At around 5AM last night, I detected an attempted attack on the server database. Looking into this issue, I found a potential exploit that may have been used to gain unauthorized read-only access to the database, including potential access to customer information. This bug was fixed by approximately 6AM.
First, I would like to sincerely apologize for this incident. While I did not write the original code involved, I take full responsibility for the issue and feel terrible that I did not spot it previously.
The database contains the following sensitive information: username, e-mail (if provided), hashed password (not stored in plaintext), IP address. For a very small number of users (<30) that have provided it, the database also contains their real name (if provided), mailing address (if provided), as well as a “credit card description” if you opted for the site to remember your credit card. This does NOT contain your full credit card number, but does contain the type of card, the last four digits, and the expiry date.
Although the password is hashed, if you use the same password at other sites, I recommend you change those at this time.
Again, I do not know for sure that any information was actually leaked; however, out of an abundance of caution I am planning to do a database rollback and then reset all account passwords of users who have an e-mail address on file.
Since full credit card numbers were not leaked, it is unlikely you will need to contact any credit monitoring agencies. However, here is their contact information should you wish to do so:
- Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
- Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
- TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
My sincere apologies again, and I will keep you posted on this process.
UPDATE: The database has been rolled back to the previous day’s backup (1/19). All accounts with a valid e-mail have had their passwords invalidated; please reset your password. If you previously logged in via Steam or Kongregate, you should be able to continue logging in that way; however, you should still reset your 8BitMMO password.
This does not affect your Steam/Kongregate passwords (unless you used the same password at both sites). If you used the same password on the 8BitMMO forums or Wikia, you should change those passwords as well.
UPDATE 2: E-mails are now going out about this; however, it may take a while for all the e-mails to make it out of the system.