What sucks about this scene

So, I've mostly kept silent about it until now but due to the recent hacks I will say that this scene is really cringey, due to a group of edgy kids (among them there's even a respected developer) who keep doing things like this to me (hence the Luma3DS name change, actually).
I'll let these images speak for themselves (this was before the hacks actually took place): http://imgur.com/a/aweTG
Reactions: 47 people

Comments

@pixelmasher You must not have a good understanding of the law. Breaking a law towards someone who broke a law doesn't make it correct. It's like fighting fire with fire.
 
Reactions: 3 people
@astronautlevel I'm sorry, it's just that his name was suddenly mentioned and I lost trace of the people. Didn't mean to offend anybody.
 
Reactions: 1 person
Wow a soapbox for me to stand on? Out of nowhere? Guys this is a good example why if a website or service you use allows 2FA (two-factor authentication), USE IT. I put up a status about this a few days ago, but seriously, the extra ten seconds inconvenience you have when you go to sign in once a month is way preferable to the HOURS of headache you're going to go through to recover any breached accounts, if you get them back at all. My uPlay account got pwned a few days ago, I got email notifications that my password and email address were being requested to be changed. However, my email has a unique password on it and is 2FA secured, so there was an unlikely risk of the attacker also getting access to that. I was able to log into my uPlay account, change my password, and enable 2FA, and now that's all good.

The whole point behind 2FA is it gives you "something you know" (your password) and "something you have" (2FA code generator). In a lot of cases you will want to use 2FA in the form of something like Google Authenticator or Authy, from a mobile phone. So this way, if an attacker gets a hold of your password, they still don't have your phone, and thus no code. If they get a hold of your phone, they hopefully do not have your password (this is why it's important to have unique passwords).

Services that I know utilize 2FA by way of Google Authenticator - GBAtemp (finally!), Google services, Facebook, Amazon, Ubisoft uPlay. Steam has its own 2FA by way of Steam Guard from their mobile app. I haven't taken the time yet to find what other accounts I have that can work with it, and I really ought to. All it takes is one site leaked where you use a password in multiple sites, and you are opening yourself up to multiple attack vectors. Even if you don't use unique passwords, 2FA at least helps to reduce the risk.

OK I'll get off my soapbox now. Aurora Wright, sorry you've had to deal with this. Likewise to anyone else who had their account messed with, whether here or elsewhere. Even though the guy who got into my uPlay account couldn't do much other than change my nickname and avatar, it still leaves you with a really dirty, violated feeling. Having your shit all messed up here, your GitHub repo demolished... I don't even want to think about how frustrated I'd be.
 
Reactions: 2 people
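
The "something you know" plus "something you have" check described in the comment above, as an added example that is not part of the original thread. It assumes the RFC 6238 time-based codes that authenticator apps generate; the account layout and function names are hypothetical, and the secret is the RFC 6238 test key, used here as constructed sample data.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds each code is valid for (common authenticator default)

def totp(secret_b32, counter, digits=6):
    """RFC 4226/6238 one-time code for one time-step counter (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password, secret_b32, salt=b"constructed-salt"):
    # Hypothetical server-side record: password hash plus shared TOTP secret.
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": secret_b32, "last_counter": -1}

def login(account, password, code, now, window=1):
    """True only if BOTH factors verify; each time step is accepted once."""
    pw_ok = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    current = int(now) // STEP
    matched = None
    # Allow +/- `window` steps of clock drift, but never a step already used.
    for counter in range(max(0, current - window), current + window + 1):
        expected = totp(account["totp_secret"], counter)
        if counter > account["last_counter"] and hmac.compare_digest(
                expected.encode(), code.encode()):
            matched = counter
    if pw_ok and matched is not None:
        account["last_counter"] = matched  # blocks replay of a sniffed code
        return True
    return False

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key (sample)
    acct = make_account("correct horse", secret)
    now = 1111111109
    code = totp(secret, now // STEP)
    print("leaked password, no phone:", login(acct, "correct horse", "000000", now, 0))
    print("stolen phone, no password:", login(acct, "guess", code, now))
    print("both factors:", login(acct, "correct horse", code, now))
    print("same code replayed:", login(acct, "correct horse", code, now))
```
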
Just a question to pose: why was 2FA disabled in the first place?
 
Reactions: 1 person
It's entirely possible Aurora had no idea GitHub supported 2FA. Either that, or the added inconvenience of having to have your phone around whenever you push outweighed the potential security benefits.

Either way, she probably has it on now.
 
@VinLark it's not that 2FA was disabled, but the forum software version we were running did not yet support it. While these account breaches were being investigated to make sure it wasn't due to a vulnerability on our end, the forum was updated "just in case". That new update brought along 2FA functionality.
 
Reactions: 2 people
Ohhhhh alright that makes sense. Thanks for clearing that up @Sicklyboy
 
Reactions: 2 people
Right, but just because it SUPPORTS it doesn't mean you're REQUIRED to use it. If it did, it's likely that only her account here would have been impacted. Still sucky, but not AS bad. Just like here, you're not required to use it even though it's supported now. uPlay supports it (which I didn't even know), I wasn't using it, and I got pwned. Back when I used to play WoW, before I had the Bnet authenticator (physical 2FA token), my account got pwned. Got the authenticator and never had another issue.
 
Wow, I thought it was an outside-of-the-community hacker... A.W., keep doing good work; we totally forgive you for those OTP-less bricks.

One day I'll buy you a 'my pilla'--it's an American thing.
 
@VinLark Actually I don't since I don't plan on doing any of the stuff mentioned. So I don't really care.
 

Blog entry information

Author
Aurora Wright
Views
2,179
Comments
399