
A Small Concern...


That Matoran with a Vahi

Recommended Posts

Hi, sorry to be a bother, but has BZP had any hacking difficulties recently?

I just received two identical spam emails, trying to blackmail me into sending them money. Normally, of course, I'd just ignore / delete / report these and get on with my life - particularly since their blackmail material was something I haven't even done - but I'm a bit concerned because they were titled with my login password for this site. Naturally, I changed my password immediately; but since I'm the kind of guy who uses a different password for everything, I can't see any reason why they would know *that specific password* unless they'd got it from here on BZ.

(Though they have no clue about this place; I doubt the word filter will even let me say what kind of site they thought they'd got that password from!)

Granted, I also hadn't changed said password since, um... I first registered here, which is terrible of me I know. So it's possible they could have accessed it anytime over the past sixteen years and have only just got around to me now; but I thought I ought to mention it, just in case something's up? And in case my account here does start doing unsavoury stuff, since I can't guarantee they didn't get into it before contacting me; how would I know if they had?

And is there anything else I should do to make sure nothing else unwanted gets into my account here?

Thanks; and sorry to be a bother, again.

Edited by That Matoran with a Vahi


"New legends awake, but old lessons must be remembered.
For that is the way
of the BIONICLE."


IIRC, there was a possible breach with Cloudflare a while back (not just specifically BZPower), and people were encouraged to change their passwords on any platform supported by it. It's possible that's when it happened. If not, then like you said it could've happened at any point in the past sixteen years. There really isn't reason to worry you might get hacked just from using BZP--doesn't hurt to still take the kind of precautions you would anywhere else on the internet, though.


[BZPRPG]
(shout out to max)


I remember one particular hacking attack BZPower suffered back in 2013, with the most notable disruption being the permanent loss of the archived forums of 2001-2010, which would explain the absence of all those older posts, if you were curious about that. I don't remember what else happened in that event, but if something significant like a data breach ever did occur, I suspect that could have been the most likely time when it might have happened.

Formerly known as Takanuva's Symbol, I rejoined BZPower on October 10, 2012.

These days, I am perhaps best known for my obsession with all Lego video games.


Hi there!

So, I do have a theory that I hope you're willing to test, @That Matoran with a Vahi.

In my opinion, it is plausible that passwords from BZPower were exfiltrated during the aforementioned 2013 security incident, but I do not have the capacity to prove this myself. If I remember correctly, the threat who damaged BZPower claimed to have also stolen a copy of the BZP's forums, which plausibly contained the hashed passwords for every user. According to what I've found, the version of Invision (the forum software that BZPower has used for nearly two decades now) that BZPower's archived forums were running uses salted MD5 hashes to secure every user's passwords. Hashing passwords is a one-way process that prevents even a forum's admins from knowing the true, 'plaintext' password, and has long been the de facto standard for how passwords are stored in any application, from your operating system to webforums like BZP. Unfortunately, while using salted MD5 hashes to store passwords was very common in the early 00's, the MD5 hashing algorithm has been considered insecure for well over a decade now, and is easily crackable (using computational firepower to attempt to discover the password a hash represents) by modern techniques and modern computational speeds.

What does this mean? It is possible that this threat exfiltrated a copy of the forum's database during that breach, and it is plausible that they would have had access to the hashed passwords of BZPower users from this database, and it is completely feasible for anyone to crack those hashes to discover the true passwords. This doesn't necessarily mean that this perpetrator is the suspect in question who sent you this blackmail email - The 2013 breach was ultimately a crime of anger and passion and thus I highly doubt the perpetrator's goal was to acquire account information and use it to attempt to blackmail random users seven years later. It is far more likely that at some point, somehow or another, the perpetrator either publicly posted the list of passwords or sold them on the internet for some quick cash. At some point in this process over the past seven years, some amount of these passwords (including yours) were cracked to discover their plaintext form, and the account info from BZP's breach was probably aggregated into larger datasets of breached account info that are commonly sold in the internet's hives of scum and villainy. Then years later, some enterprising criminal tried to phish and blackmail people using one of these datasets of breached accounts they either bought or found publicly, and by the luck of the draw you were one of their random selection of targets. It is very possible this suspect did not even know that this account was on BZPower, just the password and your email address.

I mentioned a theory at the beginning, and I hope you can help me with this, because if you are to be believed that you NEVER used this password on any other accounts (Or at the very least, not on any other accounts tied to that email address) then you are the first person (That I know of, at least) who can test if my theory above is true and possibly confirm if the passwords of BZP users circa 2013 have truly been breached.

You can do this by visiting https://haveibeenpwned.com/Passwords and entering this password into it to check if it matches any in known data breaches. If you have any doubts about entering your password on some website to check if it's been breached, then first of all good, you're using your brain and skepticism is absolutely warranted, but second of all, Troy Hunt and his website, Have I Been Pwned (And the newer Pwned Passwords feature of Have I Been Pwned) are reputable in the cybersecurity community (Research it on your own if you're worried! Read his blog post about it if you're so inclined, but it is a bit technical), and third of all, you're specifically testing the password which you yourself admit to have already changed and have never used on any other website, so even if Have I Been Pwned was secretly stealing your password, good news! You are already more secure than most people because you only used this password for BZPower, and even then have changed it since then, so you have no reason to worry whatsoever. I would also recommend checking if the email address you use for BZP is in any data breaches through Have I Been Pwned's main page. Pwned Passwords doesn't reveal what data breaches this password was used in (for obvious reasons) but if it detects this password in a breach then it's possible that breaches containing your email address (which Have I Been Pwned typically is able to tell you) can help me narrow down where BZP's passwords might have been aggregated and more conclusively track down the validity of this breach with harder evidence than trusting your word that this was the only place that password was used.

It could always be a dead end or inconclusive, but if Have I Been Pwned shows you that this only-used-on-BZP password is in fact in a publicly available dataset of stolen account credentials, then proving this could prevent such confusion and potential danger caused by this breach from affecting others on this site, and I think even the smallest of chances of providing clarity on this matter to BZP's staff and users is worth the minuscule amount of time in your day to test this and report back.

Obviously I'm just some random guy on the internet and we don't know each other well (shame, I don't think our characters met or interacted much in Six Kingdoms: Escapement/Rebirth) and so listening or communicating privately with BZP staff about this makes more sense, but if you do wish to know more or think you could use my help in this matter and want to speak on a more private channel (given that there are obviously sensitive matters at hand here) feel free to reach out to me. If you have any questions that can be addressed publicly in this topic, I'll definitely try to clear anything up and help however I can.

Edited by BULiK

Visit www.BZPRPG.com to view my project of archiving BZPower's RPGs, and also access the BZPower Roleplaying Wiki

BZPRPG Profiles - Ghosts Of Bara Magna Profiles

Exo-Force RPG Profiles - Six Kingdoms: Apocalypse (Knichou, Berys, Arnex, The Taku, Exuze)

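As an added illustration of the Pwned Passwords check BULiK describes (this is example code, not from the thread, from Have I Been Pwned, or from BZPower): the service uses a k-anonymity range query, so only the first five hex characters of the password's SHA-1 hash are ever sent; the matching is done locally against the returned suffixes. The endpoint URL is the real one; the sample range response below is constructed so the code runs offline.

```python
"""Pwned Passwords k-anonymity check: hash locally, send a 5-char prefix,
compare the remaining 35 chars of the hash against the returned list."""
import hashlib
import urllib.request
from typing import Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 hex digest split into the prefix that is sent (5 chars)
    and the suffix that never leaves the machine (35 chars)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times this suffix appeared in known breaches, or 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Query the live API for one prefix (needs network access)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_breach_count(password: str, range_body: Optional[str] = None) -> int:
    """Return the breach count for a password; pass a range_body to stay offline."""
    prefix, suffix = hash_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


# Constructed sample response (not real API data): one line per suffix that
# shares the queried prefix, with the breach count after the colon.
_, _KNOWN_SUFFIX = hash_prefix_suffix("correct horse battery staple")
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_KNOWN_SUFFIX}:42",
    "0031AFE33F6C6BA50D2E3F8C7A7A5F2C4D1:3",
])
```

Calling `password_breach_count("...")` without a second argument performs the live lookup; the server never learns more than the five-character prefix.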

  • 1 month later...

Thanks for the reassurance, everyone! :D

@BULiK - Sorry for taking a while to get back to you, I've been busy lately and haven't remembered to check BZP.

In any case, thanks for the detailed explanation! I ran the password through that site, like you suggested; I'll take this conversation to PM though, like you say, since I don't want to throw too much talk of sensitive matters around publicly ^^



"New legends awake, but old lessons must be remembered.
For that is the way
of the BIONICLE."

