Passwords Compromised

**Rogean** · #1 03-01-2009, 03:27 AM

Recently a group of people gained access to an Administrator's account on the EQEmu forums, and edited the site templates to include a javascript entry which submitted all logins to a remote web server. As soon as we found out about this we locked the forums and removed the script.

Unfortunately, the hackers have the username and password of Every user who has logged in to the forums in the last 2 months. Yes, the passwords are encrypted in our database, but the javascript was executed as the passwords were typed into the login field, and before they were encrypted on the server. This means they get a cleartext version of the password, non-encrypted.

As as result, we have reset everyone's password on the boards and sent the new one to the email address on the account. I suggest that everyone get their new password and then change it to something you haven't used before. If your password was the same for your login accounts, I would change those too (Hell, change them anyways even if they weren't the same).

I apologize for the inconvenience this has and will cause, unfortunately we live in a world full of assholes that like to do this kind of shit.

neiv2 · #2 03-01-2009, 11:40 PM

I did not receive a reset email for my Neiv account and had to create this one to post this. Moreover, I attempted to use the reset password feature on the forum login page, but received no email for the account email address. I have reset the passwords for all my emails and have tested all of them. I'm receiving emails just fine from the email address used for my Neiv account; but still have not received a password reset email from the forums. Should I be concerned?

On a separate note, I just checked through past emails and it appears I received a registration activation notice for an account named gandalf00 on Feb 13. I do not recall creating such an account. Six minutes after that notice came in I received a "Welcome to EQEmulator Forums" email in reference to that same account. I paid no attention to those emails when they came in, thinking they were updates of some sort. I searched on that username, but there are no posts associated with it.

Skrimazo · #3 03-02-2009, 04:07 AM

I have two accounts on EQ Emulator, because initially, I thought two accounts were required for two-boxing. Silly me.

Skrimazo (this account) got it's e-mail, but Ikeren, my primary account; didn't. I've requested the e-mail be sent ~10 times today, without success.

Furthermore, I tried to register Ikeren-2 with the same e-mail address, to check if maybe I had forgotten which e-mail I used for Ikeren

Quote:

The email address you entered is already in use. If you have forgotten your password, please click here.

I click here, I get to lost password recovery.
I try to send out a new password to the e-mail that Ikeren was signed up with (and Ikeren-2 would have been signed up with), and nothing happens.

And I have been checking my Junk-mail folder.

kgb · #4 03-02-2009, 09:32 AM

I've seen a post link here and I see the questions regarding the failure to receive an email upon requesting such detail.

Is something borken? Huge mail back log? Other?

fizzol · #5 03-02-2009, 11:53 AM

Sorry for the dumb question, but how do I change my login server password?

kurosakikun · #6 03-02-2009, 11:58 AM

To change login server passwords go to the user control panel. Under the miscellaneous section, at the bottom, there is a "login server" button. Press that and it will list the 3 login accounts linked to your eqemu account.

If you're not receiving emails for password reset, then you can probably assume that whomever has stolen your login details has changed the account email. Meaning you never will see them, and you have no access to the account.

kgb · #7 03-02-2009, 12:29 PM

I would agree but disagree for the following reason...

If said intruders did change email addresses on compromised, then why is my email address recognized when requesting account credentials? Unknown email addresses used through the recovery are noted as unrecognized in the recovery response.

Hopefully it all gets worked out without too much trouble.

Skrimazo · #8 03-02-2009, 04:39 PM

Quote:

If you're not receiving emails for password reset, then you can probably assume that whomever has stolen your login details has changed the account email. Meaning you never will see them, and you have no access to the account.

Same as KGB pointed out, plus new registration tied to that e-mail gives me

Quote:

The email address you entered is already in use. If you have forgotten your password, please click here.

Lisrada · #9 03-03-2009, 04:07 PM

Question.

What do we do if we don't know which email we used to make our account? I'm sure I know 2 of the 3 I used by I can't tell because hotmail won't receive emails.

Yeormom · #10 03-04-2009, 07:53 PM

If you we're essentially making fake accounts just to have more login server id's, it might be time to cut your losses and move on. If you have a specific character on a server that is a problem, that server may support such a transfer.