Man of Doom

Doomworld has been compromised.


2 hours ago, Arioch said:

Hi folks!

Hello fellow boomer who hung out in #doom2 in the 90s and is in their 30s or 40s now


Seriously now. What the actual everlasting fuck is going on on my end? I keep getting logged out seemingly at random, I go to log back in and enter my new password that I just reset 15 fucking minutes ago, but it's never correct according to the database, which leads me to reset it again, rinse and repeat ad nauseam.

 

Somebody please tell me I'm not the only one having this problem.

Just now, MFG38 said:

Somebody please tell me I'm not the only one having this problem.

For some reason I was logged out on my phone yesterday, despite not actually logging out. I couldn't change my password on my PC despite typing in the right password at least three times. Eventually I got it to change. Linguica will sort it out. I have a lot of faith in them.


The only thing I can say is "Huh, interesting".

 

But in all seriousness, this doesn't seem to be a particularly problematic data leak. Do the usual in these scenarios and you should be fine.

32 minutes ago, MFG38 said:

I keep getting logged out seemingly at random

Unfortunately, I'm no expert here, but could it be an issue regarding the browser? Maybe (I can see myself getting scolded by my betters here) the browser is dropping or otherwise deleting the cookie used for authentication? Try a different browser, or update the current one. If it persists, it may well be on Doomworld's side but I wouldn't immediately think it is related to this incident.

5 minutes ago, CyberosLeopard said:

Maybe [...] the browser is dropping or otherwise deleting the cookie used for authentication?

 

Doesn't explain me having had to reset my password 5 times in the past 24 hours. The ones I enter are allegedly correct but they just refuse to work. That's my issue here. If I can log in to any other site without needing a password reset every time, then the problem is uniquely on Doomworld's end.


Strange. If I'm understanding you correctly, you're getting logged out of Doomworld and every time you attempt to re-authenticate, you are prompted to reset your password?

3 minutes ago, CyberosLeopard said:

Strange. If I'm understanding you correctly, you're getting logged out of Doomworld and every time you attempt to re-authenticate, you are prompted to reset your password?

 

Yeah, basically.


Damn. Unfortunately, I'm not the person that can exactly help in this; I'm not the sysadmin. I have been looking on the community section of Invision Community (https://invisioncommunity.com/forums/) but I haven't found anything related just yet. There could be an issue with the authentication server, but I really can't say.

 

In the worst-case scenario that someone is trying to brute-force your password, I really would not get worried; they will have a very difficult time. I've taken a quick look at the bcrypt hashing algorithm (https://en.wikipedia.org/wiki/Bcrypt) and I don't see any segments regarding that said algorithm shouldn't still be in use.

1 hour ago, MFG38 said:

Seriously now. What the actual everlasting fuck is going on on my end? I keep getting logged out seemingly at random, I go to log back in and enter my new password that I just reset 15 fucking minutes ago, but it's never correct according to the database, which leads me to reset it again, rinse and repeat ad nauseam.

 

Somebody please tell me I'm not the only one having this problem.

Since you try to authenticate your login, it needs to get past a validation system (could be a server, could be a site-served certificate) and it seems to bug out on you specifically. (Can confirm it does not happen here in NL in two different places.)

 

Some semi-random thoughts/questions:

  • Are you running any blockers or third-party plugins?
  • What happens if you whitelist the entire site?
  • Have you deleted all cookies/login data from the site?
  • Can you determine the validation URL/ID it uses? (You probably need your browser in developer mode for this and/or Wireshark)

2 minutes ago, Redneckerz said:

Are you running any blockers or third-party plugins?

 

Only the browser's built-in ad/tracker blocker.

 

4 minutes ago, Redneckerz said:

What happens if you whitelist the entire site?

 

Not sure, gonna have to give that a spin. Not expecting things to improve with that, though.

 

6 minutes ago, Redneckerz said:

Have you deleted all cookies/login data from the site?

 

I've configured my browser settings so that they get auto-cleared whenever I close it. Login data doesn't get saved anywhere either.

On 10/13/2022 at 7:35 PM, Poxel12 said:

Well, this is terrible. Time to change my password to be more polish.

Not to derail the thread, but your comment made me remember that one of my former employers demanded that I sign up for one of their websites / apps, so I created a burner email address and the password was just Romanian for "Fuck your mother" and some numbers.


Glad to see this is mostly a nothing burger.

Either way, I took this as an excuse to set a new password; now it's absurdly long.
I have to wonder what the character limit is for something like that.

12 hours ago, rzh said:

Not to derail the thread, but your comment made me remember that one of my former employers demanded that I sign up for one of their websites / apps, so I created a burner email address and the password was just Romanian for "Fuck your mother" and some numbers.

Did he figure out what the password meant?


That red banner at the top freaked me out at first... But later I made security changes and re-logged without any problems. It will be sad if the old accounts that have not been visited for a long time get hacked and the attackers use these accounts on their behalf.

2 hours ago, riderr3 said:

That red banner at the top freaked me out at first... But later I made security changes and re-logged without any problems. It will be sad if the old accounts that have not been visited for a long time get hacked and the attackers use these accounts on their behalf.

Bruh, if the John Carmack Doomworld account comes back to promote Dogecoin, I won't know how to feel.

On 10/13/2022 at 1:18 PM, roadworx said:

it's probably some 14y/o who had a pissyfit over being banned for spewing racial slurs

Considering the paywall, I think it's just a gigabrained-tier scam that promotes healthy password hygiene. Think about it for a minute, people pay to get what is likely a bunk database, and we get encouraged to improve password-related practices.

9 hours ago, Mr Masker said:

Bruh, if the John Carmack Doomworld account comes back to promote Dogecoin, I won't know how to feel.


CarmacKoin.

On 10/14/2022 at 8:38 AM, Arioch said:

Hi folks!

Oh hey! I remember you. Kinda.

4 minutes ago, Matthias (LiquidDoom) said:

yeah, looks compromised
[image: obrazek.png]

You do understand that's spam, right? That's not being compromised, that's just spam.

5 minutes ago, Matthias (LiquidDoom) said:

yeah, looks compromised
[image: obrazek.png]

I remember this also happening many moons ago. Annoying, but not necessarily dangerous IMO.


The banner is gone, has the issue been fixed? Since changing passwords only makes sense if the attacker doesn't have access to them anymore.

 

8 hours ago, act said:

Considering the paywall, I think it's just a gigabrained-tier scam that promotes healthy password hygiene. Think about it for a minute, people pay to get what is likely a bunk database, and we get encouraged to improve password-related practices.

 

Hackers selling stolen data is pretty normal.

 

 
