Dear GBAtemp members and visitors,

It has come to our attention that over the past two days, a person has somehow been able to access a few user accounts on our forums. Shortly after, rumors started blossoming regarding a possible site/forum/database hack or a password leak. After an extensive search into server logs and lookup tools we have no reason to believe that any part of our site has been compromised.

At this point, as several people have suggested already, we believe that the reason this intrusion happened is because another site (an illegal ROM/ISO download site) was recently hacked and the password database was exposed to the public. Since a portion of our members was also registered on that site, possibly using the same password, this could explain the recent scare.

Even though we have no reason to believe our site has been compromised, we have taken a series of measures to reinforce account security on GBAtemp. Firstly, we have reviewed security on the server and all components of our site to make sure everything is up to date and secure. Some components of the forum software have been updated and following this update, one or two add-ons have ceased functioning. If you see anything that isn't working as expected, please use our Site discussions and suggestions forum to report the issue.

At this point, we recommend all our members to change their password and enable two-factor authentication. We are sending out e-mails to all our members to inform them of this situation and to recommend them to change their password. We strongly recommend using a unique and complex password, not just here but on every site you are registered to.

If you have any information that may help us get a better grasp on the situation, please get in touch with a member of the staff. Thank you for your understanding!

The staff

 

[ItsKipz]

A good idea to remember for secure passwords is that it's a lot harder to guess/brute-force a password that isn't in english. If you speak 2 languages, make your password in a different one/mix them.

 

[alex_0706]

is it also known which accounts where hacked?
can those be messaged so they know to change their PW's?

 

[ItsKipz]

Also, i recommend setting up lastpass and authenticator, securing your password, and setting up 2fa.

 

[the_randomizer]

A good idea to remember for secure passwords is that it's a lot harder to guess/brute-force a password that isn't in english. If you speak 2 languages, make your password in a different one/mix them.

Well, Japanese is my second language (as I did live there for quite a while via internship and was forced to learn it if I wanted to communicate), so I can try that, and using Romaji.

Also, i recommend setting up lastpass and authenticator, securing your password, and setting up 2fa.

I have the Google Authenticator app on my phone.

 

[ItsKipz]

Well, Japanese is my second language (as I did live there for quite a while via internship and was forced to learn it if I wanted to communicate), so I can try that, and using Romaji.



I have the Google Authenticator app on my phone.

ayy i'm taking japanese now, that was my idea too xD

 

[Procyon]

Well, Japanese is my second language (as I did live there for quite a while via internship and was forced to learn it if I wanted to communicate), so I can try that, and using Romaji.



I have the Google Authenticator app on my phone.

I use keepass

 

[the_randomizer]

I use keepass

Ah, okay, added that to my phone as well, better safe than sorry

 

[Aletron9000]

i know some of the plugins are disabled due to this. but is anyone else on mobile seeing their bar (profile, alerts, conversations) moving to the side so all you see is your username?

 

[ItsKipz]

i know some of the plugins are disabled due to this. but is anyone else on mobile seeing their bar (profile, alerts, conversations) moving to the side so all you see is your username?

Yeah, i'm getting that on desktop too, just reload.

 

[seijinshu]

i know some of the plugins are disabled due to this. but is anyone else on mobile seeing their bar (profile, alerts, conversations) moving to the side so all you see is your username?

Yep

 

[iAqua]

i know some of the plugins are disabled due to this. but is anyone else on mobile seeing their bar (profile, alerts, conversations) moving to the side so all you see is your username?

Yeah getting that on mobile.

 

[Vengenceonu]

That iso network.

Which one?

 

[Dumperpreneur]

I now have 2FA and a new password. Thanks for the heads up!

 

[Boogieboo6]

Same problem as @Sonic Angel Knight both on my phone and the school's chromebook.

Spoiler: picture

 

[ItsKipz]

Same problem as @Sonic Angel Knight both on my phone and the school's chromebook.

Spoiler: picture

View attachment 74682

im on a chromebook and im getting that too

(btw am i the only one who hates these shitty laptops?)

 

[the_randomizer]

im on a chromebook and im getting that too

(btw am i the only one who hates these shitty laptops?)

The thing is, I would report it, but I don't know, I'm wary on doing so. I never had this issue until after the maintenance; before it however, it was fine.

Which one?

We can't say, it's against the rules. Google is your friend.

 

[mathieulh]

Well, Japanese is my second language (as I did live there for quite a while via internship and was forced to learn it if I wanted to communicate), so I can try that, and using Romaji.



I have the Google Authenticator app on my phone.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I use a different password to everything, I never use centralized password apps so I remember them all using mnemotechnics,
passwords all use upper case, lower case, special chars and digits and are all over at least 20 characters each.
I use 2FA wherever available, using only Secure token to store TOTP/HOTP secrets and I use U2F or PGP wherever supported.

