Forum Security Advisory

Discussion in 'Bukkit News' started by Kaelten, Dec 7, 2015.

Thread Status:
Not open for further replies.
  1. You guys are developers!
    Its simple to make a password storing app, just if it is accessible for yourself.
    Got an email from Curse.
  2. @ChipDev keepass is a thousand times more secure than what we could create. Even with direct access to the database it is nearly impossible to decrypt a SSH-256 bit encryption.
    Last edited: Dec 10, 2015
  3. And.. you haven't changed your passwords? If I got a message that my accounts were being logged in to by somebody other than me, I'd change the passwords first thing.
    bwfcwalshy likes this.
  4. Offline


    So no other curse sites are affected by this? I have an account, (same password (I think) and username) on Minecraft Forums
  5. Offline

    timtower Ninja on the waves Moderator

    @craftedbyman I think that it would be better if you change both passwords just to be safe.
  6. Offline


    @timtower yea I was just about to. Is there anyway to see activity logs of recent logins of my account on this site?
  7. Offline

    timtower Ninja on the waves Moderator

    @craftedbyman Curse can do that I think, but they didn't do anything. Not that I can see at least.
    That they have your data doesn't mean that they also use it right away.
  8. Good news! There's probably nothing stopping exactly the same sort of admin account compromise happening on since it too is served over plaintext by default.
    mbaxter likes this.
  9. Offline


    @lol768 Now this is just getting ridiculous.
  10. Well, they are old accounts and not even I have the password to those. I realized I changed my Bukkit password a long time ago, so the two incidents are unrelated.
  11. Offline

    Kaelten Administrator Curse

    MCF is hosted on different technologies and requires 2FA for all admins and moderators. If a compromise was made to the control panel the surface area of attacks possible on that software is _much_ smaller. Functions like editing the login template is not possible in that software. Regardless of the lower risk, that team is also working to implement full SSL logins.
  12. So are you going to start requiring it for them on here too?
    Mrs. bwfctower likes this.
  13. And will there be an option for regular users like me to use 2FA?
  14. Offline


    What if it's HIS account that's been hacked and if we change our passwords the hacker will get them?!?!
  15. Why would you not require your admins to use two-factor authentication?
  16. Could you please clarify if they captured usernames, email addresses, or both?
    Thank you.
  17. The data entered in the login form was captured.
    Since you can login with your Username as well as your email adress, it would depend on what you used to login during that timeframe.
  18. Thank you. At least they couldn't take over my Minecraft account, because I only use my username when logging in here and my Mojang account requires the email address to login.

    I assume this security breach is the reason for the login issues that surfaced in October. What's disappointing is that the forum admins didn't bother to investigate what was causing the problem.
  19. @Bobcat00 sorry but that bug is still there. The forum has been compromised since August. Curse suspects a man in the middle attack while they were at minecon
  20. Man, that was ages ago.
  21. Source?
    timtower likes this.
  22. 2FA would not have prevented this account compromise.
    bwfcwalshy likes this.
  23. Offline


    Multiple attempts to log into my accounts with the released information. This has been one hell of a headache.
  24. Has everyone gotten this email, or did only the breached get it? Ugh...
  25. Offline


    @Saphiria_ Doesnt matter; Change your passwords.
    teej107 likes this.
  26. Warning! Looks like the attack is still in place!

    I couldn't find proof of it yet but I am sure. I read about the incident in the news and thought it was fixed. Then I logged into DevBukkit to answer a comment. Not long after I was disrupted when someone from Amsterdam connected to my computer using Teamviewer. Stupid me, I used the same credentials there.

    Please have a look at

    This is the IP the attacked used to connect through Teamviewer: REDACTED
    Last edited by a moderator: Dec 28, 2015
  27. Offline

    timtower Ninja on the waves Moderator

    @AmShaegar People are looking into it, can't find anything from a quick skim though.
  28. @timtower Me neither. But it would be an enormous coincidence if they got my credentials otherwise.

    Edit: Just recognized: I used my phone when answering that comment on dev bukkit. But I doubt an attack would be limited to mobile logins only.
  29. Offline

    timtower Ninja on the waves Moderator

    @AmShaegar Bukkit has no mobile platform, so that can't be the issue.
  30. Offline

    mbaxter ʇıʞʞnq ɐ sɐɥ ı Retired Staff

    That doesn't prevent a malicious party from injecting code that only appears to potential victims when certain criteria (like a mobile browser, where viewing source is less common) are met.
Thread Status:
Not open for further replies.

Share This Page