Forum Breach - Summary of Investigation and Final Report
Here is the final report on the recent breach of our forums and outgoing mail services. On and before the months of May and June, our forums were subject to a mass-bruteforcing attack targeting accounts owned by staff, including administrators and moderators. We began implementing measures to mitigate the attack as soon as we detected it.
We were able to establish this timeline of events by iterating server backs-up and performing a forensic examination of all differences encountered.
Unfortunately, On the 8th of June a user account with access to the administrative parts of the forum and which failed to follow our strong requirements for randomized passwords was compromised. On the same day a dump of the forums was downloaded. Due to the confusing nature of how the PHPBB Administration logs work, this went unnoticed for a brief period of time as the admin logs were wiped clean by the compromised user.
Subsequently, on the 30th of June, the hackers decided to send out mass-mails via our forum software to all the users registered on the forum. The content of these emails were blatant lies and accusations of corruption and GM abuse, completely bereft of any substantiation. Despite the claiming possession of damning evidence found in forum records nothing was presented - an impossiblity since no such evidence exists.
The hackers claimed that "The security of the server is very bad and all user information not protected, simple sql users can access all other databases" - which is also not true. All of our SQL users have specific grants which grants them access only to the exact data that they need. The forum database and game server databases aren't even on the same server. None of your website or in-game credentials were discoverable in the dump.
As the systemops team lead, I can only apologize that your forum username, bcrypt hashed password, email, and IP addresses were compromised. We follow strong guidelines when it comes to security and all of our infrastructure is protected by bastion servers, firewalls and 2FA authentication. Unfortunately, security is only as good as the weakest link; which in this case was a user account with a password that was eventually bruteforced. It also took way too long for us to detect the breach on the forums.
To better our security on our webservices, we will be enforcing 2FA and other methods of authentication system wide such that no administrative or moderate panels, dashboards, or software can be compromised in the same way ever again. We will also look at modifying the phpbb software itself to ensure that new and unknown logins are better logged.
We are disgusted that the hackers released the private information of players in full, without any kind of redaction or anonymizing, thereby fully violating those players privacy and exposing them to spam, phishing attacks, and other unwanted attention. This was a poor attempt at discrediting the Light's Hope Project, however the only victims in this incident are you, the players.
To Elysium Project:
These conclusions are based in part on the following facts:
On the 8th of June (the same day of the breach) a user account with the name 'Ryudzake' signed up to our forums. This user used the same IP address as the hacker that compromised our forums. Doing a bit of googling, one can find the same user posting on a Russian Forum asking for how to upload a shell to a phpbb forum, as well as buying dictionary/bruteforce attacks on hashes:
Update: It appears that the posts have magically disappeared from this users account shortly after writing this post. Who could have thought. Please see the archived mirrors for the posts in question.
Interestingly enough, you can find the same user asking for "decryption" attempts on hashes for user accounts that were used by current Light's Hope staff on Elysium Project:
EFAD8ADC92D82321DEC9C20C6C43BEC036A604D7:BLAYDEZ sha1 mangos 5$ 766115c4605cbb9a9ce863814e78b22cd9dad9b3:SKEITHELYSIUM 1$ 34d0faf1105099216c4e773b34d44572e6399b05:TURINPT sha 1 mangos 1$ D73C4D749860760375F066EE923AB0270684156D:GEMT sha1 mangos 1 $ 43D4847C532653D9A8C66069FF0F2C321D86EE35:BROTALNIA sha1 mangos 1$ 3DEA76BB01C1E6827AAC12D5BD80459B3E8D2FA4:WHITEKIDNEY3 sha1 mangos 1$
Note: We also note that none of the hashes presented for bruteforcing are for current Elysium staff accounts - or any Elysium staff accounts at all, something we would expect to see if they were likewise compromised. To us, this further implies Elysium's participation in this attack. The user has also requested that numerous other hashes be bruteforced. In simple terms, 'Ryudzake' attempted to pay a third party to bruteforce the sha1 hashes to obtain a matching plaintext password.
An important note: Tekkaz never had access to the original logon database dump when we first split from Elysium and the passwords for a large amount of these users were changed before they were imported onto our servers.
This directly implies that whoever has access to these hashes has either hacked the Elysium Project and has access to their logon database or the Elysium Project is working together with the hacker(s) that compromised our forums
Therefore we ask the Elysium Project: Which one of these is true: Have you been hacked yourself? or are you the ones behind the attacks on our forums?
Personally, I believe the facts speaks for themselves. The likelyhood that a random hacker that has hacked both our forums and the Elysium Project would have any reason to send out these untruthful messages to our playerbase in attempt to severely damage our reputation and trust is so ridiculously small as to be non existant.
On behalf of our users, we have submitted the breach to haveibeenpwned.com and the incident has been reported to the FBI's IC3 center and Germany's Federal Police (Bundeskriminalamt) Cybercrime division.