Hello LFS racers,
We have become aware of a user, based in Turkey, who has obtained control of quite a few LFS licenses and is selling them online.
We are aware of approximately 50 licenses that were compromised. In each case the user has logged in using the web password and usually changed the email to one of his own emails. We have written to the affected account owners and we have a few more to investigate. In each case we have reverted the email to the previous email and set completely random passwords.
Yesterday I improved the security of accounts and will continue to work on it.
Before yesterday afternoon, it was possible to change any aspect of your account after logging in. Email, web password and game password could be updated instantly.
Changes I have made so far:
- You now get a notification email if anyone logs in using your account.
- WEBpassword can only be changed via an email (like the "Forgot your password" system).
- Email address cannot be changed at all. This is temporary (see below for plans).
- You receive a notification email if GAMEpassword is changed. I intend to duplicate the system for changing WEBpassword.
So now it should be impossible for you to lose control of your account. However, if your password is known to this 'hacker', they can obviously log in to your account and change various settings. At least you will receive an email if they do log in.
We do not know how the user has obtained passwords. We believe he may acquire the GAMEpassword somehow. If your WEBpassword is the same as your GAMEpassword then at that point he already can log in to your account. You should never use a GAMEpassword that is the same as your WEBpassword and it is extremely important not to use the same password as any other accounts you have that are important to you.
When writing to the people who had their accounts stolen, we have been asking them if they have any clue how their information could have got out, if they used LFS credentials anywhere or installed software that could be relevant. Unfortunately we get very few replies, which has also been the case in the past.
I could not find any evidence of "brute force" attacks (using thousands of attempts to guess passwords).
Even though it may sound repetitive:
- Please, DO NOT use a GAMEpassword that is the same as your WEBpassword
- Please, DO NOT use passwords that are the same as the passwords on any other accounts you care about
Current plans for changing email:
I think two methods must be implemented.
1) If you have access to the old email to receive a code there, it could be updated in a similar way to WEBpassword - via an email sent to your old email address.
2) If you do not have access to the old email but can log in using your password, I intend to send an email to the old email anyway (to warn the user, in case the logged-in user is really a hacker trying to gain control of your account), and after 1 week you will be allowed to change your email using the current system (which is temporarily disabled).
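The account flows described in this post (login notification mail, WEBpassword changed only through an emailed code, and the two planned email-change methods: a code sent to the old address, or a warning to the old address followed by a one-week wait), as an added Python example that is not the LFS site's own code. Everything in it is an assumption for illustration: the in-memory store, the FakeClock, the one-hour code lifetime, the outbox list standing in for real mail delivery, and the cancel link in the warning mail, which the post does not mention. Codes are stored only as a hash and are single use, and a new WEBpassword equal to the GAMEpassword is refused, as the post advises.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 200_000
TOKEN_TTL = timedelta(hours=1)          # assumed lifetime of an emailed code
EMAIL_CHANGE_DELAY = timedelta(days=7)  # the "1 week" wait from the post

class FakeClock:
    """Controllable clock so the one-week delay can be exercised offline."""
    def __init__(self):
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)

def hash_password(pw, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def check_password(pw, salt, digest):
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)

@dataclass
class Account:
    email: str
    web_salt: bytes
    web_hash: bytes
    game_salt: bytes
    game_hash: bytes
    pending_email: str = None
    email_change_ready_at: datetime = None

class AccountService:
    def __init__(self, clock):
        self.clock = clock
        self.accounts = {}
        self.tokens = {}   # sha256(code) -> (kind, username, expiry, payload); only the hash is stored
        self.outbox = []   # (recipient, subject) pairs standing in for real mail delivery
    def _mail(self, to, subject):
        self.outbox.append((to, subject))
    def _issue(self, kind, username, payload=""):
        tok = secrets.token_urlsafe(32)
        key = hashlib.sha256(tok.encode()).hexdigest()
        self.tokens[key] = (kind, username, self.clock.now + TOKEN_TTL, payload)
        return tok
    def _redeem(self, tok, kind):
        entry = self.tokens.pop(hashlib.sha256(tok.encode()).hexdigest(), None)  # pop: single use
        if entry is None or entry[0] != kind or entry[2] < self.clock.now:
            raise PermissionError("invalid, expired or already used code")
        return entry[1], entry[3]
    def register(self, username, email, web_pw, game_pw):
        if web_pw == game_pw:
            raise ValueError("GAMEpassword must differ from WEBpassword")
        ws, wh = hash_password(web_pw)
        gs, gh = hash_password(game_pw)
        self.accounts[username] = Account(email, ws, wh, gs, gh)
    def login(self, username, web_pw):
        acct = self.accounts[username]
        if not check_password(web_pw, acct.web_salt, acct.web_hash):
            return False
        self._mail(acct.email, "login notification")   # sent on every successful login
        return True
    # WEBpassword is never changed from a logged-in session, only with an emailed code.
    def request_web_password_change(self, username):
        tok = self._issue("web_pw", username)
        self._mail(self.accounts[username].email, "web password change code")
        return tok   # returned only so the demo can use it; in production it travels by email alone
    def confirm_web_password_change(self, tok, new_pw):
        username, _ = self._redeem(tok, "web_pw")
        acct = self.accounts[username]
        if check_password(new_pw, acct.game_salt, acct.game_hash):
            raise ValueError("WEBpassword must differ from GAMEpassword")
        acct.web_salt, acct.web_hash = hash_password(new_pw)
        self._mail(acct.email, "web password changed")
    # Method 1: a code sent to the OLD address confirms the new address at once.
    def request_email_change(self, username, new_email):
        tok = self._issue("email", username, new_email)
        self._mail(self.accounts[username].email, "email change code")
        return tok
    def confirm_email_change(self, tok):
        username, new_email = self._redeem(tok, "email")
        self.accounts[username].email = new_email
    # Method 2: no access to the old address: warn it, then allow the change after one week.
    def request_delayed_email_change(self, username, new_email):
        acct = self.accounts[username]
        acct.pending_email = new_email
        acct.email_change_ready_at = self.clock.now + EMAIL_CHANGE_DELAY
        self._mail(acct.email, "warning: email change requested, applies in 7 days")
    def cancel_pending_email_change(self, username):
        # Assumed cancel link in the warning mail, so only the old address's owner can stop the change.
        acct = self.accounts[username]
        acct.pending_email = acct.email_change_ready_at = None
    def finish_delayed_email_change(self, username):
        acct = self.accounts[username]
        if acct.pending_email is None or self.clock.now < acct.email_change_ready_at:
            return False
        acct.email, acct.pending_email, acct.email_change_ready_at = acct.pending_email, None, None
        return True
```

The one-week wait only protects the owner if the warning mail actually gives them a way to act, which is why the assumed cancel path is included; without it the delay is just a slower takeover.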