chazragg

BlankMediaGames data breach


Posted · Original Poster

It would appear BlankMediaGames has been the victim of a data breach.

 

Direct from my Have I Been Pwned email

 

Quote
Breach: BlankMediaGames
Date of breach: 28 Dec 2018
Number of accounts: 7,633,234
Compromised data: Browser user agent details, Email addresses, IP addresses, Passwords, Purchases, Usernames, Website activity
Description: In December 2018, the Town of Salem website produced by BlankMediaGames suffered a data breach. Reported to HIBP by DeHashed, the data contained 7.6M unique user email addresses alongside usernames, IP addresses, purchase histories and passwords stored as phpass hashes. DeHashed made multiple attempts to contact BlankMediaGames over various channels and many days but had yet to receive a response at the time of publishing.

 

 

edit: some extra information courtesy of rcmaehl 

Quote

BMG's website didn't support SSL to begin with. Additionally, functions used to hash/encrypt passwords were weak as they are using a FIVE year old version of their forum software. It honestly was just a matter of time before this happened to them.


this one is really bad.


DISCLAIMER: ANYTHING I SAY COULD BE WRONG. DO YOUR OWN RESEARCH! 

PC: 2X XEON X5650 | GTX 690 | 2X 240GB SSD | 24GB RAM Windows 10

MacBook: I5 3210M HD4000 | 1 TB SSD | 16GB RAM | macOS Mojave / Windows 10

2 minutes ago, chazragg said:

DeHashed made multiple attempts to contact BlankMediaGames over various channels and many days but had yet to receive a response at the time of publishing.

._. damn.

 

  1. change passwords, also if the same password is used elsewhere
  2. use different passwords
  3. don't use "password" for password
  4. if email is used for sensitive IRL services, consider changing emails.

nice, I just got my email as well. This is my 11th data breach (according to haveibeenpwned), feels normal nowadays.


sennheisermasterrace


So, these guys make cheap browser games? All I can see looking them up is Town of Salem, something I've never heard of or played. Do they do anything else either?

14 minutes ago, Ryujin2003 said:

So, these guys make cheap browser games? All I can see looking them up is Town of Salem, something I've never heard of or played. Do they do anything else either?

Well, that 7 million data could have been simply 7 million accounts. 1 person could have registered multiple accounts. 


I really should get around to changing all my passwords where I don't have 2FA


I spent $2500 on building my PC and all i do with it is play MTGA & watch anime at 720p...

Builds:

The Toaster Project! Northern Bee! The Cassette Deck!

 

The original LAN PC build log! (Old, dead and replaced by The Toaster Project & 5.0)

Spoiler

"Here is some advice that might have gotten lost somewhere along the way in your life. 

 

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut; and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

 

Follow these simple rules in life, and I promise you, things magically get easier. " - MageTank 31-10-2016

 

 

Posted · Original Poster
1 minute ago, Bananasplit_00 said:

I really should get around to changing all my passwords where I don't have 2FA

I made the switch to LastPass and a YubiKey 2 years ago and would never go back.


Original Post is missing a lot but here's some stuff to add to it

 

BMG's website didn't support SSL to begin with. Additionally, functions used to hash/encrypt passwords were weak as they are using a FIVE year old version of their forum software. It honestly was just a matter of time before this happened to them.


NotCPUCores Dev | Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 2933MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS


 


Well crap.

 

I don't really want to change my password yet though... It sounds like they haven't increased their security so I could theoretically get breached again. Luckily I changed the password for all the websites I use the most recently and didn't change mine for BMG so it shouldn't be TOO big a deal


Make sure to quote me or tag me when responding to me, or I might not know you replied! Examples:

 

Do this:

Quote

And make sure you do it by hitting the quote button at the bottom left of my post, and not the one inside the editor!

Or this:

@DocSwag

 

Buy whatever product is best for you, not what product is "best" for the market.

 

I seem to like any products who have the same software and hardware maker, as long as it's not Apple. Weird. I like the Surface Book and the Pixel phones, but most definitely don't want an iPhone (I'm not saying they're bad, though).

