Important Security Announcement Involving OpenVMK

Discussion in 'Archive' started by Amy, Feb 1, 2016.

Thread Status:
Not open for further replies.
  1. Amy

    Amy Well-Known Member Head Administrator

    Joined:
    Mar 16, 2014
    Messages:
    985
    Likes Received:
    3,708
    In-Game Name:
    Amy
    Hello everyone,

    Something has recently come to our attention that we feel you need to be aware of. Many of you may remember OpenVMK, the remake of VMK that came before MyVMK. It closed down (around September 2013) due to some things that happened. A brief summary is I was the one who was developing the code for OpenVMK, and one day the other people involved in the project decided they didn't want me around anymore, and one of the people involved used their position with the host we were using for it to take the game from me, including the database for the game which contained all user data. Unfortunately there was no way I could have prevented this (as at the time I was working with these people, they had equal control with me and overruled me on using a different host... now it's clear why they were so insistent), and the game shut down shortly after due to outrage.

    Fast forward to today, when we discovered someone outside has a copy of the database from OpenVMK. Back then for reasons not in my control, the passwords were stored insecurely. They weren't stored as plaintext, but they were stored hashed. The thing is, just hashing a password isn't good enough these days. If you want to know more about this, there's a video briefly explaining what I'm talking about below (I definitely think you should watch it!).


    This does not affect MyVMK in any way, your passwords in MyVMK are stored completely securely. However, if you registered for OpenVMK, this person may now have access to your password from it. MyVMK is completely separate to OpenVMK, however due to my involvement with OpenVMK I was able to 100% confirm it as the source of the problem. If you have a super secure password, it's unlikely he will be able to access it, HOWEVER if you had an insecure password back then and still use it on anything today we recommend you change it everywhere that you used that password.

    A little tid-bit on password security, it's generally a good idea to use a different password on everything. Any website you register for can potentially access your password, the creators of the website could do it or someone who has gotten into their system could too. This is why everyone says to use a different password on everything, because that way if one website goes rogue, the rest of your accounts are safe. A good password is also generally a longer one, a computer will have a much harder time cracking a password such as amazonplatelemonadeladysparkle0 than 9382849.

    [​IMG]
    Source: https://xkcd.com/936/

    An important thing to remember, if you did not register for OpenVMK (which is NOT MyVMK!), or did not reuse the password you used on OpenVMK, this does not affect you in any way. If however you did use OpenVMK, and you do still use the password you used on OpenVMK, then we recommend you change your password on any accounts that use that password immediately, ESPECIALLY if you used it on an email account. If you don't know what OpenVMK was, you're safe.

    This is how Littlebelle's accounts was accessed, but we only just discovered it. Again, whilst MyVMK is separate to OpenVMK, we felt we needed to alert you all to this as many of our users were on OpenVMK before MyVMK opened.

    Stay safe out there!
     
  2. BoutThatLife

    BoutThatLife If boys had uteruses they'd be called duderuses

    Joined:
    Sep 29, 2013
    Messages:
    189
    Likes Received:
    12
    In-Game Name:
    BoutThatLife
    how/when did you guys find out about this?
     
  3. Amy

    Amy Well-Known Member Head Administrator

    Joined:
    Mar 16, 2014
    Messages:
    985
    Likes Received:
    3,708
    In-Game Name:
    Amy
    Earlier today, I've been investigating it ever since. I was able to confirm what happened based on access logs from the person. I found them trying to access files from OpenVMK after logging into accounts (which after speaking to the owners of the accounts) I was able to confirm had the same passwords on OpenVMK as MyVMK. He was spamming requests to the login page for a while too, I'm assuming he was trying a lot of accounts passwords.
     
    Krypto, Littlebelle and Gregory like this.
  4. Pirateboi

    Pirateboi Well-Known Member

    Joined:
    Sep 16, 2013
    Messages:
    1,831
    Likes Received:
    466
    In-Game Name:
    Pirateboi
    Thanks for posting, Amy! Appreciate the fact of giving us the opportunity to change our passwords!
     
    Whoosh likes this.
  5. BoutThatLife

    BoutThatLife If boys had uteruses they'd be called duderuses

    Joined:
    Sep 29, 2013
    Messages:
    189
    Likes Received:
    12
    In-Game Name:
    BoutThatLife
    okay thanks for letting us know amy!
     
  6. Rosey

    Rosey しねください!

    Joined:
    Feb 18, 2014
    Messages:
    2,748
    Likes Received:
    1,171
    In-Game Name:
    Rosey
    Thanks for this, gave me a little scare but i had already changed my myvmk password. as for other things.. well i dont remmeber my openvmk password and honestly i have trouble remembering passwords so majority are all the same :/
     
  7. Brandon

    Brandon NFL Football Guru

    Joined:
    Sep 16, 2013
    Messages:
    573
    Likes Received:
    191
    In-Game Name:
    Brandon
    To who ever did that...BUSTED!!!!!!
     
