MFGG Forums
About the main site news - Printable Version

Thread: About the main site news (/showthread.php?tid=3103)



About the main site news - Mors - 04-09-2024

So, if you've been to the main site you might have noticed that the last news post is from 2021. Whuh? What? You might have also heard about something along the lines of the main site getting compromised.

TL;DR: Someone compromised a staff account, deleted all the news posts, and promoted their own stuff. No need to worry though because we do have backups and will restore things fully soon.

That being said, if I was just a regular member of the community, and something like this had happened but the details were swept under the rug with just that, I'd be annoyed. So to have full transparency, this post will have a full explanation of the events that had transpired.

But before that, I will emphasize a few things:
  1. Nothing is lost permanently here. They deleted the news, but we temporarily restored all the ones from up to 2021 for now, and will bring back the rest shortly (from an off-site backup hopefully).
  2. Except for a certain specific user I'll get to, your account is safe and not accessed from outside.
  3. Nothing else is touched. The games and whatnot are intact and safe.
  4. There's no real big security risk going on. There's no backdoor as far as we know, it's just someone guessing a staff account's password.
  5. This is not connected to any other prior incident.
  6. They didn't have access to the full backend of the site. Only a specific portion, which they seemingly only used to snoop on one member, then spam on the news section.
How are we so sure about all this though? Well, it's because we can see everything. Every single move of these people has been logged, including the pages they have visited. So we know exactly what they did, in what order.

So here's what happened, based on what I heard from the staff members who were awake at the time, and my own investigation of the logs:
  1. They first visited a user's profile. When you google their name, MFGG is one of the first results to pop up, so that's likely how they discovered the site. This user had never done anything on the site, at least since the late 2000s.
  2. They tried to log in to it, but failed.
  3. So, they tried to log into various staff accounts instead. They got the password wrong many times in the process.
  4. But eventually one of them worked. Our guess is that the password was either super easy to guess, or it was included in a prior database leak from a different website. This is why you don't use the same password across multiple websites.
  5. Using the staff account they immediately took control of the mystery user's account as well. From what I can tell, they proceeded to do nothing with it, and the account itself did not contain much information. We ended up locking this account.
  6. They also banned me to prevent me from stopping them. I was asleep at the time, as this whole thing happened around 6 AM for me, so I was not there to see my first MFGG ban, sadly.
  7. They deleted pretty much all the main site news posts as well. Come on man...
  8. They then started posting a bunch of news posts of their own, flaunting their victory, and promoting their Twitter accounts. Those accounts are pretty barren though, and mostly have posts related to... Yep, you guessed it, Roblox.
  9. Fun With Despair noticed all this and tried banning them. Before he could though, they just changed the password of his account and started using it to spam instead.
  10. We quickly tried to sort things out, reverted to a quick backup we had from 2021 for emergencies, cleared session records to log them out of the staff accounts, reset the passwords of ALL staff accounts, and deleted the accounts they had made.
  11. Turns out this was not enough and they were still somehow logged into Despair's account, so we additionally IP-banned them, and temporarily banned Despair's account as well just to be safe.
Now, some of you might realize this all sounds eerily similar to two other incidents that had transpired before.

Some MFGG and Mario Flashback OGs will remember the Roblox raids. To sum it up, there used to be a group of people who would use exploits to put messages in popular Roblox games (I'm talking about games played by millions) that tell them to raid a server to receive free Robux (Roblox currency). MFGG was a target of these attacks. Why? No idea, none of us have anything to do with Roblox. But I'm almost certain that those people who organized the raids are not the same people who nuked the news posts here. It's just that Roblox attracts a lot of toxic kids. We also don't know the identity of those raiders, so don't pay attention to anyone else who says otherwise.

The other incident in question is the previous main site takeover. There was another incident of another staff account getting compromised in the exact same way, and someone spamming stuff in the news, with far less impact. We had taken precautions after that incident, and even revamped the entire backend to improve the site's security as a whole, but it clearly wasn't enough and some staff members still kept using insecure passwords.

We have also been dealing with the issue of an individual from an affiliated community joining our Discord server to spam slurs and random screenshots. That's also unrelated.

As the MFGG staff we made one big crucial mistake here. We did not make absolutely sure that all staff accounts, including the inactive ones, used secure passwords. We kinda just trusted each other, but that was clearly not enough. Thankfully, nothing serious happened outside the temporary loss of news posts, but things could be so SO much worse. Still, we are going to take full responsibility for this breach, and make ABSOLUTELY SURE nobody's able to brute force into staff accounts in the future. We are terribly sorry for all that happened.

There are a few lessons to learn here:
  1. Do not reuse the same password in multiple places. Use a password manager if necessary.
  2. If you have old, unused accounts on sites where the account getting compromised would be a problem, please make sure that they have strong passwords.
  3. Make frequent backups.
  4. Don't let your kids play Roblox.
And lastly, I just want to say: please remember that all the staff members here are just volunteers who like the Mario franchise and the underground fangaming culture MFGG represents. We don't make money from running this site, and it's not fun to constantly deal with raids and stuff like this. Please try to be understanding.
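As an added illustration (not part of any post here, nor code from the MFGG site), a small Python detector for the pattern Mors describes seeing in the logs: one source address failing against several accounts, then succeeding on one of them. The log format, IP addresses and account names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real MFGG data): one address probes an
# old member account, then several staff accounts, and eventually gets in.
SAMPLE_LOG = """\
2024-04-09T05:58:01Z ip=203.0.113.7 user=oldmember result=FAIL
2024-04-09T05:58:20Z ip=203.0.113.7 user=staff_a result=FAIL
2024-04-09T05:58:31Z ip=203.0.113.7 user=staff_a result=FAIL
2024-04-09T05:58:44Z ip=203.0.113.7 user=staff_b result=FAIL
2024-04-09T05:59:02Z ip=203.0.113.7 user=staff_c result=FAIL
2024-04-09T05:59:15Z ip=203.0.113.7 user=staff_b result=FAIL
2024-04-09T05:59:40Z ip=203.0.113.7 user=staff_c result=OK
2024-04-09T06:10:00Z ip=198.51.100.5 user=regular result=FAIL
2024-04-09T06:10:09Z ip=198.51.100.5 user=regular result=OK
"""

# Assumed log line shape; adapt the regex to whatever your site actually writes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse(log_text):
    """Turn log lines into dicts, silently skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def flag_password_guessing(events, min_failures=5, min_accounts=3):
    """Return {ip: summary} for addresses that failed at least min_failures
    times across at least min_accounts distinct accounts and then logged in.
    A single user mistyping their own password never trips both thresholds."""
    fails = defaultdict(int)          # failed attempts per source address
    accounts = defaultdict(set)       # distinct usernames tried per address
    success_after = defaultdict(list) # accounts that later accepted a login
    for ev in events:                 # events are assumed to be in time order
        ip = ev["ip"]
        if ev["result"] == "FAIL":
            fails[ip] += 1
            accounts[ip].add(ev["user"])
        elif fails[ip] >= min_failures and len(accounts[ip]) >= min_accounts:
            success_after[ip].append(ev["user"])
    return {ip: {"failures": fails[ip],
                 "accounts_tried": sorted(accounts[ip]),
                 "compromised": users}
            for ip, users in success_after.items()}
```

Run against the sample, the only flagged address is 203.0.113.7 with six failures over four accounts and a successful login to staff_c; the regular user who mistyped once is not flagged.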


RE: About the main site news - Fun With Despair - 04-09-2024

To add to this, while we did not have any passwords or information leaked as a result of this attack, I would still highly recommend changing your password, especially if your account is rather old.

It is somewhat likely that they got this password from an external leak of passwords that happened to be shared with their MFGG password as Mors summarized, and as a result it is unknown if they have other passwords. Shortly after their removal from the site, they used an account made in 2006 to submit an empty "game" with a description containing the spam they were posting on the main page likely as another form of taunt.

Whether they got into this account via resetting the password or via similar means (using leaked passwords from elsewhere) isn't really known but I would play it safe just in case. While it's unlikely that an average user account getting hacked would lead to anything beyond more spam, it's still good to stay on top of your passwords and make sure you aren't using a password shared with another site.


RE: About the main site news - Vert - 04-09-2024

Why do Roblox kids hate Mario fangames so much? It boggles the mind.

Anyway, seeing as they failed to break into the site through other ways, it really reinforces how the weakest link in computer security is the guy behind the screen. Maybe there should be an official procedure for dealing with old staff accounts to prevent this in the future?


RE: About the main site news - Fun With Despair - 04-09-2024

(04-09-2024, 03:21 PM)Vert Wrote: Why do Roblox kids hate Mario fangames so much? It boggles the mind.

Anyway, seeing as they failed to break into the site through other ways, it really reinforces how the weakest link in computer security is the guy behind the screen. Maybe there should be an official procedure for dealing with old staff accounts to prevent this in the future?
This is actually being discussed right now. It's probably going to be the case that we go through and make sure no previous staff members or inactive staff accounts in general still have any access above that of a normal member.


RE: About the main site news - Namedude - 04-09-2024

(04-09-2024, 03:21 PM)Vert Wrote: Why do Roblox kids hate Mario fangames so much? It boggles the mind.

Because Roblox kids hate fun.


RE: About the main site news - AGuyCalledKlaz - 04-09-2024

Good lord. This has got to be the worst security breach incident in MFGG's 20 or so year history.
At least nobody else got their accounts hacked, NOR were fan-games and such affected thankfully. The worst thing that can happen to a fan-game site is if the fan-games get removed.


RE: About the main site news - VinnyVideo - 04-09-2024

Oh joy... it's been a while since we've run into this kind of shenanigans. Yes, this is another reason why it's important to use strong passwords and to avoid reusing important passwords!

I have a mainsite backup dating to February 29, so I was able to restore all the missing updates except for the ones made in the past month or so. It might be possible to recover the handful of remaining updates, since those get posted on the MFGG Discord.


RE: About the main site news - OssieTheOstrich - 04-09-2024

When I first witnessed the updates being missing I thought my computer or internet was acting up. The idea of the site being hacked was the last thing that crossed my mind. This is really one of the strangest things to have happened here.

Hopefully any new security measures ensure this doesn't happen again.


RE: About the main site news - TonyBalonneViper - 04-10-2024

Hoping this doesn't happen again.


RE: About the main site news - VinnyVideo - 04-14-2024

All the missing updates and update comments should be back now!

The only thing that could possibly be missing would be comments made to mainsite updates #888, #889, or #890.

Let me know if you run into any issues.