In the very early morning of 8th November 2019 we noticed suspicious activity by a potentially malicious third-party actor against our services. Using an exploit in our legacy codebase, our logs confirm that they accessed a small number of user records from the old user service.

Even though we were able to secure the endpoint as soon as we discovered the exploit, as a measure of security, we are informing all of you, as we cannot rule out that further access to other user data including email addresses, password hashes and password salts has taken place. We immediately worked to rectify the situation and, as part of the process, brought forward our release schedule for our long-planned new user service to ensure no other potential exploits on the old user service could be used to obtain user data. This step we took ensures that the new passwords are not only better protected, but that any encrypted passwords that have - potentially - been obtained from the old user service are already out of date.

Further, and as is required by law, we have informed the ICO about this incident and we are in the process of fulfilling our obligations related to the matter.

While we noticed the suspicious activity on 8th November 2019, and we have no evidence of past activity in our logs, we cannot say for certain whether the exploit had been used before, and thus cannot ascertain how many - if any - email addresses, password hashes and salts were accessed. Recognising our obligation to all of you, however, we are strongly urging you to be vigilant of potential phishing and credential stuffing attacks. If you haven't already, please log out and back in, in order to update your account and password and migrate to the new user service.


Yep, just gonna join here, of course this account is a 10-minute mail account. Since the theft of accounts and passwords here on Nexus I had to fight over all my secondary Instagram, Facebook and Steam accounts. Luckily they were secondary for a reason and I had nothing heavy to worry about them more than some random Korean using them to contact random girls around the world. Well, the fight is over and I took control of all my accounts again.

On the internet most people are very unforgiving, but my thoughts were: 'Well, I've been using their site for free and enjoying it a lot, sure they have earned my understanding that s*** happens, and keep going'.

But now the attitude is forcing password security and whatnot, which wasn't the problem in the first place but a security issue on their side. Surely I'm not gonna give them a good password so that they can lose it again. So now I have totally forgotten what my original account password was and I'll be using a new fire-and-forget account whenever I need one to download heavy mods, ask a question on a mod page or see adult content. Which I think is not what the Nexus team wants us users to do, but in the new environment it is what I am going to do.


You know what the absolute worst thing is for password security? Complex passwords. Counter-intuitive, I know, right? But longer and more complex passwords lead to people reusing more passwords and saving them in Word or Excel documents on their desktops. That's why Microsoft has minimal complexity requirements but encourages (and in some cases requires) MFA. And the cool thing about MFA? A 6-character simple password is no less secure (and arguably more secure) than a 12-character complex password as long as you use MFA.

And what's funny is seeing supposed security people talk about brute forcing like it's still how accounts get cracked. "Gotta make the passwords harder to guess!" as if anybody's trying to guess it. Nah, legit hackers don't brute force anymore. If they want your password, they send you phishing e-mails, malware with keyloggers, malware that takes advantage of password manager vulnerabilities (and you thought that would keep you safe), or the real good ones take advantage of website vulnerabilities to steal hashes (oh, look, what happened to Nexus).