Important Security Announcement Involving OpenVMK

Status
Not open for further replies.

Amy

Well-Known Member
Head Administrator
#1
Hello everyone,

Something has recently come to our attention that we feel you need to be aware of. Many of you may remember OpenVMK, the remake of VMK that came before MyVMK. It closed down (around September 2013) due to some things that happened. A brief summary is I was the one who was developing the code for OpenVMK, and one day the other people involved in the project decided they didn't want me around anymore, and one of the people involved used their position with the host we were using for it to take the game from me, including the database for the game which contained all user data. Unfortunately there was no way I could have prevented this (as at the time I was working with these people, they had equal control with me and overruled me on using a different host... now it's clear why they were so insistent), and the game shut down shortly after due to outrage.

Fast forward to today, when we discovered someone outside has a copy of the database from OpenVMK. Back then for reasons not in my control, the passwords were stored insecurely. They weren't stored as plaintext, but they were stored hashed. The thing is, just hashing a password isn't good enough these days. If you want to know more about this, there's a video briefly explaining what I'm talking about below (I definitely think you should watch it!).

This does not affect MyVMK in any way, your passwords in MyVMK are stored completely securely. However, if you registered for OpenVMK, this person may now have access to your password from it. MyVMK is completely separate to OpenVMK, however due to my involvement with OpenVMK I was able to 100% confirm it as the source of the problem. If you have a super secure password, it's unlikely he will be able to access it, HOWEVER if you had an insecure password back then and still use it on anything today we recommend you change it everywhere that you used that password.

A little tidbit on password security, it's generally a good idea to use a different password on everything. Any website you register for can potentially access your password, the creators of the website could do it or someone who has gotten into their system could too. This is why everyone says to use a different password on everything, because that way if one website goes rogue, the rest of your accounts are safe. A good password is also generally a longer one, a computer will have a much harder time cracking a password such as amazonplatelemonadeladysparkle0 than 9382849.


Source: https://xkcd.com/936/

An important thing to remember, if you did not register for OpenVMK (which is NOT MyVMK!), or did not reuse the password you used on OpenVMK, this does not affect you in any way. If however you did use OpenVMK, and you do still use the password you used on OpenVMK, then we recommend you change your password on any accounts that use that password immediately, ESPECIALLY if you used it on an email account. If you don't know what OpenVMK was, you're safe.

This is how Littlebelle's accounts were accessed, but we only just discovered it. Again, whilst MyVMK is separate to OpenVMK, we felt we needed to alert you all to this as many of our users were on OpenVMK before MyVMK opened.

Stay safe out there!
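
An added example, not part of the original post and not OpenVMK or MyVMK code, illustrating the point above that "just hashing a password isn't good enough". The post does not say which hash OpenVMK used, so SHA-256 for the weak form, PBKDF2 for the hardened form, the iteration count, and the sample accounts are all assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware

def weak_hash(password: str) -> str:
    """Bare, unsalted fast hash (SHA-256 picked for illustration only)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def strong_hash(password: str, salt: bytes | None = None) -> str:
    """Salted, deliberately slow PBKDF2 record: 'iterations$salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def shared_value_groups(table: dict[str, str]) -> list[list[str]]:
    """Group users whose stored values are byte-for-byte identical."""
    groups: dict[str, list[str]] = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

# Constructed sample accounts; two of them chose the same password.
SAMPLE = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "amazonplatelemonadeladysparkle0",
}

def demo() -> tuple[list[list[str]], list[list[str]]]:
    """Return the groups of identical stored values under each scheme."""
    weak_table = {u: weak_hash(p) for u, p in SAMPLE.items()}
    strong_table = {u: strong_hash(p) for u, p in SAMPLE.items()}
    return shared_value_groups(weak_table), shared_value_groups(strong_table)

if __name__ == "__main__":
    weak_groups, strong_groups = demo()
    print("identical stored values, bare hash:  ", weak_groups)
    print("identical stored values, salted KDF: ", strong_groups)
```

With a bare hash, anyone holding the table can see which accounts share a password and can test guesses against every row at once; the per-user salt and slow derivation remove both shortcuts.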
 

Amy

Well-Known Member
Head Administrator
#3
how/when did you guys find out about this?
Earlier today, I've been investigating it ever since. I was able to confirm what happened based on access logs from the person. I found them trying to access files from OpenVMK after logging into accounts (which after speaking to the owners of the accounts) I was able to confirm had the same passwords on OpenVMK as MyVMK. He was spamming requests to the login page for a while too, I'm assuming he was trying a lot of accounts' passwords.
 
#6
Thanks for this, gave me a little scare but I had already changed my MyVMK password. As for other things.. well I don't remember my OpenVMK password and honestly I have trouble remembering passwords so majority are all the same :/
 

Amy

Well-Known Member
Head Administrator
#19
About to change my password from meridian123 to meridian321. thank you
Great idea! (joking lol, sorry have to put this just in case)

Maybe it's time to add 2nd pass authentication.
I think that's overkill for a game like this and I doubt anyone would even use it... but the main reason this was posted wasn't for people's game accounts, those aren't a big issue because we can see when they're accessed by different people and if things are traded away, react accordingly so most people get their items back in those cases. The real concern is people's non-game accounts, in other words, their emails and other things, since most people use the same password on everything if someone gets both a password and an email from a website, they can often log into that person's email account and access everything on it, which can in turn let you access all kinds of things from other games to online banking. That's why it's bad to use the same password everywhere.

Again though, this started 3 years ago. Originally everyone knew what happened back then, with the OpenVMK staff taking the things from me (it was all VERY public and so was the resulting revolt, it was the reason MyVMK started and OpenVMK ended in the first place). The reason this was posted now is because someone I know to be very, VERY untrustworthy (I think most of you who have been around for a while should be able to figure out who, your first guess is probably right) recently got given a copy of the backup from one of the people who took it in the first place, and I know for an absolute fact he's using it (for those of you who don't know, essentially what happened there was one of the people on the OpenVMK staff happened to have some kind of control over the host I was using, and they took an image of the drive since it was a VPS).
 