IMPORTANT: Account Security
Krinadon
Level 75
Shadow of the Moon
Site Administrator
Joined: 12/17/2012
Threads: 1,119
Posts: 14,683
Posted: 12/12/2020 at 7:00 PM Post #1
Hello, all.

So, I discovered a malicious attempt over the past 24-36 hours by an individual who was trying to brute force their way into accounts. The good news is that I do not believe that anything on the site/server was vulnerable, compromised, or anything like that. So I do not think anyone's information was at all compromised on our end.

What was happening was someone was essentially just brute forcing our log in system with specific Username/Password combinations phishing for a match. The vast majority of attempts were Usernames that do not even exist on Sylestia. So my assumption is this person had a list of known compromised Usernames/Passwords and was just trying it on our site using a bot script.

Unfortunately, they ended up discovering 400 matches over the past 24-36 hours. From what I can tell, the vast majority of these matches were for accounts long since abandoned. Every single one of these accounts has had their password forcibly reset. I will eventually be sending out emails to the affected accounts notifying them of the circumstances. But if you happened to be one of these ~400 accounts, your password will no longer work and you will need to use the Forgot Password page to reset it.

Again, just to reiterate, I do not believe anything on Sylestia was compromised during this. This was just a brute force access attempt from some sort of list someone obtained with known Username/Password combinations. This list did not come from Sylestia. I am confident that our data is secure and not at all compromised.

That said, I would advise players to make sure that their Sylestia password is unique and not something used elsewhere.


Changes Will Be Coming

In light of this situation, I will be making quite a few changes to our entire log in system. I will be trying to implement these changes as quickly as I can. I have already implemented some of them to help mitigate against this brute force 'attack'. These are the following changes I am planning:

1. I plan on changing the login to be your Email Address instead of your Username. This will make it much harder for someone to guess half of your login credentials right from the start.

2. I plan on improving server-side tracking for log in attempts and put systems in place to automatically thwart brute force attempts. Some of this is already active now after today.

3. I plan on creating an option for players to utilize a form of Two-Factor Authentication via their email. Essentially, if enabled and if a login action is taken from an unknown or un-whitelisted IP Address, instead of allowing that login to happen, the server will send a code to your Email Address that will then have to be submitted to allow the login to complete.

4. I may also change the backup security option from Date of Birth to something else more secure.


Again, I will be trying to implement these improvements as quickly as I can. Please let me know if you have any questions or concerns. Thank you for taking the time to read this.


Update: 12/16 @ 5:30AM
Alright - I have released the first pass of login/account security updates. Firstly, I have added the following Account Security Settings under Account -> Settings:



This new setting has replaced the existing IP Safeguard setting. The IP Safeguard is still active in the background with whatever settings you left it at; however, that will be phased out within a few weeks. It's just a matter of cleaning up the code and getting it out of the system.

This new setting has 4 options:

Safeguard Login Attempts Against: Unknown IP Address (Default Option)
Safeguard Login Attempts Against: Unknown Device/Browser
Safeguard Login Attempts Against: Every Login Attempt
Safeguard Login Attempts Against: None (Not Recommended)


When enabled for a selected option, any successful login attempt (meaning, someone logs in with the correct Username and Password) from an 'unknown' source will result in the following verification process:



This will also send an Email to your account's Registered Email address that will look something like this:



Simply follow the instructions from the prompts to authenticate your login attempt. Once successful, you will log into Sylestia like normal and the IP Address (if that safeguard is selected) or the Device/Browser (if that safeguard is selected) will be stored for 90 Days. After 90 Days, it will expire and you will need to re-authenticate from that location/device again. Please note, the Device/Browser safeguard relies on storing a cookie on that Browser. So if you don't save cookies, it will think you are logging in from a new Device every login attempt.

If you select the safeguard option for every login attempt, then, well, every login attempt will require the authentication verification. This is obviously the most secure option, but might not be suitable for everyone.

If you select no safeguard, there will never be a verification prompt and anyone who has your Username and Password can log in undeterred.


Additional Notes
So, just to reiterate, this is the first pass at improving account security. I have already started some additional security measures behind the scenes that will be fully implemented over the upcoming weeks/months.

At this point, everyone's account is automatically defaulted to the Safeguard against Unknown IP Addresses. Additionally, everyone's original registration IP Address as well as their last log in IP Address were automatically saved as 'Known' IP Addresses for the next 90 days.

If you wish to change this Safeguard setting, just navigate to Account -> Settings and change to the desired setting.

When I have more time, I plan on expanding player customization for these security safeguards. This will include being able to see your currently saved 'Known' locations/devices as well as adjusting the expiration time (which at the moment is defaulted to 90 Days).


Overall, this was quite a chore to integrate into our existing login system. I tried to make sure everything is all synced up properly, but if I missed something and you do encounter any issues, please do not hesitate to let me know.

If you have any questions about anything regarding this update or future updates, please don't hesitate to ask.
Edited By Krinadon on 12/16/2020 at 5:35 AM.
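The pattern Krin describes in the opening post (a flood of attempts from a bot, most of them for Usernames that do not exist, only a few hundred hitting) is the classic credential-stuffing signature. The following is an added example, not Sylestia's code, of how a defender could flag such a source from server-side login logs; the log line format, the IP addresses, the usernames and the thresholds are all constructed for illustration.

```python
"""Flag credential-stuffing sources from login logs (added example, not
Sylestia's code). Constructed line format: <time> <ip> <username> <result>,
result in {'ok', 'badpass', 'nouser'}; thresholds below are assumptions."""
from collections import defaultdict

# Constructed sample: one bot source spraying a leaked list, one normal user.
SAMPLE_LOG = """\
2020-12-12T01:00:01 203.0.113.7 alice_w nouser
2020-12-12T01:00:01 203.0.113.7 bobby99 nouser
2020-12-12T01:00:02 203.0.113.7 carol_x nouser
2020-12-12T01:00:02 203.0.113.7 krin_fan ok
2020-12-12T01:00:03 203.0.113.7 dave1234 nouser
2020-12-12T01:00:03 203.0.113.7 erin.s nouser
2020-12-12T01:00:04 203.0.113.7 frank_q badpass
2020-12-12T01:00:04 203.0.113.7 gina77 nouser
2020-12-12T01:05:00 198.51.100.20 regular_user badpass
2020-12-12T01:05:09 198.51.100.20 regular_user ok
"""

def parse_log(text):
    """Yield (ip, username, result); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]

def summarize(events):
    """Per-IP counters: attempts, distinct usernames, no-such-user, successes."""
    stats = defaultdict(lambda: {"total": 0, "users": set(), "nouser": 0, "ok": 0})
    for ip, user, result in events:
        s = stats[ip]
        s["total"] += 1
        s["users"].add(user)
        if result == "nouser":
            s["nouser"] += 1
        elif result == "ok":
            s["ok"] += 1
    return stats

def flag_stuffing(text, min_attempts=5, min_nouser_ratio=0.5):
    """Return {ip: (attempts, distinct_users, nouser_ratio, successes)} for
    sources spraying many distinct usernames, most of which do not exist.
    A real user retyping their own password never trips this."""
    flagged = {}
    for ip, s in summarize(parse_log(text)).items():
        ratio = s["nouser"] / s["total"]
        if (s["total"] >= min_attempts and len(s["users"]) > 1
                and ratio >= min_nouser_ratio):
            flagged[ip] = (s["total"], len(s["users"]), round(ratio, 2), s["ok"])
    return flagged
```

The "successes" count is the number to act on: those are the accounts whose passwords need a forced reset, exactly as was done for the ~400 matches.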
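The safeguard logic from the 12/16 update, as an added example (not Sylestia's code): the four options, the check that runs only after the Username and Password were correct, the cookie dependency of the Device/Browser option, and the 90-day expiry of 'Known' IPs or devices. The class, the store layout and the way expiry is kept are assumptions about how such a feature could be modelled.

```python
"""Login safeguard decision logic for the four options in the 12/16 update.
Added example, not Sylestia's code; the class, store layout and how the
90-day expiry is kept are assumptions about how such a feature could work."""
from datetime import datetime, timedelta

UNKNOWN_IP, UNKNOWN_DEVICE, EVERY_LOGIN, NONE = range(4)
KNOWN_TTL = timedelta(days=90)  # expiry stated in the post

class Safeguard:
    def __init__(self, mode=UNKNOWN_IP):  # default per the post
        self.mode = mode
        self.known = {}  # ("ip" | "device", value) -> expiry datetime

    def _is_known(self, kind, value, now):
        exp = self.known.get((kind, value))
        if exp is None or exp <= now:  # missing or expired: treat as unknown
            self.known.pop((kind, value), None)
            return False
        return True

    def needs_verification(self, ip, device_cookie, now):
        """Decide after username and password were already correct."""
        if self.mode == NONE:
            return False
        if self.mode == EVERY_LOGIN:
            return True
        if self.mode == UNKNOWN_IP:
            return not self._is_known("ip", ip, now)
        # Device mode rests on a cookie: no cookie means a new device every time.
        return device_cookie is None or not self._is_known("device", device_cookie, now)

    def verified(self, ip, device_cookie, now):
        """Emailed code accepted: remember this source for KNOWN_TTL."""
        if self.mode == UNKNOWN_IP:
            self.known[("ip", ip)] = now + KNOWN_TTL
        elif self.mode == UNKNOWN_DEVICE and device_cookie is not None:
            self.known[("device", device_cookie)] = now + KNOWN_TTL

def demo():
    t0 = datetime(2020, 12, 16, 5, 30)
    ip_acct = Safeguard(UNKNOWN_IP)
    first = ip_acct.needs_verification("203.0.113.7", None, t0)  # True
    ip_acct.verified("203.0.113.7", None, t0)
    day89 = ip_acct.needs_verification("203.0.113.7", None, t0 + timedelta(days=89))  # False
    day90 = ip_acct.needs_verification("203.0.113.7", None, t0 + timedelta(days=90))  # True
    dev_acct = Safeguard(UNKNOWN_DEVICE)
    dev_acct.verified("198.51.100.20", "dev-cookie-1", t0)
    same_cookie_new_ip = dev_acct.needs_verification("192.0.2.9", "dev-cookie-1", t0)  # False
    no_cookie = dev_acct.needs_verification("198.51.100.20", None, t0)  # True
    return first, day89, day90, same_cookie_new_ip, no_cookie
```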
Dragonsrcool54
Level 56
The Perfectionist
Joined: 5/7/2018
Threads: 75
Posts: 65,372
Posted: 12/12/2020 at 7:02 PM Post #2
Thank you for telling us this, Krin. This is very good to know. I hope that guy gets caught and slapped, because he's a moron.
LuciDatum
Level 70
Ghost Writer
Joined: 4/2/2019
Threads: 44
Posts: 865
Posted: 12/12/2020 at 7:05 PM Post #3
Thank you, Krin. I'm glad nobody was hurt, though I haven't a single idea what the reason behind such an attempt would be.
Savynn
Level 75
Sweet Solver
Joined: 12/18/2012
Threads: 214
Posts: 4,485
Posted: 12/12/2020 at 7:06 PM Post #4
What would this person have to gain by doing this?
Krinadon
Level 75
Shadow of the Moon
Site Administrator
Joined: 12/17/2012
Threads: 1,119
Posts: 14,683
Posted: 12/12/2020 at 7:09 PM Post #5
Link: https://www.sylestia.com/forums/?thread=95099&page=1#4
Author: Savynn
Time Posted: 12/12/2020 at 7:06 PM
What would this person have to gain by doing this?


Hard for me to really answer that. Could have just been some personal pet project for the person to see if it would work. Or perhaps they wanted to create a bot army of Sylestia accounts - although that seems very strange to me lol... There's almost no way someone could do that without being noticed and just getting the accounts banned and whatnot.

I really don't have a real answer to that question though.
Edited By Krinadon on 12/12/2020 at 7:10 PM.
Eclipticgalaxy
Level 37
Joined: 9/4/2020
Threads: 16
Posts: 1,242
Posted: 12/12/2020 at 7:11 PM Post #6
ty krin
Theialish
Level 70
Warden of Umbra
Joined: 2/8/2019
Threads: 60
Posts: 4,986
Posted: 12/12/2020 at 7:11 PM Post #7
will everyone be auto-logged out when the email login goes live?

any, nyte revamp when?
Wolfpack2020
Level 70
Warden of Umbra
Joined: 2/10/2018
Threads: 91
Posts: 3,193
Posted: 12/12/2020 at 7:20 PM Post #8
Thank you for telling us Krin, I honestly wonder what kind of a person would want to do this and how in the world they thought it would benefit them.
Dashingash
Level 75
Guardian
Joined: 2/21/2020
Threads: 16
Posts: 258
Posted: 12/12/2020 at 7:21 PM Post #9
Thanks for informing us Krin
Midnightwolf001
Level 75
Candy Dispenser
Joined: 10/8/2018
Threads: 7
Posts: 101
Posted: 12/12/2020 at 7:31 PM Post #10
Thank you so much for letting us know of this happening. I greatly appreciate it.