
Important Security Update (updated 1/26/24)


Rodrigo


UPDATE #4 - 1/26/24

Found and resolved an issue where resetting password via the Forgot Password link would not sync the change over to OGMW.


UPDATE #3 - 1/21/24

If you reset your password since Jan 20 2024 and are still unable to access OGMW:

  • Make sure you're logging in with username rather than email address on OGMW. It's still using the old method of providing credentials. It is on the team's radar screen to make it accept both if possible.
  • It's possible your accounts have other metadata discrepancies that are preventing the sync from happening. Feel free to reach out to Eric or Colin via direct message, either here or on the MW Discord Server, so we can get it sorted out for you.


UPDATE #2 - 1/20/24
  • All accounts that haven't logged in since Jan 1 2023 have been set to 'awaiting email activation'. Accounts 'awaiting email activation' can't do anything on the OGMW forums or legacy sheets system, they're instead prompted with a notice to request an activation email, which provides them a link which'll activate them and take them out of that group.
  • All OGMW passwords set before Jan 19 2024 are considered expired and must be reset. Users meeting this condition will see a notice directing them to the new Myth-Weavers to change their password. If you changed your password here before today, apologies; you'll need to repeat the process (you can use the same value) to unlock your OGMW account.


UPDATE #1 - 1/20/24

Password updates now synchronize from Myth-Weavers back to OGMW. If you've already changed your password, you can repeat the process using the same value for old and new to force the synchronization to occur.

We regret to inform you of a serious security incident that occurred on Myth-Weavers on January 17, 2024. During this incident, unauthorized access was gained to a portion of our user data.

Our investigation has revealed that the attackers exploited vulnerabilities in OGMW to obtain usernames, email addresses, and hashes of passwords. It is important to note that the passwords were stored using a secure hashing algorithm with additional security measures. However, we cannot completely rule out the possibility that some passwords could be compromised.

Therefore, out of an abundance of caution, we strongly urge all users to take the following immediate steps:

  • Change your Myth-Weavers account password immediately. Select a strong, unique password that you do not use for any other online accounts.
  • If you use the same password for any other websites or services, change it there as well.
  • Never reuse passwords across different platforms or accounts. This is the single most important step you can take to enhance your online security.

We understand this news may be concerning, and we apologize for any inconvenience. We are taking this matter very seriously and are actively engaged in:

  • Investigating the attack logs to determine its scope and source.
  • Conducting thorough code audits to identify and address any potential vulnerabilities.
  • Shoring up our defenses to prevent similar incidents from occurring in the future.
  • Communicating the incident through additional channels to maximize reach.

We are committed to protecting our users' data and privacy. We will continue to provide updates as the investigation progresses and as we implement additional security measures.

If you have any questions or concerns, please do not hesitate to reach out to us through the Site Discussion forum or on Discord.

With our apologies,

The Myth-Weavers Team

Additional Tips:

  • Consider enabling multi-factor authentication (MFA) on your Myth-Weavers account and other frequently used online services.
  • Regularly review your account settings and activity logs to monitor for any unauthorized activity.

Did they obtain info from OGMW, or from both OGMW and Baldr?
(Asking because my password is different on both sites: the OGMW one is super weak (but the site is read-only), while the new one is strong.)

Also, as someone in the cybersecurity field, I strongly recommend using a password manager to create and manage your complex passwords: no Post-It, no Notepad or Excel files please. 😉 There are some free ones (KeePass which is what I use, but is not super pretty / user friendly on Windows), Bitwarden (their free tier), and some paid ones (but avoid LastPass which has had repeat security problems - do a quick search for "provider_name vulnerability" when researching a specific option).

Edited by namo (see edit history)

1 hour ago, namo said:

Also, as someone in the cybersecurity field, I strongly recommend using a password manager to manage your complex passwords: no Post-It, no Notepad or Excel files please. 😉

Very good advice! In particular, when your browser asks you to use passkeys (instead of passwords), say YES.


1 hour ago, Acromos said:

I realise I probably shouldn't be saying this - but what is there behind my password that has any value to anyone but me?!

Depends. If you're using a different password here than you use on other websites, and/or perhaps even a different e-mail address than the one you're using most of the time, then I'll wager there's probably little sensitive information about you here.

However, a lot of people still tend to use the same combination of e-mail address and password for a lot of websites, and that may include websites where one stores more interesting information for a hacker than a paladin elf's character sheet — like financial or medical data for instance. The first thing hackers do when they acquire batches of e-mails and passwords is to try them on those sites.

Say, hypothetically, that your e-mail and password here were the same as for your Amazon account, which happens to store your credit card number and personal physical address: that could spell very bad news.

Other common uses would include

  • spamming said e-mail address with spam and phishing to try to obtain more, or hack it in turn to use it to send the same thing to your contacts;
  • blackmail (you may not hide the kind of secret that calls for a million dollars ransom, but 2000 people ready to pay $500 to keep some things private would work just as well at the end of the day for the hackers...);
  • and, last but not least, identity theft, which may lead you to wake up one day discovering that you're supposed to repay a loan you never contracted, or that your driver's license has been suspended due to traffic violations you committed in places where you have never been, and so on.

19 hours ago, Rodrigo said:

We regret to inform you of a serious security incident that occurred on Myth-Weavers on January 17, 2024. During this incident, unauthorized access was gained to a portion of our user data.

A friend of mine made some remarks that are pretty important to note. They're currently very busy so I'll post these in their stead:

  • Since the staff have access to the email address of the entire userbase, I strongly recommend sending an email informing of this breach. If it weren't for a random ping of a discord server, I would never have known of this because I mostly use the sheets part of the website.
  • Are the passwords salted? Rather than using corporate, vague language like "additional security measures" it would be very useful to know exactly just how at risk of being compromised the passwords actually are. That's true transparency.
  • And last but not least, I've been informed that changing your password does not change the password on the old mythweavers site, and you currently cannot change the old mythweavers site password. Which means that if the passwords really are compromised, bad actors can simply log in through the old website. Finding a solution for this that doesn't involve nuking the old website would be preferable.

I would very much like these concerns addressed by @Rodrigo or another member of the staff. I have over 80 sheets myself and I would very much not like to lose them.


@Derahex In order:

  • A mass email notification is in progress at the moment. We need to finish the password sync portion of the account sync plugin first.
  • Yes, passwords are hashed and salted.
  • The password sync issue should be resolved by the end of the weekend. The sync plugin has been getting updated since yesterday to include a password sync. At present it is being tested for issues before deployment.

Nuking OGMW is not and was not on the table.
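To make the "hashed and salted" answer concrete, here is an added example (not Myth-Weavers code, and not a description of what OGMW actually runs) using PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, salt length and record format are assumptions. It shows why a per-user salt plus a work factor matters when a hash table leaks: two users with the same password get different records, so one precomputed lookup cannot be applied across all rows, and each guess costs the attacker the full iteration count.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; real deployments tune these to their hardware.
ITERATIONS = 600_000   # work factor: every verification (and every guess) pays this cost
SALT_BYTES = 16        # 128-bit random salt, unique per stored password

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt is drawn unless one is supplied (supplying one is only
    useful for deterministic tests).
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the record
    and compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False  # unknown scheme: refuse rather than guess
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def records_collide(password: str) -> bool:
    """Two accounts that chose the same password: with per-user salts their stored
    records differ, which is the property a leaked table relies on. Returns False
    for a salted scheme; an unsalted scheme would return True."""
    return hash_password(password) == hash_password(password)

if __name__ == "__main__":
    # Constructed sample credential for the demo; not a real user's password.
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password ok:", verify_password("Tr0ub4dor&3", record))
    print("same password shares a record:", records_collide("correct horse battery staple"))
```

Salting does nothing for a password that is reused elsewhere: once an attacker guesses it for one row, the guess works on every site where that user typed the same value, which is the point the thread makes about changing it everywhere.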


This topic is now closed to further replies.