Google Authenticator isn't secure, if an attacker compromises your endpoint/cell phone, he can extract the TOTP secrets
(which are used in conjunction with symetrical algorithms) and calculate all your 2FA codes, get a secure token like a Yubikey
to store your OTP secrets, that way these are kept separate from your device and malware can't get to those.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9C+AAoJEKa4nBz3AlIIg6kH/3mmM9lsCjLIGu7qluYcx9rj
go5spoh0DoPI4OCaz8mY7eZxarJdeUZIjRVMYDuMnYi7ZMdRXTfddUwmy++duL40
7Ej/l0y2k1EauL1ni8rwGeDUC2A6gdYVyq2Qgocw1XJQ7oXP6o3pMfGWH1GUktWE
uEafUWj+mf0zXNTM7vhaY1Sv/yF3axCNjOXvcmFumJpoAhSJbgRbsiT8Jk56UCnT
49DFThq11fGPEXgToTiT8yEW6ouyD9amg2TUR6GRHJ6UaPNOWX1387duVDx3Phin
dm0hQmoP6sqsJWHXKt13ZvCZCtR5wAH2ZZgBB0ty5xoKkHMcSJjBnbt8tQTxxdc=
=5rEG
-----END PGP SIGNATURE-----

 

[the_randomizer]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I use a different password to everything, I never use centralized password apps so I remember them all using mnemotechnics,
passwords all use upper case, lower case, special chars and digits and are all over at least 20 characters each.
I use 2FA wherever available, using only Secure token to store TOTP/HOTP secrets and I use U2F or PGP wherever supported.

Google Authenticator isn't secure, if an attacker compromises your endpoint/cell phone, he can extract the TOTP secrets
(which are used in conjunction with symetrical algorithms) and calculate all your 2FA codes, get a secure token like a Yubikey
to store your OTP secrets, that way these are kept separate from your device and malware can't get to those.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9C+AAoJEKa4nBz3AlIIg6kH/3mmM9lsCjLIGu7qluYcx9rj
go5spoh0DoPI4OCaz8mY7eZxarJdeUZIjRVMYDuMnYi7ZMdRXTfddUwmy++duL40
7Ej/l0y2k1EauL1ni8rwGeDUC2A6gdYVyq2Qgocw1XJQ7oXP6o3pMfGWH1GUktWE
uEafUWj+mf0zXNTM7vhaY1Sv/yF3axCNjOXvcmFumJpoAhSJbgRbsiT8Jk56UCnT
49DFThq11fGPEXgToTiT8yEW6ouyD9amg2TUR6GRHJ6UaPNOWX1387duVDx3Phin
dm0hQmoP6sqsJWHXKt13ZvCZCtR5wAH2ZZgBB0ty5xoKkHMcSJjBnbt8tQTxxdc=
=5rEG
-----END PGP SIGNATURE-----

Then what do you suggest, not use any kind of authentication? Because that's what it sounds like.

 

[x06xpower]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I use a different password to everything, I never use centralized password apps so I remember them all using mnemotechnics,
passwords all use upper case, lower case, special chars and digits and are all over at least 20 characters each.
I use 2FA wherever available, using only Secure token to store TOTP/HOTP secrets and I use U2F or PGP wherever supported.

Google Authenticator isn't secure, if an attacker compromises your endpoint/cell phone, he can extract the TOTP secrets
(which are used in conjunction with symetrical algorithms) and calculate all your 2FA codes, get a secure token like a Yubikey
to store your OTP secrets, that way these are kept separate from your device and malware can't get to those.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9C+AAoJEKa4nBz3AlIIg6kH/3mmM9lsCjLIGu7qluYcx9rj
go5spoh0DoPI4OCaz8mY7eZxarJdeUZIjRVMYDuMnYi7ZMdRXTfddUwmy++duL40
7Ej/l0y2k1EauL1ni8rwGeDUC2A6gdYVyq2Qgocw1XJQ7oXP6o3pMfGWH1GUktWE
uEafUWj+mf0zXNTM7vhaY1Sv/yF3axCNjOXvcmFumJpoAhSJbgRbsiT8Jk56UCnT
49DFThq11fGPEXgToTiT8yEW6ouyD9amg2TUR6GRHJ6UaPNOWX1387duVDx3Phin
dm0hQmoP6sqsJWHXKt13ZvCZCtR5wAH2ZZgBB0ty5xoKkHMcSJjBnbt8tQTxxdc=
=5rEG
-----END PGP SIGNATURE-----

wtf ? woah that's scary

 

[Patxinco]

Then what do you suggest, not use any kind of authentication? Because that's what it sounds like.

He's telling us to do this:

Get a secure token like a Yubikey
to store your OTP secrets, that way these are kept separate from your device and malware can't get to those.