At around 5AM last night, I detected an attempted attack on the server database. Looking into this issue, I found a potential exploit that may have been used to gain unauthorized read-only access to the database, including potential access to customer information. This bug was fixed by approximately 6AM.
First, I would like to sincerely apologize for this incident. While I did not write the original code involved, I take full responsibility for the issue and feel terrible that I did not spot it previously.
The database contains the following sensitive information: username, e-mail (if provided), hashed password (not stored in plaintext), IP address. For a very small number of users (<30) that have provided it, the database also contains their real name (if provided), mailing address (if provided), as well as a “credit card description” if you opted for the site to remember your credit card. This does NOT contain your full credit card number, but does contain the type of card, the last four digits, and the expiry date.
Although the password is hashed, if you use the same password at other sites, I recommend you change those at this time.
Again, I do not know for sure that any information was actually leaked, however, out of an abundance of caution I am planning to do a database rollback and then reset all account passwords of users who have an e-mail address on file.
Since full credit card numbers were not leaked, it is unlikely you will need to contact any credit monitoring agencies. However, here is their contact information should you wish to do so:
- Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
- Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
- TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division,
P.O. Box 6790, Fullerton, CA 92834-6790
My sincere apologies again, and I will keep you posted on this process.
UPDATE: The database has been rolled back to the previous day’s backup (1/19). All accounts with a valid e-mail have had their passwords invalidated, please reset your password. If you previously logged in via Steam or Kongregate, you should be able to continue logging in that way, however you should still reset your 8BitMMO password.
This does not affect your Steam/Kongregate passwords (unless you used the same password at both sites). If you used the same password on the 8BitMMO forums or Wikia, you should change those passwords as well.
UPDATE 2: E-mails are now going out about this, however, it may take a while for all the e-mails to make it out of the system.
im pretty much covered, but…. IP address… i dont feel so safe about that (i havent gotten any plat) but i may change my password still….
Yea I agree with you iron
Wow……um…idk what to say, but thank you sim. This game is a HUGE part of my life and it is amazing to see the creator helping us to stay safe in the game
Still a better love story than twilight.
I did use steam to log in but I Don’t remember what all info i allowed the game to have… Is there a way you could check and contact me about what got stolen? i think i used my old name ale359 last idk if it got updated to my new one.
I mean what might have been stolen.
If you like, you can open a support ticket to request your old password be unlocked. Then you can see what password was used.
Thank you for taking responsibility and informing us about this incident right away.
May I ask which algorithm was used to hash our passwords?
The account system was built in 2011, and SHA1 was selected as the hashing algorithm at that time. Today it is still prohibitively difficult for criminals to crack SHA1 hashes. However, technology & techniques advance, so I am looking into upgrading to a newer hashing algorithm to keep ahead of the curve.
I kinda forgot my 8bitMMO login info. I used to play this a lot however, due to internet problems I had to stop playing. I really hope that 8bitMMO deletes inactive accounts. luckily I’m getting this game for steam
In the blog post it states that the passwords are hashed. Are they also salted?
Unfortunately, the current implementation does not perform salting. I am looking into adding salting in a future update.
I have never seen such a thorough, open and honest post about a security breach. Reacting so quickly and with such clarity makes me feel safer to be honest. A lot of bigger organisations could learn a lot from this.
Sounds like it was a rough night, hope you get some time to recover., your efforts are much appreciated.
Many thanks to you Mr. Zinchak (i hope i got your name right) I thank you for being so honest about this hack, while some developers might have kept it secret, locked away from the public, you warned us, Thanks
P.S i changed my password, im not sure what to do about my IP address ._.
hi i havent played this game in a long time and have had it uninstaled but my steam account was stolen sometime between last night and this morning and i am 99% sure its because of this. so any help yu can give me on recovering my steam account will be a good way to redeem yourselves my username is darthvader925. so contacting steam specificaly for me would be a great way for me to get my steam account back.
You’re gonna have to talk to Steam yourself to get your account back. Sim9 isn’t a part of the Steam support team, all he does is make games.
buy he can contact steam to tell them potential stolen accounts
That’s a good idea. I will e-mail Valve so they are aware of the attack, but you will still need to get in contact with Steam support about recovering your Steam account.
thank you and i already have.
So…This means I’m pretty much screwed. I can’t change my password, since I don’t have an email address…Am I gonna have to start all over, or can you just re-activate my password for me?
Please open a support ticket with us and we will re-activate your password (be sure to change it right afterwards)
are you able to delete my account? its not because of the attacks its because i havent played this in years and i have no need for it, i think my name was FeaRGhosT
If you open a support ticket with your e-mail, I can lookup which account it was and remove your e-mail & password hash from the database
Robby do you know who did it?
Many saw its Zooty, but I don’t know the story behind her…. Starmanfan told me that she got into a fight with Scratso. and was permabanned. All I know is that I have her youtube channel its: [removed]
*Many say its Zooty, and if you want the channel contact me.
Your email is being filtered to spam by gmail…
good job in taking care of it