MCBans Public Statement

Discussion in 'Bukkit Discussion' started by Firestar, Jan 8, 2012.

Thread Status:
Not open for further replies.
  1. Firestar

    To who it may concern,

    You may or may not be aware of the issues we have recently experienced at mcbans.com.

    We would like to inform you that the security issues have now been resolved and any password information leaked is hashed (one-way encrypted) in the highest grade of protection available.

    At the time, we were unaware of some of the more specific details regarding the attack and the data which was compromised. Now that the immediate threat is over and our damage report is complete, we have decided to release all the relevant information on what happened during the attack.

    On 01/01/2012, MCBans became aware of a security breach on a server which contained our users’ personal information. The incident involving protected user information was the theft of a backup of mcbans.com which was made between December 2010 and April 2011 and was hosted on a remote server which then served as forums.mcbans.com.

    This backup contained usernames, highly encrypted passwords (conforming to Internet guidelines), email addresses and up to 500 valid server API keys which are still in use. This information was accessed by a group of malicious hackers through an exploit in an older version of our forum software.

    We would like to stress that immediate action was taken to combat this leak of information by enabling an IP-Lock on compromised API keys and regenerating the keys of servers which were at high risk of attacks.

    We recommend immediate steps be taken to protect yourselves from potential information breach harm by changing all passwords associated with mcbans.com and any other sites that use the same password as your MCBans account. If you change your password there will be no other implications of this attack.

    MCBans.com has taken these steps to protect your and others’ personal information from further harm or similar circumstances:
    • Initiated an in-depth business security evaluation.
    • Addressed operational and technological updates or changes triggered by the incident to improve confidentiality, such as (developing an in-house forum/switching forum to IP.B) and updating administrative policies and/or procedures.
    • Contacted all ISPs/hosts used to facilitate this attack. Most, if not all, ISPs/hosts have complied with our requests, and we will continue to ask for take-downs until we see fit.
    • Introduced a new team of System Administrators to oversee our infrastructure and ensure that everything is running highly optimized and that our systems are secure.
    • Improved system-wide security measures to remove access by unauthorized parties and prevent this from happening in the future.
    MCBans.com would like to sincerely apologize for the inconvenience and concern this incident has caused you. Your privacy is extremely important to us and we will continue to do everything we can to correct this situation and fortify our operational protections for you and others.

    You may contact us with questions or concerns in the following ways:
    Sincerely,
    MCBans Administration
    www.mcbans.com
     
  2. JohnTheRipper

    Good to know, thanks for putting out an official statement.
     
  3. lmc

    I received an email today linking to the SQL dump, just for your info.

    Glad you guys got this sorted out.
     
  4. Liger_XT5

    Thanks for the update, was getting worried here and there.
     
  5. rakiru

    Passwords use a secure hashing algorithm.
     
  6. mbaxter (Retired Staff)

  7. Firestar

    The person is not a staff member, he merely helped us setup some added security. He is in no way reflecting the MCBans staff. His threats were without backing.
     
  8. jamietech

    Has he been removed from the MCBans community or do you condone the behaviour he has conducted?
     
  9. Firestar

    He was never a part of the MCBans Community; he doesn't even play Minecraft. And no, I do not condone his behavior; his attitude was rude and inappropriate.
     
  10. jamietech

    So... he has been removed from any access he was granted to MCBans and is no longer working with you?
     
  11. Firestar

    As I have said, he was never a member of the MCBans Community; he merely came on to help with security at the time of the event.
     
  12. Lildirt

  13. Firestar

    Yes, as stated, he will no longer be allowed back in the channel, and any conversations you may have with him will not represent MCBans. I am sorry for his conduct; I did not expect him to react the way he did.
     
  14. Killie01

    I can just say one thing: uh oh if they find out how to decrypt passwords...
     
  15. Firestar

    They are hashed, not encrypted, so there is no special key they need to decrypt it. There are other ways; that's why we suggest you change your passwords.
     
  16. NuclearW

    A hashing function is fundamentally a one-way operation. Weaknesses in these functions can be found and exploited, however, but this assumes that the password was not modified before hashing (this is normally known as 'salting').

    Provided the salt used by mcbans is secure, I don't foresee anyone being able to turn the hash back into a real password easily. But nothing is impossible, and if you used the same password on mcbans as anywhere else (especially your linked email account) you really should change it soon.

    Edit: Which leaves me to ask, do you believe the salt to have been discovered, or is it still secure?
     
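As an added example illustrating the hashing and salting discussion in the post above (code written for this page, not MCBans or Bukkit code; the wordlist, usernames, passwords and the three hash schemes are constructed assumptions, and nothing is taken from the leaked dump), the following Python script cracks a small hypothetical dump under three schemes, unsalted SHA-256, salted SHA-256 and salted PBKDF2, and counts the hash computations each one costs the attacker:

```python
import hashlib
import hmac
import os

# Constructed attacker wordlist (a tiny stand-in for a real one).
WORDLIST = ["password", "123456", "minecraft", "letmein", "creeper1", "steve2011"]

# Constructed user records: two weak passwords that appear in the wordlist,
# one strong password that does not. Hypothetical; not from any real dump.
USERS = [("alice", "minecraft"), ("bob", "letmein"), ("carol", "xQ9!vL2#pW8@mN4z")]


def sha256_unsalted(password: str) -> str:
    """Plain SHA-256 of the password: same password, same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def sha256_salted(password: str, salt: bytes) -> str:
    """Fast salted hash: still one SHA-256 per guess, but no shared table."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """Slow salted KDF: every guess costs `iterations` rounds of HMAC-SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_unsalted_dump(users):
    return {user: sha256_unsalted(pw) for user, pw in users}


def make_salted_dump(users, hash_fn):
    """Salt is stored beside the hash, so whoever steals the dump has it too."""
    dump = {}
    for user, pw in users:
        salt = os.urandom(16)
        dump[user] = (salt, hash_fn(pw, salt))
    return dump


def crack_unsalted(dump, wordlist):
    """One precomputed table serves every user: cost is len(wordlist) hashes total."""
    table = {sha256_unsalted(w): w for w in wordlist}
    found = {user: table.get(h) for user, h in dump.items()}
    return found, len(wordlist)


def crack_salted(dump, wordlist, hash_fn):
    """No reusable table: each (user, guess) pair needs its own hash computation."""
    found, hashes_computed = {}, 0
    for user, (salt, h) in dump.items():
        found[user] = None
        for w in wordlist:
            hashes_computed += 1
            if hmac.compare_digest(hash_fn(w, salt), h):
                found[user] = w
                break
    return found, hashes_computed


def demo():
    """Crack the same three users under each scheme; returns (found, cost) per scheme."""
    unsalted = crack_unsalted(make_unsalted_dump(USERS), WORDLIST)
    fast_salted = crack_salted(make_salted_dump(USERS, sha256_salted), WORDLIST, sha256_salted)
    slow_salted = crack_salted(make_salted_dump(USERS, pbkdf2_salted), WORDLIST, pbkdf2_salted)
    return {"unsalted": unsalted, "sha256_salted": fast_salted, "pbkdf2_salted": slow_salted}


if __name__ == "__main__":
    for scheme, (found, cost) in demo().items():
        print(f"{scheme:14s} hashes computed={cost:3d} cracked={found}")
```

Run it directly to print the cracked passwords and the hash count for each scheme. Two things worth noticing: the per-user salt is stored next to the hash, so an attacker holding the dump already has it, and its job is to stop one precomputed table from serving every user rather than to keep the hash secret; and a weak password falls to a wordlist under all three schemes, with the slow KDF only raising the cost per guess. That is why the advice to change the password stands whether or not the salt was "discovered".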
  17. jamietech

    Thank you for completely ignoring my question.
     
  18. Firestar



    and this avoided the question how?
     
  19. jamietech

    You did not tell me if he has been removed from staff, instead you told me that he was to help with security.
     
  20. Firestar

     
  21. jamietech

    So this user is no longer helping MCBans at all?
     
  22. Firestar

    He is no longer helping MCBans.
     
  23. NinjaGrinch

    I think that answers that. :)
     
  24. mbaxter (Retired Staff)

    The reason for his specific inquiry there was because, despite calls by the staff for his removal, there was the implication for quite some time that he wasn't actually going to be removed. For those wondering about his persistence in the phrasing.
     
  25. Vhab

  26. Firestar

    It is a post written by a competing service, it will be biased.
     
  27. Vhab

    As is your press release.
    There are 2 sides to every story.
     
  28. TkTech

    Curious, since when was I a competing service? I have never used either product before doing so to research the article. I have never been in your so-called competitor's channel, but I am long-time friends with some of their staff and some of your own (none of whom approached me about this; I was informed by other parties). I have been around and involved in the community for much longer than either of your projects.

    Should your competitor act in such an incompetent manner, I would be more than happy to do a similar writeup.

    Please, don't label or accuse me of belonging to a particular side or group. I have nothing to do with either.
     
  29. Firestar

    Be that as it may, your sources are biased, and the information you may have is 7 months old and does not reflect the current workings of the MCBans system.
     
  30. TkTech

    My sources used for fact checking are several of your own staff members. Where errors have been made, they have been immediately corrected, and the wiki history is visible for whatever analysis you wish to do on that.

    You have done *nothing* to back any of your arguments, and continue to make a fool of yourself with baseless claims and your continuing dialog of "just trust us".

    Even if it does not reflect the current system (which it appears to do), the past doesn't just walk away.
     