Dear LFS Racers,
An update on the recent thread about a leak of LFS passwords from an unknown source.
After an LFS user admitted having a list of tens of thousands of username + password combinations, after some heated discussion on a thread that has now been removed, the user admitted he shouldn't have done this and decided to send the information, to start to put right the situation.
We are grateful for this action. After the initial disruption, this was the right thing to do.
I have started to analyse the data. I don't want to give exact figures but the user names are in the 10s of thousands.
Of these, roughly 5% are invalid (too short or too long, can't possibly be an LFS user name).
Of the possibly valid names, around 40% are not found in our database.
The other 60% are valid user names. Of these, more than 90% are DEMO and under 10% are LICENSED.
So many user names are invalid, proving that if these names come from a single source, it's not an official LFS source. I believe that people may have used their username somewhere else. Maybe in a pirate community or in some other app that required their user name.
I will do further checks on this data, but wanted to give you an update on the progress so far. Many of the licensed users will need to be contacted in some way, probably by an automated email.
I'll leave the thread closed for now as I don't really think I need more info at this point.
Changes I have made in the past few days regarding security:
- You now get a notification email if anyone logs in using your account.
- WEBpassword can only be changed via an email (like the "Forgot your password" system).
- GAMEpassword can also only be changed via an email.
So now it should be impossible for you to lose control of your account if you haven't already. Although for all the accounts we have not yet protected, if your password is known to any hackers with this data, they can obviously log in to your account and change various settings. At least you will receive an email if they do log in.
A note on security, even if it may sound repetitive:
- Please, DO NOT use a GAMEpassword that is the same as your WEBpassword
- Please, DO NOT use passwords that are the same as the passwords on any other accounts you care about
- NEVER ENTER YOUR LFS USERNAME AND PASSWORD INTO ANOTHER WEBSITE OR PROGRAM
- IF YOU HAVE EVER ENTERED YOUR USERNAME AND PASSWORD SOMEWHERE ELSE - CHANGE YOUR PASSWORDS NOW!
Thank you for reading.
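The triage described in the post above, as an added Python example that is not LFS code and not part of the original post: it sorts leaked `username:password` lines into invalid, not found, DEMO and LICENSED, then checks which leaked passwords still open an account. The length limits, the account table, the PBKDF2 storage scheme, the email addresses and all sample lines are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Assumed bounds; the post only says some names are "too short or too long".
MIN_LEN, MAX_LEN = 3, 24

def pw_hash(password, salt):
    # Stand-in storage scheme for this demo, not the scheme LFS uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password, licence, email):
    salt = os.urandom(16)
    return {"salt": salt, "hash": pw_hash(password, salt),
            "licence": licence, "email": email}

# Constructed account table, keyed by lower-cased user name.
ACCOUNTS = {
    "speedy": make_account("hunter2", "LICENSED", "speedy@example.com"),
    "drifter": make_account("s3cret!", "DEMO", "drifter@example.com"),
    "oldtimer": make_account("changed-since", "LICENSED", "old@example.com"),
}

# Constructed sample of leaked lines, including malformed ones.
LEAK = ["Speedy:hunter2", "drifter:s3cret!", "oldtimer:stale-pass",
        "ab:x", "nobody_here:letmein", "broken line without separator"]

def triage(lines, accounts):
    counts, notify = Counter(), []
    for line in lines:
        # Split on the first colon only, so passwords may contain colons.
        name, sep, password = line.partition(":")
        name = name.strip()
        if not sep or not (MIN_LEN <= len(name) <= MAX_LEN):
            counts["invalid"] += 1      # cannot possibly be a user name
            continue
        acct = accounts.get(name.lower())
        if acct is None:
            counts["not_found"] += 1    # plausible name, not in the database
            continue
        counts[acct["licence"].lower()] += 1
        # Constant-time comparison of the leaked password against the stored hash.
        if hmac.compare_digest(pw_hash(password, acct["salt"]), acct["hash"]):
            counts["password_still_valid"] += 1
            notify.append(acct["email"])  # assumed policy: email every live match
    return counts, notify

if __name__ == "__main__":
    print(triage(LEAK, ACCOUNTS))
```

A high share of `invalid` and `not_found` entries is the same signal the post relies on to conclude the list did not come from the service's own database.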