. If they can do that, they can run arbitrary code, and if they can do that, finding out the database details for the forums is trivial. Are the database details for WordPress the same as for the forums?

    3) “User details hidden” – this implies there is no evidence that they got database access to the forums, or even full admin-level access (since nothing is hidden from admins). So what exactly did they have (known) access to?

    ( EDIT: Just saw this article was posted pretty much straight after the attack was discovered. In which case, extra kudos, and no snark is implied for the details not being available. But I hope they do become so. )

    Sorry this happened to you… it’s been going around recently :/

    further edit: this isn’t the most recent article any more, but it’s still showing as the top one. Nice one :)

    • Dreamhacker says:

      I would like to know this too.

      If RPS is using individually salted passwords, we’re pretty much safe because the hackers would have to create individual rainbow tables for every password, which is pretty much infeasible unless you have a Googol-sized database lying around at home along with the collective computing power of a botnet or SETI@home or the like. Plus a lot of time on your hands.

  40. hardband says:

    Thanks for this information and for not hiding anything from us and being open and honest.

  41. Snugglesworth says:

    Hmmm that’s not cool

  42. Tei says:

    For RPS, I use the easiest password ever. Nothing of value was lost.

  43. Hirmetrium says:

    WHAT THE FUCK. Apparently EA has a password limit of 16 characters. Somebody report this bullshit already :/

  44. DiamondDog says:

    Get away from her you BITCH!

    …is what I would like to say to the hackers.

  45. KingKio says:

    God dammit! Now I have to go and change all my passwords from house123 to something else!

  46. Harlander says:

    The error message when there’s trouble with the forum is always highly perplexing.

    “Parchment is an interpreter for Interactive Fiction”, it says.

    Well… OK. Thanks for the info, I guess?

  47. Llewyn says:

    (Deleted due to brain failure)

    That aside, thanks for a) not gathering info from us that you don’t need, so the impact is minimized and b) being open and apologetic about it. This won’t lessen my opinion of the hivemind at all.

    • The Tupper says:

      That’s something I hadn’t considered before (and why I’m not so bothered by this). RPS never asked for more info than was required – appreciated.

  48. NaN says:

    Hello I’m the Hack… lol sorry I can not finish that sentence without laughing XD
    Question, is the password to the forums the same as the RPS site?

  49. Andy_Panthro says:

    Much sadness.

  50. sethhuber says:

    This place has forums?? I seriously had no idea. Awesome. Sorry about your hacking problem or whatever.