[Age 330] TLK has suffered a data breach
Posted: Thu Dec 12, 2019 9:02 pm
TLK has suffered a data breach.
On the 25th of October I was alerted to a suspect submission to our programming platform. This triggered an investigation which led to the discovery of another file. Further checks into the server logs uncovered a data breach.
The data accessed includes:
*Unique user ID
*Username
*Password (hashed with BLOWFISH or MD5 if not logged in for a long time)
*Email
Date of registration
*IP last logged in with
Last Login Date
IP you registered with
Sex (as given in profile)
*Email you registered with
Time zone (as given in profile)
* = personally identifiable information or security sensitive data
This data breach was investigated and resolved within a matter of hours. We have now implemented higher levels of security in the way the code is structured. This was the cause of the lag on Friday.
The way the code was added to the server had actually been prevented only days later as we tightened up on security, however we did not notice this till afterwards.
The password data that was accessed was NOT stored “plain”, it was encrypted in one of two ways:
Active players: BLOWFISH: This is the current acceptable way of securely storing passwords and is considered safe.
Inactive accounts: MD5: This is considered insecure. As each of these accounts logs in to the game their password is automatically upgraded to the BLOWFISH security. However, if they have not logged in for the past 12 months then the upgrade has never taken place.
We can never access your password, so cannot simply take the insecurely stored ones and upgrade them – this would require us to know your password!
I urge everyone to reset their passwords as a matter of urgency, and will be sending an email out to all users in the coming days. If you use the same password anywhere else then you should change it there too. Using the same password on different websites is always a huge risk and should not be done.
Timeline:
25th October:
1449: A developer alerted me that they found something suspicious in the submissions to our programming platform.
1517: The suspect addition was identified and found as being added to the server on the 3rd October.
- This code allowed remote code execution.
1528: An additional security flaw was discovered whilst initially investigating the cause.
1533: An emergency group was formed to deal with the security breach.
1534: An additional file that is not part of our codebase was found added on the same day.
- This file allowed access to the database
1539: All server logs (45GB) for the previous month started to be downloaded & emergency backup began.
1541: Work began on fixing the identified security flaw.
1555: All logs and backup completed.
1556: Rogue files removed from the server.
1610: Security fix applied to dev & tested as working.
1613: Initial suspect connection to rogue file identified.
1639: Access to database confirmed – a data breach had occurred.
1936: Security updates applied to the live game.
TL;DR
We got hacked, change your password.
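The upgrade-on-login behaviour described in the post, as an added example that is not part of the original post or the game's code. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the post's BLOWFISH scheme; the record format, function names, the unsalted legacy MD5 layout and the sample accounts are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for the stand-in KDF

def strong_hash(password: str) -> str:
    """Salted, slow hash. PBKDF2 is a stand-in for the post's BLOWFISH scheme."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt, dk = stored.split("$")
        cand = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt), int(iters))
        return hmac.compare_digest(cand.hex(), dk)
    # Legacy record: assumed here to be a bare, unsalted MD5 hex digest.
    legacy = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(legacy, stored)

def login(users: dict, name: str, password: str) -> bool:
    """Verify the password; on success, replace a legacy MD5 record."""
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        # The plaintext is only available during a successful login, so this
        # is the only point at which the record can be re-hashed.
        users[name] = strong_hash(password)
    return True

def still_legacy(users: dict) -> list:
    """Accounts never upgraded: candidates for a forced password reset."""
    return sorted(n for n, h in users.items() if not h.startswith("pbkdf2$"))

# Constructed sample data: two accounts still stored as legacy MD5.
USERS = {
    "active_player": hashlib.md5(b"correct horse").hexdigest(),
    "dormant_player": hashlib.md5(b"old password").hexdigest(),
}
```

Accounts returned by `still_legacy` are the ones whose owners have not logged in since the stronger scheme was introduced, which is why a breach exposes them in the weaker format.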