# User Account Compromises and Game Vandalism

##### 16th November 2018

*Apologies for typos, it's been a long day.*

*There were 6 typos. :)*

### UPDATE 17th November 2018 - 2:15AM GMT

The database has been restored to the 15th of November, 2018. Any changes made in the last 24 hours have been lost and *may* be cherry-picked from the 16th of November backup if deemed worthy.

You will be FORCED to reset your password on login by using the Forgot Password functionality on the site. You must have access to your e-mail for this. If for any reason you do not have access to the e-mail address associated with your account, you must go through a validation process with an Admin to get your account back. It is YOUR responsibility to keep your details up to date.

If you're concerned your account may have been breached, please read this document, reset your passwords and take the ***Advice*** provided at the bottom of the document seriously.

### The issue at hand:

As many of you may have experienced today if you were using Speedrun.com, many user accounts that were moderators on popular games (such as Ocarina of Time and Celeste) were vandalised through unauthorised access to those game moderators' accounts. Speedrun.com's database is, at this time, believed not to be compromised, as there are no signs pointing to this in any of the logs we keep of access to the system. Several of the compromised accounts were compared, using a database backup of the website running on a local environment, against a database dump for **XSplit Broadcaster** that was leaked in 2015.
The accounts tested were a 100% (password) match under one of the following, each of which was either linked or associated to their Speedrun.com profile:

* Username used on XSplit being the same as the Speedrun.com username
* Email used on XSplit being the same as an email associated with the Speedrun.com account
* Billing address (email, PayPal) on XSplit being the same as an email used on Speedrun.com

### What's going on:

Pac is currently either asleep (he is in Japan) or AFK and cannot be contacted at this point in time. Myself (Volvagia) and Kabukiman are in a private encrypted chat with Pac at all times and have left messages for him to read once he wakes up or is available.

A database backup of the website is taken very regularly. We have copies of the database from before, during and after these events. The only things that may be lost are themes, as themes and images are not stored within our version control solution because they consume a large amount of space. If you have experience with version control, you'll know why this is.

At worst, some themes were lost, and many users use passwords that were cracked from previously vulnerable systems in 2015. We may (probably will) enforce a site-wide password reset and compare your username and password against the XSplit 2015 database to ensure you DO NOT use this password again. Many people apparently have... which is very frustrating, not only for us, but knowing you're leaving yourself vulnerable if you're one of the people who were affected.

Updates to follow on this at [@volvagia224](https://twitter.com/volvagia224) on Twitter or here on the SRC Twitter.

### Advice:

**You should NEVER use the same password on more than one application, and enable 2FA (Two Factor Authentication) wherever possible.**

Please change your passwords regularly and use a strong password. Not all lowercase with something like "mynameisxhello" - ensure you have capitalisation, special characters and numbers within your password and that it is reasonably long.
Make extremely strong passwords, absurd in length, containing special characters, uppercase and lowercase letters along with numbers, and store them in a password manager responsibly. Two I'd recommend are as follows:

* https://keepass.info/
* https://lastpass.com/

Take your pick.

Cheers,

---

Volvagia
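As an added illustration of the two checks described under "What's going on" (comparing linked accounts against a leaked dump, and refusing a leaked password at reset time), here is a small Python script. It is not Speedrun.com's code: the site's real password hashing is not described on this page, so the script assumes salted PBKDF2-HMAC-SHA256 for the site and plaintext (or already cracked) passwords in the dump, and every username, e-mail address and password in it is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Set

# ASSUMPTION: the site stores salted PBKDF2-HMAC-SHA256 hashes. The iteration
# count is kept low so the example runs quickly; use far more in production.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(hash_password(password, salt), stored)


def build_leak_index(leak_records: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map every identifier in the leaked dump (username, account e-mail,
    billing e-mail) to the set of plaintext passwords seen with it."""
    index: Dict[str, Set[str]] = {}
    for rec in leak_records:
        for key in ("username", "email", "billing_email"):
            ident = (rec.get(key) or "").strip().lower()
            if ident:
                index.setdefault(ident, set()).add(rec["password"])
    return index


def linked_identifiers(user: dict) -> Set[str]:
    """Username plus every e-mail address associated with the site account."""
    idents = {user["username"].lower()}
    idents.update(e.lower() for e in user.get("emails", []))
    return idents


def leaked_passwords_for(user: dict, leak_index: Dict[str, Set[str]]) -> Set[str]:
    """All passwords that leaked against any identifier linked to this user."""
    found: Set[str] = set()
    for ident in linked_identifiers(user):
        found.update(leak_index.get(ident, ()))
    return found


def find_compromised(site_users: Iterable[dict], leak_index: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {username: [identifiers]} for accounts whose current site
    password equals a password leaked against one of their identifiers."""
    hits: Dict[str, List[str]] = {}
    for user in site_users:
        matched = []
        for ident in sorted(linked_identifiers(user)):
            for pw in leak_index.get(ident, ()):
                if verify_password(pw, user["salt"], user["pw_hash"]):
                    matched.append(ident)
                    break
        if matched:
            hits[user["username"]] = matched
    return hits


def new_password_allowed(user: dict, candidate: str, leak_index: Dict[str, Set[str]]) -> bool:
    """Reset-time check: refuse any password that leaked against this user."""
    return candidate not in leaked_passwords_for(user, leak_index)


def make_user(username: str, emails: List[str], password: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "emails": emails, "salt": salt,
            "pw_hash": hash_password(password, salt)}


# Constructed sample data; none of these records come from any real dump.
LEAK = [
    {"username": "runner_a", "email": "a@example.org", "billing_email": "", "password": "hunter2"},
    {"username": "xsplit_b", "email": "b-old@example.org", "billing_email": "b-pay@example.org",
     "password": "mynameisxhello"},
    {"username": "someone", "email": "c@example.org", "billing_email": "", "password": "letmein"},
]

SITE_USERS = [
    make_user("runner_a", ["a@example.org"], "hunter2"),             # same username and password: compromised
    make_user("mod_b", ["b-pay@example.org"], "mynameisxhello"),    # linked only via billing e-mail: compromised
    make_user("mod_c", ["c@example.org"], "a-Different!Passw0rd"),   # identifier overlaps, password does not
    make_user("mod_d", ["d@example.org"], "hunter2"),                # reused password, no overlapping identifier
]

LEAK_INDEX = build_leak_index(LEAK)

if __name__ == "__main__":
    for name, idents in find_compromised(SITE_USERS, LEAK_INDEX).items():
        print(f"{name}: site password matches the leak via {', '.join(idents)}")
    print("runner_a may reuse 'hunter2':", new_password_allowed(SITE_USERS[0], "hunter2", LEAK_INDEX))
```

The fourth constructed user shows the limit of matching on linked identifiers, which is the comparison the post describes: `mod_d` reuses a leaked password but shares no username or e-mail with the dump, so neither check catches it. Catching that case means testing every account against every leaked password regardless of identifier (or against a general compromised-password list), which is far more hashing work but is what a site-wide reset should really enforce.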