Dear GBAtemp members and visitors,

It has come to our attention that over the past two days, a person has somehow been able to access a few user accounts on our forums. Shortly after, rumors started blossoming regarding a possible site/forum/database hack or a password leak. After an extensive search into server logs and lookup tools we have no reason to believe that any part of our site has been compromised.

At this point, as several people have suggested already, we believe that the reason this intrusion happened is because another site (an illegal ROM/ISO download site) was recently hacked and the password database was exposed to the public. Since a portion of our members was also registered on that site, possibly using the same password, this could explain the recent scare.

Even though we have no reason to believe our site has been compromised, we have taken a series of measures to reinforce account security on GBAtemp. Firstly, we have reviewed security on the server and all components of our site to make sure everything is up to date and secure. Some components of the forum software have been updated and following this update, one or two add-ons have ceased functioning. If you see anything that isn't working as expected, please use our Site discussions and suggestions forum to report the issue.

At this point, we recommend all our members to change their password and enable two-factor authentication. We are sending out e-mails to all our members to inform them of this situation and to recommend them to change their password. We strongly recommend using a unique and complex password, not just here but on every site you are registered to.

If you have any information that may help us get a better grasp on the situation, please get in touch with a member of the staff. Thank you for your understanding!

The staff

 

[iAqua]

Thanks for this.

 

[mathieulh]

2FA sounds nice but is too much of a PITA to use on most sites, especially if you often browse in incognito mode and/or actively log out of web sites ASAP (to reduce the chance of cookie/session key replay attacks). Perhaps I'd feel differently if it weren't the case that I use randomly generated passwords and hence I should only really be vulnerable if (1) my system is compromised (for which 2FA may be of little help), (2) some part of the chain of identification could be MITM (*cough*where's the SSL?*cough*), or (3) the website itself is either compromised or allows for brute force attacking accounts. For (1), I'm as much to blame as if I were using a weak password or reusing passwords. But for (2) and (3), well that's a poor excuse for me, the user, to go out of my way to try to mitigate what should be being done properly on the website end.

PS - By no means is this meant to be chastising anyone (Aurora Wright or GBATemp.net's admins). I just think that 2FA is often overkill and really misses the point: whatever system you use, you have to figure out what the real weakness is/should be. If the issue fundamentally is a weak password, deal with that. If it's that it's too easy for others to snoop the password, deal with that. If the server is so readily compromised, deal with that. If all of that's been well addressed and 2FA still makes sense, do that. Otherwise, well, they'll just compromise the weakest part (hack your email account, reset passwords, and then 2FA can become a joke) which actually makes the situation worse. :/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

2FA is never an overkill. The use of U2F can mitigate your convenience issue.
I will add that centralizing passwords is a bad idea.

In my eyes there should be no compromises when security is involved.
-----BEGIN PGP SIGNATURE-----

iQFfBAEBCgBJQhxNYXRoaWV1IEhFUlZBSVMgKEdlbmVyYXRlZCBmb3IgWXViaWtl
eSBORU8pIDxtYXRoaWV1bGhAZ21haWwuY29tPgUCWHd6cwAKCRCmuJwc9wJSCM+D
B/90qt4P35uH4OcqPoSa3JLKqVN4g681nQPs5xUTZ9a00BeHjCw65rTTMT+6uS2t
yLIigFq7x56iGokn4DNQJn09U9EXNgl8qSN4N54Wk5phhB0TYXNNsFE5auCr40vh
YHRFQD05hJvMN9iBPJ6pmpUYXPXu03XTg7WWkUf39ZCCNxz++7NuD0iv0CMwsxWm
8a+2kkRJzmCUfhAUfzrC05oqwEK1j3DYBiTT5GzegcM5Cc2xB5wPFwVEb/Fd1OJo
h3s+N7ojmRKIogBzViWNCG2b0g9l7JbnhjdaJY3BRIgfuAEbaU3/6admJLr/X9Cz
lCkWv2ui88F3XA2I53SwWZy6
=KBnc
-----END PGP SIGNATURE-----

 

[Deleted User]

Oh that iso site phew, got scared for a second.

 

[ßleck]

I'm not changing my fucking password, come at me leet haxors.

 

[TehCupcakes]

I don't really feel the need to use 2-factor authentication on a site where I have a nil-value account. (E.g. GBATemp)

Thanks for the notice, though. I really appreciate the transparency. I am curious though which site got hacked. (It's not like there's only one iso site. ) I realize you probably can't say the name of the site, but how "recent" are we talking? Does haveibeenpwned know about it?

 

[HyperT]

Costello's account is fine.
GBATemp itself wasn't compromised, but some ISO site was.
I honestly suggest people stop using that iso site. They appear to have some pretty shitty security going on over there. If you do it, use a throwaway account/password.

There was something that may have been an admin account posted on a thread here before the site was taken down. Wasn't going to mention that ad I didn't want to re-muddy the waters

 

[The Catboy]

I would like to post these links here for those worried about Luma3DS. These are the latest builds and tested by myself personally
https://3ds.guide/images/Luma-1eb18c17.zip
Source to link
http://astronautlevel2.github.io/Luma3DS/builds/Luma-1eb18c17.zip
Source to link
http://mirror.gs2012.xyz/3DS/CFW/Luma3DS-AuReiNand/Luma3DSv6.6.7z
Source to Link
I really hope Aurora Wright gets her accounts back up and running again. This was just a horrible thing to happen to such an amazing person.

