PSA: Change Your Doomworld Password

We sure do have a lot of rules and guidelines threads - find them all here, and please make sure you've read them! Also, community-wide announcements (that aren't major ZDoom News) go here as well.
User avatar
Kinsie
Posts: 7352
Joined: Fri Oct 22, 2004 9:22 am
Graphics Processor: nVidia with Vulkan support
Location: MAP33

PSA: Change Your Doomworld Password

Post by Kinsie »

Apparently some script kiddy knocked over the Doomworld database and spilled a bunch of the contents, including encrypted passwords. Now, they're encrypted with bcrypt, so the odds of them being cracked are pretty damn low to say the least, so you probably shouldn't freak out too much. That being said, it can't really hurt to err on the side of caution and change your Doomworld password anyway. It takes like ten seconds!

Also: The passwords of any sites you used the same password on. You really shouldn't reuse passwords across multiple sites for exactly this reason! I recommend using a password manager like KeePass to keep everything straight.

If you don't have a Doomworld account, then this thread doesn't apply to you, and reading it was probably a waste of your time. I'm sorry. Please accept this overelaborate screen capture mechanism as compensation:
Image
User avatar
Kinsie
Posts: 7352
Joined: Fri Oct 22, 2004 9:22 am
Graphics Processor: nVidia with Vulkan support
Location: MAP33

Re: PSA: Change Your Doomworld Password

Post by Kinsie »

Doomworld Statement
Linguica wrote:As you may have heard by now, Doomworld (probably) got pwned by a script kiddie. I don't know what databases were accessed but they claim email addresses and password hashes, at the least. I will be looking into this further of course.

To summarize what you should know about your account:
  • We don't store your password directly, but the output of a salted and hashed one-way algorithm. You can change your password if you wish but no one should be able to decrypt it anyway.
  • If you signed up using an OpenID service like Twitter, Google etc, we only store some sort of token, no password or password-related data ever touches our end, so you shouldn't have to worry.
  • The forum's admin panel uses 2-factor authentication so I don't particularly think that anything sensitive could have been accessed or changed that way, but if someone exfiltrated the database via other means it wouldn't really matter.
  • As the admin, this is ultimately my fault, and I am very sorry it has happened. I will have to consider this and consult with others to decide what sort of site changes need to be made to help fix this situation. In general this is a good opportunity to consider your password hygiene and begin using a password manager with unique passwords if you haven't done so.
User avatar
Redneckerz
Spotlight Team
Posts: 993
Joined: Mon Nov 25, 2019 8:54 am
Graphics Processor: Intel (Modern GZDoom)

Re: PSA: Change Your Doomworld Password

Post by Redneckerz »

Just a heads up, thanks Kinsie for sharing this. :)

Return to “Rules and Forum Announcements”