Status
Not open for further replies.

Addressing the recent user account hack scare

Dear GBAtemp members and visitors,

It has come to our attention that over the past two days, a person has somehow been able to access a few user accounts on our forums. Shortly after, rumors started blossoming regarding a possible site/forum/database hack or a password leak. After an extensive search into server logs and lookup tools we have no reason to believe that any part of our site has been compromised.

At this point, as several people have suggested already, we believe that the reason this intrusion happened is because another site (an illegal ROM/ISO download site) was recently hacked and the password database was exposed to the public. Since a portion of our members was also registered on that site, possibly using the same password, this could explain the recent scare.

Even though we have no reason to believe our site has been compromised, we have taken a series of measures to reinforce account security on GBAtemp. Firstly, we have reviewed security on the server and all components of our site to make sure everything is up to date and secure. Some components of the forum software have been updated and following this update, one or two add-ons have ceased functioning. If you see anything that isn't working as expected, please use our Site discussions and suggestions forum to report the issue.

At this point, we recommend that all our members change their password and enable two-factor authentication. We are sending out e-mails to all our members to inform them of this situation and to recommend that they change their password. We strongly recommend using a unique and complex password, not just here but on every site you are registered on.

If you have any information that may help us get a better grasp on the situation, please get in touch with a member of the staff. Thank you for your understanding!

The staff
 

Saiyan Lusitano

Guest
Yeah, which is weird, someone used the same username on Snapchat, lol like I'd ever used that site.
Someone on Instagram has my exact real name but what's weird about it is that it was an Oriental girl with a male western name. I never use my real name outside of places like Amazon, other retailers and banks.

Oh... I sign up for freebies which never arrive -- this explains it.
 

Gizametalman

Banned!
Banned
Joined
Dec 18, 2015
Messages
974
Trophies
0
Age
30
Location
D.F. - Zona Cero.
XP
730
Country
Mexico
Someone on Instagram has my exact real name but what's weird about it is that it was an Oriental girl with a male western name. I never use my real name outside of places like Amazon, other retailers and banks.

Oh... I sign up for freebies which never arrive -- this explains it.
I dunno, but you shouldn't be sayin' that you use your real name in a bank account.
We just got hacked, they're probably gonna use any information that you may give them.
Even small information such as "I use my real name in this or that" will suffice to make malicious things.
Of course, if they decide to target you.
 

Deleted User

Guest
Yeah, which is weird, someone used the same username on Snapchat, lol like I'd ever used that site.
I only use Snapchat for sending the pictures I take of random shit I see outside to a small handful of friends, but not even that really.
 

Keith_Loving

Well-Known Member
Newcomer
Joined
Feb 20, 2010
Messages
48
Trophies
0
XP
216
Country
United States
This thoroughly pisses me off, please create a program where each user can input their account number to check if their account has in fact been accessed by another user. Or have the forum MODS contact the members of the site, where it is known unauthorized access has been done. This can be easily checked with the MOD tools. Go to "Track Users by IP". Any matching IPs will obviously reveal a user accessing multiple accounts. At least PM me to tell me that I am the only user accessing my account on GBAtemp....

Why not add a tool on the user profile so the user can input only the IP addresses they want to use with their account and let the members manage their own IP restrictive access to their account on here.

thanks
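
The IP-matching check suggested in the post above, sketched as an added example (not GBAtemp's or the forum software's own code): it flags source IPs that logged in to several distinct accounts within a short window. The log format, thresholds, function names and every sample value are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logins: "ISO-timestamp user_id source_ip".
# Format and values are made up for this example (IPs are documentation ranges).
SAMPLE_LOG = """\
2017-01-10T08:01:12 1001 198.51.100.7
2017-01-10T08:03:40 1002 203.0.113.50
2017-01-11T21:14:05 1001 192.0.2.99
2017-01-11T21:15:31 1003 192.0.2.99
2017-01-11T21:17:02 1004 192.0.2.99
2017-01-11T22:40:00 1002 203.0.113.50
2017-01-12T09:00:00 1005 198.51.100.23
2017-01-12T09:05:00 1006 198.51.100.23
"""

def parse(log_text):
    """Yield (timestamp, user_id, ip) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def shared_ip_logins(log_text, min_accounts=3, window=timedelta(hours=1)):
    """Return {ip: sorted user_ids} for IPs that logged in to at least
    `min_accounts` distinct accounts within any `window`-long span."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                flagged.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}

def accounts_to_notify(log_text, **kwargs):
    """Accounts seen from a flagged IP: candidates for contact and a reset."""
    hits = shared_ip_logins(log_text, **kwargs)
    return sorted({u for users in hits.values() for u in users})
```

A match is a lead rather than proof: households, campus NAT, VPN exits and mobile carriers put unrelated users behind one address, which is why the default threshold here ignores two accounts sharing an IP.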
 

Costello

Headmaster
OP
Administrator
Joined
Oct 24, 2002
Messages
14,206
Trophies
4
XP
19,845
This thoroughly pisses me off, please create a program where each user can input their account number to check if their account has in fact been accessed by another user. Or have the forum MODS contact the members of the site, where it is known unauthorized access has been done. This can be easily checked with the MOD tools. Go to "Track Users by IP". Any matching IPs will obviously reveal a user accessing multiple accounts. At least PM me to tell me that I am the only user accessing my account on GBAtemp....
we have already contacted all of the user accounts we believe have been accessed by a third party, there weren't many.
you weren't one of them

Why not add a tool on the user profile so the user can input only the IP addresses they want to use with their account and let the members manage their own IP restrictive access to their account on here.
you can achieve pretty much that with two-factor authentication. Use Google Authenticator, it's pretty easy to use and it's safe
 

Nevermore

Well-Known Member
Member
Joined
Jun 16, 2014
Messages
357
Trophies
0
XP
1,242
Country
United States
Which ISO site was hacked? Not sure which account I should be wary of (I mix and match all over the place).

PM me the name of the one, if it's against the rules to say. No need for a link, just the name so I know.
 

TotalInsanity4

GBAtemp Supreme Overlord
Member
Joined
Dec 1, 2014
Messages
10,800
Trophies
0
Location
Under a rock
XP
9,814
Country
United States
Which ISO site was hacked? Not sure which account I should be wary of (I mix and match all over the place).

PM me the name of the one, if it's against the rules to say. No need for a link, just the name so I know.
The 3DS one, if memory serves. No idea if they share account info though
 

Deleted User

Guest
I dunno, but you shouldn't be sayin' that you use your real name in a bank account.
We just got hacked, they're probably gonna use any information that you may give them.
Even small information such as "I use my real name in this or that" will suffice to make malicious things.
Of course, if they decide to target you.
Well, Bank accounts sometimes need your Tax ID (in the US anyways) and that needs to match your real legal name.
 

Chary

Never sleeps
Chief Editor
Joined
Oct 2, 2012
Messages
12,353
Trophies
4
Age
27
Website
opencritic.com
XP
128,901
Country
United States
Which ISO site was hacked? Not sure which account I should be wary of (I mix and match all over the place).

PM me the name of the one, if it's against the rules to say. No need for a link, just the name so I know.
Both ones whose names are that of Nintendo's current handheld and console. Both were compromised.
 

Asia81

Yuri Lover ~
Member
Joined
Nov 15, 2014
Messages
6,662
Trophies
3
Age
29
XP
3,535
Country
France
I got hacked too, but I have my account back.
Idk why I got disconnected and my password didn't work anymore, so I asked by mail for a forgotten password.
 

RedBlueGreen

Well-Known Member
Member
Joined
Aug 10, 2015
Messages
2,026
Trophies
1
XP
2,538
Country
Canada
I got hacked too, but I have my account back.
Idk why I got disconnected and my password didn't work anymore, so I asked by mail for a forgotten password.
Was your password similar to the one from that ISO site? I'm just wondering how much other users have to worry.
 

Asia81

Yuri Lover ~
Member
Joined
Nov 15, 2014
Messages
6,662
Trophies
3
Age
29
XP
3,535
Country
France
Was your password similar to the one from that ISO site? I'm just wondering how much other users have to worry.
No, it was a random strong password generated by LastPass, using 18 characters
Something like WAqse0iw0ZbM1nx4E4 (Example, not the old and not the new, of course xD).
 

SonicRings

Well-Known Member
Member
Joined
Oct 7, 2012
Messages
1,837
Trophies
1
Location
Johto
XP
1,865
Country
Canada
Enable two-factor authentication? No thanks, don't want to be absolutely screwed if I happen to lose my phone and the backup codes! I'll stick to my randomly generated passwords :P
 

kuwanger

Well-Known Member
Member
Joined
Jul 26, 2006
Messages
1,510
Trophies
0
XP
1,783
Country
United States
2FA is never an overkill. The use of U2F can mitigate your convenience issue.
I will add that centralizing passwords is a bad idea.

In my eyes there should be no compromises when security is involved.

So, you think 2FA is a good idea for a padlock on, say, a storage box? Not at all overkill? Meanwhile, where is U2F actually used? And how much does it help if I (likely) leave it in my computer all the time for the "convenience issue"? The only way that someone should be able to get my passwords on my end is precisely through the same sort of attack that would render U2F mostly (if not entirely) ineffective. Finally, if centralizing passwords is a bad idea, what would you recommend? Not having passwords? Because intrinsically if I remember all my passwords, I'm centralizing them all.

BTW, a quick check and it sounds like U2F would be vulnerable to side channel attacks. The only known way to mitigate that kind of attack consistently, even when you know of the channel of attack, is through consistent timing of events. I.e., a trade off of security over performance. So, uh, what sort of system do you run?
 