So, I discovered a malicious attempt over the past 24-36 hours by an individual who was trying to brute force their way into accounts. The good news is that I do not believe that anything on the site/server was vulnerable, compromised, or anything like that. So I do not think anyone's information was at all compromised on our end.
What was happening was someone was essentially just brute forcing our login system with specific Username/Password combinations, fishing for a match. The vast majority of attempts were Usernames that do not even exist on Sylestia. So my assumption is this person had a list of known compromised Usernames/Passwords and was just trying it on our site using a bot script.
Unfortunately, they ended up discovering 400 matches over the past 24-36 hours. From what I can tell, the vast majority of these matches were for accounts long since abandoned. Every single one of these accounts has had their password forcibly reset. I will eventually be sending out emails to the affected accounts notifying them of the circumstances. But if you happened to be one of these ~400 accounts, your password will no longer work and you will need to use the Forgot Password page to reset it.
Again, just to reiterate, I do not believe anything on Sylestia was compromised during this. This was just a brute force access attempt from some sort of list someone obtained with known Username/Password combinations. This list did not come from Sylestia. I am confident that our data is secure and not at all compromised.
That said, I would advise players to make sure that their Sylestia password is unique and not something used elsewhere.
Changes Will Be Coming
In light of this situation, I will be making quite a few changes to our entire login system. I will be trying to implement these changes as quickly as I can. I have already implemented some of them to help mitigate against this brute force 'attack'. These are the changes I am planning:
1. I plan on changing the login to be your Email Address instead of your Username. This will make it much harder for someone to guess half of your login credentials right from the start.
2. I plan on improving server-side tracking for login attempts and putting systems in place to automatically thwart brute force attempts. Some of this is already active now after today.
3. I plan on creating an option for players to utilize a form of Two-Factor Authentication via their email. Essentially, if enabled and if a login action is taken from an unknown or un-whitelisted IP Address, instead of allowing that login to happen, the server will send a code to your Email Address that will then have to be submitted to allow the login to complete.
4. I may also change the backup security option from Date of Birth to something else more secure.
Again, I will be trying to implement these improvements as quickly as I can. Please let me know if you have any questions or concerns. Thank you for taking the time to read this.
Update: 12/16 @ 5:30AM
Alright - I have released the first pass of login/account security updates. Firstly, I have added the following Account Security Settings under Account -> Settings:
This new setting has replaced the existing IP Safeguard setting. The IP Safeguard is still active in the background with whatever settings you left it at, however, that will be phased out within a few weeks. It's just a matter of cleaning up the code and getting it out of the system.
When enabled for a selected option, any successful login attempt (meaning, someone logs in with the correct Username and Password) from an 'unknown' source will result in the following verification process:
This will also send an Email to your account's Registered Email address that will look something like this:
Simply follow the instructions from the prompts to authenticate your login attempt. Once successful, you will log into Sylestia like normal and the IP Address (if that safeguard is selected) or the Device/Browser (if that safeguard is selected) will be stored for 90 Days. After 90 Days, it will expire and you will need to re-authenticate from that location/device again. Please note, the Device/Browser safeguard relies on storing a cookie on that Browser. So if you don't save cookies, it will think you are logging in from a new Device every login attempt.
If you select the safeguard option for every login attempt, then, well, every login attempt will require the authentication verification. This is obviously the most secure option, but might not be suitable for everyone.
If you select no safeguard, there will never be a verification prompt and anyone who has your Username and Password can log in undeterred.
Additional Notes
So, just to reiterate, this is the first pass at improving account security. I have already started some additional security measures behind the scenes that will be fully implemented over the upcoming weeks/months.
At this point, everyone's account is automatically defaulted to the Safeguard against Unknown IP Addresses. Additionally, everyone's original registration IP Address as well as their last login IP Address were automatically saved as 'Known' IP Addresses for the next 90 days.
If you wish to change this Safeguard setting, just navigate to Account -> Settings and change to the desired setting.
When I have more time, I plan on expanding player customization for these security safeguards. This will include being able to see your currently saved 'Known' locations/devices as well as adjusting the expiration time (which at the moment is defaulted to 90 Days).
Overall, this was quite a chore to integrate into our existing login system. I tried to make sure everything is all synced up properly, but if I missed something and you do encounter any issues, please do not hesitate to let me know.
If you have any questions about anything regarding this update or future updates, please don't hesitate to ask.
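The safeguard flow described in this post (an email code required after a correct password when the login comes from an unknown IP or device, 'Known' entries that expire after 90 days, device recognition that depends on a browser cookie), written up as an added Python model. This is not Sylestia's code; the setting names, the data layout and the six-digit code format are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

KNOWN_TTL = 90 * 24 * 3600  # a verified IP or device stays 'Known' for 90 days

@dataclass
class Account:
    safeguard: str  # assumed setting names: "none", "ip", "device", "always"
    known_ips: Dict[str, float] = field(default_factory=dict)      # ip -> expiry time
    known_devices: Dict[str, float] = field(default_factory=dict)  # cookie hash -> expiry
    pending_code: Optional[str] = None  # code last emailed, awaiting submission

def _device_key(cookie: str) -> str:
    return hashlib.sha256(cookie.encode()).hexdigest()  # store a hash, not the raw token

def _still_known(table: Dict[str, float], key: str, now: float) -> bool:
    """True while the entry's 90-day window is open; expired entries are purged."""
    if table.get(key, 0) > now:
        return True
    table.pop(key, None)
    return False

def needs_verification(acct: Account, ip: str, cookie: Optional[str], now: float) -> bool:
    """Called only after the username/password check has already succeeded."""
    if acct.safeguard == "none":
        return False
    if acct.safeguard == "always":
        return True
    if acct.safeguard == "ip":
        return not _still_known(acct.known_ips, ip, now)
    # Device safeguard: a browser that kept no cookie looks like a brand-new device
    return cookie is None or not _still_known(acct.known_devices, _device_key(cookie), now)

def issue_code(acct: Account) -> str:
    """Generate the six-digit code that would be emailed to the registered address."""
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    return acct.pending_code

def complete_verification(acct: Account, code: str, ip: str, cookie: Optional[str], now: float) -> bool:
    """Accept the submitted code and remember this source for 90 days; False if it is wrong."""
    if acct.pending_code is None or not secrets.compare_digest(acct.pending_code, code):
        return False
    acct.pending_code = None  # single use
    if acct.safeguard == "ip":
        acct.known_ips[ip] = now + KNOWN_TTL
    elif acct.safeguard == "device" and cookie is not None:
        acct.known_devices[_device_key(cookie)] = now + KNOWN_TTL
    return True
```

The known-device table holds only a hash of the cookie token, so a copy of that table cannot be replayed as the cookie itself, and the "always" setting never stores anything, matching the post's description of that option.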
I wondered if something might have been up when I received two private messages from two different users with the same links to things and saying nearly the same thing in each message. The only difference between the two is it looked like they had two different animated attachments and different avatars. I didn't click any of the links for anything.
LonelyRyu
Level 72
Knight
Joined: 4/24/2015
Threads: 74
Posts: 423
Posted: 12/13/2020 at 10:34 AM
Post #57
Thank you for the update, Krinadon.
It is sad that there are people out there who waste their time and talents to commit such acts like hacking, and for what? It is admirable that you are on top of things and were able to head it off so quickly.
Hope the culprit is discovered soon and confronted.
Galaxea
Level 72
The Kind-Hearted
Joined: 11/12/2014
Threads: 138
Posts: 2,324
Posted: 12/13/2020 at 12:43 PM
Post #58
Agreed
Rakshadoodle
Level 69
The Kind-Hearted
Joined: 3/11/2020
Threads: 85
Posts: 488
Posted: 12/13/2020 at 1:01 PM
Post #59
Thank you Krin so much. I can't believe someone would have the nerve to go invade people's privacy, plus Christmas is almost coming and that person must have been desperate. Thank you very much for letting us know.
Rashomon
Level 62
Trickster
Joined: 2/14/2020
Threads: 179
Posts: 7,362
Posted: 12/13/2020 at 1:45 PM
Post #60
Thank you so much for letting us know, Krin. This kind of thing really scares me O-O