CPPS.me development blog


Well, damn.

* Yes, this is a tumblr. :p *

If you want the low-down, here’s the TL;DR:
A test database was found, two password hashes (Stanley + d0pe’s) were cracked, and people fucked with it for about 5 minutes.

Full story is below.

Hax? No.

A few of CPPS.me’s machines were *supposedly* hacked today (8th June 2012) at around 6:15PM GMT. That’s when I was informed of a breach. (If you want me to be brief, they were not. Nothing got hacked.)

I was given screenshots of my account on the CPPS.me user manager. A few seconds earlier I had been told that my “Skype” account had a password which was insecure, and the same with my CPPS.me account. I changed my Skype account password and changed my CPPS.me account’s password to NULL. I expected this to be the end of the matter; it was not.

Several people went on to IM me about chat logs between the adversary and them. I took note of what was being claimed and checked whether the claims were true. The majority of them were not. Despite this, I was already in the process of shutting down all of the servers (I shut down the MySQL server first, then returned to shut down all of the servers we control to prevent spread).

During this time, I changed all of my account passwords to ensure nothing else could happen, as a precaution. I was told a number of rumours:

  • SQLi was used in the panel for moderators
  • CPPS.me’s machines have been ‘rooted’ (gained Administrator access)
  • Current live database had been compromised

All of these were false.

It turns out that.. a lot of what was said by these adversaries was exaggeration.

A test database given to someone outside of CPPS.me (incomplete, pretty small actually, not much user data was in this) was found by another person outside of CPPS.me by pure accident. Only Stanley + d0pe’s passwords were cracked. Nobody else’s. We’ll be enforcing security measures despite this though. We’re paranoid people. In this case, a ‘test’ database comprised a very small portion of the actual database, enough data to be able to code without compromising security.

None of our servers were actually compromised. It turns out one of the attackers just.. really really liked to exaggerate. Didn’t stop me shutting down everything just in case, but y’know (unlike some people, we did actually react as one should in a situation like this. We killed everything to ensure *nothing* could be done to damage any further, as we were not aware of the extent at the time. — Yes, we still have all the data, yes we have backups too.)

CPPS.me will remain offline while we take precautions, however. The game will not return until we are *really* satisfied with the security, but in conclusion:

we were not hacked.

-The CPPS.me team

Posted on Friday, June 8 2012.