Nexus Mods Possibly Hacked, Fallout 4 Mods Altered

Happy bloody Christmas. We should probably take this as a reminder to go and change our passwords on everything, and make sure no two sites or services share the same login. At the very least, we need new passwords for Nexus Mods, the site which has long hosted a gazillion mods for 216 games, particularly Bethesda RPGs – including Fallout 4, which has not yet followed Skyrim to the Steam Workshop. There’s been a possible hack, with some Fallout 4 mod-makers reporting suspicious changes having been made to their uploaded files. Nexus’ owners say the possible breach only affects user registrations up until mid-2013, although that still comprises almost six million accounts and very much covers the Skyrim heyday.

Bear in mind you may well have used Nexus at some point even if you don’t play Bethesda games – it also hosts mods for the likes of The Witcher 3, Mount and Blade, World of Tanks, Starbound, XCOM, Far Cry 3 and hundreds of others. It’s not at all impossible that you’re one of its ten million registered users even if you don’t entirely remember being so.

The authors of the Higher Settlement Budget, Rename Dogmeat, and BetterBuild mods say someone other than them made changes to the versions of their mods hosted on Nexus, while site representative DarkOne brought the news of a “potential database breach.”

He says “it’s too ambiguous to draw any concrete conclusion”, but is nonetheless advising that everyone changes their Nexus password ASAP. Whoever is responsible for the breach has access to user IDs, usernames and email addresses for registrations prior to July 22, 2013. Passwords were stored hashed and salted rather than in plain text, which slows an attacker down but does not stop one: anyone holding the dump can run guesses against each hash offline, and simple passwords fall quickly. The better news is that Premium members’ payment details aren’t kept on Nexus at all, since payment is outsourced to PayPal.

In an update, Nexus clarified that you should be safe if you either registered after July 22, 2013 or changed your password after that date, but change it again anyway. As for the three affected mods (if others are compromised we don’t know about it yet), apparently their creators used very simple passwords, and this appears to be how the hackers got into their accounts and added the suspicious “dsound.dll” file to the mods. Nexus doesn’t know what the file does as yet, but it has been sent off for analysis; if you downloaded any of those mods recently, treat the archive with suspicion until that comes back.
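Why “hashed and salted” is not the same as safe when the password itself is weak, as an added example that is not part of the original article or anything Nexus published. The hashing scheme (SHA-256 over salt plus password), the account names and the six-word wordlist are all constructed for illustration; the page does not say which algorithm Nexus used. The point it shows is the one the article makes in passing: the salt is stored next to the hash, so an attacker holding the dump simply guesses per account, and a dictionary password such as a mod-maker might pick falls in microseconds while a random one does not.

```python
import hashlib
import os
import secrets
from typing import Dict, List, Optional

# Constructed wordlist; a real attacker would use millions of leaked passwords.
WORDLIST: List[str] = ["password", "123456", "fallout4", "dogmeat", "letmein", "qwerty"]


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Store a password the way the article describes: salted, then hashed.

    Assumption: SHA-256(salt || password). This stands in for any fast hash;
    the page does not name the algorithm Nexus actually used.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return {"salt": salt.hex(), "hash": digest}


def crack(record: Dict[str, str], wordlist: List[str] = WORDLIST) -> Optional[str]:
    """Offline dictionary attack against one salted record.

    The salt hides nothing from whoever has the database dump; it only forces
    one hash computation per (account, guess) pair instead of one per guess,
    so it defeats precomputed tables but not a per-account wordlist run.
    """
    salt = bytes.fromhex(record["salt"])
    target = record["hash"]
    for guess in wordlist:
        if hashlib.sha256(salt + guess.encode("utf-8")).hexdigest() == target:
            return guess
    return None


def demo() -> dict:
    """Constructed three-account 'dump'; returns what the attack recovers."""
    users = {
        "modder_a": make_record("dogmeat"),                 # simple password
        "modder_b": make_record("dogmeat"),                 # same password, own salt
        "careful": make_record(secrets.token_urlsafe(16)),  # random, 20+ characters
    }
    return {
        "cracked": {name: crack(rec) for name, rec in users.items()},
        # Per-account salts mean identical passwords still hash differently,
        # so cracking modder_a tells the attacker nothing about modder_b
        # directly; each account simply gets its own cheap wordlist run.
        "same_password_same_hash": users["modder_a"]["hash"] == users["modder_b"]["hash"],
    }


if __name__ == "__main__":
    print(demo())
```

The defence on the site side is a deliberately slow, memory-hard password hash (bcrypt, scrypt or Argon2) rather than a bare SHA digest, which turns the per-guess cost from microseconds into tens of milliseconds; the defence on the user side is what the comments below argue for, a long random password that no wordlist contains.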
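A check a downloader can run before installing, added here as an example and not code from the article or from Nexus: audit a mod archive for entries that are executable code and compare it against a copy you downloaded earlier. The page says only that a file named “dsound.dll” was added to the three mods and that nobody yet knows what it does; that name happens to match a Windows system library, which is exactly why an unexpected DLL inside a data-only mod deserves a look. The archive contents, file names and the list of “executable” suffixes below are constructed for illustration.

```python
import hashlib
import io
import os
import zipfile
from typing import Dict, List

# Suffixes that mean "this entry is code the game or OS might load", not data.
# Assumption: an illustrative list, not a Nexus or Bethesda policy.
EXECUTABLE_SUFFIXES = {".dll", ".exe", ".bat", ".cmd", ".ps1", ".scr", ".vbs"}


def audit_archive(data: bytes) -> dict:
    """Hash every file in a zip and list the entries that are executable code."""
    report: dict = {"entries": {}, "executables": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffix = os.path.splitext(info.filename)[1].lower()
            report["entries"][info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
            if suffix in EXECUTABLE_SUFFIXES:
                report["executables"].append(info.filename)
    return report


def diff_archives(old: bytes, new: bytes) -> Dict[str, List[str]]:
    """Compare two downloads of the same mod: which entries appeared, vanished or changed."""
    before = audit_archive(old)["entries"]
    after = audit_archive(new)["entries"]
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(n for n in set(before) & set(after) if before[n] != after[n]),
    }


def build_sample_archive(include_dll: bool) -> bytes:
    """Constructed sample mod: a plugin and a readme, optionally with a dropped-in DLL.

    The file contents are placeholders, not a real plugin or binary.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RenameDogmeat.esp", b"constructed placeholder, not a real plugin")
        zf.writestr("readme.txt", b"constructed readme")
        if include_dll:
            zf.writestr("dsound.dll", b"constructed placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_archive(include_dll=False)
    tampered = build_sample_archive(include_dll=True)
    print("executables:", audit_archive(tampered)["executables"])
    print("diff:", diff_archives(original, tampered))
```

A flagged entry is not proof of malice (script extenders and DirectX wrappers legitimately ship DLLs), but a DLL turning up in a new version of a mod that never had one is the kind of change the affected authors noticed, and a diff against your previous download makes it visible before the game loads it.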

The site’s also rushing to implement more rigorous monitoring and two-step verification for the future. They’re very apologetic about this, repeat that they don’t know for sure a hack’s happened but want to be on the safe side, and point out that they spend some $60,000 a year on security, so aren’t cavalier about this stuff.

More details here, but all you really want is this link, which is where you can change your password.

Once your account is all fine and dandy, you might want to use it to lay hands on some of the Fallout 4 mods we recommended here.

24 Comments

  1. abHowitzer says:

    July 2013? So a possible breach has been kept quiet by attackers for over two years?! This is frighteningly professional.

    • Robmonster says:

      I don’t think that’s what they are saying. It sounds like any user accounts following that date were not stolen, presumably in a different database or format.

    • LionsPhil says:

      I suspect it’s more likely that that’s the date when Nexusmods changed to a stronger hashing algorithm or such, especially with the “if you’ve changed your password since you should be OK” bit.

    • Arctic_Howler says:

      Try reading the Nexus site post… it was a data dump that dumped EVERYTHING up to that date as the security was updated around that time… As such any information from prior to that update was compromised while data after that date is being considered safe, but they’re still requesting everyone to change their passwords for safety reasons…

  2. Darth Gangrel says:

    Apparently, a lot of people are right now changing their passwords (or something else), because I can’t load the site.

    Either way, I first made an account in February this year and it’s much different than my other passwords. It consists of 19 characters, big/small letters and numbers. I go to moddb to download mods and haven’t used Nexus at all before I made my account.

  3. frightlever says:

    “including Fallout 4, which has not yet followed Skyrim to the Steam Workshop”

    Is it likely to? I thought Bethesda wanted to own the official modding space with their own service, presumably allowing them to eventually monetize it, if not with FO4 then somewhere down the line.

    • Primey says:

      Correct. Fallout 4 won’t be getting steam workshop support

      • Holderist says:

        There’s a button in the launcher that goes to the workshop. (even though nothing is there right now)

        • frightlever says:

          Not on my launcher there ain’t.

          I think there may be something on the console versions, where mods are definitely being curated by Bethesda, but I don’t see anything on the PC launcher. Similarly, if you go to the Fallout 4 listing on Steam there’s no mention of the Workshop. If Fallout 4 gets Steam Workshop support it’ll be after Bethesda mod curation fails, and long after anyone cares.

    • Primey says:

      Oh and bethesda said the mods will be free. (Damn comment section has no edit button)

      • SaintAn says:

        When did they say that? They’ve been going back and forth on saying they’ll be free and that they are bringing back that paid mod scam. Pretty sure they still plan to bring back paid modding with FO4 and Skyrim.

  4. Solidstate89 says:

    Smartest thing websites like this could do (and this one has done) is to not store any payment details. Bravo for them, because this otherwise commonsense piece of security is sadly not all that common.

    Guess it’s off to LastPass to change my password then. Here’s your irregularly scheduled reminder that you should be using a password manager by now; don’t care which one you choose. Dashlane, LastPass, KeePass, 1Password – just set one up and use a unique password for every service you have an account with.

    • c-Row says:

      How does that work with multiple clients? Sometimes I want to login from my laptop rather than my PC for example.

      (not trying to sound sarcastic or anything, I am really curious)

      • Solidstate89 says:

        Depends which password manager you use. LastPass is a browser-based addon, so any browser that you have access to (and can install the Lastpass addon onto it) can sync your encrypted passwords through LastPass’ servers.

        KeePass is all locally controlled by you, but you can still sync the password database through a cloud provider like DropBox, Google Drive, OneDrive, etc. There are then third party programs you can install that can link in to the KeePass database for things like your phone or browser. It requires more work, but some people prefer having that level of control – whether the database can get synced or not.

        Then you have services like Dashlane or 1Password (as well as some others whose names I don’t know, as they’re not as commonly used as the ones I listed) that by default use local programs to store and manage your passwords. You can then choose to use their background syncing methods or not. They also have first party developed addons for browsers and such, but they only function if you have the requisite desktop software from Dashlane or 1Password installed, they don’t work by themselves like LastPass does.

        They are also varying levels of totally free in every way (KeePass) to free, but cost monthly or annual subscriptions to unlock certain features/platforms (LastPass/Dashlane) to requiring a one-time purchase for all updates for – for example – version 3, but having to pay to upgrade to version 4 when a new version comes out (1Password).

      • Faxmachinen says:

        As far as putting your password database in the cloud, I would recommend using a local (rather than US-based) cloud hosting company and/or one with end-to-end encryption. Make sure to use a memorable password for the cloud service, but don’t use the same as for the database.

        I personally use SpiderOak, though it is based in the US.

    • Press X to Gary Busey says:

      A pocket notebook and a pen is a pretty good portable password management system.

      • Solidstate89 says:

        It’s pretty shite actually. Especially if you have hundreds of accounts all with separate passwords.

        Have fun searching your notebook when that happens.

        • Press X to Gary Busey says:

          Not really, just some organising. I have 241 entries from the past ten years in my old notebook, all randomised, strong passwords. Ordered alphabetically by service (even some reference aliases) with two pages per letter. G, S and V are the only ones that ran over their first 21 lines per page.

          I recently started a second one (a nice small hardcover) and transfer as I need them and take the opportunity to refresh the passwords.

          It’s a life saver when I have to log in to services at the university computers, two smart phones and two computers with 4 operating system partitions across them.

  5. anHorse says:

    Wow. Checked my account because of this and I’ve had the thing since 2007 and it’s attached to a lame hotmail address I’d totally forgotten about

  6. Sulpher says:

    Oh noes, my PRON MODZ! dont hack my eye peas, plz

  7. DMStern says:

    Mandatory registrations, what a jolly thing, eh?

    • gwathdring says:

      Well, if you use a junker e-mail account and password that’s not duplicated on anything you care about … no harm comes to you with no real security effort. If it gets compromised or you start caring, you can create a new junker e-mail or update your security credentials for the site accordingly.

  8. Tekrunner says:

    And today the Starbound forum was hacked (it’s unclear at this point whether the database was dumped or not, but it sounds possible). Could this possibly be related?