Status
Not open for further replies.

Addressing the recent user account hack scare

Dear GBAtemp members and visitors,

It has come to our attention that over the past two days, a person has somehow been able to access a few user accounts on our forums. Shortly after, rumors started blossoming regarding a possible site/forum/database hack or a password leak. After an extensive search into server logs and lookup tools we have no reason to believe that any part of our site has been compromised.

At this point, as several people have suggested already, we believe that the reason this intrusion happened is because another site (an illegal ROM/ISO download site) was recently hacked and the password database was exposed to the public. Since a portion of our members was also registered on that site, possibly using the same password, this could explain the recent scare.

Even though we have no reason to believe our site has been compromised, we have taken a series of measures to reinforce account security on GBAtemp. Firstly, we have reviewed security on the server and all components of our site to make sure everything is up to date and secure. Some components of the forum software have been updated and following this update, one or two add-ons have ceased functioning. If you see anything that isn't working as expected, please use our Site discussions and suggestions forum to report the issue.

At this point, we recommend that all our members change their password and enable two-factor authentication. We are sending out e-mails to all our members to inform them of this situation and to recommend that they change their password. We strongly recommend using a unique and complex password, not just here but on every site you are registered to.

If you have any information that may help us get a better grasp on the situation, please get in touch with a member of the staff. Thank you for your understanding!

The staff
 

nedron92

Well-Known Member
Member
Joined
Feb 18, 2016
Messages
261
Trophies
0
Age
31
Website
www.github.com
XP
384
Country
Germany
Nice variation to use of passwords xD
I have **** too many different passwords, all are 20 chars+, each is unique and I use NO password manager.
Yes, it's kind of a system I use and build my passwords, so I can remember them ^^.
Thought more about 1-2 weeks to create a system, which fits my needs (special chars, more than 15 chars, numbers, upper- and lowercase chars) and I can remember :D
My PasswordManager is my brain and if I akes..I can "forget" passwords easily xD
 

flame1234

Well-Known Member
Member
Joined
May 17, 2009
Messages
734
Trophies
0
XP
957
Country
United States
I just use the random password reset password it gave me when I forgot my password (8 random letters and numbers). I don't use that at any other sites.
Maybe I shouldn't do this as it was sent (a while ago) in plaintext over email.
 
Saiyan Lusitano

Guest
Thank you for the email, GBATemp Team.

I've changed my password.
 

SirHaxALot

Yum Cookies! :3
Member
Joined
Nov 22, 2016
Messages
132
Trophies
0
XP
156
Country
Gambia, The
@Costello "Error" report: The tags of thread are completely f...ed up, example: https://gbatemp.net/threads/release-kit-kat-the-ultimate-3ds-toolkit-pc-client.453015/

Deleted User

Guest
I need to have a password manager, so I currently use Google's built-in one. XD. I'll use another one in the future, but for now Google works for me (and they say don't be evil).
Try LastPass or KeePass. I use LastPass and can vouch, but KeePass lets you use it on your phone, so I may switch.
 

mathieulh

Well-Known Member
Member
Joined
Feb 28, 2008
Messages
378
Trophies
0
Website
keybase.io
XP
897
Country
France
What's the meaning of this PGP stuff in your posts?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

It is meant to sign my message using an asymmetric cryptographic algorithm (RSA to be precise), that way anyone using PGP (or an open source implementation of it) can verify that I am the author of the messages or that those have not been edited. If the messages do get edited, the signature will not match so someone will know something is off.
Given that my private PGP subkeys are stored on a PIN protected Secure Access Module, it is not present on a computer/phone and therefore cannot be stolen, ensuring only someone having physical access to the SAM as well as knowing the right PIN can sign any messages using the key associated with my PGP fingerprint.
In the event that my account is compromised, a hacker will not be able to forge my posts' signature and therefore will not be able to impersonate me.

More on the matter and the tools in use can be found here:

https://en.wikipedia.org/wiki/Pretty_Good_Privacy
https://en.wikipedia.org/wiki/GNU_Privacy_Guard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
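
The behaviour described in the post above, as an added example that is not part of the original thread or the poster's own setup: a throwaway GnuPG key in a temporary keyring clearsigns a short message, then `gpg --verify` is run on the untouched copy and on an edited one. The identity, file names and the `demo_clearsign` and `verify_status` functions are assumptions made for the demo; it needs GnuPG 2.1 or later.

```bash
#!/usr/bin/env bash
# Added example: clearsign a message with a throwaway key, then verify the
# original and an edited copy. Uses a temporary keyring, not your real one.

verify_status() {
  # gpg --verify exits 0 for a good signature, non-zero otherwise.
  if gpg --batch --verify "$1" 2>/dev/null; then echo good; else echo bad; fi
}

demo_clearsign() {
  home=$(mktemp -d) || return 2
  chmod 700 "$home"
  export GNUPGHOME="$home"

  # Constructed identity. The empty passphrase is for the demo only; the
  # poster's real key sits behind a PIN on a hardware module.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Poster <poster@example.invalid>' \
      rsa2048 sign 1d 2>/dev/null || return 2

  printf 'If this post gets edited, the signature will not match.\n' \
      > "$home/post.txt"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --digest-algo SHA256 --output "$home/post.asc" \
      --clearsign "$home/post.txt" 2>/dev/null || return 2

  original=$(verify_status "$home/post.asc")

  # Simulate someone with forum access editing the visible text while
  # leaving the signature block untouched.
  sed 's/will not match/will still match/' "$home/post.asc" \
      > "$home/edited.asc"
  edited=$(verify_status "$home/edited.asc")

  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
  unset GNUPGHOME
  echo "original=$original edited=$edited"
}

demo_clearsign
```

A reader checking a real post would import the poster's public key and confirm its fingerprint through a separate channel before trusting a "good" result.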
 

AdmiralSpeedy

Well-Known Member
Member
Joined
Apr 4, 2016
Messages
152
Trophies
0
Age
28
XP
191
Country
Canada
Care to actually let us know what other site was hacked? It's entirely possible some of us have accounts there that we no longer use and don't remember...
 
Deleted User

Guest
Care to actually let us know what other site was hacked? It's entirely possible some of us have accounts there that we no longer use and don't remember...
The most I heard, it was one of those pirate-y sites. The only one I can think of is snip since it's the most popular. If you have any pirate accounts, just change all of 'em to be safe.
 
Last edited by Chary,

the_randomizer

The Temp's official fox whisperer
Member
Joined
Apr 29, 2011
Messages
31,284
Trophies
2
Age
38
Location
Dr. Wahwee's castle
XP
18,969
Country
United States
Care to actually let us know what other site was hacked? It's entirely possible some of us have accounts there that we no longer use and don't remember...

ISO sites primarily, you know, a specific list of ISO sites if you catch my drift, without actually saying the name itself, heh. A particular site was hacked not too long ago.
 

TeamScriptKiddies

Licensed Nintendo (indie) Game Developer
Member
Joined
Apr 3, 2014
Messages
1,970
Trophies
0
Age
36
Location
Planet Earth :P
XP
1,703
Country
United States
When will there be SSL for all logged in users and password related tasks? It's easy to hijack an account, the website has a service that sends what you need every so often as well.

Just download the Firefox/Chrome extension HTTPS Everywhere for now, it forces SSL encryption on all websites you visit, whether the site supports it or not.

@Costello Thanks for swiftly addressing the situation!
 

Minox

Thanks for the fish
Former Staff
Joined
Aug 27, 2007
Messages
6,995
Trophies
2
XP
6,155
Country
Japan
Just download the Firefox/Chrome extension HTTPS Everywhere for now, it forces SSL encryption on all websites you visit, whether the site supports it or not.
It forces HTTPS if possible; if it's not supported, it can't magically cause the website to work with HTTPS.

GBAtemp has HTTPS support though.
 