
Sara Dawn
|
Posted - 2007.06.13 22:02:00 -
[1]
Hello Friends,
this is not a happy time for me and in the interest of your own safety I come before you with this announcement.
There has been a "breach" if you can call it that, where someone found a debug log of the registration process forgotten by myself while I was debugging problems with registrations that contained ' and other issues regarding the set as trusted.
That log file contained the inputs from the fields in the registration page, including information if it was in the IGB or not.
Let me make it clear that not everyone's ineve site username / password and email was contained in that log, but unfortunately it did contain a considerable amount to warrant this.
At this time it appears the information has not been misused.
This is why since today at lunch time the site has forced everyone to change their passwords and confirm their email. I would have sent this to everyone by email, but the great majority of you do not enter a valid email which leaves me to turn to the forum.
If you happen to use the same password for your email account or eve account please change it immediately (and please for security's sake, never use the same passwords for your email, eve account, ineve, other website).
So in a nutshell:
- A registration debug log file was discovered and downloaded from ineve containing the ineve account information of a substantial number of people
- I have removed it (fixed it), as it was forgotten by me while solving some registration problems a while back :(
- I have forced everyone to change their passwords when they try to login
- I ask everyone who used the same password in their email or eve account to change it as soon as possible
I'm terribly sorry about this, my apologies to everyone.
I would like to thank the person who emailed me regarding this issue, I'm not sure if I can reveal his name, but anyway, you know who you are.
-- Sara Dawn inEVE.net Skills Showroom http://ineve.net/
|

Stems
Trade Consortium
|
Posted - 2007.06.13 23:15:00 -
[2]
Dang that definitely sucks 
|

RaTTuS
BIG BIG is Beautiful
|
Posted - 2007.06.14 07:36:00 -
[3]
thanks for the Warning
-- BIG Lottery, BIG Deal, InEve & Skills Blog
|

Plave Okice
Gallente Combat Systems
|
Posted - 2007.06.14 11:42:00 -
[4]
Thanks for your honesty and heads up
|

William Hartas
Caldari OcUK
|
Posted - 2007.06.14 14:05:00 -
[5]
This is a pretty freakin' major security breach, I bet a lot of people have used the same password on your website that they do elsewhere.
|

Kasigi
Caldari Perkone
|
Posted - 2007.06.14 14:14:00 -
[6]
Surely this should be posted in the GD forum? It could affect many many thousands of people and is a bit out of the way here.
People need to be aware of this, hell, make it a news item, it's important!
|

Jameroz
Cosmic Odyssey YouWhat
|
Posted - 2007.06.15 18:58:00 -
[7]
Whoa... giving out Eve or email password to random website would be rather stupid 
|

William Hartas
Caldari OcUK
|
Posted - 2007.06.16 11:23:00 -
[8]
I'm stunned that there could be many people who are dumb enough to use their eve passwords for the service (yes, it does happen) but nobody really seems to care that they could have been compromised. Six replies to this thread shows that.
|

Danzig256k
Caldari Mortal Devastating Kin
|
Posted - 2007.06.16 12:59:00 -
[9]
thx for the heads up, I'd rather find out this way than to discover my acct got hacked or something.
|

QuantumX
Minmatar Sicarri Covenant
|
Posted - 2007.06.16 13:15:00 -
[10]
Thanks for this
|

voogru
Gallente Massive Damage
|
Posted - 2007.06.16 22:08:00 -
[11]
Edited by: voogru on 16/06/2007 22:08:12
Originally by: Sara Dawn
- I have forced everyone to change their passwords when they try to login
- I ask everyone who used the same password in their email or eve account to change it as soon as possible
I'm terribly sorry about this, my apologies to everyone.
You are not... storing the passwords in the database as... plain text are you?
At the very least you should hash the passwords (md5) with a salt.
Ie.
md5(password . md5(randomly generated salt for the account))
And when writing debugging data to a log, I'd see no reason to log the password field, and if there was, the hash would suffice.
|
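An added example, not part of the thread and not inEVE's code: a registration debug logger that strips credential fields before anything is written, plus a per-account salted password hash. The field names and sample values are assumptions, and PBKDF2-HMAC-SHA256 is used here in place of the md5 construction quoted above.

```python
import hashlib
import hmac
import json
import logging
import os

# Field names are assumptions; the thread does not list the form's fields.
SENSITIVE_KEYS = {"password", "password_confirm", "email"}

log = logging.getLogger("registration.debug")


def redact_form(fields):
    """Return a copy of the form inputs that is safe to write to a debug log."""
    safe = {}
    for key, value in fields.items():
        if key.lower() in SENSITIVE_KEYS:
            safe[key] = "[REDACTED]"  # record only that the field was submitted
        else:
            safe[key] = value
    return safe


def debug_log_registration(fields):
    """Log one registration attempt as a JSON line with secrets removed."""
    line = json.dumps(redact_form(fields), sort_keys=True)
    log.debug("registration input: %s", line)
    return line


def hash_password(password, salt=None):
    """Salted, deliberately slow hash (PBKDF2 swapped in for md5)."""
    if salt is None:
        salt = os.urandom(16)  # random salt generated once per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


# Constructed sample input: a username containing ' and the IGB flag.
SAMPLE = {"username": "O'Neil", "password": "hunter2!",
          "email": "o@example.org", "igb": "1"}
```

The username with the apostrophe and the IGB flag still reach the log, so the registration problem stays debuggable without the file ever holding a credential.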

Richard Villiers
Gallente Quid Pro Quo
|
Posted - 2007.06.17 00:40:00 -
[12]
Is this the reason why inEVE was not reachable for about 1.5 hours just now? _____
Originally by: Neon Genesis This forum is about opinion, however, you are wrong.
|

Sara Dawn
|
Posted - 2007.06.17 02:39:00 -
[13]
Edited by: Sara Dawn on 17/06/2007 02:38:23 Replies:
Passwords are stored in md5. The debug file just had all the variables from the registration form.
It was down when I was benchmarking an alternative machine as a database server, and then I decided to move the database to that other box as benchmarks showed good performance improvements. But only time and load will tell if it really makes a big difference or not.
|

Gangus
Minmatar Matari BackBone
|
Posted - 2007.06.18 09:32:00 -
[14]
Hi Sara,
Thanks for the warning about this happening, passwords will be changed in the next minute or 3. Seriously though folks, if you got scared by this you've got to have been pretty silly in the first place by using the same password as your EVE account and having your account name the same as your character name.
I must admit I personally dislike the prospect of trusting any site the IGB asks me about, and I think I have good reason for being this way. I signed up to InEVE after having watched the site for a while and not spotting anybody getting hacked due to it, and decided to take a gamble, and I'm happy I did, even though I've worried about it more since, but funnily enough, your having gotten hacked has increased my confidence in you, as you gave full disclosure, (CCP are you listening?) and you didn't take the opportunity to use the drama to look around a few other accounts under the cover of being hacked.
I'll continue to use the Skills Showroom, and I encourage others to do the same.
Keep up the good work,
Gangus
Never mess with a guy in an ugly ship. He's bitter and has nothing to lose. |