
[SECURITY NOTIFICATION] Administrator account compromised - 19/08/21


Nervous


Hello everyone,

 

On 19/AUGUST/2021, two forum accounts were compromised:

@ThatMuricanGuy and @Groz

 

The attacker immediately logged in to the accounts without any failed attempts, and then used Groz's account to change my password in order to log in to my account:

qOPPuS9.png

 

When I got disconnected, I immediately understood something was wrong and cut the forum access completely to everyone.

I brought the forum online for my IP only, and investigated the logs. Upon observing what happened, I took the following actions:

- Groz / ThatMuricanGuy / Nervous forum accounts' emails and passwords were changed.

- Groz / ThatMuricanGuy / Nervous UCP accounts' emails and passwords were changed.

- Groz's Discord account got its roles removed until I have confirmation he had 2FA set up (no answer yet)

 

The attacker was able to log in to ThatMuricanGuy's UCP account as his 2FA wasn't enabled:

iLeuhfC.jpg

However, no actions were done other than this, no searches or anything.

 

The only really malicious actions performed were from Groz's forum account, where the attacker got time to download the memberlist: 

nvbg05b.jpg

 

This memberlist contains the following fields:

DXIw4V9.png

 

Which means the following important information was leaked due to the breach:

- Your forum username

- Your forum associated email

- Your forum last IP used

 

Your encrypted passwords are not at risk at all as they cannot be accessed from any account and weren't accessed by the attacker.

Once again and as I repeat very often, you MUST use unique passwords on every website you go on. If your current GTAW password isn't unique, CHANGE IT.

 

Actions remaining to do:

  • CNIL notification:
    • I am currently writing an official notification to the CNIL (Commission nationale de l'informatique et des libertés) which is a French governmental organization that is required to be notified once personal data are leaked or a breach happens. I'll update here with whatever I can attach from it.
  • Police report:
    • I'll be filing a police complaint in the next hours too and update here with what I can attach from it.

I will be updating this thread as the legal procedure goes forward and as we perform more actions.

Once again, you don't /need/ to change your password as it wasn't affected at all, but it is recommended if it wasn't unique.

 

Such breaches are unfortunately very common on forums but I have always been very transparent with the community when it comes to security incidents, as I don't wish to hide it from you. The goal is to be 100% transparent on all actions, same for legal actions that will follow.


We've been able to identify the user responsible for the attack.

 

Username: liq543

His HWID, Rockstar name, emails, and various IPs (mostly used through VPN / servers) have been added to the police report and also completed in the CNIL report.

 

I have already been contacted by an officer from the CNIL for an appointment tomorrow to discuss the next steps to take.

On our side, 2FA is now forced for all administrators on the forum and will soon be forced on UCP.

We're also working on implementing an in-game lock based on your Rockstar account, which means that if anyone breaches your in-game account, they'll also need to breach your Rockstar account to log in.


2FA is now force-enabled on UCP for all supports / admins.

 

I would also like to thank some of you who came up with extremely valuable information about the user, including his full name and address. However, remember to never share the information you could find publicly; even here, it would still be considered doxxing if you share anything about the attacker's IRL life.

This will be logged in the police file and used by the law enforcement agency directly.

This topic is now closed to further replies.