I will be attempting to mirror all safe links on my sticky until this mess is cleaned up
http://gbatemp.net/threads/faq-what-cfw-is-best-for-me.428509/

 

[Deleted User]

Thanks

 

[mathieulh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Speaking of the devil, https support, when? This is 2017 you know?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd4jtAAoJEKa4nBz3AlIITlUIAJy2WFKTCi1KWNK+WqbDK34l
1UsbkkvrPiBe514069u6ylNGYF3cw7VfqRFVydzI+h40Y+YZWWzsEdPQ1Vxzj4gp
O0vQKpGncwSjE+X8/Kh18QYAZMVy/1dW+vOmHZvTQbJNohtNkI1bOLHpTicNFhAC
eqU6xdiYAmJTmCMFyU1vCX3lOYu8FetMltpg8CU4N4IaVv75DrkgacOmkOW3hjpo
+Uo4MuwXIEf1IxdKpxoRQQzTaD/jl376FjE9HtiDXUROy6bmfobE+g6nVdI5kqEb
KoaPrsIdhwdSgwx9uPmQfGHRQ8uAQNAEnQy/wASSfmnaqcl2h/Qk7SlF68/inGQ=
=Gj0b
-----END PGP SIGNATURE-----

 

[Minox]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Speaking of the devil, https support, when? This is 2017 you know?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd4jtAAoJEKa4nBz3AlIITlUIAJy2WFKTCi1KWNK+WqbDK34l
1UsbkkvrPiBe514069u6ylNGYF3cw7VfqRFVydzI+h40Y+YZWWzsEdPQ1Vxzj4gp
O0vQKpGncwSjE+X8/Kh18QYAZMVy/1dW+vOmHZvTQbJNohtNkI1bOLHpTicNFhAC
eqU6xdiYAmJTmCMFyU1vCX3lOYu8FetMltpg8CU4N4IaVv75DrkgacOmkOW3hjpo
+Uo4MuwXIEf1IxdKpxoRQQzTaD/jl376FjE9HtiDXUROy6bmfobE+g6nVdI5kqEb
KoaPrsIdhwdSgwx9uPmQfGHRQ8uAQNAEnQy/wASSfmnaqcl2h/Qk7SlF68/inGQ=
=Gj0b
-----END PGP SIGNATURE-----

HTTPS support has been enabled for ages. It's just that people can choose not to use it.

 

[Deleted User]

Now I don't have permission to view my warnings. What?

 

[mathieulh]

HTTPS support has been enabled for ages. It's just that people can choose not to use it.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Indeed, it appears that my workplace's palo-alto firewall was blocking https://gbatemp.net for some reason; It's now fixed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd4oeAAoJEKa4nBz3AlIIMi4IAJ/b45DezbgltEFP1UelNEOZ
2e61b1OVOLeN6oeMKSkTxHxrE23uq3Hkwi/aLyC7wkNIvZdWt2QZnw07/7jEI5EC
CkhXMzxd5aZjGBQov/cpgn+K1FTe1tsEepyc+IjIulEP9nLsK0ggloiWS1+TWLsS
CREX5OQFBL9ZfGMP2ELFI6JfJseqjYVL4r533OpWGqt2YgTYams2+fANX/llSs/8
Qii5Tuy7Z2FC8SxQqlkjjfCix7dhEA1FnhxGjpxPhm6UYj/n7P8zi5LN4PTpVnzU
bmlS8wbs6v5puMACALLlgpJFGwgR1kex4ILKVdVKpbOeHxuKUqNYJALJ3XCalpo=
=E/T8
-----END PGP SIGNATURE-----

 

[WiiUBricker]

What's the meaning of this PGP stuff in your posts?

 

[Procyon]

How would I find my other places/accounts, I know some shit sites with the same passwords, but I don't use those games anymore.

--------------------- MERGED ---------------------------

 

[Deleted User]

What's the meaning of this PGP stuff in your posts?

I think it's to verify his posts, like if he gets hacked.

 

[Viri]

I changed my password, but I checked which password I used before and which one I used on dat iso site, and yea, Idc it's just some pass I use for non important things. I would never use that pass for my emails and such

 

[PRAGMA]

things like this and the aurora wright github for Luma3DS are what i warned @ShinyMK about with his forced auto-updater

You realize if I were to get hacked, it wouldnt make a difference right? because my source code is hosted on Github using a 12 character unique password. so trust me, its safe.

 

[doughmay]

Thanks for looking out for us! [emoji106]


Sent from my iPhone using Tapatalk

 

[Deleted User]

You realize if I were to get hacked, it wouldnt make a difference right? because my source code is hosted on Github using a 12 character unique password. so trust me, its safe.

luma was also on github, it got hacked and the source code got compromised

 

[PRAGMA]

luma was also on github, it got hacked and the source code got compromised

probs from Aurora using the same pass on that iso site, i dont even use the same password on that iso site. I have 3 passwords:
"CodeRedPassword", "RegularPassword" and "DontGiveaFuckPassword".
I use my 12 character CodeRed password for Github and Steam and my main email, my regular password on gbatemp etc, and my DontGiveaFuckPassword on 3DSIso etc.
Proof its a "Dontgiveafuckpassword", I give 0 fucks about the accounts using it, that I dont even care if the password is public, so here you go: the dgaf password is "dontsqlme99".