 

Interested in computer architecture? Still in middle or high school? P.M. me!

 

I love computer hardware and feel free to ask me anything about that (or phones). I especially like SSDs. But please do not ask me anything about Networking, programming, command line stuff, or any relatively hard software stuff. I know next to nothing about that.

 

Compooters:

Spoiler

Desktop:

Spoiler

CPU: i7 6700k, CPU Cooler: be quiet! Dark Rock Pro 3, Motherboard: MSI Z170a KRAIT GAMING, RAM: G.Skill Ripjaws 4 Series 4x4gb DDR4-2666 MHz, Storage: SanDisk SSD Plus 240gb + OCZ Vertex 180 480 GB + Western Digital Caviar Blue 1 TB 7200 RPM, Video Card: EVGA GTX 970 SSC, Case: Fractal Design Define S, Power Supply: EVGA Supernova G1 650 watt (soon to be Seasonic Focus+ Gold 650w Yay!), Keyboard: Logitech G710+, Mouse: Logitech G502 Proteus Spectrum, Headphones: Creative Fata1ty, Monitor: LG 29um67 (2560x1080 75hz freesync)

Home Server:

Spoiler

CPU: Pentium G4400, CPU Cooler: Stock, Motherboard: MSI h110l Pro Mini AC, RAM: Hyper X Fury DDR4 1x8gb 2133 MHz, Storage: PNY CS1311 120gb SSD + two Segate 4tb HDDs in RAID 1, Video Card: Does Intel Integrated Graphics count?, Case: Fractal Design Node 304, Power Supply: Seasonic 360w 80+ Gold, Keyboard+Mouse+Monitor: Does it matter?

Laptop (I use it for school):

Spoiler

Surface book 2 13" with an i7 8650u, 8gb RAM, 256 GB storage, and a GTX 1050

And if you're curious (or a stalker) I have a Just Black Pixel 2 XL 64gb

 

33 minutes ago, rcmaehl said:

BMG's website didn't support SSL to begin with. Additionally, functions used to hash/encrypt passwords were weak as they are using a FIVE year old version of their forum software. It honestly was just a matter of time before this happened to them.

oof. that's moonpig all over again


noooo my town of salem wins


Current PC

CPU: AMD A8-6600k (@4.2Ghz)

GPU: GTX 1070Ti 8gb FTW2 iCX

Motherboard: GA-F2A78M-HD2 

RAM: 8gb Patriot DDR3-1600mhz

Storage: Samsung 830 EVO 120gb, WD Blue 1tb 7200RPM 

PSU: SeaSonicM12II 620w (I wish I didn't buy this)

 Peripherals: Logitech G305//Corsair K55 RGB 

Displays: Asus MG248QR//Dell 1905FP

PSU Tier List v3 

 

New PC (getting parts)

CPU: i7-9700k

Cooling: EVGA CLC 280 RGB [✓]

GPU: EVGA GTX 1070Ti 8gb FTW2 iCX [✓]

Mobo: GIGABYTE Z390 AORUS PRO [✓]

RAM: XPG SPEXTRIX X41 2666mhz (Grey) [✓]

 Storage: T-Force Delta 250gb, WD Blue 1tb 7200RPM [✓]

PSU: 650w+ and ranked well

Case: Fractal Design Meshify C White

Peripherals: Logitech G305//Corsair K55 RGB [✓]

Displays: Asus MG248QR//Dell 1905FP [✓]

Extra: Sky blue front panel, sky blue cable extensions [✓]

 

Other

Phone: Huawei Mate 10 Lite (China steal my data???)

Dog: Irish Water Spaniel, Lucy, 9 years old (I didn't know what to write)

School Laptop: Acer Chromebook R11 ((less RAM than my phone)

4 hours ago, chazragg said:

I made the switch to LastPass and a YubiKey 2 years ago and would never go back.

I don't like password managers, feels a lot like putting all your eggs in one basket. They breach the password manager and they get all your passwords instead of each app individually. Not that I doubt that password managers have good and well built security systems but I just don't like it much.



