# Addressing the recent user account hack scare



## Sonic Angel Knight (Jan 12, 2017)

Thank you, sir, for the notice and for handling things; I appreciate the information and hard work you have displayed. Also, sorry for the crisis in the first place, and I wish it wouldn't happen again.


----------



## Alex4U (Jan 12, 2017)

Why would hackers do things like this?
Also, thanks for the notice, I was so spooked.


----------



## Dayfid (Jan 12, 2017)

Thanks for taking care of the problem.


----------



## Boured (Jan 12, 2017)

Hopefully it gets better, and hopefully we can recover and people like Aurora Wright can recover from it.


----------



## The Catboy (Jan 12, 2017)

I am more worried about Aurora Wright and her project. Please do something for her account!


----------



## LittleFlame (Jan 12, 2017)

thanks for shutting this baloney down


----------



## ThisIsDaAccount (Jan 12, 2017)

Thank you for everything, but sadly it appears that AuroraWright's account and her luma3ds page are still defaced. Any chance to restore them? The repo is obviously down until she puts it back up herself, but it would probably be for the best to restore her avatar and remove the video from the luma3ds OP.


----------



## proflayton123 (Jan 12, 2017)

Maybe it was the ninty ninjas getting revenge, probably.


----------



## Modder (Jan 12, 2017)

Thanks for explaining, I feel a lot better about the situation now.


----------



## Seriel (Jan 12, 2017)

Mods, can you please suspend the affected accounts until the original owners come online and prove their identity?


----------



## Edgedancer (Jan 12, 2017)

Thanks for the prompt and upfront response Costello!


----------



## Deleted User (Jan 12, 2017)

Thank you *so much* for enabling 2FA.

Back into hiding I go now lmao


----------



## grossaffe (Jan 12, 2017)

proflayton123 said:


> Maybe it was the ninty ninjas getting revenge, probably.


If Nintendo's Ninjas had struck, the only evidence would be the fact that some people had vanished without a trace.


----------



## TheCruel (Jan 12, 2017)

FYI, If I do anything unusual soon, I'm not hacked. I just took a couple hits of LSD and NBOMe.


----------



## proflayton123 (Jan 12, 2017)

grossaffe said:


> If Nintendo's Ninjas had struck, the only evidence would be the fact that some people had vanished without a trace.



It's interesting about Aurora's GitHub though.


----------



## Blue (Jan 12, 2017)

Maybe the people with compromised accounts should have their original account banned and be given a new one?


----------



## Sonic Angel Knight (Jan 12, 2017)

I know this isn't about the account hijacking, but I noticed this problem after returning, so I'm just pointing it out.
My toolbar keeps getting shortened when I load pages; it's random and makes it hard to check my notifications. The links also keep getting compressed into a drop-down box.


----------



## osaka35 (Jan 12, 2017)

thanks for the heads-up and the update, it's appreciated


----------



## ihaveahax (Jan 12, 2017)

Sonic Angel Knight said:


> I know this isn't about the account hijacking, but I noticed this problem after returning, so I'm just pointing it out.
> My toolbar keeps getting shortened when I load pages; it's random and makes it hard to check my notifications. The links also keep getting compressed into a drop-down box.


This is happening to me too after the maintenance.


----------



## Seriel (Jan 12, 2017)

I'm not having this issue.


----------



## Modder (Jan 12, 2017)

Aqib Ali said:


> Maybe the people with compromised accounts should have their original account banned and be given a new one?


No, I don't think that's a good solution. They'd have to start from scratch, which I don't think many people would want to do...


----------



## Akira (Jan 12, 2017)

ihaveamac said:


> This is happening to me too after the maintenance.


Same here. I'm on macOS Sierra and using Mozilla Firefox.


----------



## Blue (Jan 12, 2017)

Modder said:


> No, I don't think that's a good solution. They'd have to start from scratch, which I don't think many people would want to do...


Carry over ranks/post count? Better than having an account that isn't usable.


----------



## Modder (Jan 12, 2017)

Aqib Ali said:


> Carry over ranks/post count? Better than having an account that isn't usable.


Carrying over all of their posts sounds like more trouble than it's worth, to be honest.


----------



## Jayro (Jan 12, 2017)

Thank you Costello. I've changed my password.


----------



## Deleted User (Jan 12, 2017)

Things like this and the Aurora Wright GitHub for Luma3DS are what I warned @ShinyMK about with his forced auto-updater.


----------



## Dr.Hacknik (Jan 12, 2017)

Thanks for the reassuring post. This clears up a lot of stuff, and the scare.


----------



## Costello (Jan 12, 2017)

as I said in the OP -



> Some components of the forum software have been updated and following this update, several addons have ceased functioning. If you see anything that isn't working as expected, please use our Site discussions and suggestions forum to report the issue.


----------



## Mikemk (Jan 12, 2017)

Akira said:


> Same here. I'm on macOS Sierra and using Mozilla Firefox.


Same here, but only when a red number appears. Chrome/Windows 10


----------



## tech3475 (Jan 12, 2017)

I'd suggest people start using a password manager of some kind which supports a password generator.

It may make life a bit harder, but at least it reduces the risk of a hacked site causing worse issues elsewhere.


----------



## the_randomizer (Jan 12, 2017)

Trying to get an authentication code from the Google app; it's giving me "unspecified error". What? Why?


----------



## CeeDee (Jan 12, 2017)

No major bugs noticed here (iPad, Safari) Will try on computer later.

Only changes noticed are that the image next to each forum on http://gbatemp.net/forums has been changed, and the iOS/mobile favorites icon has been reverted to a generic xenforo one.


----------



## the_randomizer (Jan 12, 2017)

Two step verification is not working when I enter the code from the app, please advise.


----------



## Frederica Bernkastel (Jan 12, 2017)

Thanks for this, and I appreciate the transparency.


----------



## Modder (Jan 12, 2017)

the_randomizer said:


> Two step verification is not working when I enter the code from the app, please advise.


Bro, the admin literally said to report bugs in the Site discussions and suggestions forum, not here. >_>


----------



## andibad (Jan 12, 2017)

Thank you for the confirmation.

I should routinely look up my account passwords before it's too late to take action. 2 months ago someone tried logging into one of my email accounts (1 attempt failed, 1 logged in); it's my fault for still using an old password (the main cause came from leaked data from pp.org and that ISO site). I'm not too worried about it since that email only stores my old stuff (not really important) and didn't compromise my primary account.


----------



## Psionic Roshambo (Jan 12, 2017)

It was those Amish hackers....


----------



## MarioMasta64 (Jan 12, 2017)

proflayton123 said:


> Its interesting about auoras github tho


They'd just DMCA rather than suggest rxTools, though.


----------



## Maplemage (Jan 12, 2017)

Sombra, the door.


----------



## Patxinco (Jan 12, 2017)

Wow, first notice about the issue, hope the hacked accounts get back to their original owners...

As someone suggests up here, get a password manager, it's just 1 minute more and it's hella secure, or get the 2FA too.

Thanks @Costello for your information, some forum admins should learn from you...


----------



## MarioMasta64 (Jan 12, 2017)

Patxinco said:


> Wow, first notice about the issue, hope the hacked accounts get back to their original owners...
> 
> As someone suggests up here, get a password manager, it's just 1 minute more and it's hella secure, or get the 2FA too.
> 
> Thanks @Costello for your information, some forum admins should learn from you...


Here, have some safety: rJOK12G7aM7424Rg1%MI (I agree)


----------



## proflayton123 (Jan 12, 2017)

Everyone should change their passwords.


----------



## MarioMasta64 (Jan 12, 2017)

I just got logged out o.o Also, apparently PowerFirm is an older version of A9LH, so meh, some PowerFirm/rxTools fanboy seems to hate that A9LH and Luma3DS took its place.


----------



## vedekandy (Jan 12, 2017)

Thanks for the heads up - this kind of thing happens all over the place all the time, but at least they're good enough here to warn us/keep us informed. Easier to spend 2 minutes changing a password now than getting screwed over later down the line without knowing!


----------



## MarioMasta64 (Jan 12, 2017)

vedekandy said:


> Thanks for the heads up - this kind of thing happens all over the place all the time, but at least they're good enough here to warn us/keep us informed. Easier to spend 2 minutes changing a password now than getting screwed over later down the line without knowing!


Indeed.


----------



## Sonic Angel Knight (Jan 12, 2017)

I was about to question why the site has two administrators, but now I don't think I should; it's obviously for help. Just not many sites I know have more than one on the same rank.


----------



## JordenNixNix (Jan 12, 2017)

Thanks for the mail to inform me about the problem.
How can I change my password when I used to log in with Facebook on this site?

If I go to the two-step verification panel, I must give my current password, but it always fails (even when I give my Facebook password).
Is there an alternative to change my password? And since I log in with Facebook, is my Facebook page vulnerable as well?


----------



## DavidRO99 (Jan 12, 2017)

I FOUND AN ISSUE
http://s347.photobucket.com/user/da...t 11.14.54 AM_zpsj56g52n6.png.html?sort=3&o=0


----------



## MarioMasta64 (Jan 12, 2017)

DavidRO99 said:


> I FOUND AN ISSUE
> http://s347.photobucket.com/user/davidro99/media/Screen Shot 2017-01-12 at 11.14.54 AM_zpsj56g52n6.png.html?sort=3&o=0


XenForo is the 2FA provider for GBAtemp.


----------



## InsaneNutter (Jan 12, 2017)

You really should have a unique password for everything you sign up to online. That way if a site gets hacked, such as a forum, it's not a big deal to you personally: change your password and move on.

You can also enter your email address on https://haveibeenpwned.com/ and it will show you which data breaches your email address / password have been included in.

For some context, I've been included in some pretty large data breaches:

- Adobe
- Dropbox
- Epic Games
- MoDaCo
- OVH
- Plex
- Trillian
- vBulletin

If it can happen to Adobe and Dropbox, then it could happen to anyone.

Enabling two-factor authentication on modern sites which support it really helps too; even if someone obtains your username and password, it's pretty much useless to them unless you use the same password everywhere.


----------



## DavidRO99 (Jan 12, 2017)

MarioMasta64 said:


> XenForo is the 2FA provider for GBAtemp.


Wrong, XenForo is the whole forum base, I was just pointing out that the image is default, also all the topics like xbox and art are default images.


----------



## atomsk (Jan 12, 2017)

Thanks for the notice. Make sure you use different passwords for each site.


----------



## MarioMasta64 (Jan 12, 2017)

atomsk said:


> Thanks for the notice. Make sure you use different passwords for each site. @Costello any chance of enabling 2-factor on the site?


It's already enabled; go to settings.

--------------------- MERGED ---------------------------



InsaneNutter said:


> You really should have a unique password for everything you sign up to online. That way if a site gets hacked, such as a forum, it's not a big deal to you personally: change your password and move on.
> 
> You can also enter your email address on https://haveibeenpwned.com/ and it will show you which data breaches your email address / password have been included in.
> 
> ...



I see .3.


----------



## proflayton123 (Jan 12, 2017)

The notification thing is being weird for Me


----------



## MarioMasta64 (Jan 12, 2017)

proflayton123 said:


> The notification thing is being weird for Me


an everyone problem.


----------



## Seriel (Jan 12, 2017)

MarioMasta64 said:


> an everyone problem.


Everyone except me it seems.
Maybe it would help if you all posted your OS and browser + version in the thread for the issue.
Might help pin down the cause.


----------



## Slattz (Jan 12, 2017)

Erm... I don't think I got an email. Perhaps they are still being sent out?


----------



## Goombi (Jan 12, 2017)

2FA enabled. Thanks for the notice.
I also experience weird behavior of the top right bar, nothing more I noticed.


----------



## MarioMasta64 (Jan 12, 2017)

Seriel said:


> Everyone except me it seems.
> Maybe it would help if you all posted your OS and browser + version in the thread for the issue.
> Might help pin down the cause.


Linux Mint 18.1, latest Firefox (it didn't happen till after the breach). I'm assuming they reloaded the site, as a lot of the layouts and such have turned like the older GBAtemp.


----------



## Seriel (Jan 12, 2017)

Slattz said:


> Erm... I don't think I got an email. Perhaps they are still being sent out?


Sending the same email to 355,511 different registered members takes a while.
I haven't got mine either, it'll arrive in a bit, although I suspect it has the same info as this thread anyway.


----------



## xstationbr (Jan 12, 2017)

I have updated now, thanks.
I updated to
Cypher121212$

LOL, just a joke.


----------



## Seriel (Jan 12, 2017)

MarioMasta64 said:


> Linux Mint 18.1, latest Firefox (it didn't happen till after the breach). I'm assuming they reloaded the site, as a lot of the layouts and such have turned like the older GBAtemp.


Strange, I'm using the latest Firefox on Windows atm without issues.
I also haven't seen any regressions, can you point some out?


----------



## proflayton123 (Jan 12, 2017)

iOS 10.1 Safari


----------



## MarioMasta64 (Jan 12, 2017)

Seriel said:


> Strange, I'm using the latest Firefox on Windows atm without issues.
> I also haven't seen any regressions, can you point some out?


byebye bar


----------



## Slattz (Jan 12, 2017)

Seriel said:


> Sending the same email to 355,511 different registered members takes a while.
> I haven't got mine either, it'll arrive in a bit, although I suspect it has the same info as this thread anyway.


Yea, I thought that. Kinda shitty for AuroraWright though :/


----------



## Seriel (Jan 12, 2017)

LittleFlame said:


> @Seriel stop fearmongering we all want our moment of fame but this is not how you do it


Can you not.
I don't give two shits about "fame" or attention or any nonsense.
I'm just helping fellow tempers as one of them. If anything you're the one trying to get fame with your "cool" post about how I need to calm down.
Seriously just chill already, I'm not trying to scare anyone, everything is fine I'm just helping people debug issues.

But sure fine if you don't want anything to ever be resolved then so be it.


----------



## Bladexdsl (Jan 12, 2017)

That 2-step verification was annoying me so I turned it off. My account's fine; I don't go to them illegal ROM/ISO sites (I use Usenet).


----------



## pixelmasher (Jan 12, 2017)

Isn't this a violation of CFAA?


----------



## Deleted User (Jan 12, 2017)

Man, this is not what I wanted to wake up to this morning...

Then again, it's the internet, so I'm not overly surprised; you're pretty much guaranteed to encounter low-lifes who spoil it for the many just for the fun of it.


----------



## AlucardjX (Jan 12, 2017)

Password changed and enabled the two-step method. I am sorry for Aurora. Thanks to the admin for the prompt contact! Hope all returns to normal...


----------



## RedBlueGreen (Jan 12, 2017)

Can anyone recommend a good safe password manager? By safe I mean one that's not going to steal the passwords.


----------



## Seriel (Jan 12, 2017)

RedBlueGreen said:


> Can anyone recommend a good safe password manager? By safe I mean one that's not going to steal the passwords.


Lastpass.


----------



## WiiUBricker (Jan 12, 2017)

RedBlueGreen said:


> Can anyone recommend a good safe password manager? By safe I mean one that's not going to steal the passwords.


Yes, yourself. Just randomly type on your keyboard until you have created a long password and then manually insert special characters to it to give it a bit more spice. Then save it to a document and encrypt it with another password generated the same way. This is your master password. Then you encrypt your encrypted password with another randomly generated password. This is your Grandmaster password. Print your grandmaster and master passwords and lock it in a safe place. Alternatively, you can try to memorize them.


----------



## KingVamp (Jan 12, 2017)

Well, I never signed up for a ROM site and I actually recently changed my password. So, I should be good.


----------



## RedBlueGreen (Jan 12, 2017)

WiiUBricker said:


> Yes, yourself. Just randomly type on your keyboard until you have created a long password and then manually insert special characters to it to give it a bit more spice. Then save it to a document and encrypt it with another password generated the same way. This is your master password. Then you encrypt your encrypted password with another randomly generated password. This is your Grandmaster password. Print your grandmaster and master passwords and lock it in a safe place. Alternatively, you can try to memorize them.


But what if I have an evil twin who shares all of my knowledge and they get the passwords?


----------



## mathieulh (Jan 12, 2017)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

It's a shame that GBAtemp administrators have had to wait until this whole debacle showed up on their doorstep to implement two-factor authentication; site administrators need to be proactive with their security and not wait for things to happen.

Why can we only use facebook as an external site? Google authentication (which supports U2F) is a whole lot more secure than facebook's (or gbatemp's for that matter) and would have been a better choice.

P.S. I am signing this message with my PGP key just so you can ensure my account is not compromised and I am actually the one writing this post.


----------



## WiiUBricker (Jan 12, 2017)

RedBlueGreen said:


> But what if I have an evil twin who shares all of my knowledge and they get the passwords?


That's not possible. Unless you believe in a multiverse.


----------



## AskaLangly (Jan 12, 2017)

Emails taking nearly an hour to arrive; one to reset password, one to activate 2FA via email.


----------



## mrissaoussama (Jan 12, 2017)

How do I know my password if I signed in with Facebook?


----------



## WiiUBricker (Jan 12, 2017)

mrissaoussama said:


> How do I know my password if I signed in with Facebook?


You sign in via Facebook. If your Facebook is not compromised, I wouldn't worry.


----------



## HyperT (Jan 12, 2017)

Seriel said:


> I'm not having this issue.


Scroll down before page fully loads


----------



## mrissaoussama (Jan 12, 2017)

WiiUBricker said:


> You sign in via Facebook. If your Facebook is not compromised, I wouldn't worry.


You mean they would have access to my Facebook?


----------



## WiiUBricker (Jan 12, 2017)

mrissaoussama said:


> You mean they would have access to my Facebook?


No. What I mean is if they hack your Facebook (know your Facebook login details) they can log in to your GBAtemp account.


----------



## Aletron9000 (Jan 12, 2017)

I changed my GBATemp password. So, I should probably change all of my accounts with the same password right?

Ugh, I hate those type of hackers.


----------



## HyperT (Jan 12, 2017)

Aletron9000 said:


> I changed my GBATemp password. So, I should probably change all of my accounts with the same password right?
> 
> Ugh, I hate those type of hackers.


You should anyway. Don't believe they got anything from GBA unless they got into an admin account...


----------



## WiiUBricker (Jan 12, 2017)

WiiUBricker said:


> Yes, yourself. Just randomly type on your keyboard until you have created a long password and then manually insert special characters to it to give it a bit more spice. Then save it to a document and encrypt it with another password generated the same way. This is your master password. Then you encrypt your encrypted password with another randomly generated password. This is your Grandmaster password. Print your grandmaster and master passwords and lock it in a safe place. Alternatively, you can try to memorize them.


@RedBlueGreen Edit: Another possibility would be to create a QR code of your Master and Grandmaster passwords and tattoo it to a well hidden place.


----------



## seijinshu (Jan 12, 2017)

This is why passwords are not meant to be good on those ROM sites, let alone anything like your good passwords.
My good stuff is like ofjdhisocnrq193(626195)*:&2(_96$: (on phone, too lazy to mix those up)
And those ROM site passwords are like
b0i$
Note: example passwords. My passwords are much better.


----------



## Maximilious (Jan 12, 2017)

I didn't even know 2FA was an option here - Thanks!


----------



## wprpalmeida (Jan 12, 2017)

what site was it? was it that paradise?


----------



## Tomy Sakazaki (Jan 12, 2017)

wprpalmeida said:


> what site was it? was it that paradise?


That iso network.


----------



## wprpalmeida (Jan 12, 2017)

Tomy Sakazaki said:


> That iso network.


phew, my acct there is completely different


----------



## AgentAntz (Jan 12, 2017)

Costello said:


> Dear GBAtemp members and visitors,
> 
> It has come to our attention that over the past two days, a person has somehow been able to access a few user accounts on our forums. Shortly after, rumors started blossoming regarding a possible site/forum/database hack or a password leak. *After an extensive search into server logs and lookup tools we have no reason to believe that any part of our site has been compromised*.
> 
> ...



Can someone please take that stupid video off of AuroraWright's original post. It's a slap in the face to her hard work.


----------



## kuwanger (Jan 12, 2017)

2FA sounds nice but is too much of a PITA to use on most sites, especially if you often browse in incognito mode and/or actively log out of web sites ASAP (to reduce the chance of cookie/session key replay attacks).  Perhaps I'd feel differently if it weren't the case that I use randomly generated passwords and hence I should only really be vulnerable if (1) my system is compromised (for which 2FA may be of little help), (2) some part of the chain of identification could be MITM (*cough*where's the SSL?*cough*), or (3) the website itself is either compromised or allows for brute force attacking accounts.  For (1), I'm as much to blame as if I were using a weak password or reusing passwords.  But for (2) and (3), well that's a poor excuse for me, the user, to go out of my way to try to mitigate what should be being done properly on the website end.

PS - By no means is this meant to be chastising anyone (Aurora Wright or GBATemp.net's admins).  I just think that 2FA is often overkill and really misses the point:  whatever system you use, you have to figure out what the real weakness is/should be.  If the issue fundamentally is a weak password, deal with that.  If it's that it's too easy for others to snoop the password, deal with that.  If the server is so readily compromised, deal with that.  If all of that's been well addressed and 2FA still makes sense, do that.  Otherwise, well, they'll just compromise the weakest part (hack your email account, reset passwords, and then 2FA can become a joke) which actually makes the situation worse. :/


----------



## About7fish (Jan 12, 2017)

Now where would've they gotten a list of unencrypted usernames and passwords? :^)

In all seriousness, the password I've been using was burned long ago so this change is overdue anyway.


----------



## The Catboy (Jan 12, 2017)

HyperT said:


> You should anyway. Don't believe they got anything from GBA unless they got into an admin account...


Costello's account is fine. 
GBATemp itself wasn't compromised, but some _ISO site_ was.
I honestly suggest people stop using _that iso site_. They appear to have some pretty shitty security going on over there. If you do it, use a throwaway account/password.


----------



## streetbrawler123 (Jan 12, 2017)

Thank you. Changed my password =D


----------



## MarioMasta64 (Jan 12, 2017)

WiiUBricker said:


> Yes, yourself. Just randomly type on your keyboard until you have created a long password and then manually insert special characters to it to give it a bit more spice. Then save it to a document and encrypt it with another password generated the same way. This is your master password. Then you encrypt your encrypted password with another randomly generated password. This is your Grandmaster password. Print your grandmaster and master passwords and lock it in a safe place. Alternatively, you can try to memorize them.


omg that's exactly what I do lol


----------



## Coto (Jan 12, 2017)

@Costello OK, time to password change then


----------



## BIFFTAZ (Jan 12, 2017)

For sites like that ISO site and the like, I use 10 minute mail, a different user name, and a random pass at the time of signing up.


----------



## iAqua (Jan 12, 2017)

Thanks for this.


----------



## mathieulh (Jan 12, 2017)

kuwanger said:


> 2FA sounds nice but is too much of a PITA to use on most sites, especially if you often browse in incognito mode and/or actively log out of web sites ASAP (to reduce the chance of cookie/session key replay attacks).  Perhaps I'd feel differently if it weren't the case that I use randomly generated passwords and hence I should only really be vulnerable if (1) my system is compromised (for which 2FA may be of little help), (2) some part of the chain of identification could be MITM (*cough*where's the SSL?*cough*), or (3) the website itself is either compromised or allows for brute force attacking accounts.  For (1), I'm as much to blame as if I were using a weak password or reusing passwords.  But for (2) and (3), well that's a poor excuse for me, the user, to go out of my way to try to mitigate what should be being done properly on the website end.
> 
> PS - By no means is this meant to be chastising anyone (Aurora Wright or GBATemp.net's admins).  I just think that 2FA is often overkill and really misses the point:  whatever system you use, you have to figure out what the real weakness is/should be.  If the issue fundamentally is a weak password, deal with that.  If it's that it's too easy for others to snoop the password, deal with that.  If the server is so readily compromised, deal with that.  If all of that's been well addressed and 2FA still makes sense, do that.  Otherwise, well, they'll just compromise the weakest part (hack your email account, reset passwords, and then 2FA can become a joke) which actually makes the situation worse. :/



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

2FA is never overkill. The use of U2F can mitigate your convenience issue.
I will add that centralizing passwords is a bad idea.

In my eyes there should be no compromises when security is involved.


----------



## Deleted User (Jan 12, 2017)

Oh _that iso site_ phew, got scared for a second.


----------



## ßleck (Jan 12, 2017)

I'm not changing my fucking password, come at me leet haxors.


----------



## TehCupcakes (Jan 12, 2017)

I don't really feel the need to use 2-factor authentication on a site where I have a nil-value account. (E.g. GBATemp)

Thanks for the notice, though. I really appreciate the transparency. I am curious though which site got hacked. (It's not like there's only one iso site. ) I realize you probably can't say the name of the site, but how "recent" are we talking? Does haveibeenpwned know about it?


----------



## HyperT (Jan 12, 2017)

Crystal the Glaceon said:


> Costello's account is fine.
> GBATemp itself wasn't compromised, but some _ISO site_ was.
> I honestly suggest people stop using _that iso site_. They appear to have some pretty shitty security going on over there. If you do it, use a throwaway account/password.


There was something that may have been an admin account posted on a thread here before the site was taken down. Wasn't going to mention that as I didn't want to re-muddy the waters.


----------



## The Catboy (Jan 12, 2017)

I would like to post these links here for those worried about Luma3DS. These are the latest builds, tested by myself personally:

- https://3ds.guide/images/Luma-1eb18c17.zip (source to link)
- http://astronautlevel2.github.io/Luma3DS/builds/Luma-1eb18c17.zip (source to link)
- http://mirror.gs2012.xyz/3DS/CFW/Luma3DS-AuReiNand/Luma3DSv6.6.7z (source to link)

I really hope Aurora Wright gets her accounts back up and running again. This was just a horrible thing to happen to such an amazing person.

I will be attempting to mirror all safe links on my sticky until this mess is cleaned up:
http://gbatemp.net/threads/faq-what-cfw-is-best-for-me.428509/


----------



## Deleted User (Jan 12, 2017)

Thanks


----------



## mathieulh (Jan 12, 2017)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Speaking of the devil, https support, when? This is 2017 you know?


----------



## Minox (Jan 12, 2017)

mathieulh said:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Speaking of the devil, https support, when? This is 2017 you know?
> ...


HTTPS support has been enabled for ages. It's just that people can choose not to use it.


----------



## Deleted User (Jan 12, 2017)

Now I don't have permission to view my warnings. What?


----------



## mathieulh (Jan 12, 2017)

Minox said:


> HTTPS support has been enabled for ages. It's just that people can choose not to use it.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Indeed, it appears that my workplace's Palo Alto firewall was blocking https://gbatemp.net for some reason; it's now fixed.


----------



## WiiUBricker (Jan 12, 2017)

What's the meaning of this PGP stuff in your posts?


----------



## Procyon (Jan 12, 2017)

How would I find my other places/accounts, I know some shit sites with the same passwords, but I don't use those games anymore.


----------



## Deleted User (Jan 12, 2017)

WiiUBricker said:


> What's the meaning of this PGP stuff in your posts?


I think it's to verify his posts, like if he gets hacked.


----------



## Viri (Jan 12, 2017)

I changed my password, but I checked which password I used before and which one I used on dat iso site, and yeah, Idc, it's just some pass I use for non-important things. I would never use that pass for my emails and such.


----------



## PRAGMA (Jan 12, 2017)

LiveLatios said:


> things like this and the aurora wright github for Luma3DS are what i warned @ShinyMK about with his forced auto-updater


You realize if I were to get hacked, it wouldn't make a difference, right? Because my source code is hosted on GitHub using a 12-character unique password. So trust me, it's safe.


----------



## doughmay (Jan 12, 2017)

Thanks for looking out for us! 


Sent from my iPhone using Tapatalk


----------



## Deleted User (Jan 12, 2017)

ShinyMK said:


> You realize if I were to get hacked, it wouldn't make a difference, right? Because my source code is hosted on GitHub using a 12-character unique password. So trust me, it's safe.


Luma was also on GitHub; it got hacked and the source code got compromised.


----------



## PRAGMA (Jan 12, 2017)

LiveLatios said:


> Luma was also on GitHub; it got hacked and the source code got compromised.


Probs from Aurora using the same pass on that iso site. I don't even use the same password on that iso site. I have 3 passwords:
"CodeRedPassword", "RegularPassword" and "DontGiveaFuckPassword".
I use my 12-character CodeRed password for GitHub and Steam and my main email, my regular password on GBAtemp etc., and my DontGiveaFuckPassword on 3DSIso etc.
Proof it's a "Dontgiveafuckpassword": I give 0 fucks about the accounts using it, so I don't even care if the password is public. So here you go: the dgaf password is "dontsqlme99".


----------



## nedron92 (Jan 12, 2017)

Nice variation in the use of passwords xD 
I have **** too many different passwords, all are 20 chars+, each is unique and I use NO password manager.
Yes, it's kind of a system I use to build my passwords, so I can remember them ^^. 
Thought more about 1-2 weeks to create a system which fits my needs (special chars, more than 15 chars, numbers, upper- and lowercase chars) and I can remember  
My password manager is my brain and if I akes.. I can "forget" passwords easily xD


----------



## flame1234 (Jan 12, 2017)

I just use the random password reset password it gave me when I forgot my password (8 random letters and numbers). I don't use that at any other sites.
Maybe I shouldn't do this as it was sent (a while ago) in plaintext over email.


----------



## Procyon (Jan 12, 2017)

flame1234 said:


> I just use the random password reset password it gave me when I forgot my password (8 random letters and numbers). I don't use that at any other sites.
> Maybe I shouldn't do this as it was sent (a while ago) in plaintext over email.



Never use that, always change them...


----------



## Saiyan Lusitano (Jan 12, 2017)

Thank you for the email, GBATemp Team.

I've changed my password.


----------



## Procyon (Jan 12, 2017)

Me too, I forgot it already


----------



## SirHaxALot (Jan 12, 2017)

@Costello "Error" report: The tags of the thread are completely f...ed up, example: https://gbatemp.net/threads/release-kit-kat-the-ultimate-3ds-toolkit-pc-client.453015/


----------



## WhiteMaze (Jan 12, 2017)

Saiyan Lusitano said:


> Thank you for the email, GBATemp Team.
> 
> I've changed my password.





Procyon said:


> *Me too, I forgot it already*



Made me burst out laughing. Here's a like.


----------



## Procyon (Jan 12, 2017)

WhiteMaze said:


> Made me burst out laughing. Here's a like.



I need to have a password manager, so I currently use Google's built-in one. XD. I'll use another one in the future, but for now Google works for me (and they say don't be evil).


----------



## Deleted User (Jan 12, 2017)

Procyon said:


> I need to have a password manager, so I currently use Google's built-in one. XD. I'll use another one in the future, but for now Google works for me (and they say don't be evil).


Try LastPass or KeePass. I use LastPass and can vouch, but KeePass lets you use it on your phone, so I may switch.


----------



## Procyon (Jan 12, 2017)

OsamaTookMyCat said:


> Try LastPass or KeePass. I use LastPass and can vouch, but KeePass lets you use it on your phone, so I may switch.



Are they free?


----------



## gudenau (Jan 12, 2017)

When will there be SSL for all logged-in users and password-related tasks? It's easy to hijack an account; the website has a service that sends what you need every so often as well.


----------



## Deleted User (Jan 12, 2017)

Procyon said:


> Are they free?


Yeah, but you need LastPass premium to use the phone app IIRC


----------



## Procyon (Jan 12, 2017)

OsamaTookMyCat said:


> Yeah, but you need LastPass premium to use the phone app IIRC



and Keepass?


----------



## Deleted User (Jan 12, 2017)

Procyon said:


> and Keepass?


Free for both PC and phone.


----------



## mathieulh (Jan 12, 2017)

WiiUBricker said:


> What's the meaning of this PGP stuff in your posts?




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

It is meant to sign my message using an asymmetric cryptographic algorithm (RSA to be precise), that way anyone using PGP (or an open source implementation of it) can verify that I am the author of the messages or that those have not been edited. If the messages do get edited, the signature will not match so someone will know something is off.
Given that my private PGP subkeys are stored on a PIN protected Secure Access Module, it is not present on a computer/phone and therefore cannot be stolen, ensuring only someone having physical access to the SAM as well as knowing the right PIN can sign any messages using the key associated with my PGP fingerprint. 
In the event that my account is compromised, a hacker will not be able to forge my posts signature and therefore will not be able to impersonate me.

More on the matter and the tools in use can be found here: 

https://en.wikipedia.org/wiki/Pretty_Good_Privacy
https://en.wikipedia.org/wiki/GNU_Privacy_Guard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd6dZAAoJEKa4nBz3AlII35IIAILVch+CEQ4yPlcN911BiNQe
uP6lk8HSCVcrUsbQsUWCVdJai9IP2MxhYtLvZh5oGLJsPYjzp8zj1fKC7JLl4VJa
dSPCLisG784pwrDGTocaxfiSgdtgKIO6ubsTC3sqzevEjaWXKx24QNIaVmO8y0ml
qVT39HGLVUptKb3U58AfHNqz9emZ2P6bqUhYVlsNZ3BrBC8j3SDDU0F0Y4Cceuba
Kx4wyS1FFsOEbywvcwS+kjxK0GDD8Qxl4Iwsthf0RUs/rKbzHoIrWG4jv5lU4S89
Dqm0htBjQpRUn7YKO8+4LZ3XGQwr8m+fiXjDJk3sh3TX2QqNmIFbhhFCPHyPBuM=
=tpT8
-----END PGP SIGNATURE-----


----------



## AdmiralSpeedy (Jan 12, 2017)

Care to actually let us know what other site was hacked? It's entirely possible some of us have accounts there that we no longer use and don't remember...


----------



## Deleted User (Jan 12, 2017)

AdmiralSpeedy said:


> Care to actually let us know what other site was hacked? It's entirely possible some of us have accounts there that we no longer use and don't remember...


The most I heard, it was one of those pirate-y sites. The only one I can think of is snip since it's the most popular. If you have any pirate accounts, just change all of 'em to be safe.


----------



## the_randomizer (Jan 12, 2017)

AdmiralSpeedy said:


> Care to actually let us know what other site was hacked? It's entirely possible some of us have accounts there that we no longer use and don't remember...



ISO sites primarily, you know, a specific list of ISO sites if you catch my drift, without actually saying the name itself, heh. A particular site was hacked not too long ago.


----------



## TeamScriptKiddies (Jan 12, 2017)

gudenaurock said:


> When will there be SSL for all logged in users and password related tasks? It's easy to hijack an account, the website has a service that sends what you need every so often as well.



Just download the Firefox/Chrome extension HTTPS Everywhere for now. It forces SSL encryption on all websites you visit, whether the site supports it or not.

@Costello Thanks for swiftly addressing the situation!


----------



## Minox (Jan 12, 2017)

TeamScriptKiddies said:


> Just download the Firefox/Chrome extension HTTPS Everywhere for now. It forces SSL encryption on all websites you visit, whether the site supports it or not.


It forces HTTPS if possible, if it's not supported it can't magically cause the website to work with HTTPS.

GBAtemp has HTTPS support though.


----------



## ItsKipz (Jan 12, 2017)

A good idea to remember for secure passwords is that it's a lot harder to guess/brute-force a password that isn't in English. If you speak 2 languages, make your password in a different one/mix them.


----------



## alex_0706 (Jan 12, 2017)

Is it also known which accounts were hacked?
Can those be messaged so they know to change their PWs?


----------



## ItsKipz (Jan 12, 2017)

Also, I recommend setting up LastPass and Authenticator, securing your password, and setting up 2FA.


----------



## the_randomizer (Jan 12, 2017)

ItsKipz said:


> A good idea to remember for secure passwords is that it's a lot harder to guess/brute-force a password that isn't in English. If you speak 2 languages, make your password in a different one/mix them.



Well, Japanese is my second language (as I did live there for quite a while via internship and was forced to learn it if I wanted to communicate), so I can try that, and using Romaji.



ItsKipz said:


> Also, I recommend setting up LastPass and Authenticator, securing your password, and setting up 2FA.



I have the Google Authenticator app on my phone.


----------



## ItsKipz (Jan 12, 2017)

the_randomizer said:


> Well, Japanese is my second language (as I did live there for quite a while via internship and was forced to learn it if I wanted to communicate), so I can try that, and using Romaji.
> 
> 
> 
> I have the Google Authenticator app on my phone.


Ayy, I'm taking Japanese now; that was my idea too xD


----------



## Procyon (Jan 12, 2017)

the_randomizer said:


> Well, Japanese is my second language (as I did live there for quite a while via internship and was forced to learn it if I wanted to communicate), so I can try that, and using Romaji.
> 
> 
> 
> I have the Google Authenticator app on my phone.



I use keepass


----------



## the_randomizer (Jan 12, 2017)

Procyon said:


> I use keepass



Ah, okay, added that to my phone as well, better safe than sorry


----------



## Aletron9000 (Jan 12, 2017)

I know some of the plugins are disabled due to this, but is anyone else on mobile seeing their bar (profile, alerts, conversations) moving to the side so all you see is your username?


----------



## ItsKipz (Jan 12, 2017)

Aletron9000 said:


> I know some of the plugins are disabled due to this, but is anyone else on mobile seeing their bar (profile, alerts, conversations) moving to the side so all you see is your username?


Yeah, i'm getting that on desktop too, just reload.


----------



## seijinshu (Jan 12, 2017)

Aletron9000 said:


> I know some of the plugins are disabled due to this, but is anyone else on mobile seeing their bar (profile, alerts, conversations) moving to the side so all you see is your username?


Yep


----------



## iAqua (Jan 12, 2017)

Aletron9000 said:


> I know some of the plugins are disabled due to this, but is anyone else on mobile seeing their bar (profile, alerts, conversations) moving to the side so all you see is your username?


Yeah getting that on mobile.


----------



## Vengenceonu (Jan 12, 2017)

Tomy Sakazaki said:


> That iso network.


Which one?


----------



## Dumperpreneur (Jan 12, 2017)

I now have 2FA and a new password. Thanks for the heads up!


----------



## Boogieboo6 (Jan 12, 2017)

Same problem as @Sonic Angel Knight both on my phone and the school's chromebook.


Spoiler: picture


----------



## ItsKipz (Jan 12, 2017)

Boogieboo6 said:


> Same problem as @Sonic Angel Knight both on my phone and the school's chromebook.
> 
> 
> Spoiler: picture
> ...


I'm on a Chromebook and I'm getting that too.

(btw, am I the only one who hates these shitty laptops?)


----------



## the_randomizer (Jan 12, 2017)

ItsKipz said:


> I'm on a Chromebook and I'm getting that too.
> 
> (btw, am I the only one who hates these shitty laptops?)



The thing is, I would report it, but I don't know, I'm wary on doing so. I never had this issue until after the maintenance; before it however, it was fine.



Vengenceonu said:


> Which one?



We can't say, it's against the rules. Google is your friend.


----------



## mathieulh (Jan 12, 2017)

the_randomizer said:


> Well, Japanese is my second language (as I did live there for quite a while via internship and was forced to learn it if I wanted to communicate), so I can try that, and using Romaji.
> 
> 
> 
> I have the Google Authenticator app on my phone.




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I use a different password to everything, I never use centralized password apps so I remember them all using mnemotechnics, 
passwords all use upper case, lower case, special chars and digits and are all over at least 20 characters each. 
I use 2FA wherever available, using only Secure token to store TOTP/HOTP secrets and I use U2F or PGP wherever supported.

Google Authenticator isn't secure, if an attacker compromises your endpoint/cell phone, he can extract the TOTP secrets 
(which are used in conjunction with symetrical algorithms) and calculate all your 2FA codes, get a secure token like a Yubikey
to store your OTP secrets, that way these are kept separate from your device and malware can't get to those.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9C+AAoJEKa4nBz3AlIIg6kH/3mmM9lsCjLIGu7qluYcx9rj
go5spoh0DoPI4OCaz8mY7eZxarJdeUZIjRVMYDuMnYi7ZMdRXTfddUwmy++duL40
7Ej/l0y2k1EauL1ni8rwGeDUC2A6gdYVyq2Qgocw1XJQ7oXP6o3pMfGWH1GUktWE
uEafUWj+mf0zXNTM7vhaY1Sv/yF3axCNjOXvcmFumJpoAhSJbgRbsiT8Jk56UCnT
49DFThq11fGPEXgToTiT8yEW6ouyD9amg2TUR6GRHJ6UaPNOWX1387duVDx3Phin
dm0hQmoP6sqsJWHXKt13ZvCZCtR5wAH2ZZgBB0ty5xoKkHMcSJjBnbt8tQTxxdc=
=5rEG
-----END PGP SIGNATURE-----


----------



## the_randomizer (Jan 12, 2017)

mathieulh said:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> I use a different password to everything, I never use centralized password apps so I remember them all using mnemotechnics,
> ...



Then what do you suggest, not use any kind of authentication? Because that's what it sounds like.


----------



## x06xpower (Jan 12, 2017)

mathieulh said:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> I use a different password to everything, I never use centralized password apps so I remember them all using mnemotechnics,
> ...


wtf? Whoa, that's scary


----------



## Patxinco (Jan 12, 2017)

the_randomizer said:


> Then what do you suggest, not use any kind of authentication? Because that's what it sounds like.


He's telling us to do this:


> Get a secure token like a Yubikey
> to store your OTP secrets, that way these are kept separate from your device and malware can't get to those.


----------



## the_randomizer (Jan 12, 2017)

Patxinco said:


> He's telling us to do this:



Then where are they to be stored, if not on any kind of device?
https://www.yubico.com/support/know...articles/how-to-use-your-yubikey-with-google/

Because it sounds like you can't use your phone or PC to store them.

Edit: Oh, they cost money. Never mind.  >.>


----------



## mathieulh (Jan 12, 2017)

the_randomizer said:


> Then what do you suggest, not use any kind of authentication? Because that's what it sounds like.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

That's not not what I suggest at all, 

Use something you know: 
- -A password, typically long, with lower, upper case, special characters and numbers, 
I personally achieve this using mnemotechnics to recall long sentences in Japanese with characters stowed in between

Use something you own: 
- -A Secure Access Module or a Hardware Security Module to store secrets to cryptography challenges used during
two factor authentications, would it be symetrical keys (OTP based) or private keys (PGP, U2F).
This exists in the from of a smart card, a (typically compatible with Android smartphones) NFC device (Yubikey NEO, SIGILANCE...),
a USB device (Yubikey 4, Yubikey NEO, Nitrokey...).


Contrary to popular belief and despite convenience mitigation, a smartphone application does not constitute "something you own"
because unlike SAM or HSM designed to be tamper proof and physically separated from your endpoint, your smartphone 
usually being the endpoint itself and connected to a network, is not, making it therefore all the more practical for an attacker
to exploit the device and extract the keys stored within the apps, as such it becomes "something you know" compromising the
purpose of the two factor authentication, especially if all the factors are stored/used on the same device.

There is no such thing as good security, there is only bad security and worse security, security is only as good as its weakest link
therefore one needs to render his assets as secure as possible, making it time and effort consumming for an attacker to target him.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9f1AAoJEKa4nBz3AlIIGbQH/35OHAPKBjoOJbOnzF5AsjXg
aYIxaN3kGvd/69pUrV9Tm0CAnJJwmZBOWpYaI8eUCJGQIth7flOyajHh15iMnJ1s
R4JW+yn1W15Ya63XPawcoQt4Fo+dzAdR+kKMYLnh6YtgC5Fsq3EPQt5414RGwfyp
6dQ1U137rqJFUoqGKFquazP2w0pWyD7x9lnOAZi8t82iL7u3x0J+pWjJuEr5pBKx
fcAjgZAHIWV3esooE1s3NB3ggMEwvCzX8Fkf2p4NSK+dI+C5CWbBR5SViAxqxoQn
3Eb0WTkOCunm3ggsQJWB7JlGNEe2r1ZR1FANnMMW8LKy/yh/kFUaUFgum8tkoyw=
=vBU3
-----END PGP SIGNATURE-----


----------



## the_randomizer (Jan 12, 2017)

mathieulh said:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> That's not not what I suggest at all,
> ...



Well I don't have the funds to get a secure USB flash drive, so yeah, but I'm not going to be totally paranoid about security either, as it's a waste of energy.


----------



## mathieulh (Jan 12, 2017)

the_randomizer said:


> Well I don't have the funds to get a secure USB flash drive, so yeah, but I'm not going to be totally paranoid about security either, as it's a waste of energy.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

It all comes down to how much you value your security and online privacy. 
To me, it's worth spending the money on a $60 secure dongle.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9l4AAoJEKa4nBz3AlIIV8AIAIbnsAp6zjoeDF/T6YywoN9J
ogsfje9eizB6vRJ6qlqTjMD2/Pj9+kidypeLc9cqjizo25Jap3bYnelouvWmpeFp
XvyYL6NsdvPXCiyFRwm5fgLTK1HB4PuZtrvW5G/9IWexXllbYTt3EoBpwnMmjESY
nlsCOTTwRf1HA4nv467hXDPrkQxGQTofD6/IYUTqqdfVnh1YTuR1MRfLMjmoDgDJ
Wu4Ud1xkrdd+FW+QYrUG27c8R3u+WmvQK9wxFTu3G9UVYFeFSkCYCPe4iNey/iaj
P2gcJ4GI/dd+G8TobK4o0hkefKZHI+j5cRqq74GeWTy/f3YXVZXtoig6SrQQYH0=
=tqYk
-----END PGP SIGNATURE-----


----------



## Slattz (Jan 12, 2017)

mathieulh said:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> It all comes down to how much you value your security and online privacy.
> ...



No offense, but I don't think most people want to see the PGP stuff every time you post, it's quite 'loud'... At least put the PGP signature in a spoiler or something.


----------



## mathieulh (Jan 12, 2017)

Slattz said:


> No offense, but I don't think most people want to see the PGP stuff every time you post, it's quite 'loud'... At least put the PGP signature in a spoiler or something.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Is that better?


Spoiler: PGP Signature



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9vPAAoJEKa4nBz3AlIIt9sH/0fkanJdxpPPfgSkuylrmZC1
ojzLgi2/MLekvmqyJqv2WxNWigXZT8bnhFYiwR5e5AIISBwTeE9dQAzWlgcaOP+h
I/UN38JPk0ql/5V5LIJ71/WuL205EJwiTx/I6/63R1BK4Oqzui9tOm/7hvWzLFKH
48CV57T68hs9nVtaRtmXwWnQkM2QR04a9FAukgTjKBXnalBr4edpsNYWsPTl+Ha4
jP7RrpIMk6+EfX9Z+msvQoYDcHq7WvHBSmj+vwVXzJdZn6HsPfq10AQXeyyIBjHj
GrBzoX9SY2dOVZsbbbyU0X4BN8+AKXK3SUN6Dph1chnR8AUncqdv/UIf+Hh7T7k=
=cNqZ
-----END PGP SIGNATURE-----


----------



## Kithron (Jan 12, 2017)

Thank you for the information, changed my own password and enabled 2FA with my favorite app named Authy.


----------



## Slattz (Jan 12, 2017)

mathieulh said:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Is that better?
> ...


Yeah, that's good. Thanks for actually taking my advice, I honestly thought a fight would break out or something.


----------



## mathieulh (Jan 12, 2017)

Slattz said:


> Yeah, that's good. Thanks for actually taking my advice, I honestly thought a fight would break out or something.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

To be honest, as it is, it might be breaking the signature, someone would need to manually append the content
of the spoiler to verify the post.

I hope this is enough, I am aware the whole PGP metadata can be annoying, it would be much better if forums had
built-in PGP support.


Spoiler: PGP Signature



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd959AAoJEKa4nBz3AlII9eYIAKOknZJzv9fLg+edt1QOkHuu
yWzNDCZ45cfjkPTMIP3pG6UVF/uwKh/+YVsjE7ujIFtKIVp3hNWIYgxLy+hRT61O
CKhFyhIgp3HQHDItyd9IDqAG7wJpaHtvyLwoYuWPK20WEP0cPynlHnilFscfoVi4
O8y9AZ1RLsieOuXkAX/rn/ZifYg6STcE+xZJMKkimCW+hHc7PjWf0/ManUSAOV66
74sVKi41WuuhLXFal5T2DiOJ36r3jUkLNKHOzcrAs7k/F5tJqDeAfdpqKolI/+FA
+LIElNk/Sy4rfcfHUucdkwPYH2h5cczauyLPgOKu5Zv+bhMZZNKftwxOqkrWZa8=
=3MlM
-----END PGP SIGNATURE-----
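
An added example (not from the post, and not GnuPG's code) of what a verifier has to reconstruct before it can check a clearsigned post like the ones in this thread: the text between the armor lines, with dash-escaping undone (the `- -A password` lines in the earlier post are the dash-escaped form of `-A password`), trailing whitespace removed and CRLF line endings, as RFC 4880 specifies. The constructed sample messages show that a forum adding trailing spaces does not change the digest, while an edited word, or a BBCode spoiler tag that lands inside the signed region, does. The digest here covers the canonical text only; a real verifier also feeds the signature packet's hashed metadata into the hash before comparing it against the signature.

```python
import hashlib

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def _find_line(lines, marker, start=0):
    """Index of the first line equal to `marker` (ignoring surrounding whitespace)."""
    for i in range(start, len(lines)):
        if lines[i].strip() == marker:
            return i
    raise ValueError("missing armor line: " + marker)


def extract_signed_text(armored: str):
    """Return (hash_name, canonical_text) for a clearsigned block.

    Canonical form (RFC 4880 section 7): dash-escaping undone ('- -A' -> '-A'),
    trailing spaces and tabs dropped from every line, CRLF line endings, and no
    line ending after the last line (the newline before the signature armor
    belongs to the armor, not to the signed text)."""
    lines = armored.replace("\r\n", "\n").split("\n")
    start = _find_line(lines, BEGIN_SIGNED)
    end = _find_line(lines, BEGIN_SIG, start + 1)
    hash_name = "SHA1"  # OpenPGP default when no Hash: header is present
    pos = start + 1
    while pos < end and lines[pos].strip():  # armor headers run up to the blank line
        key, _, value = lines[pos].partition(":")
        if key.strip().lower() == "hash":
            hash_name = value.strip()
        pos += 1
    canonical = []
    for line in lines[pos + 1:end]:
        if line.startswith("- "):
            line = line[2:]
        canonical.append(line.rstrip(" \t"))
    return hash_name, "\r\n".join(canonical)


def canonical_text_digest(armored: str) -> str:
    """Hex digest of the canonical text with the algorithm named in the Hash: header.
    Covers the text part only; a full verifier appends the signature packet's hashed
    metadata before finishing the hash."""
    hash_name, text = extract_signed_text(armored)
    return hashlib.new(hash_name.lower().replace("-", ""), text.encode("utf-8")).hexdigest()


# Constructed sample, modelled on the dash-escaped list in mathieulh's earlier post.
ORIGINAL = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Use something you know:\n"
    "- -A password, typically long\n"
    "Use something you own:\n"
    "- -A hardware token\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v2\n"
    "\n"
    "(base64 signature packet omitted in this constructed sample)\n"
    "-----END PGP SIGNATURE-----\n"
)
# Forum software added trailing spaces and CRLF: harmless, canonicalisation removes both.
REFLOWED = ORIGINAL.replace("long\n", "long   \n").replace("\n", "\r\n")
# One word changed: the digest, and therefore the signature, no longer matches.
EDITED = ORIGINAL.replace("typically long", "typically short")
# A BBCode spoiler opened before the signature armor lands inside the signed region.
SPOILERED = ORIGINAL.replace(BEGIN_SIG, "[spoiler=PGP Signature]\n" + BEGIN_SIG)


if __name__ == "__main__":
    print(extract_signed_text(ORIGINAL)[1])
    print(canonical_text_digest(ORIGINAL) == canonical_text_digest(REFLOWED))   # True
    print(canonical_text_digest(ORIGINAL) == canonical_text_digest(EDITED))     # False
    print(canonical_text_digest(ORIGINAL) == canonical_text_digest(SPOILERED))  # False
```

The practical consequence is the one stated in the post: anything the forum inserts between the signed text and the signature armor, or strips out of it, has to be undone by hand before `gpg --verify` can succeed.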


----------



## tony_2018 (Jan 12, 2017)

2 factor or nothing.


----------



## snails1221 (Jan 12, 2017)

Temp hax


----------



## Deleted User (Jan 12, 2017)

ItsKipz said:


> A good idea to remember for secure passwords is that it's a lot harder to guess/brute-force a password that isn't in English. If you speak 2 languages, make your password in a different one/mix them.


Oohoho, _NOBODY_ will guess my password if I make it in Esperanto!

...._absolutely_ nobody.


----------



## Deleted-355425 (Jan 12, 2017)

rekt.


----------



## Raylight (Jan 12, 2017)

What if we log in through Facebook?


----------



## shaunj66 (Jan 12, 2017)

Raylight said:


> What if we log in through Facebook?


There's no need to do anything.


----------



## Raylight (Jan 12, 2017)

shaunj66 said:


> There's no need to do anything.


Thank god.


----------



## redrumy3 (Jan 12, 2017)

I rarely log in and just usually lurk but thanks for letting us know! Appreciate it!


----------



## Gizametalman (Jan 12, 2017)

Ugh... not again.
Could anyone please answer this question:

If _somehow_ the "hackers" have my email (the one I registered with on GBATemp), do you think they could possibly get into all those OTHER sites where I've used the same email account? 
You know? Lots of personal information, like bank numbers, phone, how I managed to escape from La Migra, how I dismembered a human and ate it... OK, kidding with this one.
But seriously, do you think that may be possible?
Because, if so, I'll be deleting all the accounts that I have in different sites. 
*¬_¬*


----------



## Joe88 (Jan 12, 2017)

Gizametalman said:


> Ugh... not again.
> Could anyone please answer this question:
> 
> If _somehow_ the "hackers" have my email (the one I registered with on GBATemp), do you think they could possibly get into all those OTHER sites where I've used the same email account?
> ...


If you used the same exact password on all those sites, then yes.


----------



## Gizametalman (Jan 12, 2017)

Joe88 said:


> If you used the same exact password on all those sites, then yes.





 

Meh, I don't have any friends anyways...


----------



## Saiyan Lusitano (Jan 12, 2017)

Joe88 said:


> If you used the same exact password on all those sites, then yes.


Well, crap. Not in a panic mode or anything as I use LastPass to generate passwords so even I myself don't know my own passwords by heart.


----------



## TheToaster (Jan 12, 2017)

So, if my password on that one ISO site was different from the password that I have here on GBATemp, I am not at risk of getting my account compromised, right?

Sent from my SAMSUNG-SM-G850A using Tapatalk


----------



## AdmiralSpeedy (Jan 12, 2017)

OsamaTookMyCat said:


> The most I heard, it was one of those pirate-y sites. The only one I can think of is snip since it's the most popular. If you have any pirate accounts, just change all of 'em to be safe.



It would just be nice if someone said the actual name of the site that was hacked. Nobody here really believes that GBAtemp doesn't help facilitate piracy, do they? I mean I would guess that probably 75% of the people in the Wii U section are there to find out how to pirate games directly from Nintendo.

I don't really pirate games but it's entirely possible I have an account where the breach happened from the past...


----------



## Ryccardo (Jan 12, 2017)

Good thing I use a different username and a dedicated survey/porn Yahoo email on the iso site!


----------



## Deleted member 373057 (Jan 12, 2017)

tech3475 said:


> I'd suggest people start using a password manager of some kind which supports a password generator.
> 
> It may make life a bit harder, but at least it reduces the risk of a hacked site causing worse issues elsewhere.


Agreed.
I use KeePass2. Has done me nothing but good in the long run.


----------



## Ev1l0rd (Jan 12, 2017)

Allow me this chance to link to http://haveibeenpwned.com . Enter your username or an email to see if you've been hacked. Also has a notify option.

(Verified safe by Reddit admins.)
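
The same service also publishes the Pwned Passwords range API, which lets you check a password against the breach corpus without ever sending the password. As an added example, not part of Ev1l0rd's post or of the service's own code: hash the password with SHA-1 locally, send only the first five hex characters, and compare the returned suffixes on your own machine (k-anonymity). The range body below is constructed for the example (only the suffix of "password" is real; the counts and the other suffixes are made up); the network call is included but not exercised.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan the 'SUFFIX:COUNT' lines returned for a prefix and give back the
    breach count for our suffix, or 0 if it is not listed."""
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix.upper():
            return int(count or 0)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of GET /range/<prefix>. Not used by the offline demo."""
    request = urllib.request.Request(
        RANGE_API + prefix, headers={"User-Agent": "password-reuse-check-example"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def pwned_count(password: str, range_body: str = None) -> int:
    """How many times the password appears in the corpus. Pass `range_body` to
    check against an already-downloaded range; otherwise the range is fetched."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


# Constructed stand-in for the response to GET /range/5BAA6. The second line carries
# the real SHA-1 suffix of "password"; the counts and the other suffixes are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
2C3B2C3D3D3D3D3D3D3D3D3D3D3D3D3D3D3:1
"""

if __name__ == "__main__":
    print(pwned_count("password", SAMPLE_RANGE_5BAA6))
```

A non-zero count means the exact password is in a public breach dump and will be in every credential-stuffing list, whatever site it was originally used on; the check is a good candidate for a registration or password-change hook, since the server only ever handles the five-character prefix.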


----------



## the_randomizer (Jan 12, 2017)

Ev1l0rd said:


> Allow me this chance to link to http://haveibeenpwned.com . Enter your username or an email to see if you've been hacked. Also has a notify option.
> 
> (Verified safe by Reddit admins.)



Apparently I was somehow breached in Snapchat, what? I don't even have an account on there.


----------



## VinsCool (Jan 12, 2017)

Ev1l0rd said:


> Allow me this chance to link to http://haveibeenpwned.com . Enter your username or an email to see if you've been hacked. Also has a notify option.
> 
> (Verified safe by Reddit admins.)


Heh good good. No breach anywhere.


----------



## the_randomizer (Jan 12, 2017)

VinsCool said:


> Heh good good. No breach anywhere.



One of my emails was breached way back in 2015, I've since added double authentication to that, and my Gmail account, which hasn't had any breach.


----------



## Deleted User (Jan 12, 2017)

Ev1l0rd said:


> Allow me this chance to link to http://haveibeenpwned.com . Enter your username or an email to see if you've been hacked. Also has a notify option.
> 
> (Verified safe by Reddit admins.)








I'm honestly shocked.


----------



## osirisjem (Jan 12, 2017)

There are no known XenForo exploits, so if there was a compromise here it was at the login or server level.


----------



## Deleted User (Jan 12, 2017)

osirisjem said:


> There are no known XenForo exploits, so if there was a compromise here it was at the login or server level.


A quick Google search says otherwise.


----------



## osirisjem (Jan 12, 2017)

Tomato Hentai said:


> A quick Google search says otherwise.


That's for xenAPI, a XenForo add-on.
Which I doubt the Temp uses.

Keep in mind XenForo has been out for 6 years.


----------



## Deleted User (Jan 12, 2017)

osirisjem said:


> That's for xenAPI, a XenForo add-on.
> Which I doubt the Temp uses.


I guess I didn't read (again lol), but there were way more in that Google search too.


----------



## WiiUBricker (Jan 12, 2017)

I hope that the people who got their accounts stolen (not hacked) will get them back asap.


----------



## osirisjem (Jan 12, 2017)

There have been a few security fixes but none that have been exploited. Vs. vBulletin, which has an ongoing exploit.


----------



## Thomas83Lin (Jan 12, 2017)

Ev1l0rd said:


> Allow me this chance to link to http://haveibeenpwned.com . Enter your username or an email to see if you've been hacked. Also has a notify option.
> 
> (Verified safe by Reddit admins.)


lol I'm pwned all over the place, it's mostly on hax sites. Glad I use a different password for each site.


----------



## Daniel41550 (Jan 12, 2017)

Did you make GBAtemp?


----------



## Saiyan Lusitano (Jan 12, 2017)

Ev1l0rd said:


> Allow me this chance to link to http://haveibeenpwned.com . Enter your username or an email to see if you've been hacked. Also has a notify option.
> 
> (Verified safe by Reddit admins.)


So I've been pwned on 7 breached sites but no pastes thankfully. I'll bet that one of those was Sony Entertainment.

LastPass is very useful to alert if there's something off and so is Gmail.


----------



## Gizametalman (Jan 13, 2017)

the_randomizer said:


> Apparently I was somehow breached in Snapchat, what? I don't even have an account on there.


Welcome to da Interneto


----------



## the_randomizer (Jan 13, 2017)

Gizametalman said:


> Welcome to da Interneto



Yeah, which is weird, someone used the same username on Snapchat, lol like I'd ever used that site.


----------



## Saiyan Lusitano (Jan 13, 2017)

the_randomizer said:


> Yeah, which is weird, someone used the same username on Snapchat, lol like I'd ever used that site.


Someone on Instagram has my exact real name but what's weird about it is that it was an Oriental girl with a male western name. I never use my real name outside of places like Amazon, other retailers and banks.

Oh... I sign up for freebies which never arrive -- this explains it.


----------



## Gizametalman (Jan 13, 2017)

Saiyan Lusitano said:


> Someone on Instagram has my exact real name but what's weird about it is that it was an Oriental girl with a male western name. I never use my real name outside of places like Amazon, other retailers and banks.
> 
> Oh... I sign up for freebies which never arrive -- this explains it.


I dunno, but you shouldn't be saying that you use your real name in a bank account.
We just got hacked; they're probably gonna use any information that you may give them.
Even small information such as "I use my real name in this or that" will suffice to make malicious things.
Of course, if they decide to target you.


----------



## Deleted User (Jan 13, 2017)

the_randomizer said:


> Yeah, which is weird, someone used the same username on Snapchat, lol like I'd ever used that site.


I only use Snapchat for sending the pictures I take of random shit I see outside to a small handful of friends, but not even that really.


----------



## Zero72463 (Jan 13, 2017)

Damn lol I didn't even know anything was going on.


----------



## Deleted member 408979 (Jan 13, 2017)

Me neither, but thank goodness it's over!


----------



## Keith_Loving (Jan 13, 2017)

This thoroughly pisses me off, please create a program where each user can input their account number to check if their account has in fact been accessed by another user.  Or have the forum MODS contact the members of the site, where it is known unauthorized access has been done.  This can be easily checked with the MOD tools.  Go to "Track Users by IP".  Any matching IPs will obviously reveal a user accessing multiple accounts.  At least PM me to tell me that I am the only user accessing my account on GBAtemp....

Why not add a tool on the user profile so the user can input only the IP addresses they want to use with their account and let the members manage their own IP restrictive access to their account on here.

thanks


----------



## Costello (Jan 13, 2017)

Keith_Loving said:


> This thoroughly pisses me off, please create a program where each user can input their account number to check if their account has in fact been accessed by another user.  Or have the forum MODS contact the members of the site, where it is known unauthorized access has been done.  This can be easily checked with the MOD tools.  Go to "Track Users by IP".  Any matching IPs will obviously reveal a user accessing multiple accounts.  At least PM me to tell me that I am the only user accessing my account on GBAtemp....


We have already contacted all of the user accounts we believe have been accessed by a third party; there weren't many.
You weren't one of them.



> Why not add a tool on the user profile so the user can input only the IP addresses they want to use with their account and let the members manage their own IP restrictive access to their account on here.


You can achieve pretty much that with two-factor authentication. Use Google Authenticator; it's pretty easy to use and it's safe.


----------



## Nevermore (Jan 13, 2017)

Which ISO site was hacked?  Not sure which account I should be wary of (I mix and match all over the place).

PM me the name of the one, if it's against the rules to say.  No need for a link, just the name so I know.


----------



## TotalInsanity4 (Jan 13, 2017)

Nevermore said:


> Which ISO site was hacked?  Not sure which account I should be wary of (I mix and match all over the place).
> 
> PM me the name of the one, if it's against the rules to say.  No need for a link, just the name so I know.


The 3DS one, if memory serves. No idea if they share account info though


----------



## Deleted User (Jan 13, 2017)

Gizametalman said:


> I dunno, but you shouldn't be sayin that you use your real name in a Bank account.
> We just got hacked, they'll probably gonna use any information that you may give them.
> Even small information as: "I use my real name in this or that" will suffice to make malicious things.
> Of course, if they decide to target you.


Well, Bank accounts sometimes need your Tax ID (in the US anyways) and that needs to match your real legal name.


----------



## Chary (Jan 13, 2017)

Nevermore said:


> Which ISO site was hacked?  Not sure which account I should be wary of (I mix and match all over the place).
> 
> PM me the name of the one, if it's against the rules to say.  No need for a link, just the name so I know.


Both ones whose names are those of Nintendo's current handheld and console. Both were compromised.


----------



## Deleted member 408979 (Jan 13, 2017)

Fortunately, the freeshop didn't suffer much damage (as far as I know)

so, at least we didn't lose all CIAs...


----------



## RedBlueGreen (Jan 13, 2017)

Chary said:


> Both ones whose names are those of Nintendo's current handheld and console. Both were compromised.


Is that including that chaos site?


----------



## Asia81 (Jan 13, 2017)

I got hacked too, but I have my account back.
Idk why I got disconnected and my password didn't work anymore, so I asked by mail for a forgotten password.


----------



## RedBlueGreen (Jan 13, 2017)

Asia81 said:


> I got hacked too, but I have my account back.
> Idk why I got disconnected and my password didn't work anymore, so I asked by mail for a forgotten password.


Was your password similar to the one from that ISO site? I'm just wondering how much other users have to worry.


----------



## Asia81 (Jan 13, 2017)

RedBlueGreen said:


> Was your password similar to the one from that ISO site? I'm just wondering how much other users have to worry.


No, it was a random strong password generated by LastPass, using 18 characters
Something like WAqse0iw0ZbM1nx4E4 _(Example, not the old and not the new, of course xD)._


----------



## SonicRings (Jan 13, 2017)

Enable two-factor authentication? No thanks, don't want to be absolutely screwed if I happen to lose my phone and the backup codes! I'll stick to my randomly generated passwords


----------



## pixelmasher (Jan 13, 2017)

Asia81 said:


> No, it was a random strong password generated by LastPass, using 18 characters
> Something like WAqse0iw0ZbM1nx4E4 _(Example, not the old and not the new, of course xD)._



Didn't LastPass get hacked? I thought I read that somewhere, but I think it was a while ago.


----------



## kuwanger (Jan 13, 2017)

mathieulh said:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> 2FA is never an overkill. The use of U2F can mitigate your convenience issue.
> ...



So, you think 2FA is a good idea for a padlock on, say, a storage box?  Not at all overkill?  Meanwhile, where is U2F actually used?  And how much does it help if I (likely) leave it in my computer all the time for the "convenience issue"?  The only way that someone should be able to get my passwords on my end is precisely through the same sort of attack that would render U2F mostly (if not entirely) ineffective.  Finally, if centralizing passwords is a bad idea, what would you recommend?  Not having passwords?  Because intrinsically if I remember all my passwords, I'm centralizing them all.

BTW, a quick check and it sounds like U2F would be vulnerable to side channel attacks.  The only known way to mitigate that kind of attack consistently, even when you know of the channel of attack, is through consistent timing of events.  I.e., a trade off of security over performance.  So, uh, what sort of system do you run?


----------



## lolboy (Jan 13, 2017)

I admit that hacking/exploiting games and consoles can be fun but hacking GBATemp accounts is sad. 

This forum (many of its users) have provided many goods to the community of gaming and have spent time on helping others.


I changed my password the moment I saw this post and hope all others have done that as well.


----------



## Deleted User (Jan 13, 2017)

Is it a glitch that I can't see my toolbar when going into a thread? I can only see my name.


----------



## Asia81 (Jan 13, 2017)

pixelmasher said:


> Didn't LastPass get hacked? I thought I read that somewhere, but I think it was a while ago.


Really? I didn't know it.

--------------------- MERGED ---------------------------



VinLark said:


> Is it a glitch that I can't see my toolbar when going into a thread? I can only see my name.


Same for me, but only when I am in a thread.
In the main forum it's normal.


----------



## DinohScene (Jan 13, 2017)

Time to update all me passwords.


----------



## The Catboy (Jan 13, 2017)

Asia81 said:


> I got hacked too, but I have my account back.
> Idk why I got disconnected and my password didn't work anymore, so I asked by mail for a forgotten password.


I am glad to see that you got your account back. I could tell it was hacked the second the person who hacked you posted.


----------



## Costello (Jan 13, 2017)

VinLark said:


> Is it a glitch that I can't see my toolbar when going into a thread? I can only see my name.


this bug was fixed, but you may need a cache refresh because it was a javascript change (browsers tend to cache javascript)
so try Ctrl+F5 a few times and it should be OK. At least it's OK for me


----------



## The Catboy (Jan 13, 2017)

Costello said:


> this bug was fixed, but you may need a cache refresh because it was a javascript change (browsers tend to cache javascript)
> so try Ctrl+F5 a few times and it should be OK. At least it's OK for me


Glitch seems fixed for me (Latest Chrome on Ubuntu 16.10)


----------



## hobbledehoy899 (Jan 13, 2017)

Costello said:


> this bug was fixed, but you may need a cache refresh because it was a javascript change (browsers tend to cache javascript)
> so try Ctrl+F5 a few times and it should be OK. At least it's OK for me


With Pale Moon 27.0.3 running on Linux Mint 18.1 the site seems to be running just fine and as usual!


----------



## Minox (Jan 13, 2017)

Asia81 said:


> I got hacked too, but I have my account back.
> Idk why I got disconnected and my password didn't work anymore, so I asked by mail for a forgotten password.


That was my doing after noticing someone had tampered with your account.


----------



## mathieulh (Jan 13, 2017)

kuwanger said:


> So, you think 2FA is a good idea for a padlock on, say, a storage box?  Not at all overkill?  Meanwhile, where is U2F actually used?  And how much does it help if I (likely) leave it in my computer all the time for the "convenience issue"?  The only way that someone should be able to get my passwords on my end is precisely through the same sort of attack that would render U2F mostly (if not entirely) ineffective.  Finally, if centralizing passwords is a bad idea, what would you recommend?  Not having passwords?  Because intrinsically if I remember all my passwords, I'm centralizing them all.
> 
> BTW, a quick check and it sounds like U2F would be vulnerable to side channel attacks.  The only known way to mitigate that kind of attack consistently, even when you know of the channel of attack, is through consistent timing of events.  I.e., a trade off of security over performance.  So, uh, what sort of system do you run?




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Let's be realistic here, to perform a side channel attack on your U2F token (assuming the attacker puts in the time, money and effort) and capture its ECC private key, an attacker would have to physically possess your token for an extended period of time (at the very least a week, more realistically a month). There is no way, unless you are incapacitated, that you would not notice your U2F token missing, and once you do, it can be revoked.

By centralizing passwords, I mean putting those in the same place where they could be accessed by an attacker (like an application). If you are remembering all of your passwords, unless your mind is compromised (which actually can happen through means such as chemical induction with substances like scopolamine), these passwords are safe from being stolen directly (instead an attacker would look into compromising your endpoint and use software such as keyloggers).

As to what I run, it depends on how much security I need for a given task. For instance I do own a shielded air gapped computer with speakers and microphone disabled used for specific infrequent cryptographic operations.

In conjunction with this, I am using several SAMs (4 Yubikey NEO, 2 Yubikey 4) for various applications, a Yubikey HSM for specific AES operations, a Nitrokey HSM for my local CA and a few standalone PIV smartcards for Veracrypt. I don't trust any of my keys to be stored outside Secure Access Modules.


Spoiler: PGP Signature





----------



## Costello (Jan 13, 2017)

Costello said:


> this bug was fixed, but you may need a cache refresh because it was a javascript change (browsers tend to cache javascript)
> so try Ctrl+F5 a few times and it should be OK. At least it's OK for me


Nevermind, actually the bug is back... for some reason. I will have to investigate!
Edit: it's gone again, I think it's because I was using another browser on which I forgot to refresh.


----------



## Asia81 (Jan 13, 2017)

Crystal the Glaceon said:


> I am glad to see that you got your account back. I could tell it was hacked the second the person who hacked you posted.


Did the hacker post some message with my account?

--------------------- MERGED ---------------------------



Costello said:


> nevermind, actually the bug is back... for some reason. I will have to investigate!


seems ok for me, latest version of firefox w10


----------



## The Catboy (Jan 13, 2017)

Asia81 said:


> Did the hacker post some message with my account?
> 
> --------------------- MERGED ---------------------------
> 
> ...


I don't want to derail this thread, so I will PM you


----------



## Deleted User (Jan 13, 2017)

I had my account password reset 2 times. Was one time me being hacked or something? I changed my password and then you guys reset my password because my account has been "compromised"


----------



## kuwanger (Jan 13, 2017)

mathieulh said:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Let's be realistic here, to perform a side channel attack on your U2F token (assuming the attacker puts in the time, money and effort) and capture its ECC private key,
> ...



Where are you getting your figures on how long it'd take to capture the ECC private key?  In any case, I'd agree that it's unlikely there'd be an attack on your U2F token directly.  As for centralized passwords, it sounds like you're saying less about "centralized" and more about "attacker accessible".  I.e., something like a U2F token that stored your keys with a master password would be similar, which is what U2F seems to be functionally (you just don't know the master password)*--I assume that's what your "Secure Access Modules" are.  It also comes with all the same headaches of revoking access.

As for the last part, I'm very dubious of the fact that there are so many variants of Yubikey.  It's unclear to me Yubikey 4 vs FIDO U2F Security key, even though one is twice the price.  There's also the issue that you have to trust Yubikey not to store keys (or you have to build your own).  In any case, my point about the system you run is cache attacks and actually how powerful side channel attacks can be.

* I know it's technically different but since you can make your own U2F Key, the notion that a U2F Key is "what you have" is dubious to some extent.  You can just as well simulate a U2F Key in software, which defeats the whole purpose but would create the illusion of more security.  To me, most 2FA that uses email verification falls into the same category.


----------



## mathieulh (Jan 13, 2017)

kuwanger said:


> Where are you getting your figures on how long it'd take to capture the ECC private key?  In any case, I'd agree that it's unlikely there'd be an attack on your U2F token directly.  As for centralized passwords, it sounds like you're saying less about "centralized" and more about "attacker accessible".  I.e., something like a U2F token that stored your keys with a master password would be similar, which is what U2F seems to be functionally (you just don't know the master password)*--I assume that's what your "Secure Access Modules" are.  It also comes with all the same headaches of revoking access.
> 
> As for the last part, I'm very dubious of the fact that there are so many variants of Yubikey.  It's unclear to me Yubikey 4 vs FIDO U2F Security key, even though one is twice the price.  There's also the issue that you have to trust Yubikey not to store keys (or you have to build your own).  In any case, my point about the system you run is cache attacks and actually how powerful side channel attacks can be.
> 
> * I know it's technically different but since you can make your own U2F Key, the notion that a U2F Key is "what you have" is dubious to some extent.  You can just as well simulate a U2F Key in software, which defeats the whole purpose but would create the illusion of more security.  To me, most 2FA that uses email verification falls into the same category.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

For starters, the attack you are talking about refers not to U2F in particular but only to the YubiKey Standard and YubiKey Nano with firmware before version 2.4, so this vulnerability has been fixed since April 2014 and only concerns specific old Yubikey 2 hardware (which I myself do not possess). This was due to a lack of entropy (the unique ID being only 6 bytes long) and non-random execution order and timing of operations (which has been fixed since firmware 2.4 and at the hardware level in Yubikey 3 and onward, although it has never affected the Yubikey NEO). This rendered a side channel attack very cost efficient (in the thousands of dollars) and doable in a timely fashion (hours). Hardware however does not typically have this kind of vulnerability, especially tamper proof SAMs that perform operations in die and, short of decapsulating to access traces, disallow most types of precise power measurements required by side channel attacks. It is also important to note that this attack allowed an attacker to get the device's AES key used to generate Yubikey's own OTP hash; it however does not allow the attacker to extract/calculate the ECC private key used in U2F.
More on this vulnerability in the following link:
https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2014/02/04/paper_yubikey_sca.pdf

As to U2F there is no such thing as a "Master password" considering it uses asymmetric cryptography to authenticate you (ECC to be precise) meaning the private key never leaves the device, basically you register a public key on a remote server with an AppID (to prevent phishing) and a key handle (to identify a registered pair), the server sends an encrypted challenge to your U2F dongle, the dongle decrypts it with the private key, signs it, and sends it back to the server, the server verifies the challenge's signature and authentication proceeds if it matches, this mitigates phishing (the hacker does not know your public key and cannot forge the AppID without bypassing the providers' SSL certificate) and replay attacks (the challenge is only valid once for the very brief period it is issued)

More details on how key generation is performed are available here:
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html

About the Yubikey 4 vs the FIDO U2F security key: the Yubikey 4 emulates a full set of CCID (PIV/GPG/OATH) smartcards along with the U2F specification; to put it simply it has more features (the U2F security key only handles U2F). The Yubikey 4 is more expensive because in-die storage capable of handling 4096 bit keys, along with the processing power required to perform RSA operations with that large number of bits, does not come cheap.

And yes, you would have to trust Yubikey, Nitrokey or whoever else your vendor is not to save your per-device keys during the manufacturing process. At the end of the day, there's always some vendor you need to trust unless you build something from scratch.

Cache attacks only work if one of your endpoints is compromised, and only to a point. If your endpoint is compromised you have bigger issues than someone targeting your account.

As to U2F, just like any other modern cryptographic algorithm, it is always based on a software implementation (with the exception of electro-mechanical rotor cipher machines such as the Enigma machine or Turing's cryptologic bombe), as such it can obviously be reproduced in software (after all, it's a protocol based on the ECC algorithm, itself based on the mathematical notion of elliptic curves, but I digress...)

As such you can indeed emulate your U2F security dongle in software (for engineering purposes and whatnot); you would however have to be very dumb to actually register it on a service hosted on an online production server! The whole purpose of U2F is to keep the ECC secret key, or the elements used to generate the secret key, securely on a secure storage where it cannot be read nor retrieved by software running on your endpoints (computers or otherwise); it is obvious that running it in a space where the key can be retrieved/read renders the whole concept of using U2F useless. The same issue actually occurs with people using TOTP on smartphone applications such as Google Authenticator (as I mentioned earlier in this very thread).
As such, your statement just does not make any sense from a security standpoint (or otherwise).


Spoiler: PGP Signature





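A simplified model of the register / challenge / sign / verify flow this post describes, written in Go as an added example (not code from the thread, from Yubico or from the U2F spec): the token signs the server's one-time challenge together with the AppID and a use counter, and the relying party verifies it with the stored public key. It shows why a response signed for a look-alike origin and a replayed response are both rejected; the origin names and challenge bytes are placeholders constructed here, and the real U2F message layout and key-handle derivation are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token models a U2F authenticator: a P-256 key that never leaves the device, plus a use counter.
type Token struct{ priv *ecdsa.PrivateKey; counter uint32 }

// Registration is what the relying party stores under its AppID (counter must strictly increase).
type Registration struct{ PubKey *ecdsa.PublicKey; LastCtr uint32 }

// Register generates a fresh key pair and hands back only the public half.
func Register() (*Token, Registration) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: priv}, Registration{PubKey: &priv.PublicKey}
}

// signedData: SHA-256(AppID), counter, SHA-256(challenge); AppID binding defeats phishing origins.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	h := sha256.Sum256([]byte(fmt.Sprintf("%x|%08x|%x", app, counter, chal)))
	return h[:]
}

// Authenticate signs the challenge for the origin the browser reports to the token.
func (t *Token) Authenticate(appID string, challenge []byte) (uint32, []byte) {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedData(appID, t.counter, challenge))
	if err != nil {
		panic(err)
	}
	return t.counter, sig
}

// Verify is the relying party's check against its own AppID and the challenge it issued.
func Verify(reg *Registration, appID string, challenge []byte, counter uint32, sig []byte) error {
	if counter <= reg.LastCtr {
		return errors.New("counter did not increase: replayed response or cloned token")
	}
	if !ecdsa.VerifyASN1(reg.PubKey, signedData(appID, counter, challenge), sig) {
		return errors.New("bad signature: wrong key, wrong origin or wrong challenge")
	}
	reg.LastCtr = counter
	return nil
}

// Demo: genuine login, a response signed for a look-alike origin, then a replay (all constructed).
func Demo() (genuine, phished, replayed error) {
	const site, lookalike = "https://forum.example", "https://f0rum.example"
	tok, reg := Register()
	c1, c2 := []byte("server-challenge-1"), []byte("server-challenge-2") // constructed; real ones are random
	ctr, sig := tok.Authenticate(site, c1)
	genuine = Verify(&reg, site, c1, ctr, sig)
	ctr2, sig2 := tok.Authenticate(lookalike, c2) // token signs for the origin it saw
	phished = Verify(&reg, site, c2, ctr2, sig2)  // AppID mismatch: signature fails
	replayed = Verify(&reg, site, c1, ctr, sig)   // counter 1 <= 1: rejected
	return
}

func main() { fmt.Println(Demo()) }
```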
----------



## Deleted User (Jan 14, 2017)

Thanks for warning us. I have secured my Facebook account password now!


----------



## Costello (Jan 14, 2017)

We have received first hand confirmation that there is no known vulnerability on our site, and that these accounts were hacked because their e-mail addresses/nicknames were listed on leaked databases. There are several sites out there that allow you to make such verifications; some of these sites even provide passwords in plain text.

We strongly recommend everyone again to make sure to use a unique password on GBAtemp and to enable two step authentication. 

There is no need to further discuss the issue at this point. I will lock this thread. If you have any further questions feel free to PM me and I will reply when I can.


----------