    JazzyEESPurple likes this.
  8. Cinderella

    Cinderella Princess

    Joined:
    Sep 16, 2013
    Messages:
    86
    Likes Received:
    24
    how do you change your password on the game?
     
  9. SkywayStitch

    SkywayStitch Well-Known Member

    Joined:
    Dec 24, 2013
    Messages:
    493
    Likes Received:
    177
    So glad I used Amazonplatelemonadeladysparkle0 instead of amazonplatelemonadeladysparkle0 as my password.
     
    Meridian, MushroomLove, Emsy and 4 others like this.
  10. Amy

    Amy Well-Known Member Head Administrator

    Joined:
    Mar 16, 2014
    Messages:
    985
    Likes Received:
    3,708
    In-Game Name:
    Amy
    When you log into the game there's an icon next to your name that looks like a wrench, if you click that you can change your password on the page it takes you to.
     
    Littlebelle, Gregory and Cinderella like this.
  11. Brandon

    Brandon NFL Football Guru

    Joined:
    Sep 16, 2013
    Messages:
    573
    Likes Received:
    191
    In-Game Name:
    Brandon
    [​IMG]
    click the gears
     
    Cinderella likes this.
  12. Figaro

    Figaro Well-Known Member

    Joined:
    Jan 16, 2016
    Messages:
    32
    Likes Received:
    20
    You can change your in game password here
     
  13. mark

    mark Well-Known Member

    Joined:
    Sep 29, 2013
    Messages:
    2,976
    Likes Received:
    1,381
    only 656,518 credits?!
     
    waterfallglow likes this.
  14. Dana

    Dana Active Member

    Joined:
    Mar 29, 2014
    Messages:
    3
    Likes Received:
    5
    Is anyone having troubles getting into the game? Now I'm paranoid.... :blank:
     
  15. waterfallglow

    waterfallglow balance is important both in life and art.....

    Joined:
    Oct 10, 2013
    Messages:
    785
    Likes Received:
    551
    In-Game Name:
    waterfallglow
    i watched the video Amy :) and thx for letting us know! the video was interesting.
     
  16. Littlebelle

    Littlebelle Smile and the world smiles with you

    Joined:
    Sep 16, 2013
    Messages:
    2,229
    Likes Received:
    2,350
    In-Game Name:
    I am back!!!
    tumblr_inline_nm22ijpR8A1qbethy.gif

    I just wanted to say thank you to Amy for looking into this. You did not need to do this and I really appreciate how thorough you were. Also to Kali for her professionalism at working to return my items.
     
    kallyrose, Elegance and Krypto like this.
  17. Kali

    Kali MyVMK Staff MyVMK Staff

    Joined:
    Apr 15, 2014
    Messages:
    80
    Likes Received:
    61
    Happy to help! :)
     
  18. Meridian

    Meridian hello

    Joined:
    Jan 27, 2014
    Messages:
    371
    Likes Received:
    303
    About to change my password from meridian123 to meridian321. thank you
     
    Pecosace and Gregory like this.
  19. MacPat

    MacPat Contributor

    Joined:
    Jan 28, 2015
    Messages:
    99
    Likes Received:
    69
    In-Game Name:
    Stellarspace
    Maybe it's time to add 2nd pass authentication.
     
  20. Amy

    Amy Well-Known Member Head Administrator

    Joined:
    Mar 16, 2014
    Messages:
    985
    Likes Received:
    3,708
    In-Game Name:
    Amy
    Great idea! (joking lol, sorry have to put this just in case)

    I think that's overkill for a game like this and I doubt anyone would even use it... but the main reason this was posted wasn't for peoples game accounts, those aren't a big issue because we can see when they're accessed by different people and if things are traded away, react accordingly so most people get their items back in those cases. The real concern is peoples non-game accounts, in other words, their emails and other things, since most people use the same password on everything if someone gets both a password and an email from a website, they can often log into that persons email account and access everything on it, which can in turn let you access all kinds of things from other games to online banking. That's why it's bad to use the same password everywhere.

    Again though, this started 3 years ago. Originally everyone knew what happened back then, with the OpenVMK staff taking the things from me (it was all VERY public and so was the resulting revolt, it was the reason MyVMK started and OpenVMK ended in the first place). The reason this was posted now is because someone I know to be very, VERY untrustworthy (i think most of you who have been around for a while should be able to figure out who, your first guess is probably right) recently got given a copy of the backup from one of the people who took it in the first place, and I know for an absolute fact he's using it (for those of you who don't know, essentially what happened there was one of the people on the OpenVMK staff happened to have some kind of control over the host I was using, and they took an image of the drive since it was a VPS).
     
    Meridian likes this.
Thread Status:
Not open for further replies.