Yeah ivebeenpwned here, signed for this site years ago with some friends at a LAN party. They got my good email too...

10 hours ago, chazragg said:

BMG's website didn't support SSL to begin with. Additionally, functions used to hash/encrypt passwords were weak as they are using a FIVE year old version of their forum software. It honestly was just a matter of time before this happened to them.

So would this indicate they probably can decrypt these passwords? Better have another look at my password manager.

 

Also, thanks for reminding me that I can get email alerts, should have set that up ages ago.


I have three emails for this basic purpose:

 

A shitty email used for shitty things, including scripts to delete the constant spam it gets (hasn't been leaked).

 

An email used for video gaming services (the one that was leaked).

 

An email for serious stuff.

Posted · Original Poster
14 hours ago, Bananasplit_00 said:

I don't like password managers, feels a lot like putting all your eggs in one basket. They breach the password manager and they get all your passwords instead of each app individually. Not that I doubt that password managers have good and well built security systems but I just don't like it much.

I see where you are coming from, I like LastPass because a majority of the major sites support an auto change password feature so if my account was ever breached I think I could change all my passwords before anyone could crack the hashed passwords. You could also use software like KeePass which is a local version, we use it here at my work.

Posted · Original Poster
12 hours ago, Hit_and_run_poster said:

i've got have i been pwned set up and i've got a BMG account but i didn't get any email

well, you only get the email if your email address appeared in the list posted online, maybe you were lucky and didn't get posted? 

Posted · Original Poster
13 hours ago, imreloadin said:

It must be my age showing because I've never heard of this dev or this game at all...

there was also a Starcraft 2 arcade game that was similar called mafia. really interesting but I find it best played as a group as PuGs can ruin the fun

19 hours ago, rcmaehl said:

BMG's website didn't support SSL to begin with. Additionally, functions used to hash/encrypt passwords were weak as they are using a FIVE year old version of their forum software. It honestly was just a matter of time before this happened to them.

Exactly. Nowadays SSL is pretty much essential for anything containing emails and passwords.

 

BMG had it coming though, they were an easy target.

Not only was it the lack of SSL and the old forum software, but it was also the fact they were a relatively small game whose developers were most likely oblivious to the fact that the emails, passwords, IP addresses and whatever else they stored on their servers was not adequately protected.

I'm not one to jump to conclusions, but the fact that they couldn't even use SSL or update their forum software just makes me think BMG didn't really know what was going on with the security side of things.

 

Take everything I say with a grain of salt. I'm not a web developer nor a cybersecurity expert.

 


I'm not liable for anything that may happen to you and your PC if you decide to follow my advice. Take everything I say with a grain of salt, some things may not be correct.

Make sure to tag or quote who you are trying to reply to, that way they will see your answer.

Useful links: Community Standards | PSU Tier List 3.0 | Posting Guidelines | Build recommendations

 

4 hours ago, chazragg said:

I see where you are coming from, I like LastPass because a majority of the major sites support an auto change password feature so if my account was ever breached I think I could change all my passwords before anyone could crack the hashed passwords. You could also use software like KeePass which is a local version, we use it here at my work.

Yah I'd be a lot more up for a local version tbh but for now I'll keep off



I only used the Steam version of the game, not the browser so I never made an account with BMG AFAIK. I think I'm fine unless this penetrates into that as well, but it sounds like it's mostly a browser security issue.


"Put as much effort into your question as you'd expect someone to give in an answer"- @Princess Cadence

Make sure to Quote posts or tag the person with @[username] so they know you responded to them!

Purple Build Post ---  Blue Build Post --- Blue Build Post 2018 --- Project ITNOS

CPU i7-4790k    Motherboard Gigabyte Z97N-WIFI   RAM G.Skill Sniper DDR3 1866mhz    GPU EVGA GTX1080Ti FTW3    Case Corsair 380T   

Storage 1x Samsung EVO 250GB, WD Black 3TB, WD Black 5TB    PSU Corsair CX550M      Cooling Cryorig H7
