Saturday, August 4, 2018

/v/scape BTFO (Post-Mortem)

tl;dr /v/scape server was compromised. Consider everything tied to /v/scape compromised. Your passwords were in plain text so if you have any accounts using that password, you should change them immediately. Your /v/scape account may be locked and you will need to contact a staff member to unlock the account. This is to protect your account.

On August 3 2018 at ~19:30 UTC our server was broken into. This was after a two week+ sustained attack. We were using a password login for the server with no alerts on failed login attempts (I am serious, unfortunately). This made it relatively easy for the attacker to gain access. On August 3 2018 at ~20:15 UTC we noticed what was happening and took action. The VPS provider was emailed and the server reinstall was complete on August 4 2018 at ~2:00 UTC. Our backups were recent so players should experience no data loss from this episode.

The attacker had access to everything related to /v/scape. Everything should be considered compromised at this point including, but not limited to, usernames, passwords, PINs, IPs, MACs, and email addresses from the Mantis. Any accounts that use your password from /v/scape should be changed immediately.

Ironically, we had been working on password hashing/salting and authentication recently. It was planned that we would roll that out in the next couple of days, but obviously that was too late. There were a number of things we should have done differently and they should have been done years ago, but we naively thought we wouldn't be targeted by anyone and maintained an extremely lax security posture. We have already taken steps to better protect ourselves in the future. Among them is hashing the passwords instead of letting them sit in the player files in plain text. This is now implemented and your password will be stored as a hash once you have logged in and out of the server as of today (August 4 2018). Two-factor authentication for your accounts will be (optionally) available soon. We also will no longer be using password logins for the VPS. Much more has been done and will be done over the coming weeks.
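The hash-on-next-login migration described above, sketched as an added example (not the /v/scape server's code). The record layout, field names and the choice of salted PBKDF2-HMAC-SHA256 are assumptions, since the post does not say which scheme was used.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000        # assumed work factor for this sketch
SCHEME = "pbkdf2_sha256"    # hypothetical marker stored beside the hash


def hash_password(password: str) -> str:
    """Return '<salt hex>$<digest hex>' using a fresh random 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_hash(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def login(record: dict, password: str) -> bool:
    """Check a login and upgrade a legacy plaintext record on success."""
    if record.get("scheme") == SCHEME:
        return verify_hash(password, record["password"])
    # Legacy record: the plaintext stays on disk until this player logs in.
    # The scheme is a separate field so a plaintext password that merely
    # looks like a hash string cannot be mistaken for one.
    if not hmac.compare_digest(record["password"].encode(), password.encode()):
        return False
    record["password"] = hash_password(password)
    record["scheme"] = SCHEME
    return True


def unmigrated(records: list) -> list:
    """Names of accounts that still hold a plaintext password."""
    return [r["name"] for r in records if r.get("scheme") != SCHEME]


if __name__ == "__main__":
    # Constructed sample player records, not real data.
    players = [{"name": "alice", "password": "correct horse"},
               {"name": "bob", "password": "never logs in"}]
    print(login(players[0], "correct horse"), unmigrated(players))
```

Accounts that never log in again keep their plaintext entry, so a migration like this needs a follow-up pass that locks or resets whatever `unmigrated()` still reports.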

If your account is locked, you will need to contact a staff member to have it unlocked for you. We are going to restore all accounts no matter how long that takes us. You can message us on Steam from the /v/scape Steam group or make a new account and message us in game.

Lastly, I want to apologize to all of you. This failure was entirely our own. We knew the weaknesses and took years to fix them. We ignored common sense and we knew better. There's nothing I can say here that can or should restore your trust in us (if you ever had any). All I can offer you is an apology and a promise that we are taking all steps we can to prevent this from ever happening again. I am personally taking a more active role in ensuring server security and I know the rest of the team is taking this much more seriously as well.

Latent